diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 1b45de982..e1839b017 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -96,7 +96,7 @@ jobs: strategy: matrix: linux: [ubuntu, debian, fedora, rhel] - platforms: [linux/amd64, linux/arm64, linux/arm/v7] + platforms: [linux/amd64, linux/arm64] include: - release: beta - linux: ubuntu @@ -107,11 +107,6 @@ jobs: package: rpm - linux: rhel package: rpm - exclude: - - linux: fedora - platforms: linux/arm/v7 - - linux: rhel - platforms: linux/arm/v7 uses: ./.github/workflows/linux-build.yml with: RELEASE: ${{ matrix.release }} @@ -183,7 +178,7 @@ jobs: strategy: matrix: linux: [ubuntu, debian, fedora, el] - arch: [amd64, arm64, armv7] + arch: [amd64, arm64] include: - release: beta repo: bunkerweb @@ -229,29 +224,19 @@ jobs: arch: arm64 package_arch: aarch64 - linux: el - arch: amd64 + arch: arm64 package_arch: aarch64 - - linux: ubuntu - arch: armv7 - package_arch: armhf - - linux: debian - arch: armv7 - package_arch: armhf - exclude: - - linux: fedora - arch: armv7 - - linux: el - arch: armv7 uses: ./.github/workflows/push-packagecloud.yml with: SEPARATOR: ${{ matrix.separator }} SUFFIX: ${{ matrix.suffix }} REPO: ${{ matrix.repo }} LINUX: ${{ matrix.linux }} - VERSION: ${{ matrix.separator }} + VERSION: ${{ matrix.version }} PACKAGE: ${{ matrix.package }} - BW_VERSION: ${{ $matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }} + BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }} PACKAGE_ARCH: ${{ matrix.package_arch }} + ARCH: ${{ matrix.arch }} secrets: PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml index 5315c45a9..5eaea0c4a 100644 --- a/.github/workflows/linux-build.yml +++ b/.github/workflows/linux-build.yml 
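Review bot: The new `ARCH: ${{ matrix.arch }}` line under `with:` hands an input to push-packagecloud.yml whose hunk in this same diff replaces both remaining `inputs.ARCH` uses with `inputs.PACKAGE_ARCH`. If `ARCH` is not declared under `on.workflow_call.inputs` in that workflow, the call is rejected at validation time; if it is declared, it is now dead and should go together with this line. The declaration block is not visible here, so this is inferred from the two hunks; either drop the line or add a comment stating what the callee still uses `ARCH` for.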
@@ -19,13 +19,6 @@ on: required: false type: boolean default: false - ARM_SSH_KEY: - required: false - ARM_SSH_IP: - required: false - ARM_SSH_CONFIG: - required: false - secrets: DOCKER_USERNAME: required: true @@ -35,6 +28,12 @@ on: required: true PRIVATE_REGISTRY_TOKEN: required: true + ARM_SSH_KEY: + required: false + ARM_SSH_IP: + required: false + ARM_SSH_CONFIG: + required: false jobs: build: @@ -48,8 +47,20 @@ jobs: echo "ARCH=${{ env.PLATFORMS }}" | sed 's/linux//g' | sed 's@/@@g' >> "$GITHUB_ENV" env: PLATFORMS: ${{ inputs.PLATFORMS }} + - name: Extract linux arch + if: inputs.PACKAGE == 'rpm' + run : | + echo "LARCH=${{ env.ARCH }}" | sed 's/amd64/x86_64/g' | sed 's/arm64/aarch64/g' >> "$GITHUB_ENV" + env: + ARCH: ${{ env.ARCH }} + - name: Extract linux arch + if: inputs.PACKAGE == 'deb' + run : | + echo "LARCH=${{ env.ARCH }}" >> "$GITHUB_ENV" + env: + ARCH: ${{ env.ARCH }} - name: Setup SSH for ARM node - if: startsWith(env.ARCH, "arm") == true + if: startsWith(env.ARCH, 'arm') == true run: | mkdir -p ~/.ssh echo "$SSH_KEY" > ~/.ssh/id_rsa_arm @@ -61,10 +72,10 @@ jobs: SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }} - name: Setup Buildx uses: docker/setup-buildx-action@v2 - if: startsWith(env.ARCH, "arm") == false + if: startsWith(env.ARCH, 'arm') == false - name: Setup Buildx (ARM) uses: docker/setup-buildx-action@v2 - if: startsWith(env.ARCH, "arm") == true + if: startsWith(env.ARCH, 'arm') == true with: endpoint: ssh://root@arm platforms: linux/arm64,linux/arm/v7,linux/arm/v6 
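Review bot: The two `Extract linux arch` steps leave `LARCH` unset when `inputs.PACKAGE` is neither `rpm` nor `deb`, and the `upload-artifact` step in the next hunk then publishes `package-<linux>-` with an empty suffix, a name the download side in push-packagecloud.yml can never match. Fail loudly instead, e.g. a third step with `if: inputs.PACKAGE != 'rpm' && inputs.PACKAGE != 'deb'` and `run: echo "unsupported PACKAGE=${{ inputs.PACKAGE }}"; exit 1`, or fold the mapping into a single step with a `case`. As a point of style, `run :` (space before the colon) on both new steps is valid YAML but trips yamllint's colons rule and differs from every other `run:` in the file, and the `env: ARCH: ${{ env.ARCH }}` lines are redundant because `ARCH` was already written to `$GITHUB_ENV` by the previous step. The `build` job starts outside this hunk.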
@@ -103,10 +114,23 @@ jobs: tags: local/bunkerweb-${{ inputs.LINUX }}:latest # Generate package - name: Generate package - run: ./src/linux/package.sh ${{ inputs.LINUX }} + if: startsWith(env.ARCH, 'arm') == false + run: ./src/linux/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }} + env: + LARCH: ${{ env.LARCH }} + - name: Generate package (ARM) + if: startsWith(env.ARCH, 'arm') == true + run: | + docker save local/bunkerweb-${{ inputs.LINUX }}:latest | ssh -C root@arm docker load + scp ./src/linux/package.sh root@arm:/opt + ssh root@arm chmod +x /opt/package.sh + ssh root@arm /opt/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }} "$(cat src/VERSION | tr -d '\n')" + scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }} + env: + LARCH: ${{ env.LARCH }} - uses: actions/upload-artifact@v3 with: - name: package-${{ inputs.LINUX }}-${{ env.ARCH }} + name: package-${{ inputs.LINUX }}-${{ env.LARCH }} path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }} # Build test image - name: Build test image diff --git a/.github/workflows/push-packagecloud.yml b/.github/workflows/push-packagecloud.yml index e4f72da15..135203a59 100644 --- a/.github/workflows/push-packagecloud.yml +++ b/.github/workflows/push-packagecloud.yml 
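Review bot: The ARM branch writes to fixed paths on a long-lived host (`/opt/package.sh`, `/root/package-${{ inputs.LINUX }}`) and copies `/root/package-<linux>` back with `scp -r`, so whatever an earlier run left in that directory is swept into this run's artifact unless `package.sh` recreates it from scratch, which is not visible here. Clear the remote output around the build, e.g. `ssh root@arm rm -rf /root/package-${{ inputs.LINUX }}` as the first line of the step and again after the `scp -r`, so an artifact only ever holds files produced by this run. Note also that the non-ARM `Generate package` step passes no version argument while the ARM one passes `$(cat src/VERSION | tr -d '\n')`; if `package.sh` falls back to reading `src/VERSION` locally that is fine, but a comment saying so would stop the next reader from treating the two invocations as inconsistent.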
@@ -51,13 +51,13 @@ jobs: - uses: actions/download-artifact@v3 if: inputs.LINUX != 'el' with: - name: package-${{ inputs.LINUX }}-${{ inputs.ARCH }} + name: package-${{ inputs.LINUX }}-${{ inputs.PACKAGE_ARCH }} path: /tmp/${{ inputs.LINUX }} - uses: actions/download-artifact@v3 if: inputs.LINUX == 'el' with: - name: package-rhel - path: /tmp/${{ inputs.LINUX }}-${{ inputs.ARCH }} + name: package-rhel-${{ inputs.PACKAGE_ARCH }} + path: /tmp/${{ inputs.LINUX }} # Remove existing packages - name: Remove existing package run: package_cloud yank bunkerity/${{ inputs.REPO }}/${{ inputs.LINUX }}/${{ inputs.VERSION }} bunkerweb${{ inputs.SEPARATOR }}${{ inputs.BW_VERSION }}${{ inputs.SEPARATOR }}${{ inputs.SUFFIX }}${{ inputs.PACKAGE_ARCH }}.${{ inputs.PACKAGE }} diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml index a3c667d19..657fc3109 100644 --- a/.github/workflows/staging.yml +++ b/.github/workflows/staging.yml @@ -105,17 +105,17 @@ jobs: strategy: matrix: type: [docker, autoconf, swarm, k8s, linux] - include: - - type: docker - runs_on: "['self-hosted', 'bw-docker']" - - type: autoconf - runs_on: "['self-hosted', 'bw-autoconf']" - - type: swarm - runs_on: "['self-hosted', 'bw-swarm']" - - type: k8s - runs_on: "['ubuntu-latest']" - - type: linux - runs_on: "['self-hosted', 'bw-linux']" + include: + - type: docker + runs_on: "['self-hosted', 'bw-docker']" + - type: autoconf + runs_on: "['self-hosted', 'bw-autoconf']" + - type: swarm + runs_on: "['self-hosted', 'bw-swarm']" + - type: k8s + runs_on: "['ubuntu-latest']" + - type: linux + runs_on: "['self-hosted', 'bw-linux']" uses: ./.github/workflows/staging-tests.yml with: TYPE: ${{ matrix.type }} @@ -133,7 +133,7 @@ jobs: # Delete infrastructures delete-infras: if: ${{ always() }} - needs: [create-infras] + needs: [staging-tests] strategy: matrix: type: [docker, autoconf, swarm, k8s, linux] diff --git a/docs/integrations.md b/docs/integrations.md index 1b66e40a1..f7f4ca7c4 100644 
--- a/docs/integrations.md +++ b/docs/integrations.md @@ -813,7 +813,7 @@ spec:
Linux integration
-List of supported Linux distros : +List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) : - Debian 11 "Bullseye" - Ubuntu 22.04 "Jammy" @@ -1079,7 +1079,7 @@ BunkerWeb is managed using systemctl :
Ansible integration
-List of supported Linux distros : +List of supported Linux distros (amd64/x86_64 and arm64/aarch64 architectures) : - Debian 11 "Bullseye" - Ubuntu 22.04 "Jammy" diff --git a/docs/requirements.txt b/docs/requirements.txt index 93dcf966f..a7f6c145b 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,5 +1,5 @@ -mkdocs==1.4.2 -mkdocs-material==9.1.8 +mkdocs==1.4.3 +mkdocs-material==9.1.11 pytablewriter==0.64.2 mike==1.1.2 jinja2<3.1.0 diff --git a/docs/web-ui.md b/docs/web-ui.md index 8865fa69e..e0679eacb 100644 --- a/docs/web-ui.md +++ b/docs/web-ui.md @@ -26,7 +26,7 @@ Because the web UI is a web application, the recommended installation procedure The security of the web UI is really important. If someone manages to gain access to the application, not only he will be able to edit your configurations but he could execute some code in the context of BunkerWeb (with a custom configuration containing LUA code for example). We highly recommend you to follow minimal security best practices like : - * Choose a strong password for the login + * Choose a strong password for the login (**at least 8 chars with 1 lower case letter, 1 upper case letter, 1 digit and 1 special char is required**) * Put the web UI under a "hard to guess" URI * Do not open the web UI on the Internet without any further restrictions * Apply settings listed in the [security tuning section](security-tuning.md) of the documentation diff --git a/examples/drupal/drupal-chart-values.yml b/examples/drupal/drupal-chart-values.yml index 13bab1258..7f105fe7f 100644 --- a/examples/drupal/drupal-chart-values.yml +++ b/examples/drupal/drupal-chart-values.yml @@ -1,3 +1,6 @@ drupalUsername: "user" drupalPassword: "changeme42" drupalEmail: "contact@example.com" +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/drupal/tests.json b/examples/drupal/tests.json index 6158582cc..cc1edd375 100644 --- a/examples/drupal/tests.json 
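Review bot: The new `mariadb.auth.password: "changeme1337"` is a fixed credential in an example that is meant to be copied, and the same literal is added to the ghost, joomla, magento, moodle, prestashop, redmine and wordpress chart-values files in this diff. A one-line comment above the block, `# example credential only: set a unique value before deploying`, makes the intent explicit in each file. Every one of these hunks is also flagged `\ No newline at end of file`; the files should end with a newline.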
+++ b/examples/drupal/tests.json @@ -3,7 +3,7 @@ "kinds": ["docker", "autoconf", "swarm", "kubernetes", "linux"], "no_copy_container": true, "timeout": 60, - "delay": 60, + "delay": 120, "tests": [ { "type": "string", diff --git a/examples/ghost/ghost-chart-values.yml b/examples/ghost/ghost-chart-values.yml index 3cb49478d..f9b7b6f5c 100644 --- a/examples/ghost/ghost-chart-values.yml +++ b/examples/ghost/ghost-chart-values.yml @@ -1,3 +1,6 @@ ghostUsername: "user" ghostPassword: "changeme42" ghostHost: "www.example.com" +mysql: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/joomla/joomla-chart-values.yml b/examples/joomla/joomla-chart-values.yml index 943dc8bdc..eb1d42965 100644 --- a/examples/joomla/joomla-chart-values.yml +++ b/examples/joomla/joomla-chart-values.yml @@ -1,3 +1,6 @@ joomlaUsername: "user" joomlaPassword: "changeme42" joomlaEmail: "contact@example.com" +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml index f848d7ff7..1de8dcb4a 100644 --- a/examples/load-balancer/docker-compose.yml +++ b/examples/load-balancer/docker-compose.yml @@ -18,7 +18,7 @@ services: - REVERSE_PROXY_URL=/ - REVERSE_PROXY_HOST=http://app - | - CUSTOM_CONF_HTTP_upstream.conf= + CUSTOM_CONF_HTTP_upstream= upstream app { server app1:80; server app2:80; diff --git a/examples/magento/magento-chart-values.yml b/examples/magento/magento-chart-values.yml index 411ca30c7..d65ff2d17 100644 --- a/examples/magento/magento-chart-values.yml +++ b/examples/magento/magento-chart-values.yml @@ -5,3 +5,6 @@ magentoEmail: "contact@example.com" magentoFirstName: "John" magentoLastName: "Doe" magentoAdminUri: "admin" +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/moodle/moodle-chart-values.yml b/examples/moodle/moodle-chart-values.yml index 5f0c86f03..b4597275d 100644 
--- a/examples/moodle/moodle-chart-values.yml +++ b/examples/moodle/moodle-chart-values.yml @@ -2,3 +2,6 @@ moodleSiteName: "My Moodle" moodleUsername: "admin" moodlePassword: "changeme42" moodleEmail: "admin@example.com" +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/prestashop/prestashop-chart-values.yml b/examples/prestashop/prestashop-chart-values.yml index 12806fd76..d476d39ed 100644 --- a/examples/prestashop/prestashop-chart-values.yml +++ b/examples/prestashop/prestashop-chart-values.yml @@ -8,3 +8,6 @@ prestashopCountry: "us" prestashopLanguage: "en" service: type: ClusterIP +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/redmine/redmine-chart-values.yml b/examples/redmine/redmine-chart-values.yml index ce82ab3ed..b5311f6a5 100644 --- a/examples/redmine/redmine-chart-values.yml +++ b/examples/redmine/redmine-chart-values.yml @@ -4,3 +4,6 @@ redmineEmail: "user@example.com" redmineLanguage: "en" service: type: ClusterIP +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/examples/wordpress/wordpress-chart-values.yml b/examples/wordpress/wordpress-chart-values.yml index 5a3d468a7..259236d8c 100644 --- a/examples/wordpress/wordpress-chart-values.yml +++ b/examples/wordpress/wordpress-chart-values.yml @@ -6,3 +6,6 @@ wordpressLastName: "LastName" wordpressBlogName: "User's Blog!" wordpressTablePrefix: "changeme_" wordpressScheme: "https" +mariadb: + auth: + password: "changeme1337" \ No newline at end of file diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile index 87f8251b9..22401e2b5 100644 --- a/src/autoconf/Dockerfile +++ b/src/autoconf/Dockerfile 
@@ -13,6 +13,7 @@ RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev pip install --no-cache-dir --upgrade pip && \ pip install wheel && \ mkdir -p /usr/share/bunkerweb/deps/python && \ + export MAKEFLAGS="-j$(nproc)" && \ pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \ apk del .build-deps diff --git a/src/autoconf/IngressController.py b/src/autoconf/IngressController.py index 60dc99f48..4856b8fd2 100644 --- a/src/autoconf/IngressController.py +++ b/src/autoconf/IngressController.py @@ -51,7 +51,7 @@ class IngressController(Controller, ConfigCaller): self.__logger.warning(f"Missing container bunkerweb in pod {controller_instance.metadata.name}") else: for env in pod.env: - instance["env"][env.name] = env.value + instance["env"][env.name] = env.value or "" for controller_service in self._get_controller_services(): if controller_service.metadata.annotations: for ( diff --git a/src/bw/lua/bunkerweb/utils.lua b/src/bw/lua/bunkerweb/utils.lua index 4671c2e05..049bb386b 100644 --- a/src/bw/lua/bunkerweb/utils.lua +++ b/src/bw/lua/bunkerweb/utils.lua @@ -64,7 +64,9 @@ utils.has_variable = function(var, value) return true, "success" end end - return false, "success" + if servers ~= "" then + return false, "success" + end end return check_value == value, "success" end @@ -93,7 +95,9 @@ utils.has_not_variable = function(var, value) return true, "success" end end - return false, "success" + if servers ~= "" then + return false, "success" + end end return check_value ~= value, "success" end diff --git a/src/common/core/blacklist/blacklist.lua b/src/common/core/blacklist/blacklist.lua index ee8aae24d..f23ffd5cb 100644 --- a/src/common/core/blacklist/blacklist.lua +++ b/src/common/core/blacklist/blacklist.lua 
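Review bot: `env.value or ""` now records an empty string for any env entry whose `value` is unset, which is exactly what an entry using `valueFrom` (a secret or configmap reference) looks like, so such variables are silently stored as empty rather than resolved or reported. If resolving them is out of scope, say so at the line with `# valueFrom entries carry no inline value; they are recorded as "" and not resolved`, and consider a `self.__logger.debug` message naming the variable so an operator can tell why a setting did not apply. The enclosing loop and method start outside this hunk.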
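Review bot: In `utils.has_variable` the added `if servers ~= "" then return false, "success" end` turns the former unconditional miss into a fall-through to `check_value == value` when `servers` is empty, and the same change is made in `utils.has_not_variable` below; nothing in the hunk says why an empty server list should consult the global value. A short comment above the new `if`, such as `-- no per-server match; with an empty server list fall back to the global value`, would record that. Wording to be confirmed, since what `servers` holds and where it is set are outside the hunk, as is the start of both functions.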
@@ -162,7 +162,7 @@ function blacklist:kind_to_ele(kind)
 end
 
 function blacklist:is_in_cache(ele)
- local ok, data = self.cachestore:get("plugin_blacklist_" .. ele)
+ local ok, data = self.cachestore:get("plugin_blacklist_" .. ngx.ctx.bw.server_name .. ele)
 if not ok then
 return false, data
 end
@@ -170,7 +170,7 @@ function blacklist:is_in_cache(ele)
 end
 
 function blacklist:add_to_cache(ele, value)
- local ok, err = self.cachestore:set("plugin_blacklist_" .. ele, value, 86400)
+ local ok, err = self.cachestore:set("plugin_blacklist_" .. ngx.ctx.bw.server_name .. ele, value, 86400)
 if not ok then
 return false, err
 end
diff --git a/src/common/core/blacklist/jobs/blacklist-download.py b/src/common/core/blacklist/jobs/blacklist-download.py
index 734534069..327930aee 100755
--- a/src/common/core/blacklist/jobs/blacklist-download.py
+++ b/src/common/core/blacklist/jobs/blacklist-download.py
@@ -23,13 +23,13 @@ from Database import Database
 from logger import setup_logger
 from jobs import cache_file, cache_hash, is_cached_file, file_hash
 
-rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE)
+rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE)
 asn_rx = re_compile(rb"^\d+$")
 uri_rx = re_compile(rb"^/")
 
 
 def check_line(kind: str, line: bytes) -> Tuple[bool, bytes]:
- if kind == "IP":
+ if kind in ("IP", "IGNORE_IP"):
 if b"/" in line:
 with suppress(ValueError):
 ip_network(line.decode("utf-8"))
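Review bot: The new cache key `"plugin_blacklist_" .. ngx.ctx.bw.server_name .. ele` joins the server name and the element with no delimiter, so two distinct (server_name, ele) pairs collide whenever one server name is a prefix of another and the remainder moves into `ele`; the point of the change is per-server isolation, and a collision would carry a cached verdict across servers. Put a character that cannot occur in a hostname between the two parts in both `is_in_cache` and `add_to_cache`, e.g. `"plugin_blacklist_" .. ngx.ctx.bw.server_name .. ":" .. ele`. The same keying change is made in country.lua, greylist.lua and whitelist.lua in this diff and should use the same delimiter.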
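Review bot: `rdns_rx` is relaxed from a hostname-shaped suffix to `^[^ ]+$`, which accepts any byte sequence without a space, including tabs and the `\r` left by CRLF-formatted lists, and these lines come from URLs fetched at job time rather than from the operator. At minimum exclude all whitespace with `rdns_rx = re_compile(rb"^\S+$")` (the `IGNORECASE` flag no longer does anything and can go), and add a comment stating what the consumer matches these entries against, since if it treats them as Lua patterns the metacharacters now pass through unchecked. The same regex change is made in greylist-download.py and whitelist-download.py, and the plugin.json `regex` entries move to `[^ ]+` in step.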
@@ -38,18 +38,18 @@ def check_line(kind: str, line: bytes) -> Tuple[bool, bytes]: with suppress(ValueError): ip_address(line.decode("utf-8")) return True, line - elif kind == "RDNS": + elif kind in ("RDNS", "IGNORE_RDNS"): if rdns_rx.match(line): return True, line.lower() - elif kind == "ASN": + elif kind in ("ASN", "IGNORE_ASN"): real_line = line.replace(b"AS", b"").replace(b"as", b"") if asn_rx.match(real_line): return True, real_line - elif kind == "USER_AGENT": + elif kind in ("USER_AGENT", "IGNORE_USER_AGENT"): return True, line.replace(b"\\ ", b" ").replace(b"\\.", b"%.").replace( b"\\\\", b"\\" ).replace(b"-", b"%-") - elif kind == "URI": + elif kind in ("URI", "IGNORE_URI"): if uri_rx.match(line): return True, line diff --git a/src/common/core/blacklist/plugin.json b/src/common/core/blacklist/plugin.json index 77003559b..73a29b5eb 100644 --- a/src/common/core/blacklist/plugin.json +++ b/src/common/core/blacklist/plugin.json @@ -48,7 +48,7 @@ "help": "List of reverse DNS suffixes, separated with spaces, to block.", "id": "blacklist-rdns", "label": "Blacklist reverse DNS", - "regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$", + "regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$", "type": "text" }, "BLACKLIST_RDNS_URLS": { @@ -138,7 +138,7 @@ "help": "List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist.", "id": "blacklist-ignore-rdns", "label": "Blacklist ignore reverse DNS", - "regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$", + "regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$", "type": "text" }, "BLACKLIST_IGNORE_RDNS_URLS": { diff --git a/src/common/core/cors/confs/server-http/cors.conf b/src/common/core/cors/confs/server-http/cors.conf deleted file mode 100644 index 30cc0d46a..000000000 --- a/src/common/core/cors/confs/server-http/cors.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -{% if USE_CORS == "yes" +%} -{% if CORS_ALLOW_ORIGIN != "" %}add_header Access-Control-Allow-Origin '{{ CORS_ALLOW_ORIGIN }}' always;{% endif %} -{% if CORS_EXPOSE_HEADERS != "" %}add_header Access-Control-Expose-Headers '{{ CORS_EXPOSE_HEADERS }}' always;{% endif %} -{% if CORS_ALLOW_CREDENTIALS != "no" %}add_header Access-Control-Allow-Credentials true always;{% endif %} -{% endif %} \ No newline at end of file diff --git a/src/common/core/cors/cors.lua b/src/common/core/cors/cors.lua index f8ee707e6..21833e041 100644 --- a/src/common/core/cors/cors.lua +++ b/src/common/core/cors/cors.lua @@ -1,12 +1,22 @@ -local class = require "middleclass" -local plugin = require "bunkerweb.plugin" -local utils = require "bunkerweb.utils" +local class = require "middleclass" +local plugin = require "bunkerweb.plugin" +local utils = require "bunkerweb.utils" -local cors = class("cors", plugin) +local cors = class("cors", plugin) function cors:initialize() -- Call parent initialize plugin.initialize(self, "cors") + self.all_headers = { + ["CORS_ALLOW_ORIGIN"] = "Access-Control-Allow-Origin", + ["CORS_EXPOSE_HEADERS"] = "Access-Control-Expose-Headers" + } + self.preflight_headers = { + ["CORS_MAX_AGE"] = "Access-Control-Max-Age", + ["CORS_ALLOW_CREDENTIALS"] = "Access-Control-Allow-Credentials", + ["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods", + ["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers" + } end function cors:header() 
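Review bot: `CORS_ALLOW_CREDENTIALS` is placed in `self.preflight_headers`, and the rewritten `cors:header` in the next hunk only walks that table when `ngx.ctx.bw.request_method == "OPTIONS"`, so `Access-Control-Allow-Credentials` is no longer sent on the actual (non-preflight) response; the deleted `cors.conf` emitted it on every response with `add_header ... always`, and browsers reject a credentialed response that lacks it. Keep it in the standard path too, e.g. in `cors:header` before the preflight branch: `if self.variables["CORS_ALLOW_CREDENTIALS"] == "yes" then ngx.header["Access-Control-Allow-Credentials"] = "true" end`. The condition also changed from `!= "no"` in the old template to `== "yes"`, which a comment should record as intentional, and since a `*` value for `CORS_ALLOW_ORIGIN` combined with credentials is rejected by browsers, a comment or a check on that pairing would help.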
@@ -14,26 +24,40 @@ function cors:header()
 if self.variables["USE_CORS"] ~= "yes" then
 return self:ret(true, "service doesn't use CORS")
 end
- if ngx.ctx.bw.request_method ~= "OPTIONS" then
- return self:ret(true, "method is not OPTIONS")
- end
- -- Add headers
- local cors_headers = {
- ["CORS_MAX_AGE"] = "Access-Control-Max-Age",
- ["CORS_ALLOW_METHODS"] = "Access-Control-Allow-Methods",
- ["CORS_ALLOW_HEADERS"] = "Access-Control-Allow-Headers"
- }
- for variable, header in pairs(cors_headers) do
- local value = self.variables[variable]
- if value ~= "" then
- ngx.header[header] = value
+ -- Standard headers
+ for variable, header in pairs(self.all_headers) do
+ if self.variables[variable] ~= "" then
+ ngx.header[header] = self.variables[variable]
 end
 end
- ngx.header["Content-Type"] = "text/html"
- ngx.header["Content-Length"] = "0"
-
- -- Send CORS policy with a 204 (no content) status
- return self:ret(true, "sent CORS policy")
+ -- Preflight request
+ if ngx.ctx.bw.request_method == "OPTIONS" then
+ for variable, header in pairs(self.preflight_headers) do
+ if variable == "CORS_ALLOW_CREDENTIALS" then
+ if self.variables["CORS_ALLOW_CREDENTIALS"] == "yes" then
+ ngx.header[header] = "true"
+ end
+ elseif self.variables[variable] ~= "" then
+ ngx.header[header] = self.variables[variable]
+ end
+ end
+ ngx.header["Content-Type"] = "text/html"
+ ngx.header["Content-Length"] = "0"
+ return self:ret(true, "edited headers for preflight request")
+ end
+ return self:ret(true, "edited headers for standard request")
 end
 
-return cors
\ No newline at end of file
+function cors:access()
+ -- Check if access is needed
+ if self.variables["USE_CORS"] ~= "yes" then
+ return self:ret(true, "service doesn't use CORS")
+ end
+ -- Send CORS policy with a 204 (no content) status
+ if ngx.ctx.bw.request_method == "OPTIONS" then
+ return self:ret(true, "preflight request", ngx.HTTP_NO_CONTENT)
+ end
+ return self:ret(true, "standard request")
+end
+
+return cors
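Review bot: `cors:access` answers every `OPTIONS` request with 204 once `USE_CORS` is `yes`, including OPTIONS requests that are not CORS preflights (no `Origin` or `Access-Control-Request-Method` header, e.g. an API client probing allowed methods), which then never reach the upstream. Gate the short-circuit on the preflight signature, e.g. `if ngx.ctx.bw.request_method == "OPTIONS" and ngx.var.http_access_control_request_method then`, and mirror the same condition in the preflight branch of `cors:header`. `cors:header` starts outside this hunk, and whether the old flow already answered all OPTIONS with 204 is not visible here, so this may be carried-over behaviour rather than a regression.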
diff --git a/src/common/core/country/country.lua b/src/common/core/country/country.lua index 1d9d328fe..a1aef5b28 100644 --- a/src/common/core/country/country.lua +++ b/src/common/core/country/country.lua @@ -92,7 +92,7 @@ function country:preread() end function country:is_in_cache(ip) - local ok, data = self.cachestore:get("plugin_country_cache_" .. ip) + local ok, data = self.cachestore:get("plugin_country_cache_" .. ngx.ctx.bw.server_name .. ip) if not ok then return false, data end @@ -100,7 +100,7 @@ function country:is_in_cache(ip) end function country:add_to_cache(ip, country, result) - local ok, err = self.cachestore:set("plugin_country_cache_" .. ip, cjson.encode({country = country, result = result}), 86400) + local ok, err = self.cachestore:set("plugin_country_cache_" .. ngx.ctx.bw.server_name .. ip, cjson.encode({country = country, result = result}), 86400) if not ok then return false, err end diff --git a/src/common/core/customcert/confs/server-http/custom-cert.conf b/src/common/core/customcert/confs/server-http/custom-cert.conf index 4b3e5a580..467ad931c 100644 --- a/src/common/core/customcert/confs/server-http/custom-cert.conf +++ b/src/common/core/customcert/confs/server-http/custom-cert.conf 
@@ -1,12 +1,15 @@ {% set os_path = import("os.path") %} -{% if USE_CUSTOM_SSL == "yes" and os_path.isfile("/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_"))) and os_path.isfile("/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_"))) +%} +{% set cert_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_")) %} +{% set key_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_")) %} + +{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(cert_file_path) and os_path.isfile(key_file_path) +%} # listen on HTTPS PORT listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %}; # TLS config -ssl_certificate {{ CUSTOM_SSL_CERT }}; -ssl_certificate_key {{ CUSTOM_SSL_KEY }}; +ssl_certificate {{ cert_file_path }}; +ssl_certificate_key {{ key_file_path }}; ssl_protocols {{ SSL_PROTOCOLS }}; ssl_prefer_server_ciphers on; ssl_session_tickets off; diff --git a/src/common/core/customcert/confs/server-stream/custom-cert.conf b/src/common/core/customcert/confs/server-stream/custom-cert.conf index 9635d94b6..d24fa5bae 100644 --- a/src/common/core/customcert/confs/server-stream/custom-cert.conf +++ b/src/common/core/customcert/confs/server-stream/custom-cert.conf 
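Review bot: The cache file name is derived as `CUSTOM_SSL_CERT.replace("/", "_")`, which is not injective: paths such as `/certs/a_b/x.pem` and `/certs/a/b_x.pem` (constructed example) both flatten to `_certs_a_b_x.pem`, so two services with such paths would share and overwrite one cached certificate and key. If the job that populates `/data/cache/customcert/` uses the same flattening, prefixing the name with the service's `first_server` or a hash of the original path would avoid the collision; at least a comment above the two `{% set %}` lines should record that the mapping assumes distinct paths never collapse to the same name. The stream template (`server-stream/custom-cert.conf`) repeats the same two `{% set %}` lines in this diff and should change in step.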
@@ -1,12 +1,15 @@ {% set os_path = import("os.path") %} -{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(CUSTOM_SSL_CERT) and os_path.isfile(CUSTOM_SSL_KEY) +%} +{% set cert_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_CERT.replace("/", "_")) %} +{% set key_file_path = "/data/cache/customcert/{}".format(CUSTOM_SSL_KEY.replace("/", "_")) %} + +{% if USE_CUSTOM_SSL == "yes" and os_path.isfile(cert_file_path) and os_path.isfile(key_file_path) +%} # listen listen 0.0.0.0:{{ LISTEN_STREAM_PORT_SSL }} ssl {% if USE_UDP == "yes" %} udp {% endif %}{% if USE_PROXY_PROTOCOL == "yes" %} proxy_protocol {% endif %}; # TLS config -ssl_certificate {{ CUSTOM_SSL_CERT }}; -ssl_certificate_key {{ CUSTOM_SSL_KEY }}; +ssl_certificate {{ cert_file_path }}; +ssl_certificate_key {{ key_file_path }}; ssl_protocols {{ SSL_PROTOCOLS }}; ssl_prefer_server_ciphers on; ssl_session_tickets off; diff --git a/src/common/core/customcert/jobs/custom-cert.py b/src/common/core/customcert/jobs/custom-cert.py index 5b8ae1571..c435a5084 100644 --- a/src/common/core/customcert/jobs/custom-cert.py +++ b/src/common/core/customcert/jobs/custom-cert.py @@ -1,6 +1,7 @@ #!/usr/bin/python3 from os import getenv +from os.path import basename from pathlib import Path from shutil import copy from sys import exit as sys_exit, path as sys_path @@ -85,7 +86,7 @@ def check_cert(cert_path, key_path, first_server: Optional[str] = None) -> bool: err = db.update_job_cache( "custom-cert", first_server, - key_cache_path.replace(".hash", "").split("/")[-1], + basename(key_cache_path.replace(".hash", "")), Path(key_path).read_bytes(), checksum=key_hash, ) @@ -99,7 +100,7 @@ def check_cert(cert_path, key_path, first_server: Optional[str] = None) -> bool: err = db.update_job_cache( "custom-cert", first_server, - cert_cache_path.replace(".hash", "").split("/")[-1], + basename(cert_cache_path.replace(".hash", "")), Path(cert_path).read_bytes(), checksum=cert_hash, ) 
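Review bot: `key_cache_path.replace(".hash", "")` removes every occurrence of `.hash` anywhere in the path rather than the trailing extension, so a cache name containing `.hash` elsewhere (for instance `_etc_ssl_my.hash.pem.hash`, constructed example) is mangled, and wrapping the result in `basename` does not change that. The CentOS image in this diff pins Python 3.9, so if the other images are on 3.9 or later as well, `basename(key_cache_path).removesuffix(".hash")` expresses the intent exactly; the same applies to the `cert_cache_path` line in the second hunk. `check_cert` starts outside the hunk, so how `key_cache_path` and `cert_cache_path` are built is not visible here.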
diff --git a/src/common/core/greylist/greylist.lua b/src/common/core/greylist/greylist.lua index cea946b33..d24cd00c6 100644 --- a/src/common/core/greylist/greylist.lua +++ b/src/common/core/greylist/greylist.lua @@ -231,7 +231,7 @@ function greylist:is_greylisted_ua() end function greylist:is_in_cache(ele) - local ok, data = self.cachestore:get("plugin_greylist_" .. ele) + local ok, data = self.cachestore:get("plugin_greylist_" .. ngx.ctx.bw.server_name .. ele) if not ok then return false, data end @@ -239,7 +239,7 @@ function greylist:is_in_cache(ele) end function greylist:add_to_cache(ele, value) - local ok, err = self.cachestore:set("plugin_greylist_" .. ele, value, 86400) + local ok, err = self.cachestore:set("plugin_greylist_" .. ngx.ctx.bw.server_name .. ele, value, 86400) if not ok then return false, err end diff --git a/src/common/core/greylist/jobs/greylist-download.py b/src/common/core/greylist/jobs/greylist-download.py index c5ce106b9..4dcdab421 100755 --- a/src/common/core/greylist/jobs/greylist-download.py +++ b/src/common/core/greylist/jobs/greylist-download.py @@ -23,7 +23,7 @@ from Database import Database from logger import setup_logger from jobs import cache_file, cache_hash, is_cached_file, file_hash -rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE) +rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE) asn_rx = re_compile(rb"^\d+$") uri_rx = re_compile(rb"^/") diff --git a/src/common/core/greylist/plugin.json b/src/common/core/greylist/plugin.json index 4e08ff9f8..a5f28d885 100644 --- a/src/common/core/greylist/plugin.json +++ b/src/common/core/greylist/plugin.json @@ -48,7 +48,7 @@ "help": "List of reverse DNS suffixes, separated with spaces, to put into the greylist.", "id": "greylist-rdns", "label": "Greylist reverse DNS", - "regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$", + "regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$", "type": "text" }, "GREYLIST_RDNS_URLS": { 
diff --git a/src/common/core/misc/jobs/update-check.py b/src/common/core/misc/jobs/update-check.py index 21fff2f30..194c5797a 100644 --- a/src/common/core/misc/jobs/update-check.py +++ b/src/common/core/misc/jobs/update-check.py @@ -27,7 +27,7 @@ try: if current_version != latest_version: logger.warning( - f"\n\n🚨 A new version of BunkerWeb is available: {latest_version} (current: {current_version}) 🚨\n\n", + f"* \n* \n* 🚨 A new version of BunkerWeb is available: {latest_version} (current: {current_version}) 🚨\n* \n* ", ) except: status = 2 diff --git a/src/common/core/realip/jobs/realip-download.py b/src/common/core/realip/jobs/realip-download.py index 4923fb7a3..7843d7fb0 100755 --- a/src/common/core/realip/jobs/realip-download.py +++ b/src/common/core/realip/jobs/realip-download.py @@ -64,8 +64,9 @@ try: logger.info("RealIP is not activated, skipping download...") _exit(0) - # Create directory if it doesn't exist + # Create directories if they don't exist Path("/var/cache/bunkerweb/realip").mkdir(parents=True, exist_ok=True) + Path("/var/tmp/bunkerweb/realip").mkdir(parents=True, exist_ok=True) db = Database( logger, diff --git a/src/common/core/whitelist/jobs/whitelist-download.py b/src/common/core/whitelist/jobs/whitelist-download.py index 9621a54eb..8fce9bff0 100755 --- a/src/common/core/whitelist/jobs/whitelist-download.py +++ b/src/common/core/whitelist/jobs/whitelist-download.py @@ -23,7 +23,7 @@ from Database import Database from logger import setup_logger from jobs import cache_file, cache_hash, is_cached_file, file_hash -rdns_rx = re_compile(rb"^(\.?[a-z\d\-]+)*\.[a-z]{2,}$", IGNORECASE) +rdns_rx = re_compile(rb"^[^ ]+$", IGNORECASE) asn_rx = re_compile(rb"^\d+$") uri_rx = re_compile(rb"^/") diff --git a/src/common/core/whitelist/plugin.json b/src/common/core/whitelist/plugin.json index 54fad023c..7bd2f18e8 100644 --- a/src/common/core/whitelist/plugin.json +++ b/src/common/core/whitelist/plugin.json 
@@ -48,7 +48,7 @@ "help": "List of reverse DNS suffixes, separated with spaces, to whitelist.", "id": "whitelist-rdns", "label": "Whitelist reverse DNS", - "regex": "^( *((\\.([a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,})(?!.* \\3( |$))) *)*$", + "regex": "^( *(([^ ]+)(?!.*\\3( |$))) *)*$", "type": "text" }, "WHITELIST_RDNS_URLS": { diff --git a/src/common/core/whitelist/whitelist.lua b/src/common/core/whitelist/whitelist.lua index 52fdb6f5d..e9e1e8a4b 100644 --- a/src/common/core/whitelist/whitelist.lua +++ b/src/common/core/whitelist/whitelist.lua @@ -189,7 +189,7 @@ function whitelist:check_cache() end function whitelist:is_in_cache(ele) - local ok, data = self.cachestore:get("plugin_whitelist_" .. ele) + local ok, data = self.cachestore:get("plugin_whitelist_" .. ngx.ctx.bw.server_name .. ele) if not ok then return false, data end @@ -197,7 +197,7 @@ function whitelist:is_in_cache(ele) end function whitelist:add_to_cache(ele, value) - local ok, err = self.cachestore:set("plugin_whitelist_" .. ele, value, 86400) + local ok, err = self.cachestore:set("plugin_whitelist_" .. ngx.ctx.bw.server_name .. ele, value, 86400) if not ok then return false, err end diff --git a/src/common/gen/requirements.in b/src/common/gen/requirements.in index 20857ff44..f8aaa5ff2 100644 --- a/src/common/gen/requirements.in +++ b/src/common/gen/requirements.in @@ -1,6 +1,6 @@ -docker==6.0.1 +docker==6.1.1 kubernetes==26.1.0 jinja2==3.1.2 python-dotenv==1.0.0 -requests==2.29.0 -redis==4.5.4 +requests==2.30.0 +redis==4.5.5 diff --git a/src/common/gen/requirements.txt b/src/common/gen/requirements.txt index bfdd725fb..53ed92e22 100644 --- a/src/common/gen/requirements.txt +++ b/src/common/gen/requirements.txt 
@@ -12,9 +12,9 @@ cachetools==5.3.0 \ --hash=sha256:13dfddc7b8df938c21a940dfa6557ce6e94a2f1cdfa58eb90c805721d58f2c14 \ --hash=sha256:429e1a1e845c008ea6c85aa35d4b98b65d6a9763eeef3e37e92728a12d1de9d4 # via google-auth -certifi==2022.12.7 \ - --hash=sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3 \ - --hash=sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18 +certifi==2023.5.7 \ + --hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \ + --hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716 # via # kubernetes # requests @@ -95,9 +95,9 @@ charset-normalizer==3.1.0 \ --hash=sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df \ --hash=sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab # via requests -docker==6.0.1 \ - --hash=sha256:896c4282e5c7af5c45e8b683b0b0c33932974fe6e50fc6906a0a83616ab3da97 \ - --hash=sha256:dbcb3bd2fa80dca0788ed908218bf43972772009b881ed1e20dfc29a65e49782 +docker==6.1.1 \ + --hash=sha256:5ec18b9c49d48ee145a5b5824bb126dc32fc77931e18444783fc07a7724badc0 \ + --hash=sha256:8308b23d3d0982c74f7aa0a3abd774898c0c4fba006e9c3bde4f68354e470fe2 # via -r requirements.in google-auth==2.17.3 \ --hash=sha256:ce311e2bc58b130fddf316df57c9b3943c2a7b4f6ec31de9663a9333e4064efc \ 
@@ -235,13 +235,13 @@ pyyaml==6.0 \ --hash=sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174 \ --hash=sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5 # via kubernetes -redis==4.5.4 \ - --hash=sha256:2c19e6767c474f2e85167909061d525ed65bea9301c0770bb151e041b7ac89a2 \ - --hash=sha256:73ec35da4da267d6847e47f68730fdd5f62e2ca69e3ef5885c6a78a9374c3893 +redis==4.5.5 \ + --hash=sha256:77929bc7f5dab9adf3acba2d3bb7d7658f1e0c2f1cafe7eb36434e751c471119 \ + --hash=sha256:dc87a0bdef6c8bfe1ef1e1c40be7034390c2ae02d92dcd0c7ca1729443899880 # via -r requirements.in -requests==2.29.0 \ - --hash=sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b \ - --hash=sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059 +requests==2.30.0 \ + --hash=sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294 \ + --hash=sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4 # via # -r requirements.in # docker @@ -262,9 +262,9 @@ six==1.16.0 \ # google-auth # kubernetes # python-dateutil -urllib3==1.26.15 \ - --hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \ - --hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42 +urllib3==2.0.2 \ + --hash=sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc \ + --hash=sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e # via # docker # kubernetes diff --git a/src/linux/Dockerfile-centos b/src/linux/Dockerfile-centos index 10d499101..4ddc651b7 100644 --- a/src/linux/Dockerfile-centos +++ b/src/linux/Dockerfile-centos 
@@ -33,6 +33,7 @@ RUN dnf install -y python39-pip brotli brotli-devel wget gperftools-devel perl l
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
 mkdir /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt

 #RUN pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
diff --git a/src/linux/Dockerfile-debian b/src/linux/Dockerfile-debian
index 577f03c02..434b4b8b4 100644
--- a/src/linux/Dockerfile-debian
+++ b/src/linux/Dockerfile-debian
@@ -37,6 +37,7 @@ RUN apt update && \
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
 mkdir /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt

 # Dirty fix to avoid errors with --target and packages same namespace
diff --git a/src/linux/Dockerfile-fedora b/src/linux/Dockerfile-fedora
index ecdef85a3..f05e39b24 100644
--- a/src/linux/Dockerfile-fedora
+++ b/src/linux/Dockerfile-fedora
@@ -31,6 +31,7 @@ RUN dnf install -y python3-pip brotli brotli-devel gperftools-devel perl libxslt
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
 mkdir /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt
 # Dirty fix to avoid errors with --target and packages same namespace
 #cp -r /usr/lib64/python3.10/* /usr/lib/python3.10/ && \
diff --git a/src/linux/Dockerfile-rhel b/src/linux/Dockerfile-rhel
index 67012f0ef..197e21d65 100644
--- a/src/linux/Dockerfile-rhel
+++ b/src/linux/Dockerfile-rhel
@@ -5,7 +5,7 @@ ENV NGINX_VERSION 1.24.0

 # Copy centos repo
 COPY src/linux/centos.repo /etc/yum.repos.d/centos.repo
-RUN sed -i "s/%ARCH%/$(uname -m)/g" src/linux/centos.repo /etc/yum.repos.d/centos.repo
+RUN sed -i "s/%ARCH%/$(uname -m)/g" /etc/yum.repos.d/centos.repo

 # Copy RPM-GPG-KEY-CentOS-Official
 COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
@@ -23,9 +23,9 @@ RUN dnf install -y ruby ruby-devel make gcc redhat-rpm-config rpm-build wget &&
 # Nginx
 COPY src/linux/nginx.repo /etc/yum.repos.d/nginx.repo
 RUN dnf install yum-utils -y && \
- wget https://nginx.org/packages/rhel/8/x86_64/RPMS/nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm && \
- dnf install nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm -y && \
- rm -rf nginx-${NGINX_VERSION}-1.el8.ngx.x86_64.rpm
+ wget https://nginx.org/packages/rhel/8/$(uname -m)/RPMS/nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm && \
+ dnf install nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm -y && \
+ rm -rf nginx-${NGINX_VERSION}-1.el8.ngx.$(uname -m).rpm

 # Copy dependencies sources folder
 COPY src/deps /tmp/bunkerweb/deps
@@ -46,6 +46,7 @@ RUN dnf install -y readline-devel python39-pip brotli brotli-devel gperftools-de
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
 mkdir /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip3.9 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt

 #RUN pip3.10 install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /tmp/bunkerweb/deps/requirements.txt
diff --git a/src/linux/Dockerfile-ubuntu b/src/linux/Dockerfile-ubuntu
index da931b9e4..155228bf0 100644
--- a/src/linux/Dockerfile-ubuntu
+++ b/src/linux/Dockerfile-ubuntu
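Review bot: The rewritten wget/dnf lines still install nginx from a file downloaded during the build, and `dnf install` on a local RPM is not covered by the repository `gpgcheck` unless `localpkg_gpgcheck=1` is set, so the only integrity check on that package is the TLS connection to nginx.org. `src/linux/nginx.repo` is copied into `/etc/yum.repos.d` on the line just above, so the same pinned build should be installable from the repo with its signature verified, `dnf install -y nginx-${NGINX_VERSION}-1.el8.ngx`, and the wget and rm lines dropped; if the direct download has to stay, run `rpm -K` on the file (with the nginx signing key imported) before installing it. Whether that repo file sets `gpgcheck=1` is not visible in this diff and is worth confirming.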
@@ -37,6 +37,7 @@ RUN apt update && \
 chmod +x /tmp/bunkerweb/deps/install.sh && \
 bash /tmp/bunkerweb/deps/install.sh && \
 mkdir /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt

 # Copy files
diff --git a/src/linux/fpm-debian b/src/linux/fpm-debian
index b1a991fe1..011b9a493 100644
--- a/src/linux/fpm-debian
+++ b/src/linux/fpm-debian
@@ -2,7 +2,7 @@
 --name bunkerweb
 --license agpl3
 --version %VERSION%
---architecture amd64
+--architecture %ARCH%
 --depends bash --depends python3 --depends procps --depends python3-pip --depends 'nginx = 1.24.0-1~bullseye' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends lsof
 --description "BunkerWeb %VERSION% for Debian 11"
 --url "https://www.bunkerweb.io"
diff --git a/src/linux/fpm-fedora b/src/linux/fpm-fedora
index f68a9b9aa..07b389fe9 100644
--- a/src/linux/fpm-fedora
+++ b/src/linux/fpm-fedora
@@ -2,8 +2,8 @@
 --name bunkerweb
 --license agpl3
 --version %VERSION%
---architecture x86_64
---depends bash --depends python3 --depends 'nginx = 1:1.24.0-1.fc37' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream
+--architecture %ARCH%
+--depends bash --depends python3 --depends 'nginx = 1:1.24.0-1.fc38' --depends libcurl-devel --depends libxml2 --depends lmdb-libs --depends geoip-devel --depends gd --depends sudo --depends procps --depends lsof --depends nginx-mod-stream --depends pcre
 --description "BunkerWeb %VERSION% for Fedora 38"
 --url "https://www.bunkerweb.io"
 --maintainer "Bunkerity "
diff --git a/src/linux/fpm-rhel b/src/linux/fpm-rhel
index b84e22821..893dc3a6b 100644
--- a/src/linux/fpm-rhel
+++ b/src/linux/fpm-rhel
@@ -2,9 +2,9 @@
 --name bunkerweb
 --license agpl3
 --version %VERSION%
---architecture x86_64
+--architecture %ARCH%
 --depends bash --depends python39 --depends 'nginx = 1:1.24.0-1.el8.ngx' --depends libcurl-devel --depends libxml2 --depends file-libs --depends net-tools --depends gd --depends sudo --depends procps --depends lsof --depends geoip
---description "BunkerWeb %VERSION% for Rhel 8"
+--description "BunkerWeb %VERSION% for RHEL 8"
 --url "https://www.bunkerweb.io"
 --maintainer "Bunkerity "
 --before-install /usr/share/bunkerweb/scripts/beforeInstall.sh
diff --git a/src/linux/fpm-ubuntu b/src/linux/fpm-ubuntu
index b01d35ed0..429c30a5d 100644
--- a/src/linux/fpm-ubuntu
+++ b/src/linux/fpm-ubuntu
@@ -2,6 +2,7 @@
 --name bunkerweb
 --license agpl3
 --version %VERSION%
+--architecture %ARCH%
 --depends bash --depends python3 --depends python3-pip --depends 'nginx = 1.24.0-1~jammy' --depends libcurl4 --depends libgeoip-dev --depends libxml2 --depends libyajl2 --depends libmagic1 --depends net-tools --depends sudo --depends procps --depends lsof
 --description "BunkerWeb %VERSION% for Ubuntu 22.04"
 --url "https://www.bunkerweb.io"
diff --git a/src/linux/fpm.sh b/src/linux/fpm.sh
index bc75586dd..e1b3f0c38 100644
--- a/src/linux/fpm.sh
+++ b/src/linux/fpm.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 VERSION="$(cat /usr/share/bunkerweb/VERSION | tr -d '\n')"
+ARCH="$(uname -m)"
 sed -i "s/%VERSION%/${VERSION}/g" .fpm
+sed -i "s/%ARCH%/${ARCH}/g" .fpm
 fpm -t "$1" -p "/data/bunkerweb.$1"
\ No newline at end of file
diff --git a/src/linux/package.sh b/src/linux/package.sh
index 12ca31e7c..6f8572986 100755
--- a/src/linux/package.sh
+++ b/src/linux/package.sh
@@ -15,12 +15,17 @@ function do_and_check_cmd() {
 return 0
 }

-# Check arg
+# Check args
 if [ "$1" = "" ] ; then
 echo "āŒ Missing distro arg"
 exit 1
 fi
 linux="$1"
+if [ "$2" = "" ] ; then
+ echo "āŒ Missing arch arg"
+ exit 1
+fi
+arch="$2"

 # Create empty directory
 package_dir="${PWD}/package-$linux"
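Review bot: `ARCH="$(uname -m)"` makes fpm.sh stamp the kernel's machine name (`x86_64`, `aarch64`) into `--architecture`, while package.sh (hunk at -30) now names the output file from the `arch` argument the caller supplies, so the architecture recorded inside the package and the one in the file name come from two different sources and can disagree. Debian packages expect `amd64`/`arm64` in that field, and whether fpm rewrites `aarch64` to `arm64` for deb output depends on the fpm version in the image, so the generated control file deserves a check on an arm64 build. Passing the arch into the container and using it here, `ARCH="${2:-$(uname -m)}"`, would keep one source of truth.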
@@ -30,15 +35,18 @@ fi
 do_and_check_cmd mkdir "$package_dir"

 # Generate package
-version="$(cat src/VERSION | tr -d '\n')"
+version="$3"
+if [ -f "src/VERSION" ] ; then
+ version="$(cat src/VERSION | tr -d '\n')"
+fi
 type="deb"
 if [ "$linux" = "fedora" ] || [ "$linux" = "centos" ] || [ "$linux" = "rhel" ] ; then
 type="rpm"
 fi
 do_and_check_cmd docker run --rm -v "${package_dir}:/data" "local/bunkerweb-${linux}:latest" "$type"
-name="bunkerweb_${version}-1_amd64"
+name="bunkerweb_${version}-1_${arch}"
 if [ "$type" = "rpm" ] ; then
- name="bunkerweb-${version}-1.x86_64"
+ name="bunkerweb-${version}-1.${arch}"
 fi
 do_and_check_cmd mv "${package_dir}/bunkerweb.$type" "${package_dir}/${name}.${type}"
diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
index 77e54c48c..95a461947 100644
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@@ -14,6 +14,7 @@ RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev
 pip install --no-cache-dir --upgrade pip && \
 pip install wheel && \
 mkdir -p /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
 pip install --no-cache-dir gunicorn && \
 apk del .build-deps
diff --git a/src/scheduler/requirements.txt b/src/scheduler/requirements.txt
index 52e879a7d..e49cbf0ed 100644
--- a/src/scheduler/requirements.txt
+++ b/src/scheduler/requirements.txt
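Review bot: `version="$3"` is overwritten whenever `src/VERSION` exists, so the new argument only takes effect when the file is missing, which is the opposite of the usual rule that an explicit argument wins; and when both are absent the script carries on with an empty version and produces a file named `bunkerweb_-1_<arch>.deb`. Make the file the fallback instead, `if [ "$version" = "" ] && [ -f "src/VERSION" ] ; then version="$(cat src/VERSION | tr -d '\n')" ; fi`, and reject an empty result the same way the distro and arch arguments are rejected in the hunk above.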
@@ -12,9 +12,9 @@ certbot==2.5.0 \ --hash=sha256:76e6e5305021d3ee54c42fc471f8f0ed5dba790e6fd7fef6713060b0e42b97d7 \ --hash=sha256:a2d730753124508effe79f648264f5cab4d1e9120acfd695a4a0c2b7bab4a966 # via -r requirements.in -certifi==2022.12.7 \ - --hash=sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3 \ - --hash=sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18 +certifi==2023.5.7 \ + --hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \ + --hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716 # via requests cffi==1.15.1 \ --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ @@ -236,9 +236,9 @@ pytz==2023.3 \ # acme # certbot # pyrfc3339 -requests==2.29.0 \ - --hash=sha256:e8f3c9be120d3333921d213eef078af392fba3933ab7ed2d1cba3b56f2568c3b \ - --hash=sha256:f2e34a75f4749019bb0e3effb66683630e4ffeaf75819fb51bebef1bf5aef059 +requests==2.30.0 \ + --hash=sha256:10e94cc4f3121ee6da529d358cdaeaff2f1c409cd377dbc72b825852f2f7e294 \ + --hash=sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4 # via acme schedule==1.2.0 \ --hash=sha256:415908febaba0bc9a7c727a32efb407d646fe994367ef9157d123aabbe539ea8 \ @@ -248,9 +248,9 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via configobj -urllib3==1.26.15 \ - --hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \ - --hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42 +urllib3==2.0.2 \ + --hash=sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc \ + --hash=sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e # via requests # The following packages are considered to be unsafe in a requirements file: diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile index 621335ed6..da9a592d8 100755 
--- a/src/ui/Dockerfile
+++ b/src/ui/Dockerfile
@@ -1,66 +1,67 @@
-FROM python:3.11.3-alpine
-
-# Copy python requirements
-COPY src/ui/requirements.txt /tmp/req/requirements.txt
-COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.1
-COPY src/common/db/requirements.txt /tmp/req/requirements.txt.2
-
-RUN mkdir -p /usr/share/bunkerweb/deps && \
- cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
- rm -rf /tmp/req
-
-# Install python requirements
-RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo file make postgresql-dev && \
- pip install --no-cache-dir --upgrade pip && \
- pip install wheel && \
- mkdir -p /usr/share/bunkerweb/deps/python && \
- pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
- apk del .build-deps
-
-# Copy files
-# can't exclude specific files/dir from . 
so we are copying everything by hand
-COPY src/common/api /usr/share/bunkerweb/api
-COPY src/common/db /usr/share/bunkerweb/db
-COPY src/common/core /usr/share/bunkerweb/core
-COPY src/common/gen /usr/share/bunkerweb/gen
-COPY src/common/settings.json /usr/share/bunkerweb/settings.json
-COPY src/common/utils /usr/share/bunkerweb/utils
-COPY src/ui /usr/share/bunkerweb/ui
-COPY src/VERSION /usr/share/bunkerweb/VERSION
-
-# Add ui user
-RUN apk add --no-cache bash && \
- addgroup -g 101 ui && \
- adduser -h /var/cache/nginx -g ui -s /bin/sh -G ui -D -H -u 101 ui && \
- echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
- mkdir -p /var/tmp/bunkerweb && \
- mkdir -p /etc/bunkerweb && \
- mkdir -p /data/cache && ln -s /data/cache /var/cache/bunkerweb && \
- mkdir -p /data/lib && ln -s /data/lib /var/lib/bunkerweb && \
- mkdir -p /var/log/nginx/ && touch /var/log/nginx/ui.log && \
- for dir in $(echo "configs plugins") ; do mkdir -p "/data/${dir}" && ln -s "/data/${dir}" "/etc/bunkerweb/${dir}" ; done && \
- for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir "/data/${dir}" ; done && \
- chown -R root:ui /data && \
- chmod -R 770 /data && \
- chown -R root:ui /usr/share/bunkerweb /var/cache/bunkerweb /var/lib/bunkerweb /etc/bunkerweb /var/tmp/bunkerweb /var/log/nginx && \
- for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type f -exec chmod 0740 {} \; ; done && \
- for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type d -exec chmod 0750 {} \; ; done && \
- chmod 770 /var/cache/bunkerweb /var/lib/bunkerweb /var/tmp/bunkerweb /var/log/nginx/ui.log && \
- chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
- chmod 660 /usr/share/bunkerweb/INTEGRATION
-
-# Fix CVEs
-RUN apk add 
"libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"
-
-VOLUME /data /etc/nginx
-
-EXPOSE 7000
-
-WORKDIR /usr/share/bunkerweb/ui
-
-USER ui:ui
-
-HEALTHCHECK --interval=10s --timeout=10s --start-period=30s --retries=6 CMD /usr/share/bunkerweb/helpers/healthcheck-ui.sh
-
-ENV PYTHONPATH /usr/share/bunkerweb/deps/python
+FROM python:3.11.3-alpine
+
+# Copy python requirements
+COPY src/ui/requirements.txt /tmp/req/requirements.txt
+COPY src/common/gen/requirements.txt /tmp/req/requirements.txt.1
+COPY src/common/db/requirements.txt /tmp/req/requirements.txt.2
+
+RUN mkdir -p /usr/share/bunkerweb/deps && \
+ cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
+ rm -rf /tmp/req
+
+# Install python requirements
+RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo file make postgresql-dev && \
+ pip install --no-cache-dir --upgrade pip && \
+ pip install wheel && \
+ mkdir -p /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
+ pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
+ apk del .build-deps
+
+# Copy files
+# can't exclude specific files/dir from . 
so we are copying everything by hand
+COPY src/common/api /usr/share/bunkerweb/api
+COPY src/common/db /usr/share/bunkerweb/db
+COPY src/common/core /usr/share/bunkerweb/core
+COPY src/common/gen /usr/share/bunkerweb/gen
+COPY src/common/settings.json /usr/share/bunkerweb/settings.json
+COPY src/common/utils /usr/share/bunkerweb/utils
+COPY src/ui /usr/share/bunkerweb/ui
+COPY src/VERSION /usr/share/bunkerweb/VERSION
+
+# Add ui user
+RUN apk add --no-cache bash && \
+ addgroup -g 101 ui && \
+ adduser -h /var/cache/nginx -g ui -s /bin/sh -G ui -D -H -u 101 ui && \
+ echo "Docker" > /usr/share/bunkerweb/INTEGRATION && \
+ mkdir -p /var/tmp/bunkerweb && \
+ mkdir -p /etc/bunkerweb && \
+ mkdir -p /data/cache && ln -s /data/cache /var/cache/bunkerweb && \
+ mkdir -p /data/lib && ln -s /data/lib /var/lib/bunkerweb && \
+ mkdir -p /var/log/nginx/ && touch /var/log/nginx/ui.log && \
+ for dir in $(echo "configs plugins") ; do mkdir -p "/data/${dir}" && ln -s "/data/${dir}" "/etc/bunkerweb/${dir}" ; done && \
+ for dir in $(echo "configs/http configs/stream configs/server-http configs/server-stream configs/default-server-http configs/default-server-stream configs/modsec configs/modsec-crs") ; do mkdir "/data/${dir}" ; done && \
+ chown -R root:ui /data && \
+ chmod -R 770 /data && \
+ chown -R root:ui /usr/share/bunkerweb /var/cache/bunkerweb /var/lib/bunkerweb /etc/bunkerweb /var/tmp/bunkerweb /var/log/nginx && \
+ for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type f -exec chmod 0740 {} \; ; done && \
+ for dir in $(echo "/usr/share/bunkerweb /etc/bunkerweb") ; do find ${dir} -type d -exec chmod 0750 {} \; ; done && \
+ chmod 770 /var/cache/bunkerweb /var/lib/bunkerweb /var/tmp/bunkerweb /var/log/nginx/ui.log && \
+ chmod 750 /usr/share/bunkerweb/gen/*.py /usr/share/bunkerweb/ui/*.py /usr/share/bunkerweb/ui/src/*.py /usr/share/bunkerweb/deps/python/bin/* && \
+ chmod 660 /usr/share/bunkerweb/INTEGRATION
+
+# Fix CVEs
+RUN apk add 
"libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4"
+
+VOLUME /data /etc/nginx
+
+EXPOSE 7000
+
+WORKDIR /usr/share/bunkerweb/ui
+
+USER ui:ui
+
+HEALTHCHECK --interval=10s --timeout=10s --start-period=30s --retries=6 CMD /usr/share/bunkerweb/helpers/healthcheck-ui.sh
+
+ENV PYTHONPATH /usr/share/bunkerweb/deps/python
 CMD ["python3", "-m", "gunicorn", "--user", "ui", "--group", "ui", "main:app", "--worker-class", "gevent", "--bind", "0.0.0.0:7000", "--graceful-timeout", "0", "--access-logfile", "-", "--error-logfile", "-"]
\ No newline at end of file
diff --git a/src/ui/requirements.in b/src/ui/requirements.in
index 681b32a2d..9cf23173c 100644
--- a/src/ui/requirements.in
+++ b/src/ui/requirements.in
@@ -1,4 +1,4 @@
-Flask==2.3.1
+Flask==2.3.2
 Flask_Login==0.6.2
 Flask_WTF==1.1.1
 beautifulsoup4==4.12.2
diff --git a/src/ui/requirements.txt b/src/ui/requirements.txt
index cf3c3b5ed..f0df09995 100644
--- a/src/ui/requirements.txt
+++ b/src/ui/requirements.txt
@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.11
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 # pip-compile --allow-unsafe --generate-hashes --resolver=backtracking
@@ -39,9 +39,9 @@ click==8.1.3 \ --hash=sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e \ --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 # via flask -flask==2.3.1 \ - --hash=sha256:8ba2a854608fdd603b67dccd4514a46450132227fb9df40127a8d0c1de8769ec \ - --hash=sha256:a6059db4297106e5a64b3215fa16ae641822c1cb97ecb498573549b2478602cb +flask==2.3.2 \ + --hash=sha256:77fd4e1249d8c9923de34907236b747ced06e5467ecac1a7bb7115ae0e9670b0 \ + --hash=sha256:8c2f9abd47a9e8df7f0c3f091ce9497d011dc3b31effcf4c85a6e2b50f4114ef # via # -r requirements.in # flask-login
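Review bot: The HEALTHCHECK runs `/usr/share/bunkerweb/helpers/healthcheck-ui.sh`, but none of the COPY lines in this file put anything under `/usr/share/bunkerweb/helpers`, so unless that directory arrives some other way the check fails and the container reports unhealthy; a `COPY <helpers source dir> /usr/share/bunkerweb/helpers` next to the other `src/common` copies looks like what is missing (source path to be confirmed against the tree). Separately, every line except the final CMD shows as removed and re-added, and the one line left as context is exactly the one with no trailing newline, which points to a CRLF-to-LF conversion rather than a rewrite; the only functional change is the `export MAKEFLAGS="-j$(nproc)"` line. A `.gitattributes` entry (`* text=auto`) would keep future diffs of this file down to the real change.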
@@ -174,6 +174,10 @@ gunicorn==20.1.0 \ --hash=sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e \ --hash=sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8 # via -r requirements.in +importlib-metadata==6.6.0 \ + --hash=sha256:43dd286a2cd8995d5eaef7fee2066340423b818ed3fd70adf0bad5f1fac53fed \ + --hash=sha256:92501cdf9cc66ebd3e612f1b4f0c0765dfa42f0fa38ffb319b6bd84dd675d705 + # via flask itsdangerous==2.1.2 \ --hash=sha256:2c2349112351b88699d8d4b6b075022c0808887cb7ad10069318a8b0bc88db44 \ --hash=sha256:5dbbc68b317e5e42f327f9021763545dc3fc3bfe22e6deb96aaf1fc38874156a @@ -341,9 +345,9 @@ soupsieve==2.4.1 \ --hash=sha256:1c1bfee6819544a3447586c889157365a27e10d88cde3ad3da0cf0ddf646feb8 \ --hash=sha256:89d12b2d5dfcd2c9e8c22326da9d9aa9cb3dfab0a83a024f05704076ee8d35ea # via beautifulsoup4 -werkzeug==2.3.3 \ - --hash=sha256:4866679a0722de00796a74086238bb3b98d90f423f05de039abb09315487254a \ - --hash=sha256:a987caf1092edc7523edb139edb20c70571c4a8d5eed02e0b547b4739174d091 +werkzeug==2.3.4 \ + --hash=sha256:1d5a58e0377d1fe39d061a5de4469e414e78ccb1e1e59c0f5ad6fa1c36c52b76 \ + --hash=sha256:48e5e61472fee0ddee27ebad085614ebedb7af41e88f687aaf881afb723a162f # via # flask # flask-login @@ -351,6 +355,10 @@ wtforms==3.0.1 \ --hash=sha256:6b351bbb12dd58af57ffef05bc78425d08d1914e0fd68ee14143b7ade023c5bc \ --hash=sha256:837f2f0e0ca79481b92884962b914eba4e72b7a2daaf1f939c890ed0124b834b # via flask-wtf +zipp==3.15.0 \ + --hash=sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b \ + --hash=sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556 + # via importlib-metadata zope-event==4.6 \ --hash=sha256:73d9e3ef750cca14816a9c322c7250b0d7c9dbc337df5d1b807ff8d3d0b9e97c \ --hash=sha256:81d98813046fc86cc4136e3698fee628a3282f9c320db18658c21749235fce80 diff --git a/tests/linux/Dockerfile-rhel b/tests/linux/Dockerfile-rhel index aa41ef56a..dd481602e 100644 --- a/tests/linux/Dockerfile-rhel +++ b/tests/linux/Dockerfile-rhel 
@@ -4,7 +4,7 @@ ENV NGINX_VERSION 1.24.0

 # Copy centos repo
 COPY src/linux/centos.repo /etc/yum.repos.d/centos.repo
-RUN sed -i "s/%ARCH%/$(uname -m)/g" src/linux/centos.repo /etc/yum.repos.d/centos.repo
+RUN sed -i "s/%ARCH%/$(uname -m)/g" /etc/yum.repos.d/centos.repo

 # Copy RPM-GPG-KEY-CentOS-Official
 COPY src/linux/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
diff --git a/tests/ui/requirements.txt b/tests/ui/requirements.txt
index 0650e6655..f7f06f366 100644
--- a/tests/ui/requirements.txt
+++ b/tests/ui/requirements.txt
@@ -1,2 +1,2 @@
-selenium==4.9.0
-requests==2.29.0
+selenium==4.9.1
+requests==2.30.0