Update examples with new stack

Théophile Diot 2024-06-26 17:25:43 +01:00
parent 9a9d739aa2
commit a10aea51b4
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
89 changed files with 1681 additions and 1930 deletions


@ -46,3 +46,34 @@ misc/integrations/swarm.mysql.yml:hashicorp-tf-password:69
misc/integrations/swarm.postgres.ui.yml:hashicorp-tf-password:68
misc/integrations/swarm.postgres.ui.yml:hashicorp-tf-password:86
misc/integrations/swarm.postgres.yml:hashicorp-tf-password:67
examples/drupal/docker-compose.yml:hashicorp-tf-password:57
examples/drupal/docker-compose.yml:hashicorp-tf-password:60
examples/joomla/docker-compose.yml:hashicorp-tf-password:50
examples/joomla/docker-compose.yml:hashicorp-tf-password:59
examples/joomla/docker-compose.yml:hashicorp-tf-password:62
examples/magento/docker-compose.yml:hashicorp-tf-password:48
examples/magento/docker-compose.yml:hashicorp-tf-password:56
examples/magento/docker-compose.yml:hashicorp-tf-password:76
examples/magento/docker-compose.yml:hashicorp-tf-password:79
examples/moodle/docker-compose.yml:hashicorp-tf-password:48
examples/moodle/docker-compose.yml:hashicorp-tf-password:54
examples/moodle/docker-compose.yml:hashicorp-tf-password:65
examples/moodle/docker-compose.yml:hashicorp-tf-password:68
examples/nextcloud/docker-compose.yml:hashicorp-tf-password:72
examples/nextcloud/docker-compose.yml:hashicorp-tf-password:79
examples/nextcloud/docker-compose.yml:hashicorp-tf-password:90
examples/nextcloud/docker-compose.yml:hashicorp-tf-password:93
examples/passbolt/docker-compose.yml:hashicorp-tf-password:60
examples/passbolt/docker-compose.yml:hashicorp-tf-password:80
examples/passbolt/docker-compose.yml:hashicorp-tf-password:83
examples/prestashop/docker-compose.yml:hashicorp-tf-password:65
examples/prestashop/docker-compose.yml:hashicorp-tf-password:68
examples/redmine/docker-compose.yml:hashicorp-tf-password:47
examples/redmine/docker-compose.yml:hashicorp-tf-password:57
examples/redmine/docker-compose.yml:hashicorp-tf-password:60
examples/web-ui/docker-compose.wizard.yml:hashicorp-tf-password:57
examples/wordpress/docker-compose.yml:hashicorp-tf-password:62
examples/web-ui/docker-compose.yml:hashicorp-tf-password:52
examples/wordpress/docker-compose.yml:hashicorp-tf-password:72
examples/wordpress/docker-compose.yml:hashicorp-tf-password:75
examples/web-ui/docker-compose.yml:hashicorp-tf-password:64
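Review bot: The 31 `examples/...` entries added after the three `misc/integrations` ones suppress `hashicorp-tf-password` findings by file and line number, e.g. `examples/drupal/docker-compose.yml:hashicorp-tf-password:57`. They stop matching as soon as a compose file gains or loses a line, and a stale entry can then hide an unrelated value that lands on that line. This looks like a secret-scanner ignore list; if the scanner's configuration supports a path-scoped allowlist for `examples/`, that would be sturdier than line-bound fingerprints. The last six entries also interleave `web-ui` and `wordpress`; keeping the list sorted by path would make later review easier.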


@ -1,5 +1,3 @@
version: "3"
services:
# APPLICATIONS
app1:
@ -43,17 +41,17 @@ services:
# AUTHELIA
authelia:
image: authelia/authelia:4
networks:
bw-services:
aliases:
- authelia
container_name: authelia
volumes:
- ./authelia:/config
restart: unless-stopped
environment:
TZ: "Europe/Paris"
restart: "unless-stopped"
healthcheck:
disable: true
environment:
- TZ=Europe/Paris
networks:
- authelia-redis
- bw-services
labels:
- bunkerweb.SERVER_NAME=auth.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
@ -63,19 +61,20 @@ services:
redis:
image: redis:7-alpine
networks:
bw-services:
aliases:
- redis
volumes:
- ./redis:/data
container_name: redis
expose:
- 6379
restart: unless-stopped
- "6379:6379"
volumes:
- redis-data:/data
environment:
- TZ=Europe/Paris
TZ: "Europe/Paris"
restart: "unless-stopped"
networks:
- authelia-redis
networks:
bw-services:
external: true
name: bw-services
authelia-redis:
name: authelia-redis
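Review bot: In the `redis` service the `expose:` key appears to end up holding `- "6379:6379"` on the new side (the `+`/`-` markers are lost on this page, so this is read from the print order). A `HOST:CONTAINER` pair is `ports` syntax, so under `expose` it is either rejected or not what was meant. Switching the key to `ports` to make it work would publish on the host a Redis that shows no password setting in this hunk. Since Redis now sits on the dedicated `authelia-redis` network, `expose:` with `- "6379"`, or no entry at all, is enough. The same entry appears in the BunkerWeb-fronted Authelia compose file later in this commit.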


@ -1,69 +1,59 @@
version: "3.4"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE=yes"
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to auth_request URI
- REVERSE_PROXY_URL_999=/authelia
- REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
# Authelia
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
networks:
- bw-universe
- bw-docker
- bunkerweb
volumes:
- bw-data:/data
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "auth.example.com app1.example.com app2.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
# Proxy to auth_request URI
REVERSE_PROXY_URL_999: "/authelia"
REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
REVERSE_PROXY_HEADERS_999: "X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
# Authelia
auth.example.com_REVERSE_PROXY_URL: "/"
auth.example.com_REVERSE_PROXY_HOST: "http://authelia:9091"
auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
# Applications
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
app1.example.com_REVERSE_PROXY_HEADERS: "Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
app2.example.com_REVERSE_PROXY_HEADERS: "Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"
restart: "unless-stopped"
networks:
- bw-docker
- bw-universe
# APPLICATIONS
app1:
@ -79,31 +69,34 @@ services:
authelia:
image: authelia/authelia:4
container_name: authelia
networks:
- bw-services
volumes:
- ./authelia:/config
restart: unless-stopped
environment:
TZ: "Europe/Paris"
restart: "unless-stopped"
healthcheck:
disable: true
environment:
- TZ=Europe/Paris
networks:
- authelia-redis
- bw-services
redis:
image: redis:7-alpine
container_name: redis
networks:
- bw-services
volumes:
- ./redis:/data
expose:
- 6379
restart: unless-stopped
- "6379:6379"
volumes:
- redis-data:/data
environment:
- TZ=Europe/Paris
TZ: "Europe/Paris"
restart: "unless-stopped"
networks:
- authelia-redis
volumes:
bw-data:
redis-data:
networks:
bw-universe:
@ -113,4 +106,6 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
authelia-redis:
name: authelia-redis
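Review bot: `API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"` is now written twice in this file, once under `bunkerweb` and once under `bw-scheduler`, and the same pair recurs in the authentik, BigBlueButton and certbot examples of this commit. The value controls which peers may call the BunkerWeb internal API, so if the two copies drift apart the scheduler could be locked out or the API left open to a wider range than intended. The HAProxy example in this commit already shares the value through `x-env: &env` and `<<: *env`; using the same anchor here would keep a single source of truth.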


@ -1,5 +1,3 @@
version: "3"
services:
# APPLICATIONS
app1:


@ -3,3 +3,4 @@ AUTHENTIK_SECRET_KEY=changeme
AUTHENTIK_COOKIE_DOMAIN=example.com
AUTHENTIK_BOOTSTRAP_PASSWORD=changeme
AUTHENTIK_BOOTSTRAP_TOKEN=changeme
AUTHENTIK_LOG_LEVEL=trace
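Review bot: `AUTHENTIK_LOG_LEVEL=trace`, which looks like the line this hunk adds, sets the identity provider to its most verbose log level in an example people copy as-is. Trace output of an authentication service can include request details and other sensitive data, so the shipped default is better left at `info` with trace as an opt-in, for example `# AUTHENTIK_LOG_LEVEL=trace  # debugging only, may log sensitive data`. The neighbouring `changeme` values for the secret key, bootstrap password and bootstrap token would also benefit from a comment saying they must be replaced before first start.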


@ -1,78 +1,89 @@
version: "3.4"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE=yes"
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to outpost
- REVERSE_PROXY_URL_999=/outpost.goauthentik.io
- REVERSE_PROXY_HOST_999=http://server:9000
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
- REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
- REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
# Authentik
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://server:9000
- auth.example.com_REVERSE_PROXY_WS=yes
- auth.example.com_LIMIT_REQ_URL_1=^/api/
- auth.example.com_LIMIT_REQ_RATE_1=5r/s
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
- auth.example.com_ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
- auth.example.com_COOKIE_FLAGS=* SameSite=Lax
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app1.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app1.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- app2.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
networks:
- bw-universe
- bw-docker
- bunkerweb
volumes:
- bw-data:/data
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "auth.example.com app1.example.com app2.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_KEEPALIVE: "yes"
# Proxy to outpost
REVERSE_PROXY_URL_999: "/outpost.goauthentik.io"
REVERSE_PROXY_HOST_999: "http://server:9000"
REVERSE_PROXY_HEADERS_999: "X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\";Connection $$connection_upgrade_keepalive"
REVERSE_PROXY_HEADERS_CLIENT_999: "Set-Cookie $$auth_cookie"
REVERSE_PROXY_AUTH_REQUEST_SET_999: "$$auth_cookie $$upstream_http_set_cookie"
REVERSE_PROXY_PASS_REQUEST_BODY_999: "no"
# Authentik
auth.example.com_REVERSE_PROXY_URL: "/"
auth.example.com_REVERSE_PROXY_HOST: "http://server:9000"
auth.example.com_REVERSE_PROXY_WS: "yes"
auth.example.com_LIMIT_REQ_URL_1: "^/api/"
auth.example.com_LIMIT_REQ_RATE_1: "5r/s"
auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
auth.example.com_ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE|PATCH"
auth.example.com_COOKIE_FLAGS: "* SameSite=Lax"
# Applications
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/outpost.goauthentik.io/auth/nginx"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app1.example.com_REVERSE_PROXY_HEADERS_CLIENT: "Set-Cookie $$auth_cookie"
app1.example.com_REVERSE_PROXY_HEADERS: "Connection $$connection_upgrade_keepalive;X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
app1.example.com_ERRORS: "401=@goauthentik_proxy_signin"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/outpost.goauthentik.io/auth/nginx"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app2.example.com_REVERSE_PROXY_HEADERS_CLIENT: "Set-Cookie $$auth_cookie"
app2.example.com_REVERSE_PROXY_HEADERS: "Connection $$connection_upgrade_keepalive;X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
app2.example.com_ERRORS: "401=@goauthentik_proxy_signin"
# Custom configuration
CUSTOM_CONF_HTTP_connection_upgrade_keepalive: |
map $$http_upgrade $$connection_upgrade_keepalive {
default upgrade;
'' '';
}
CUSTOM_CONF_SERVER_HTTP_goauthentik_proxy_signin: |
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $$auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$$scheme://$$http_host$$request_uri;
}
restart: "unless-stopped"
networks:
- bw-docker
- bw-universe
# APPLICATIONS
app1:
@ -86,12 +97,14 @@ services:
# AUTHENTIK SERVICES
postgresql:
image: docker.io/library/postgres:12-alpine
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
networks:
- bw-services
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
test:
[
"CMD-SHELL",
"pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
]
start_period: 20s
interval: 30s
retries: 5
@ -99,30 +112,30 @@ services:
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
networks:
- authentik-net
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
networks:
- bw-services
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
restart: unless-stopped
networks:
- bw-services
- authentik-net
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
@ -130,21 +143,23 @@ services:
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
volumes:
- ./media:/media
- ./custom-templates:/templates
- geoip:/geoip
- media:/media
- custom-templates:/templates
env_file:
- .env
# ports:
# - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
# - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
restart: unless-stopped
# - "${COMPOSE_PORT_HTTP:-9000}:9000"
# - "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
networks:
- authentik-net
- bw-services
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
@ -152,36 +167,34 @@ services:
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
# This is optional, and can be removed. If you remove this, the following will happen
# - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
# - The docker socket can't be accessed anymore
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- ./media:/media
- ./certs:/certs
- /var/run/docker.sock:/var/run/docker.sock
- ./custom-templates:/templates
- geoip:/geoip
- media:/media
- certs:/certs
- custom-templates:/templates
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
depends_on:
- postgresql
- redis
networks:
- bw-services
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
env_file:
- .env
- authentik-net
volumes:
bw-data:
database:
redis:
geoip:
media:
certs:
custom-templates:
networks:
bw-universe:
@ -191,4 +204,6 @@ networks:
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
authentik-net:
name: authentik-net
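Review bot: The `worker` service keeps `user: root` and, as far as the print order shows, the read-write `/var/run/docker.sock:/var/run/docker.sock` mount, even though this commit removes `bw-docker-proxy`, which mounted the socket `:ro` behind a filtering proxy. Root plus a writable Docker socket is equivalent to root on the host, and nothing visible in this example uses authentik's Docker integration (the outpost is reached at `http://server:9000`). The new comment already calls both optional, so for an example file I would ship the mount commented out, e.g. `# - /var/run/docker.sock:/var/run/docker.sock  # only for the Docker outpost integration`. A short comment next to `user: root` should say what breaks without it.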


@ -1,5 +1,3 @@
version: "3"
services:
myapp1:
image: nginxdemos/nginx-hello


@ -1,23 +1,16 @@
version: "3"
x-env: &env
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
# real IP settings
USE_REAL_IP: "yes"
REAL_IP_FROM: "10.10.10.0/24"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp:8080
# real IP settings
- USE_REAL_IP=yes
- REAL_IP_FROM=10.10.10.0/24
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
<<: *env
restart: "unless-stopped"
networks:
- net-proxy
- bw-universe
@ -25,30 +18,30 @@ services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
<<: *env
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domains
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myapp:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myproxy:
image: haproxy:2.7.0
image: haproxy:3.0-alpine
ports:
- 80:8080
- "80:8080"
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
networks:
@ -62,6 +55,7 @@ services:
volumes:
bw-data:
networks:
bw-universe:
ipam:
@ -74,4 +68,3 @@ networks:
config:
- subnet: 10.10.10.0/24
bw-services:
bw-docker:
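Review bot: The shared `x-env` block sets `REAL_IP_FROM: "10.10.10.0/24"`, which makes BunkerWeb accept the client address from forwarding headers sent by any host in that range, not only by HAProxy. In this example that is presumably the whole `net-proxy` subnet, so every container later attached to that network can claim an arbitrary client IP and sidestep IP-based rules. A comment above the setting would make the trust decision explicit: `# trust forwarded client IPs only from the reverse proxy; narrow this to HAProxy's address where it is fixed`.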


@ -11,4 +11,4 @@ frontend http_front
backend http_back
mode http
option forwardfor
server server01 mybunker:8080
server server01 bunkerweb:8080


@ -1,5 +1,3 @@
version: '3.6'
# clone the repository https://github.com/bigbluebutton/docker into the root directory and run the following command: ./scripts/setup
# when executing the file ./scripts/setup do this:
@ -26,24 +24,15 @@ services:
...
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=${DOMAIN}
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_WS=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://10.7.7.253:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
# You have to put this IP address in your docker-compose.yml file
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
bbb-net:
ipv4_address: 10.7.7.254
@ -51,25 +40,25 @@ services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
networks:
bw-universe:
bw-docker:
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "${DOMAIN}"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_WS: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://10.7.7.253:8080"
restart: "unless-stopped"
networks:
- bw-docker
- bw-universe
...
@ -84,4 +73,3 @@ networks:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
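Review bot: The comment `# You have to put this IP address in your docker-compose.yml file` is printed between the removed `labels` entry and the new `API_WHITELIST_IP` line, so if it survives on the new side it now reads as if it described the API whitelist. It presumably refers to `ipv4_address: 10.7.7.254` under `bbb-net`; moving it directly above that line, or rewording it to name the address, keeps readers from editing the whitelist by mistake. The markers are lost on this page, so the exact position should be checked against the file.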


@ -1,65 +1,53 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
volumes:
- certs:/certs
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
- certs:/certs
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
USE_CUSTOM_SSL: "yes"
CUSTOM_SSL_CERT: "/certs/live/example.com/fullchain.pem"
CUSTOM_SSL_KEY: "/certs/live/example.com/privkey.pem"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app3.example.com_REVERSE_PROXY_URL: "/"
app3.example.com_REVERSE_PROXY_HOST: "http://app3:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mycertbot:
image: certbot/dns-cloudflare:v2.0.0
image: certbot/dns-cloudflare:v2.11.0
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
DOMAINS: "*.example.com,example.com"
EMAIL: "contact@example.com"
volumes:
- certs:/etc/letsencrypt
- ./cloudflare.ini:/opt/cloudflare.ini
@ -85,11 +73,13 @@ volumes:
bw-data:
certs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services
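Review bot: The DNS credentials file is bind-mounted read-write into the certbot container (`- ./cloudflare.ini:/opt/cloudflare.ini`), and the `certs` volume holding `privkey.pem` is now mounted into `bw-scheduler` without a mode as well. certbot only needs to read the token file, so `- ./cloudflare.ini:/opt/cloudflare.ini:ro` costs nothing; if the scheduler only reads the certificate and key, `- certs:/certs:ro` would keep the writer (certbot) and the reader apart. The same applies to `./digitalocean.ini` and `./google.json` in the two sibling examples that follow. The `mycertbot` service continues past the end of the hunk.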


@ -1,65 +1,53 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
volumes:
- certs:/certs
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
- certs:/certs
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
USE_CUSTOM_SSL: "yes"
CUSTOM_SSL_CERT: "/certs/live/example.com/fullchain.pem"
CUSTOM_SSL_KEY: "/certs/live/example.com/privkey.pem"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app3.example.com_REVERSE_PROXY_URL: "/"
app3.example.com_REVERSE_PROXY_HOST: "http://app3:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mycertbot:
image: certbot/dns-digitalocean:v2.0.0
image: certbot/dns-digitalocean:v2.11.0
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
DOMAINS: "*.example.com,example.com"
EMAIL: "contact@example.com"
volumes:
- certs:/etc/letsencrypt
- ./digitalocean.ini:/opt/digitalocean.ini
@ -85,11 +73,13 @@ volumes:
bw-data:
certs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services


@ -1,65 +1,53 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
volumes:
- certs:/certs
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
- certs:/certs
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
USE_CUSTOM_SSL: "yes"
CUSTOM_SSL_CERT: "/certs/live/example.com/fullchain.pem"
CUSTOM_SSL_KEY: "/certs/live/example.com/privkey.pem"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app3.example.com_REVERSE_PROXY_URL: "/"
app3.example.com_REVERSE_PROXY_HOST: "http://app3:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mycertbot:
image: certbot/dns-google:v2.0.0
image: certbot/dns-google:v2.11.0
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
DOMAINS: "*.example.com,example.com"
EMAIL: "contact@example.com"
volumes:
- certs:/etc/letsencrypt
- ./google.json:/opt/google.json
@ -85,11 +73,13 @@ volumes:
bw-data:
certs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services


@ -1,65 +1,53 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
volumes:
- certs:/certs
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
- certs:/certs
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
USE_CUSTOM_SSL: "yes"
CUSTOM_SSL_CERT: "/certs/live/example.com/fullchain.pem"
CUSTOM_SSL_KEY: "/certs/live/example.com/privkey.pem"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app3.example.com_REVERSE_PROXY_URL: "/"
app3.example.com_REVERSE_PROXY_HOST: "http://app3:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mycertbot:
image: certbot/dns-ovh:v2.0.0
image: certbot/dns-ovh:v2.11.0
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
DOMAINS: "*.example.com,example.com"
EMAIL: "contact@example.com"
volumes:
- certs:/etc/letsencrypt
- ./ovh.ini:/opt/ovh.ini
@ -85,11 +73,13 @@ volumes:
bw-data:
certs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services
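Review bot: The `certs` volume that holds `privkey.pem` is mounted read-write into `bw-scheduler` (`- certs:/certs`), although nothing in this file shows the scheduler writing to it; only `mycertbot` needs write access. Mounting it as `- certs:/certs:ro` would keep a compromised scheduler from replacing the key or certificate. The DNS plugin credentials could get the same treatment, `- ./ovh.ini:/opt/ovh.ini:ro`. The next file section (the route53 variant with `./aws.ini`) has the same two mounts.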


@ -1,65 +1,53 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
volumes:
- certs:/certs
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- USE_CUSTOM_SSL=yes
- CUSTOM_SSL_CERT=/certs/live/example.com/fullchain.pem
- CUSTOM_SSL_KEY=/certs/live/example.com/privkey.pem
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
- app3.example.com_REVERSE_PROXY_URL=/
- app3.example.com_REVERSE_PROXY_HOST=http://app3:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bbw-scheduler:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
- certs:/certs
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
USE_CUSTOM_SSL: "yes"
CUSTOM_SSL_CERT: "/certs/live/example.com/fullchain.pem"
CUSTOM_SSL_KEY: "/certs/live/example.com/privkey.pem"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app3.example.com_REVERSE_PROXY_URL: "/"
app3.example.com_REVERSE_PROXY_HOST: "http://app3:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mycertbot:
image: certbot/dns-google:v2.0.0
image: certbot/dns-route53:v2.11.0
environment:
- DOMAINS=*.example.com,example.com
- EMAIL=contact@example.com
DOMAINS: "*.example.com,example.com"
EMAIL: "contact@example.com"
volumes:
- certs:/etc/letsencrypt
- ./aws.ini:/opt/aws.ini
@ -85,11 +73,13 @@ volumes:
bw-data:
certs:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services


@ -1,8 +1,6 @@
version: "3"
services:
myapp1:
image: php:fpm
image: php:fpm-alpine3.19
networks:
bw-services:
aliases:
@ -21,7 +19,7 @@ services:
- bunkerweb.REMOTE_PHP_PATH=/app
myapp2:
image: php:fpm
image: php:fpm-alpine3.19
networks:
bw-services:
aliases:
@ -38,7 +36,7 @@ services:
- bunkerweb.REMOTE_PHP_PATH=/app
myapp3:
image: php:fpm
image: php:fpm-alpine3.19
networks:
bw-services:
aliases:


@ -1,11 +1,10 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
@ -15,52 +14,43 @@ services:
volumes:
- ./www:/var/www/html
environment:
- SERVER_NAME=app1.example.com app2.example.com app3.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- app1.example.com_USE_CORS=yes
- app1.example.com_CORS_ALLOW_ORIGIN=^https://app2\.example\.com$$
- app1.example.com_ALLOWED_METHODS=GET|POST|HEAD|OPTIONS
- app1.example.com_REMOTE_PHP=myapp1
- app1.example.com_REMOTE_PHP_PATH=/app
- app2.example.com_REMOTE_PHP=myapp2
- app2.example.com_REMOTE_PHP_PATH=/app
- app3.example.com_REMOTE_PHP=myapp3
- app3.example.com_REMOTE_PHP_PATH=/app
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com app3.example.com" # replace with your domains
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
MULTISITE: "yes"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
app1.example.com_USE_CORS: "yes"
app1.example.com_CORS_ALLOW_ORIGIN: "^https://app2\\.example\\.com$$"
app1.example.com_ALLOWED_METHODS: "GET|POST|HEAD|OPTIONS"
app1.example.com_REMOTE_PHP: "myapp1"
app1.example.com_REMOTE_PHP_PATH: "/app"
app2.example.com_REMOTE_PHP: "myapp2"
app2.example.com_REMOTE_PHP_PATH: "/app"
app3.example.com_REMOTE_PHP: "myapp3"
app3.example.com_REMOTE_PHP_PATH: "/app"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myapp1:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -71,7 +61,7 @@ services:
- bw-services
myapp2:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -82,7 +72,7 @@ services:
- bw-services
myapp3:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -92,14 +82,16 @@ services:
networks:
- bw-services
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
volumes:
bw-data:
name: bw-services
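Review bot: The permission comments under each `myappN` service still give the php:fpm user as 33:33, but the image on the line above was switched to `php:fpm-alpine3.19`, where `www-data` is 82:82 in the official Alpine variants (worth confirming with `id www-data` in the image). Anyone following the comment would set ownership of `./www` for the wrong UID/GID. The comment should read `# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm-alpine (82:82) are not the same ⚠️` in all three hunks. The service definitions continue outside the hunks shown.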


@ -1,28 +1,41 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://myapp1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://myapp2:8080
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
MULTISITE: "yes"
SERVER_NAME: "app1.example.com app2.example.com" # replace with your domains
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://myapp1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://myapp2:8080"
# global config applied at server context
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
CUSTOM_CONF_SERVER_HTTP_hello-world: |
location /hello {
default_type 'text/plain';
content_by_lua_block {
@ -30,49 +43,23 @@ services:
}
}
# site configs applied at server context
- |
app1.example.com_CUSTOM_CONF_SERVER_HTTP_dummy=
app1.example.com_CUSTOM_CONF_SERVER_HTTP_dummy: |
location = /app1 {
default_type 'text/plain';
content_by_lua_block {
ngx.say('hello app1')
}
}
- |
app2.example.com_CUSTOM_CONF_SERVER_HTTP_dummy=
app2.example.com_CUSTOM_CONF_SERVER_HTTP_dummy: |
location = /app2 {
default_type 'text/plain';
content_by_lua_block {
ngx.say('hello app2')
}
}
labels:
- "bunkerweb.INSTANCE=yes"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myapp1:
image: nginxdemos/nginx-hello
@ -87,11 +74,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,8 +1,6 @@
version: "3"
services:
mydrupal:
image: drupal:9.4-apache
image: drupal:10-apache
networks:
bw-services:
aliases:
@ -24,7 +22,7 @@ services:
CUSTOM_CONF_MODSEC_CRS_drupal=SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_drupal=1"
mydb:
image: mariadb:10.10
image: mariadb:11
networks:
bw-services:
aliases:


@ -1,12 +1,26 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
@ -21,36 +35,12 @@ services:
# Once the installation is done, you can remove these lines
LIMIT_REQ_URL_1: "/core/install.php"
LIMIT_REQ_RATE_1: "5r/s"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
DOCKER_HOST: "tcp://bw-docker-proxy:2375"
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mydrupal:
image: drupal:9.4-apache
image: drupal:10-apache
volumes:
- ./drupal-modules:/var/www/html/modules
- ./drupal-profiles:/var/www/html/profiles
@ -60,14 +50,14 @@ services:
- bw-services
mydb:
image: mariadb:10.10
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "drupaldb"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password
networks:
- bw-services
@ -78,9 +68,10 @@ volumes:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
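Review bot: `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` in `mydb` are literal placeholder values, so a user who copies the file and skips the inline comment starts a database with credentials published in this repository. Compose can make that fail instead: `MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?set in .env}"`, and the same form for `MYSQL_PASSWORD`. The Joomla and Magento compose sections further down carry the same literals (plus `MAGENTO_PASSWORD: "changeme42"`), and the Joomla comment already points to a `.env` file that a literal value never reads. It would also allow the secret-scanner ignore entries this commit adds for these files to be dropped.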


@ -13,7 +13,7 @@ else
echo "❌ No PHP user found"
exit 1
fi
curl https://ftp.drupal.org/files/projects/drupal-9.5.3.tar.gz -Lo /tmp/drupal.tar.gz
curl https://ftp.drupal.org/files/projects/drupal-10.2.6.tar.gz -Lo /tmp/drupal.tar.gz
tar -xzf /tmp/drupal.tar.gz -C /tmp
current_dir="$(pwd)"
cd /tmp/drupal-* || exit 1


@ -1,8 +1,6 @@
version: "3"
services:
mydrupal:
image: drupal:9.4-apache
image: drupal:10-apache
networks:
- bw-services
volumes:
@ -24,7 +22,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_1=5r/s
mydb:
image: mariadb:10.10
image: mariadb:11
networks:
- bw-services
volumes:


@ -1,8 +1,6 @@
version: "3"
services:
myghost:
image: ghost:5.25-alpine
image: ghost:5-alpine
volumes:
- ghost-data:/var/lib/ghost/content
networks:
@ -10,8 +8,8 @@ services:
aliases:
- myghost
environment:
- url=https://www.example.com # replace with your domain
- NODE_ENV=development
url: "https://www.example.com" # replace with your domain
NODE_ENV: "development"
labels:
- bunkerweb.SERVER_NAME=www.example.com # replace with your domain
- bunkerweb.USE_REVERSE_PROXY=yes
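Review bot: `NODE_ENV: "development"` is kept on a service published under a public `https://` URL, with no comment saying why. Presumably it is there so Ghost can run on its bundled SQLite database, but development mode is not meant for an Internet-facing site, and readers will copy it as is. A comment such as `# development mode only for this demo (SQLite); switch to production with a MySQL database before exposing the site` would make that explicit. The same line appears in the two following Ghost sections (docker-compose and swarm variants).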


@ -1,57 +1,47 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myghost:2368
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myghost:2368"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myghost:
image: ghost:5.25-alpine
image: ghost:5-alpine
volumes:
- ghost-data:/var/lib/ghost/content
environment:
- url=https://www.example.com # replace with your domain
- NODE_ENV=development
url: "https://www.example.com" # replace with your domain
NODE_ENV: "development"
networks:
- bw-services
@ -59,11 +49,13 @@ volumes:
bw-data:
ghost-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,15 +1,13 @@
version: "3"
services:
myghost:
image: ghost:5.25-alpine
image: ghost:5-alpine
volumes:
- ghost_data:/var/lib/ghost/content
networks:
- bw-services
environment:
- url=https://www.example.com # replace with your domain
- NODE_ENV=development
url: "https://www.example.com" # replace with your domain
NODE_ENV: "development"
deploy:
placement:
constraints:


@ -1,8 +1,6 @@
version: "3"
services:
mygogs:
image: gogs/gogs:0.12
image: gogs/gogs:0.13
volumes:
- ./gogs-data:/data
networks:


@ -1,56 +1,46 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mygogs:3000
- REVERSE_PROXY_HEADERS_1=Authorization $http_authorization
- MAX_CLIENT_SIZE=1G
- |
CUSTOM_CONF_MODSEC_CRS_gogs=SecAction "id:900220,phase:1,nolog,pass,t:none,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mygogs:3000"
REVERSE_PROXY_HEADERS_1: "Authorization $$http_authorization"
MAX_CLIENT_SIZE: "1G"
CUSTOM_CONF_MODSEC_CRS_gogs: |
SecAction "id:900220,phase:1,nolog,pass,t:none,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mygogs:
image: gogs/gogs:0.12
image: gogs/gogs:0.13
volumes:
- ./gogs-data:/data
networks:
@ -59,11 +49,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
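Review bot: `REVERSE_PROXY_HEADERS_1: "Authorization $$http_authorization"` relies on Compose turning `$$` into a literal `$`, and nothing in the file says so. A reader tidying it to a single `$` would have Compose substitute an unset variable, and the forwarded header value would be lost. A short comment above the line, `# $$ is Compose's escape for a literal $ (nginx variable, not a Compose variable)`, would protect it.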


@ -1,8 +1,6 @@
version: "3"
services:
mygogs:
image: gogs/gogs:0.12
image: gogs/gogs:0.13
volumes:
- gogs_data:/data/gogs/data
networks:


@ -1,8 +1,7 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
# dropping all capabilities
cap_drop:
- ALL
@ -19,46 +18,37 @@ services:
- /var/cache/bunkerweb:mode=0770,uid=0,gid=101
- /etc/nginx:mode=0770,uid=0,gid=101
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp:8080
- REMOTE_PHP_PATH=/app
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myapp:8080"
REMOTE_PHP_PATH: "/app"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myapp:
image: nginxdemos/nginx-hello
@ -68,11 +58,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
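Review bot: `REMOTE_PHP_PATH: "/app"` in the `bw-scheduler` environment appears to be a leftover. The example proxies to `http://myapp:8080` with `USE_REVERSE_PROXY` and sets no `REMOTE_PHP`, so as far as this file shows the path is never used. Dropping the line keeps the hardening example limited to settings that take effect. Part of the `bunkerweb` service lies between the two hunks and is not visible here.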


@ -1,8 +1,6 @@
version: "3"
services:
myjoomla:
image: joomla:4-apache
image: joomla:5-apache
networks:
bw-services:
aliases:
@ -25,7 +23,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_2=8r/s
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks:


@ -1,12 +1,26 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
@ -21,67 +35,46 @@ services:
LIMIT_REQ_RATE_1: "8r/s"
LIMIT_REQ_URL_2: "/installation/index.php"
LIMIT_REQ_RATE_2: "8r/s"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
DOCKER_HOST: "tcp://bw-docker-proxy:2375"
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myjoomla:
image: joomla:4-apache
image: joomla:5-apache
volumes:
- joomla-data:/var/www/html
environment:
- JOOMLA_DB_HOST=mydb
- JOOMLA_DB_NAME=joomla_db
- JOOMLA_DB_USER=user
- JOOMLA_DB_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
JOOMLA_DB_HOST: "mydb"
JOOMLA_DB_NAME: "joomla_db"
JOOMLA_DB_USER: "user"
JOOMLA_DB_PASSWORD: "db-user-pwd" # set a stronger password in a .env file (must match MYSQL_PASSWORD)
networks:
- bw-services
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomla_db
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "joomla_db"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
networks:
- bw-services
volumes:
bw-data:
joomla-data:
db-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -13,7 +13,7 @@ else
echo "❌ No PHP user found"
exit 1
fi
curl https://downloads.joomla.org/fr/cms/joomla4/4-1-5/Joomla_4-1-5-Stable-Full_Package.zip?format=zip -Lo /tmp/joomla.zip
curl https://downloads.joomla.org/fr/cms/joomla5/5-1-1/Joomla_5-1-1-Stable-Full_Package.zip?format=zip -Lo /tmp/joomla.zip
unzip -qq /tmp/joomla.zip -d /var/www/html
chown -R $user:nginx /var/www/html
find /var/www/html -type f -exec chmod 0640 {} \;


@ -1,8 +1,6 @@
version: "3"
services:
myjoomla:
image: joomla:4-apache
image: joomla:5-apache
networks:
- bw-services
volumes:
@ -27,7 +25,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_2=8r/s
mydb:
image: mariadb
image: mariadb:11
networks:
- bw-services
volumes:


@ -1,56 +1,45 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://app
- |
CUSTOM_CONF_HTTP_upstream=
upstream app {
server app1:8080;
server app2:8080;
server app3:8080;
}
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://app"
CUSTOM_CONF_HTTP_upstream: |
upstream app {
server app1:8080;
server app2:8080;
server app3:8080;
}
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: nginxdemos/nginx-hello
@ -70,11 +59,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,5 +1,3 @@
version: "3"
services:
mymagento:
image: bitnami/magento:2
@ -44,7 +42,7 @@ services:
- elasticsearch-data:/bitnami/elasticsearch/data
mydb:
image: mariadb:10.2
image: mariadb:11
networks:
bw-services:
aliases:


@ -1,72 +1,62 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mymagento:8080
- |
CUSTOM_CONF_SERVER_HTTP_magento=
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mymagento:8080"
CUSTOM_CONF_SERVER_HTTP_magento: |
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mymagento:
image: bitnami/magento:2
volumes:
- magento-data:/bitnami/magento
environment:
- MAGENTO_USERNAME=admin # replace with admin username
- MAGENTO_PASSWORD=changeme42 # replace with a stronger password
- MAGENTO_EMAIL=contact@example.com # replace with admin email
- MAGENTO_HOST=www.example.com # replace with your domain
- MAGENTO_ENABLE_HTTPS=yes
- MAGENTO_ENABLE_ADMIN_HTTPS=yes
- MAGENTO_DATABASE_HOST=mydb
- MAGENTO_DATABASE_NAME=magentodb
- MAGENTO_DATABASE_USER=user
- MAGENTO_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- ELASTICSEARCH_HOST=myelasticsearch
MAGENTO_USERNAME: "admin" # replace with admin username
MAGENTO_PASSWORD: "changeme42" # replace with a stronger password
MAGENTO_EMAIL: "contact@example.com" # replace with admin email
MAGENTO_HOST: "www.example.com" # replace with your domain
MAGENTO_ENABLE_HTTPS: "yes"
MAGENTO_ENABLE_ADMIN_HTTPS: "yes"
MAGENTO_DATABASE_HOST: "mydb"
MAGENTO_DATABASE_NAME: "magentodb"
MAGENTO_DATABASE_USER: "user"
MAGENTO_DATABASE_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MYSQL_PASSWORD)
ELASTICSEARCH_HOST: "myelasticsearch"
networks:
- magento-net
- bw-services
myelasticsearch:
@ -76,19 +66,19 @@ services:
volumes:
- elasticsearch-data:/bitnami/elasticsearch/data
networks:
- bw-services
- magento-net
mydb:
image: mariadb:10.2
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=magentodb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "magentodb"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
networks:
- bw-services
- magento-net
volumes:
bw-data:
@ -96,11 +86,15 @@ volumes:
magento-data:
elasticsearch-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
magento-net:
name: magento-net


@ -1,5 +1,3 @@
version: "3"
services:
mymagento:
image: bitnami/magento:2
@ -41,7 +39,7 @@ services:
- "node.role==worker"
mydb:
image: mariadb:10.2
image: mariadb:11
networks:
- bw-services
volumes:


@ -1,5 +1,3 @@
version: "3"
services:
mattermost:
depends_on:


@ -1,69 +1,59 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- MAX_CLIENT_SIZE=50m
- USE_GZIP=yes
# Methods used to query the api
# more info at https://api.mattermost.com/
- ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT
# Reverse proxy to Mattermost
# second endpoint needs websocket enabled
# more info at https://docs.mattermost.com/install/config-proxy-nginx.html
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_INTERCEPT_ERRORS=no
- REVERSE_PROXY_URL_1=/
- REVERSE_PROXY_HOST_1=http://mattermost:8065
- REVERSE_PROXY_URL_2=~ /api/v[0-9]+/(users/)?websocket$$
- REVERSE_PROXY_HOST_2=http://mattermost:8065
- REVERSE_PROXY_WS_2=yes
# Default limit rate for URLs
- LIMIT_REQ_URL_1=/
- LIMIT_REQ_RATE_1=3r/s
# Limit rate for api endpoints
- LIMIT_REQ_URL_2=^/api/
- LIMIT_REQ_RATE_2=10r/s
# Limit rate for static resources
- LIMIT_REQ_URL_3=^/static/
- LIMIT_REQ_RATE_3=10r/s
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
SERVE_FILES: "no"
MAX_CLIENT_SIZE: "50m"
USE_GZIP: "yes"
# Methods used to query the api
# more info at https://api.mattermost.com/
ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT"
# Reverse proxy to Mattermost
# second endpoint needs websocket enabled
# more info at https://docs.mattermost.com/install/config-proxy-nginx.html
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_INTERCEPT_ERRORS: "no"
REVERSE_PROXY_URL_1: "/"
REVERSE_PROXY_HOST_1: "http://mattermost:8065"
REVERSE_PROXY_URL_2: "~ /api/v[0-9]+/(users/)?websocket$$"
REVERSE_PROXY_HOST_2: "http://mattermost:8065"
REVERSE_PROXY_WS_2: "yes"
# Default limit rate for URLs
LIMIT_REQ_URL_1: "/"
LIMIT_REQ_RATE_1: "3r/s"
# Limit rate for api endpoints
LIMIT_REQ_URL_2: "^/api/"
LIMIT_REQ_RATE_2: "10r/s"
# Limit rate for static resources
LIMIT_REQ_URL_3: "^/static/"
LIMIT_REQ_RATE_3: "10r/s"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mattermost:
depends_on:
@ -125,11 +115,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,8 +1,6 @@
version: "3"
services:
mongo:
image: mongo:5.0.14
image: mongo:7
networks:
bw-services:
aliases:
@ -15,7 +13,7 @@ services:
- MONGO_INITDB_DATABASE=mongo # replace with the database name of your choice
mongo-ui:
image: mongo-express:0.54.0
image: mongo-express:1-20-alpine3.19
networks:
bw-services:
aliases:


@ -1,55 +1,44 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mongo-ui:8081
- |
CUSTOM_CONF_MODSEC_mongo-express=
SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mongo-ui:8081"
CUSTOM_CONF_MODSEC_mongo-express: |
SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mongo:
image: mongo:5.0.14
image: mongo:7
volumes:
- db-data:/data/db
environment:
@ -60,7 +49,7 @@ services:
- bw-services
mongo-ui:
image: mongo-express:0.54.0
image: mongo-express:1-20-alpine3.19
environment:
- ME_CONFIG_MONGODB_SERVER=mongo
- ME_CONFIG_MONGODB_ADMINUSERNAME=root # replace with a less obvious username
@ -77,11 +66,13 @@ volumes:
bw-data:
db-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
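Review bot: The `bw-scheduler` environment publishes mongo-express, a database admin console, at `/`, while `CUSTOM_CONF_MODSEC_mongo-express` removes the whole `attack-generic` and `attack-protocol` rule tags for every path under `/db`; nothing in the visible settings puts an access control in front of it. The `mongo-ui` environment continues outside the hunk, so I cannot see whether `ME_CONFIG_BASICAUTH_USERNAME` and `ME_CONFIG_BASICAUTH_PASSWORD` are set; if they are not, the 1.x image presumably falls back to its built-in credentials. I would add a comment above `REVERSE_PROXY_HOST`, `# mongo-express is an admin console: set ME_CONFIG_BASICAUTH_* and restrict access (USE_AUTH_BASIC or an IP allowlist) before exposing it`. The ModSecurity exclusion would be safer if it removed only the specific rule ids that false-positive rather than two whole tags.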


@ -1,8 +1,6 @@
version: "3"
services:
mongo:
image: mongo:5.0.14
image: mongo:7
networks:
- bw-services
volumes:
@ -17,7 +15,7 @@ services:
- "node.role==worker"
mongo-ui:
image: mongo-express:0.54.0
image: mongo-express:1-20-alpine3.19
networks:
- bw-services
environment:


@ -1,8 +1,6 @@
version: "3"
services:
mymoodle:
image: bitnami/moodle:4.1.0
image: bitnami/moodle:4
networks:
bw-services:
aliases:
@ -28,9 +26,9 @@ services:
- bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
mydb:
image: mariadb:10.5
image: bitnami/mariadb:11.2
volumes:
- db-data:/var/lib/mysql
- db-data:/bitnami/mariadb
networks:
bw-services:
aliases:
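Review bot: `mydb` switches to `bitnami/mariadb:11.2` with its data at `/bitnami/mariadb`, but the service's `environment` block lies outside this hunk, so I cannot see whether its variables were renamed. The docker-compose variant of the Moodle example in this commit renames `MYSQL_ROOT_PASSWORD`, `MYSQL_DATABASE`, `MYSQL_USER` and `MYSQL_PASSWORD` to their `MARIADB_*` forms for the same image; if this file still uses the `MYSQL_*` names, the database may not come up with the intended user and passwords. Please confirm the block matches, here and in the other Moodle variant later in the commit that makes the same image change. A short comment saying that data in an existing `db-data` volume is not picked up from the old `/var/lib/mysql` path would also help.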


@ -1,83 +1,75 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- SERVE_FILES=no
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mymoodle:8443
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
MAX_CLIENT_SIZE: "50m"
SERVE_FILES: "no"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "https://mymoodle:8443"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mymoodle:
image: bitnami/moodle:4.1.0
image: bitnami/moodle:4
depends_on:
- mydb
volumes:
- moodle-files:/bitnami/moodle
- moodle-data:/bitnami/moodledata
environment:
- MOODLE_USERNAME=admin # replace with your moodle admin username
- MOODLE_PASSWORD=password # replace with your moodle admin password
- MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
- MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
- MOODLE_DATABASE_HOST=mydb
- MOODLE_DATABASE_NAME=moodle
- MOODLE_DATABASE_USER=user
- MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
MOODLE_USERNAME: "admin" # replace with your moodle admin username
MOODLE_PASSWORD: "password" # replace with your moodle admin password
MOODLE_EMAIL: "moodle@example.com" # replace with your moodle admin email
MOODLE_SITE_NAME: "My Moodle" # replace with your moodle site name
MOODLE_DATABASE_HOST: "mydb"
MOODLE_DATABASE_NAME: "moodle"
MOODLE_DATABASE_USER: "user"
MOODLE_DATABASE_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MARIADB_PASSWORD)
restart: "unless-stopped"
networks:
- moodle-net
- bw-services
mydb:
image: mariadb:10.5
image: bitnami/mariadb:11.2
volumes:
- db-data:/var/lib/mysql
- db-data:/bitnami/mariadb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=moodle
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
- MARIADB_CHARACTER_SET=utf8mb4
- MARIADB_COLLATE=utf8mb4_unicode_ci
MARIADB_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MARIADB_DATABASE: "moodle"
MARIADB_USER: "user"
MARIADB_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
MARIADB_CHARACTER_SET: "utf8mb4"
MARIADB_COLLATE: "utf8mb4_unicode_ci"
networks:
- bw-services
- moodle-net
volumes:
bw-data:
@ -85,11 +77,15 @@ volumes:
moodle-files:
moodle-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
moodle-net:
name: moodle-net
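Review bot: `MOODLE_PASSWORD: "password"` in `mymoodle` ships a guessable admin credential, and its comment, unlike the database ones, does not say the value must be stronger; anyone who starts the example unchanged with `AUTO_LETS_ENCRYPT` on gets a publicly reachable Moodle with that login. Compose can refuse to start instead of falling back to a default: `MOODLE_PASSWORD: "${MOODLE_PASSWORD:?set a strong admin password}"`. The same form fits `MOODLE_DATABASE_PASSWORD`, `MARIADB_PASSWORD` and `MARIADB_ROOT_PASSWORD`, and it would keep these literals out of the secret-scanner ignore list the commit extends. The `changeme`-style admin passwords in the Magento and Nextcloud examples of this commit have the same property.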


@ -13,7 +13,7 @@ else
echo "❌ No PHP user found"
exit 1
fi
curl https://download.moodle.org/download.php/direct/stable401/moodle-4.1.tgz -Lo /tmp/moodle.tgz
curl https://download.moodle.org/download.php/stable404/moodle-latest-404.tgz -Lo /tmp/moodle.tgz
tar -xzf /tmp/moodle.tgz -C /tmp
cp -r /tmp/moodle/* /var/www/html
chown -R $user:nginx /var/www/html
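Review bot: The archive fetched by the new `curl` line is unpacked into `/var/www/html` without any integrity check, and `moodle-latest-404.tgz` is a moving target, so two runs of the script can install different code. I would pin a specific release archive, make curl fail on HTTP errors, and verify a recorded hash before `tar`: `curl -fsSL "$MOODLE_URL" -o /tmp/moodle.tgz` followed by `echo "<expected-sha256>  /tmp/moodle.tgz" | sha256sum -c - || exit 1` (the URL variable and the hash are placeholders). The `if`/`else` that sets `$user` starts outside the hunk; the last line should also quote it, `chown -R "$user":nginx /var/www/html`.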


@ -1,8 +1,6 @@
version: "3"
services:
mymoodle:
image: bitnami/moodle:4.1.0
image: bitnami/moodle:4
networks:
- bw-services
depends_on:
@ -30,9 +28,9 @@ services:
- bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
mydb:
image: mariadb:10.5
image: bitnami/mariadb:11.2
volumes:
- db-data:/var/lib/mysql
- db-data:/bitnami/mariadb
networks:
- bw-services
environment:


@ -1,5 +1,3 @@
version: "3"
services:
mync:
image: nextcloud:stable-apache
@ -57,7 +55,7 @@ services:
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
mydb:
image: mariadb
image: mariadb:11
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql


@ -1,34 +1,47 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- API_WHITELIST_IP=127.0.0.1 10.20.30.0/24
- MAX_CLIENT_SIZE=10G
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mync
- LIMIT_REQ_URL_1=/apps
- LIMIT_REQ_RATE_1=5r/s
- LIMIT_REQ_URL_2=/apps/text/session/sync
- LIMIT_REQ_RATE_2=8r/s
- LIMIT_REQ_URL_3=/core/preview
- LIMIT_REQ_RATE_3=5r/s
- |
CUSTOM_CONF_MODSEC_CRS_nextcloud=
API_WHITELIST_IP: "127.0.0.1 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
API_WHITELIST_IP: "127.0.0.1 10.20.30.0/24"
MAX_CLIENT_SIZE: "10G"
USE_CLIENT_CACHE: "yes"
SERVE_FILES: "no"
ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS"
X_FRAME_OPTIONS: "SAMEORIGIN"
USE_GZIP: "yes"
BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mync"
LIMIT_REQ_URL_1: "/apps"
LIMIT_REQ_RATE_1: "5r/s"
LIMIT_REQ_URL_2: "/apps/text/session/sync"
LIMIT_REQ_RATE_2: "8r/s"
LIMIT_REQ_URL_3: "/core/preview"
LIMIT_REQ_RATE_3: "5r/s"
CUSTOM_CONF_MODSEC_CRS_nextcloud: |
SecAction \
"id:900130,\
phase:1,\
@ -44,78 +57,57 @@ services:
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
- |
CUSTOM_CONF_MODSEC_nextcloud=
CUSTOM_CONF_MODSEC_nextcloud: |
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mync:
image: nextcloud:24-apache
image: nextcloud:stable-apache
volumes:
- nc-files:/var/www/html
environment:
- NEXTCLOUD_ADMIN_USER=admin # replace with the admin username
- NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password
- NEXTCLOUD_TRUSTED_DOMAINS=www.example.com # replace with your domain(s)
- TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
- APACHE_DISABLE_REWRITE_IP=1
- MYSQL_HOST=mydb
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
NEXTCLOUD_ADMIN_USER: "admin" # replace with the admin username
NEXTCLOUD_ADMIN_PASSWORD: "changeme" # replace with a stronger password
NEXTCLOUD_TRUSTED_DOMAINS: "www.example.com" # replace with your domain(s)
TRUSTED_PROXIES: "192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
APACHE_DISABLE_REWRITE_IP: "1"
MYSQL_HOST: "mydb"
MYSQL_DATABASE: "nc"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # set a stronger password in a .env file (must match MYSQL_PASSWORD)
networks:
- nextcloud-net
- bw-services
mydb:
image: mariadb:10.9
image: mariadb:11
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "nc"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MYSQL_PASSWORD)
networks:
- bw-universe
- bw-services
- nextcloud-net
volumes:
bw-data:
db-data:
nc-files:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
nextcloud-net:
name: nextcloud-net
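Review bot: `TRUSTED_PROXIES: "192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"` on `mync` makes Nextcloud accept forwarded client-IP headers from any private address, so every container that can reach `mync` on `bw-services` or `nextcloud-net` can choose the IP that Nextcloud logs and, presumably, throttles on. Only BunkerWeb needs that trust. I would give `bw-services` an explicit `ipam` subnet, as `bw-universe` already has, and set the variable to that one range, for example `TRUSTED_PROXIES: "10.20.40.0/24"` (constructed value, pick your own subnet). The comment on `MYSQL_PASSWORD` under `mydb` says it must match `MYSQL_PASSWORD`, which reads as self-referential; `# must match MYSQL_PASSWORD of mync` would be clearer.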


@ -1,8 +1,6 @@
version: "3"
services:
mync:
image: nextcloud:24-apache
image: nextcloud:stable-apache
volumes:
- nc-files:/var/www/html
networks:
@ -38,7 +36,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_3=5r/s
mydb:
image: mariadb:10.9
image: mariadb:11
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db-data:/var/lib/mysql


@ -1,11 +1,9 @@
version: "3"
services:
# you will need to add a user by hand
# example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
# more info at https://github.com/passbolt/passbolt_docker
mypassbolt:
image: passbolt/passbolt:3.8.3-1-ce
image: passbolt/passbolt:latest-ce
networks:
bw-services:
aliases:
@ -17,8 +15,8 @@ services:
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
@ -35,9 +33,12 @@ services:
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
- |
bunkerweb.CUSTOM_CONF_MODSEC_CRS_passbolt=
SecRule REQUEST_FILENAME "@rx ^/locales" "id:1000000,ctl:ruleRemoveById=953100,nolog"
mydb:
image: mariadb
image: mariadb:10.11
volumes:
- db-data:/var/lib/mysql
networks:
@ -51,9 +52,9 @@ services:
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
volumes:
gpg-data:
jwt-data:
db-data:
gpg_volume:
jwt_volume:
networks:
bw-services:
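Review bot: `image: passbolt/passbolt:latest-ce` replaces a pinned release with a floating tag on the container that holds the password vault, so the image that runs is whatever the registry serves at pull time and an upgrade can land unreviewed. I would keep an explicit release tag, ideally with a digest, e.g. `image: passbolt/passbolt:<release>-ce@sha256:<digest>` (placeholders). The two other passbolt example files later in this commit make the same change. `mydb` goes the other way, from untagged `mariadb` to `mariadb:10.11`, which is the direction I would expect for both images.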


@ -1,70 +1,64 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- COOKIE_FLAGS=* SameSite=Lax
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
- SERVE_FILES=no
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=https://mypassbolt
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
COOKIE_FLAGS: "* SameSite=Lax"
ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE"
SERVE_FILES: "no"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "https://mypassbolt"
# REVERSE_PROXY_HOST: "https://mypassbolt:8080" # For non-root passbolt image
CUSTOM_CONF_MODSEC_CRS_passbolt: |
SecRule REQUEST_FILENAME "@rx ^/locales" "id:1000000,ctl:ruleRemoveById=953100,nolog"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
# you will need to add a user by hand
# example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
# example : docker compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
# more info at https://github.com/passbolt/passbolt_docker
mypassbolt:
image: passbolt/passbolt:3.8.3-1-ce
image: passbolt/passbolt:latest-ce
#Alternatively you can use rootless:
# image: passbolt/passbolt:3.8.3-1-ce-non-root
#image: passbolt/passbolt:latest-ce-non-root
restart: unless-stopped
depends_on:
- mydb
environment:
- APP_FULL_BASE_URL=https://www.example.com # replace with your URL
- DATASOURCES_DEFAULT_HOST=mydb
- DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
environment:
APP_FULL_BASE_URL: "https://www.example.com"
DATASOURCES_DEFAULT_HOST: "mydb"
DATASOURCES_DEFAULT_USERNAME: "user"
DATASOURCES_DEFAULT_PASSWORD: "db-user-pwd" # replace with a stronger password (must match MYSQL_PASSWORD)
DATASOURCES_DEFAULT_DATABASE: "passbolt"
command:
[
"/usr/bin/wait-for.sh",
@ -72,34 +66,39 @@ services:
"0",
"mydb:3306",
"--",
"/docker-entrypoint.sh",
"/docker-entrypoint.sh"
]
networks:
- passbolt-net
- bw-services
mydb:
image: mariadb
image: mariadb:10.11
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=passbolt
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "passbolt"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
networks:
- bw-services
- passbolt-net
volumes:
gpg-data:
jwt-data:
db-data:
bw-data:
gpg_volume:
jwt_volume:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
passbolt-net:
name: passbolt-net
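Review bot: The commented hint `# REVERSE_PROXY_HOST: "https://mypassbolt:8080" # For non-root passbolt image` in the `bw-scheduler` environment pairs the `https` scheme with port 8080. As far as I know the non-root passbolt image serves plain HTTP on 8080 and HTTPS on 4433, so a reader who uncomments the line would get a failing upstream or be tempted to downgrade to `http`. Please check against the passbolt_docker documentation and, if confirmed, change it to `# REVERSE_PROXY_HOST: "https://mypassbolt:4433" # For non-root passbolt image`. Separately, `restart: unless-stopped` on `mypassbolt` is unquoted while the other services in this file quote the value.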


@ -1,11 +1,9 @@
version: "3"
services:
# you will need to add a user by hand
# example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
# more info at https://github.com/passbolt/passbolt_docker
mypassbolt:
image: passbolt/passbolt:3.8.1-1-ce
image: passbolt/passbolt:latest-ce
networks:
- bw-services
environment:
@ -15,8 +13,8 @@ services:
- DATASOURCES_DEFAULT_USERNAME=user
- DATASOURCES_DEFAULT_DATABASE=passbolt
volumes:
- gpg-data:/etc/passbolt/gpg
- jwt-data:/etc/passbolt/jwt
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
@ -37,9 +35,12 @@ services:
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
- |
bunkerweb.CUSTOM_CONF_MODSEC_CRS_passbolt=
SecRule REQUEST_FILENAME "@rx ^/locales" "id:1000000,ctl:ruleRemoveById=953100,nolog"
mydb:
image: mariadb
image: mariadb:10.11
volumes:
- db-data:/var/lib/mysql
networks:
@ -61,5 +62,5 @@ networks:
volumes:
db-data:
gpg-data:
jwt-data:
gpg_volume:
jwt_volume:


@ -1,11 +1,10 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
@ -15,45 +14,36 @@ services:
volumes:
- ./www:/var/www/html # contains web files (PHP, assets, ...)
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- COOKIE_FLAGS_1=my_cookie HttpOnly
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
COOKIE_FLAGS_1: "my_cookie HttpOnly"
REMOTE_PHP: "myphp"
REMOTE_PHP_PATH: "/app"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myphp:
image: php:fpm-alpine3.17
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -66,11 +56,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,8 +1,6 @@
version: "3"
services:
myapp1:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -19,7 +17,7 @@ services:
- bunkerweb.REMOTE_PHP_PATH=/app
myapp2:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly


@ -1,11 +1,10 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
@ -15,19 +14,8 @@ services:
volumes:
- ./www:/var/www/html # contains web files (PHP, assets, ...), don't forget to rename the subfolders
environment:
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- app1.example.com_REMOTE_PHP=myapp1
- app1.example.com_REMOTE_PHP_PATH=/app
- app2.example.com_REMOTE_PHP=myapp2
- app2.example.com_REMOTE_PHP_PATH=/app
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- net-app1
@ -35,28 +23,30 @@ services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com" # replace with your domains
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
MULTISITE: "yes"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
app1.example.com_REMOTE_PHP: "myapp1"
app1.example.com_REMOTE_PHP_PATH: "/app"
app2.example.com_REMOTE_PHP: "myapp2"
app2.example.com_REMOTE_PHP_PATH: "/app"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myapp1:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -67,7 +57,7 @@ services:
- net-app1
myapp2:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -77,15 +67,16 @@ services:
networks:
- net-app2
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
net-app1:
net-app2:
volumes:
bw-data:


@ -1,11 +1,10 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
@ -15,44 +14,34 @@ services:
volumes:
- ./www:/var/www/html # contains web files (PHP, assets, ...)
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- REMOTE_PHP=myphp
- REMOTE_PHP_PATH=/app
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- ./bw-data:/data
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
REMOTE_PHP: "myphp"
REMOTE_PHP_PATH: "/app"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myphp:
image: php:fpm
image: php:fpm-alpine3.19
# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm (33:33) are not the same ⚠️
# but both needs access to the files and folders of web-files
# don't forget to edit the permissions of the files and folders accordingly
@ -62,11 +51,16 @@ services:
networks:
- bw-services
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
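Review bot: The warning comment above the `myphp` image still says php:fpm runs as 33:33, but the image printed beside it is now `php:fpm-alpine3.19`, and on the Alpine variants of the official PHP image `www-data` is normally 82:82. Anyone following the comment to set ownership of `./www` would target a UID the PHP-FPM workers do not run as, which usually ends in an over-permissive chmod to make the site work. I would change the line to `# ⚠️ UID and GID of BunkerWeb (101:101) and php:fpm-alpine (82:82) are not the same ⚠️` after confirming with `id www-data` inside the image. The comment block continues past the end of this hunk, so any chown/chmod steps below it may need the same update.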


@ -1,8 +1,6 @@
version: "3"
services:
myps:
image: prestashop/prestashop:1.7
image: prestashop/prestashop:8
volumes:
- ps-data:/var/www/html
networks:
@ -29,7 +27,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_1=8r/s
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks:


@ -1,12 +1,26 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
@ -21,64 +35,39 @@ services:
# Once the installation is done, you can remove these lines
LIMIT_REQ_URL_1: "/install/index.php"
LIMIT_REQ_RATE_1: "8r/s"
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
DOCKER_HOST: "tcp://bw-docker-proxy:2375"
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myps:
image: prestashop/prestashop:1.7
image: prestashop/prestashop:8
volumes:
- ps-data:/var/www/html
environment:
- DB_SERVER=mydb
- DB_USER=user
- DB_PASSWD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- DB_PREFIX=prefix_ # replace with a random prefix (good security practice)
- DB_NAME=prestashop
- PS_ENABLE_SSL=1
- ADMIN_MAIL=admin@example.com # change to the prestashop admin email
- ADMIN_PASSWD=changeme # change to the prestashop admin password
- PS_FOLDER_ADMIN=administration # change to the prestashop admin folder
DB_SERVER: "mydb"
DB_USER: "user"
DB_PASSWD: "db-user-pwd" # replace with a stronger password (must match MYSQL_PASSWORD)
DB_PREFIX: "prefix_" # replace with a random prefix (good security practice)
DB_NAME: "prestashop"
PS_ENABLE_SSL: "1"
ADMIN_MAIL: "admin@example.com" # change to the prestashop admin email
ADMIN_PASSWD: "changeme" # change to the prestashop admin password
PS_FOLDER_ADMIN: "administration" # change to the prestashop admin folder
networks:
- prestashop-net
- bw-services
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks:
bw-services:
aliases:
- mydb
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=prestashop
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DB_PASSWD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "prestashop"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match DB_PASSWD)
networks:
- prestashop-net
volumes:
bw-data:
@ -88,9 +77,12 @@ volumes:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
prestashop-net:
name: prestashop-net
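Review bot: The rewritten `environment:` maps for `myps` and `mydb` keep usable-looking credentials inline (`DB_PASSWD: "db-user-pwd"`, `ADMIN_PASSWD: "changeme"`, `MYSQL_ROOT_PASSWORD: "db-root-pwd"`), so the example starts successfully with them unchanged and the only guard is a trailing comment. Since these lines are being rewritten anyway, consider required-variable interpolation so Compose refuses to start until the values are supplied, e.g. `ADMIN_PASSWD: "${PS_ADMIN_PASSWD:?set in .env}"` and `MYSQL_PASSWORD: "${DB_USER_PWD:?set in .env}"` (variable names constructed for illustration). The redmine docker-compose example further down has the same pattern in `REDMINE_DB_PASSWORD` and the `MYSQL_*` values.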


@ -1,8 +1,6 @@
version: "3"
services:
myps:
image: prestashop/prestashop:1.7
image: prestashop/prestashop:8
volumes:
- ps-data:/var/www/html
networks:
@ -31,7 +29,7 @@ services:
- bunkerweb.LIMIT_REQ_RATE_1=8r/s
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks:


@ -1,26 +1,18 @@
version: "3"
x-env: &env
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
# proxy protocol settings
USE_PROXY_PROTOCOL: "yes"
USE_REAL_IP: "yes"
REAL_IP_FROM: "10.10.10.0/24"
REAL_IP_HEADER: "proxy_protocol"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp:8080
# proxy protocol settings
- USE_PROXY_PROTOCOL=yes
- USE_REAL_IP=yes
- REAL_IP_FROM=10.10.10.0/24
- REAL_IP_HEADER=proxy_protocol
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
<<: *env
restart: "unless-stopped"
networks:
- net-proxy
- bw-universe
@ -28,31 +20,32 @@ services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
<<: *env
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domains
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myapp:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myproxy:
image: haproxy:2.9-alpine
image: haproxy:3.0-alpine
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
networks:
@ -66,14 +59,16 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
net-proxy:
ipam:
driver: default
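Review bot: `REAL_IP_FROM: "10.10.10.0/24"` in the new `x-env` block accepts PROXY protocol headers from every address in that range, not only from `myproxy`. Any other container attached to the same network would be trusted to state the client address, which weakens the IP-based controls (rate limiting, bans) that sit behind it. If the range is the `net-proxy` subnet (its `config:` lies outside this hunk), I would give `myproxy` a fixed `ipv4_address` and narrow the setting to that host alone, e.g. `REAL_IP_FROM: "10.10.10.254/32"` (address constructed for illustration).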


@ -15,8 +15,8 @@ frontend https_front
backend http_back
mode tcp
server server01 mybunker:8080 send-proxy-v2
server server01 bunkerweb:8080 send-proxy-v2
backend https_back
mode tcp
server server01 mybunker:8443 send-proxy-v2
server server01 bunkerweb:8443 send-proxy-v2


@ -1,8 +1,6 @@
version: "3.5"
services:
radarr:
image: lscr.io/linuxserver/radarr:4.2.4.6635-ls157
image: lscr.io/linuxserver/radarr:5.7.0.8882-ls226
networks:
bw-services:
aliases:
@ -30,6 +28,9 @@ services:
# Increase request rate for API endpoints
- bunkerweb.LIMIT_REQ_URL_1=^/api/
- bunkerweb.LIMIT_REQ_RATE_1=10r/s
- |
bunkerweb.CUSTOM_CONF_MODSEC_CRS_radarr=
SecAction "id:900220,phase:1,nolog,pass,t:none,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
networks:
bw-services:
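Review bot: The added `CUSTOM_CONF_MODSEC_CRS_radarr` label sets `tx.allowed_request_content_type` to one long list, and nothing states which entry radarr actually requires. Several entries (`application/x-git-upload-pack-request`, `application/x-git-receive-pack-request`, `application/x-amf`, `application/soap+xml`) look unrelated to the radarr API, so the override appears wider than needed and loosens the content-type check for this service. I would trim the list to the types radarr sends and put a comment above the label such as `# radarr sends <content-type>; allow-list extended for this service only` (placeholder to fill in). The same SecAction is added in the radarr docker-compose and swarm examples.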


@ -1,62 +1,54 @@
version: "3.5"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- MAX_CLIENT_SIZE=50m
- USE_GZIP=yes
# Methods used by the radarr API
# more info at https://radarr.video/docs/api/
- ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT
# Proxy requests to radarr
# websocket is needed
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://radarr:7878
- REVERSE_PROXY_WS=yes
# Increase request rate for API endpoints
- LIMIT_REQ_URL_1=^/api/
- LIMIT_REQ_RATE_1=10r/s
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
- bunkerweb
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
SERVE_FILES: "no"
MAX_CLIENT_SIZE: "50m"
USE_GZIP: "yes"
# Methods used by the radarr API
# more info at https://radarr.video/docs/api/
ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT"
# Proxy requests to radarr
# websocket is needed
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://radarr:7878"
REVERSE_PROXY_WS: "yes"
# Increase request rate for API endpoints
LIMIT_REQ_URL_1: "^/api/"
LIMIT_REQ_RATE_1: "10r/s"
CUSTOM_CONF_MODSEC_CRS_radarr: |
SecAction "id:900220,phase:1,nolog,pass,t:none,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
restart: "unless-stopped"
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
radarr:
image: lscr.io/linuxserver/radarr:4.2.4.6635-ls157
image: lscr.io/linuxserver/radarr:5.7.0.8882-ls226
container_name: radarr
environment:
- PUID=1000
@ -72,11 +64,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -2,7 +2,7 @@ version: "3"
services:
radarr:
image: lscr.io/linuxserver/radarr:4.2.4.6635-ls157
image: lscr.io/linuxserver/radarr:5.7.0.8882-ls226
networks:
- bw-services
environment:
@ -32,6 +32,9 @@ services:
# Increase request rate for API endpoints
- bunkerweb.LIMIT_REQ_URL_1=^/api/
- bunkerweb.LIMIT_REQ_RATE_1=10r/s
- |
bunkerweb.CUSTOM_CONF_MODSEC_CRS_radarr=
SecAction "id:900220,phase:1,nolog,pass,t:none,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
networks:
bw-services:


@ -1,8 +1,6 @@
version: "3"
services:
myredmine:
image: redmine:5.0.4-alpine
image: redmine:5-alpine
restart: always
volumes:
- redmine-data:/usr/src/redmine/files
@ -22,7 +20,7 @@ services:
- bunkerweb.REVERSE_PROXY_HOST=http://myredmine:3000
mydb:
image: mysql
image: mysql:8
volumes:
- db-data:/var/lib/mysql
networks:


@ -1,86 +1,80 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myredmine:3000
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myredmine:3000"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myredmine:
image: redmine:5.0.4-alpine
image: redmine:5-alpine
restart: always
volumes:
- redmine-data:/usr/src/redmine/files
environment:
- REDMINE_DB_MYSQL=mydb
- REDMINE_DB_DATABASE=redminedb
- REDMINE_DB_USERNAME=user
- REDMINE_DB_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
REDMINE_DB_MYSQL: "mydb"
REDMINE_DB_DATABASE: "redminedb"
REDMINE_DB_USERNAME: "user"
REDMINE_DB_PASSWORD: "db-user-pwd" # set a stronger password in a .env file (must match MYSQL_PASSWORD)
networks:
- redmine-net
- bw-services
mydb:
image: mysql
image: mysql:8
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "redminedb"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match REDMINE_DB_PASSWORD)
networks:
- bw-universe
- bw-services
- redmine-net
volumes:
bw-data:
redmine-data:
db-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
redmine-net:
name: redmine-net
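Review bot: Under `mydb`, the `networks:` list is printed as `- bw-universe`, `- bw-services` and `- redmine-net` with the change markers lost, so it is not clear which entries remain on the new side. The database only has to be reachable by `myredmine`; if `bw-universe` (the BunkerWeb API network) or `bw-services` is still attached, the MySQL port is reachable from the WAF and from every proxied backend. The new side should read just `networks:` followed by `- redmine-net` for `mydb`, which is what the prestashop example appears to do with `prestashop-net`.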


@ -1,8 +1,6 @@
version: "3"
services:
myredmine:
image: redmine
image: redmine:5-alpine
restart: always
volumes:
- redmine-data:/usr/src/redmine/files
@ -24,7 +22,7 @@ services:
- bunkerweb.REVERSE_PROXY_HOST=http://myredmine:3000
mydb:
image: mysql
image: mysql:8
volumes:
- db-data:/var/lib/mysql
networks:


@ -1,5 +1,3 @@
version: "3"
services:
app1:
image: nginxdemos/nginx-hello


@ -1,52 +1,42 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:8080
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: nginxdemos/nginx-hello
@ -61,11 +51,13 @@ services:
volumes:
bw-data:
networks:
bw-services:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services


@ -1,5 +1,3 @@
version: "3"
services:
app1:
image: nginxdemos/nginx-hello


@ -1,5 +1,3 @@
version: "3"
services:
app1:
image: nginxdemos/nginx-hello


@ -1,57 +1,46 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL_1=~ ^/app1/(.*)$$
- REVERSE_PROXY_HOST_1=http://app1:8080/$$1
- REVERSE_PROXY_URL_2=~ ^/app2/(.*)$$
- REVERSE_PROXY_HOST_2=http://app2:8080/$$1
- |
CUSTOM_CONF_SERVER_HTTP_redirects=
port_in_redirect off;
location ~ ^/(app1|app2)$$ {
rewrite ^(.*)$$ $$1/ permanent;
}
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL_1: "~ ^/app1/(.*)$$"
REVERSE_PROXY_HOST_1: "http://app1:8080/$$1"
REVERSE_PROXY_URL_2: "~ ^/app2/(.*)$$"
REVERSE_PROXY_HOST_2: "http://app2:8080/$$1"
CUSTOM_CONF_SERVER_HTTP_redirects: |
port_in_redirect off;
location ~ ^/(app1|app2)$$ {
rewrite ^(.*)$$ $$1/ permanent;
}
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: nginxdemos/nginx-hello
@ -66,11 +55,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,5 +1,3 @@
version: "3"
services:
app1:
image: nginxdemos/nginx-hello


@ -1,50 +1,40 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/ws/
- REVERSE_PROXY_HOST=http://myws:8010/
- REVERSE_PROXY_WS=yes
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/ws/"
REVERSE_PROXY_HOST: "http://myws:8010"
REVERSE_PROXY_WS: "yes"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myws:
image: ksdn117/web-socket-test
@ -54,11 +44,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,79 +1,71 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080 # required to resolve let's encrypt challenges
- 10000:10000 # app1 without SSL/TLS
- 10001:10001 # app1 with SSL/TLS
- 20000:20000 # app2 without SSL/TLS
- 20001:20001 # app2 with SSL/TLS
- "80:8080" # required to resolve let's encrypt challenges
- "10000:10000" # app1 without SSL/TLS
- "10001:10001" # app1 with SSL/TLS
- "20000:20000" # app2 without SSL/TLS
- "20001:20001" # app2 with SSL/TLS
environment:
- MULTISITE=yes
- SERVER_NAME=app1.example.com app2.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- SERVER_TYPE=stream
- app1.example.com_REVERSE_PROXY_HOST=app1:9000
- app1.example.com_LISTEN_STREAM_PORT=10000
- app1.example.com_LISTEN_STREAM_PORT_SSL=10001
- app2.example.com_REVERSE_PROXY_HOST=app2:9000
- app2.example.com_LISTEN_STREAM_PORT=20000
- app2.example.com_LISTEN_STREAM_PORT_SSL=20001
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bunkerweb-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "app1.example.com app2.example.com" # replace with your domains
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
SERVE_FILES: "no"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
SERVER_TYPE: "stream"
app1.example.com_REVERSE_PROXY_HOST: "app1:9000"
app1.example.com_LISTEN_STREAM_PORT: "10000"
app1.example.com_LISTEN_STREAM_PORT_SSL: "10001"
app2.example.com_REVERSE_PROXY_HOST: "app2:9000"
app2.example.com_LISTEN_STREAM_PORT: "20000"
app2.example.com_LISTEN_STREAM_PORT_SSL: "20001"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
app1:
image: istio/tcp-echo-server:1.2
command: ["9000", "app1"]
image: istio/tcp-echo-server:1.3
command: [ "9000", "app1" ]
networks:
- bw-services
app2:
image: istio/tcp-echo-server:1.2
command: ["9000", "app2"]
image: istio/tcp-echo-server:1.3
command: [ "9000", "app2" ]
networks:
- bw-services
volumes:
bw-data:
networks:
bw-services:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-docker:
bw-services:
name: bw-services


@ -1,5 +1,3 @@
version: "3"
services:
myapp1:
image: nginxdemos/nginx-hello


@ -1,67 +1,60 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
logging:
driver: syslog
options:
syslog-address: "udp://10.10.10.254:514"
container_name: bunkerweb
depends_on:
- mysyslog
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.10.10.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- syslog-net
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
logging:
driver: syslog
options:
syslog-address: "udp://10.10.10.254:514"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
- bunkerweb
- mysyslog
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
volumes:
- bw-data:/data
networks:
- bw-services
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.10.10.0/24"
AUTO_LETS_ENCRYPT: "yes"
DISABLE_DEFAULT_SERVER: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myapp:8080"
restart: "unless-stopped"
networks:
- bw-docker
- syslog-net
- bw-universe
logging:
driver: syslog
options:
syslog-address: "udp://10.10.10.254:514"
mysyslog:
image: balabit/syslog-ng:3.38.1
image: balabit/syslog-ng:4.7.1 # For x86_64 architecture
# image: lscr.io/linuxserver/syslog-ng:4.7.1-r1-ls116 # For aarch64 architecture
command: --no-caps
volumes:
- ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
- ./log:/var/log
networks:
bw-services:
syslog-net:
ipv4_address: 10.10.10.254
myapp:
@ -72,10 +65,19 @@ services:
volumes:
bw-data:
networks:
bw-services:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
syslog-net:
name: syslog-net
ipam:
driver: default
config:
- subnet: 10.10.10.0/24
bw-docker:
bw-services:
name: bw-services
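Review bot: The two services now carry different API whitelists: `bunkerweb` has `API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"` and `bw-scheduler` has `"127.0.0.0/8 10.10.10.0/24"`. `10.20.30.0/24` is `bw-universe` and `10.10.10.0/24` is `syslog-net`, so the scheduler's value looks like a leftover from the old layout, and it would admit the syslog container's network to the internal API if that value is the one applied. The two lines should agree; I would use `API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"` on the scheduler as well. The page does not show for certain which `networks:` entries each service keeps, so confirm the scheduler reaches the instance over `bw-universe`.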


@ -1,5 +1,5 @@
# This is a basic configuration file for syslog-ng.
@version: 3.38
@version: 4.7
@include "scl.conf"
log {


@ -1,8 +1,6 @@
version: "3"
services:
mytomcat:
image: tomcat
image: tomcat:11.0
volumes:
- ./app:/usr/local/tomcat/webapps/ # folder containing war files
networks:
@ -13,7 +11,7 @@ services:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://mytomcat:8080/sample/
- bunkerweb.REVERSE_PROXY_HOST=http://mytomcat:8080
networks:
bw-services:
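Review bot: With the label printed second, `bunkerweb.REVERSE_PROXY_HOST=http://mytomcat:8080`, BunkerWeb forwards to Tomcat's root context instead of only `/sample/`, so every application deployed from `./app` becomes reachable through the proxy. That is easy to miss when a second WAR is dropped into the folder later. I would document it next to the label, e.g. `# proxies the whole Tomcat instance: keep only the WARs you intend to publish in ./app`. The tomcat docker-compose and swarm examples make the same change to `REVERSE_PROXY_HOST`.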


@ -1,51 +1,41 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com # replace with your domain
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mytomcat:8080/sample/
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bunkerweb-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
DISABLE_DEFAULT_SERVER: "yes"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mytomcat:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mytomcat:
image: tomcat:10.1.2
image: tomcat:11.0
volumes:
- ./app:/usr/local/tomcat/webapps/ # folder containing war files
networks:
@ -54,11 +44,13 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services


@ -1,8 +1,6 @@
version: "3"
services:
mytomcat:
image: tomcat
image: tomcat:11.0
configs:
- source: tomcat_app_war
target: /usr/local/tomcat/webapps/sample.war
@ -19,7 +17,7 @@ services:
- bunkerweb.SERVER_NAME=www.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://mytomcat:8080/sample/
- bunkerweb.REVERSE_PROXY_HOST=http://mytomcat:8080
networks:
bw-services:


@ -1,59 +1,52 @@
version: "3"
services:
myonion:
image: goldy/tor-hidden-service:0.4.6.9
image: goldy/tor-hidden-service:v0.4.7.12-54c0e54
volumes:
- ./hidden-services:/var/lib/tor/hidden_service # .onion address and private key will be located in ./hidden_service
environment:
- SERVICE1_TOR_SERVICE_HOSTS=80:mybunker:8080
- SERVICE1_TOR_SERVICE_VERSION=3
SERVICE1_TOR_SERVICE_HOSTS: "80:bunkerweb:8080"
SERVICE1_TOR_SERVICE_VERSION: "3"
networks:
- bw-universe
- onion-net
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
environment:
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
# disable common security measures based on IP
- USE_BAD_BEHAVIOR=no
- USE_DNSBL=no
- USE_WHITELIST=no
- USE_BLACKLIST=no
# enable captcha at least
- USE_ANTIBOT=captcha
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myapp:8080
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- onion-net
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bunkerweb-scheduler
depends_on:
- mybunker
environment:
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
# disable common security measures based on IP
USE_BAD_BEHAVIOR: "no"
USE_DNSBL: "no"
USE_WHITELIST: "no"
USE_BLACKLIST: "no"
USE_GREYLIST: "no"
# enable captcha at least
USE_ANTIBOT: "captcha"
SERVE_FILES: "no"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://myapp:8080"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
myapp:
image: nginxdemos/nginx-hello
@ -63,11 +56,15 @@ services:
volumes:
bw-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
onion-net:
name: onion-net
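Review bot: The `myonion` volume line is left as it was, but its comment points at `./hidden_service` while the bind mount is `./hidden-services`, and that directory holds the onion service's private key. Since the service definition is being reworked here, I would correct the comment and say how the directory should be protected: `# .onion address and private key are written to ./hidden-services: keep it out of version control and readable only by its owner`. No code change is needed beyond the comment.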


@ -1,74 +1,70 @@
version: "3.5"
x-env: &env
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE=yes"
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=
- MULTISITE=yes
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- UI_HOST=http://bw-ui:7000
API_WHITELIST_IP: "127.0.0.0/24 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
- bw-docker
volumes:
- bw-data:/data
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
<<: *env
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: ""
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/24 10.20.30.0/24"
SERVE_FILES: "no"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
UI_HOST: "http://bw-ui:7000"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.0-beta
depends_on:
- bw-docker
container_name: bw-ui
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
<<: *env
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
- bw-db
bw-db:
image: mariadb:10.10
image: mariadb:11
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=yes
- MYSQL_DATABASE=db
- MYSQL_USER=bunkerweb
- MYSQL_PASSWORD=changeme # Remember to set a stronger password for the database
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_DATABASE: "db"
MYSQL_USER: "bunkerweb"
MYSQL_PASSWORD: "changeme" # replace with a stronger password
volumes:
- bw-data:/var/lib/mysql
- bw-db:/var/lib/mysql
restart: "unless-stopped"
networks:
- bw-docker
- bw-db
volumes:
bw-data:
bw-db:
networks:
bw-universe:
@ -79,5 +75,5 @@ networks:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
bw-docker:
name: bw-docker
bw-db:
name: bw-db
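Review bot: The new `x-env` anchor at the top of this file hard-codes `changeme` inside `DATABASE_URI`, but the reminder that the list-form lines carried ("Remember to set a stronger password for the database") is gone from it. The scheduler and the UI now both take the credential from this one anchor, so the hint belongs there, for example `DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # replace changeme with a stronger password (must match MYSQL_PASSWORD)`. The `x-env` anchor in the next file section of this commit has the same gap.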


@ -1,81 +1,77 @@
version: "3.5"
x-env: &env
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db"
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
labels:
- "bunkerweb.INSTANCE=yes"
- "80:8080"
- "443:8443"
environment:
- SERVER_NAME=www.example.com
- MULTISITE=yes
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- www.example.com_USE_UI=yes
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
- www.example.com_MAX_CLIENT_SIZE=50m
API_WHITELIST_IP: "127.0.0.0/24 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
- bw-docker
volumes:
- bw-data:/data
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
<<: *env
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com"
MULTISITE: "yes"
API_WHITELIST_IP: "127.0.0.0/24 10.20.30.0/24"
SERVE_FILES: "no"
AUTO_LETS_ENCRYPT: "yes"
USE_CLIENT_CACHE: "yes"
USE_GZIP: "yes"
www.example.com_USE_UI: "yes"
www.example.com_USE_REVERSE_PROXY: "yes"
www.example.com_REVERSE_PROXY_URL: "/changeme"
www.example.com_REVERSE_PROXY_HOST: "http://bw-ui:7000"
www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504"
www.example.com_MAX_CLIENT_SIZE: "50m"
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
bw-docker:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.0-beta
depends_on:
- bw-docker
container_name: bw-ui
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
<<: *env
ADMIN_USERNAME: "changeme"
ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the changeme user
restart: "unless-stopped"
networks:
- bw-universe
- bw-docker
- bw-db
bw-db:
image: mariadb:10.10
image: mariadb:11
environment:
- MYSQL_RANDOM_ROOT_PASSWORD=yes
- MYSQL_DATABASE=db
- MYSQL_USER=bunkerweb
- MYSQL_PASSWORD=changeme # Remember to set a stronger password for the database
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_DATABASE: "db"
MYSQL_USER: "bunkerweb"
MYSQL_PASSWORD: "changeme" # replace with a stronger password
volumes:
- bw-data:/var/lib/mysql
- bw-db:/var/lib/mysql
restart: "unless-stopped"
networks:
- bw-docker
- bw-db
volumes:
bw-data:
bw-db:
networks:
bw-universe:
@ -86,5 +82,5 @@ networks:
- subnet: 10.20.30.0/24
bw-services:
name: bw-services
bw-docker:
name: bw-docker
bw-db:
name: bw-db
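Review bot: `API_WHITELIST_IP` is `127.0.0.0/24 10.20.30.0/24` on both `bunkerweb` and `bw-scheduler` here, while the list-form line shown just above it and the other examples in this commit use `127.0.0.0/8`. The narrower loopback range still covers 127.0.0.1, so nothing is weakened, but the unexplained difference between examples looks unintentional. Either align it with `API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"` or add a short comment saying the tighter range is deliberate. The previous file section uses the same `/24` value.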


@ -1,8 +1,6 @@
version: "3"
services:
mywp:
image: wordpress:6.1.1-apache
image: wordpress:6-apache
volumes:
- wp-data:/var/www/html
networks:
@ -31,8 +29,17 @@ services:
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks:
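Review bot: The added `SecAction` with `id:900220` overrides `tx.allowed_request_content_type` with a long list, and nothing says why a WordPress site needs it. Entries such as `application/x-git-upload-pack-request`, `application/x-git-receive-pack-request` and `application/x-amf` do not look WordPress-related, and each extra type is one more request body format the WAF will accept for the backend. I would trim the list to what WordPress actually sends and add a line above the rule such as `# content types WordPress needs; keep this list as short as possible`. The same rule is repeated verbatim in the `.conf` file and the two compose files that follow in this commit.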


@ -1,7 +1,15 @@
SecAction \
"id:900130,\
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"


@ -1,12 +1,26 @@
version: "3"
services:
mybunker:
bunkerweb:
image: bunkerity/bunkerweb:1.6.0-beta
container_name: bunkerweb
ports:
- 80:8080
- 443:8443
- "80:8080"
- "443:8443"
environment:
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
container_name: bw-scheduler
depends_on:
- bunkerweb
volumes:
- bw-data:/data
environment:
BUNKERWEB_INSTANCES: "bunkerweb"
SERVER_NAME: "www.example.com" # replace with your domain
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
AUTO_LETS_ENCRYPT: "yes"
@ -17,57 +31,48 @@ services:
USE_REVERSE_PROXY: "yes"
REVERSE_PROXY_URL: "/"
REVERSE_PROXY_HOST: "http://mywp"
CUSTOM_CONF_MODSEC_CRS_wordpress: 'SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1"'
labels:
- "bunkerweb.INSTANCE=yes" # required for the scheduler to recognize the container
CUSTOM_CONF_MODSEC_CRS_wordpress: |
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
restart: "unless-stopped"
networks:
- bw-universe
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.0-beta
depends_on:
- mybunker
environment:
DOCKER_HOST: "tcp://bw-docker-proxy:2375"
volumes:
- bw-data:/data
networks:
- bw-universe
- bw-docker
bw-docker-proxy:
image: tecnativa/docker-socket-proxy:nightly
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- CONTAINERS=1
- LOG_LEVEL=warning
networks:
- bw-docker
mywp:
image: wordpress:6.1.1-apache
image: wordpress:6-apache
volumes:
- wp-data:/var/www/html
environment:
- WORDPRESS_DB_HOST=mydb
- WORDPRESS_DB_NAME=wp
- WORDPRESS_DB_USER=user
- WORDPRESS_DB_PASSWORD=db-user-pwd # set a stronger password in a .env file (must match MYSQL_PASSWORD)
- WORDPRESS_TABLE_PREFIX=prefix_ # best practice : replace with a random prefix
WORDPRESS_DB_HOST: "mydb"
WORDPRESS_DB_NAME: "wp"
WORDPRESS_DB_USER: "user"
WORDPRESS_DB_PASSWORD: "db-user-pwd" # set a stronger password in a .env file (must match MYSQL_PASSWORD)
WORDPRESS_TABLE_PREFIX: "prefix_" # best practice : replace with a random prefix
networks:
- bw-services
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=wp
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
MYSQL_ROOT_PASSWORD: "db-root-pwd" # replace with a stronger password
MYSQL_DATABASE: "wp"
MYSQL_USER: "user"
MYSQL_PASSWORD: "db-user-pwd" # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
networks:
- bw-services
@ -76,11 +81,13 @@ volumes:
wp-data:
db-data:
networks:
bw-universe:
name: bw-universe
ipam:
driver: default
config:
- subnet: 10.20.30.0/24
bw-services:
bw-docker:
name: bw-services
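Review bot: `mydb` keeps a fixed `MYSQL_ROOT_PASSWORD: "db-root-pwd"`, whereas the UI examples in this same commit use `MYSQL_RANDOM_ROOT_PASSWORD: "yes"`. As far as the visible hunks show, nothing in this file uses the root account (WordPress connects as `user`), so replacing that line with `MYSQL_RANDOM_ROOT_PASSWORD: "yes"` would remove one default credential from the example. The remaining `db-user-pwd` values already carry a reminder comment, which is good to keep.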


@ -13,7 +13,7 @@ else
echo "❌ No PHP user found"
exit 1
fi
curl https://wordpress.org/wordpress-6.1.1.tar.gz -Lo /tmp/wordpress.tar.gz
curl https://wordpress.org/latest.tar.gz -Lo /tmp/wordpress.tar.gz
tar -xzf /tmp/wordpress.tar.gz -C /tmp
cp -r /tmp/wordpress/* /var/www/html
chown -R $user:nginx /var/www/html
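Review bot: The download now fetches `latest.tar.gz`, so what is unpacked into `/var/www/html` changes over time and is not checked before `tar` runs. At minimum let curl fail on HTTP errors so an error page is never handed to tar: `curl -fL https://wordpress.org/latest.tar.gz -o /tmp/wordpress.tar.gz`. Better still, pin a release and compare the archive against a published checksum before extracting. Quoting `"$user"` in the `chown` line would also be safer. The script starts and continues outside this hunk.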


@ -2,7 +2,7 @@ version: "3"
services:
mywp:
image: wordpress:5-apache
image: wordpress:6-apache
volumes:
- wp-data:/var/www/html
networks:
@ -23,9 +23,26 @@ services:
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://mywp
- |
bunkerweb.CUSTOM_CONF_MODSEC_CRS_wordpress=
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
mydb:
image: mariadb
image: mariadb:11
volumes:
- db-data:/var/lib/mysql
networks: