From e2a3bfb106e82abecc1b05ddc2fb2b0079e536e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Fri, 2 Jun 2023 10:08:51 -0400
Subject: [PATCH 01/10] Bad behavior core tests change the ban time to 60 seconds
---
 tests/core/badbehavior/main.py | 4 ++--
 tests/core/badbehavior/test.sh | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/core/badbehavior/main.py b/tests/core/badbehavior/main.py
index 4e3c2cb88..ee61c0691 100644
--- a/tests/core/badbehavior/main.py
+++ b/tests/core/badbehavior/main.py
@@ -68,10 +68,10 @@ try:
 exit(1)
 elif bad_behavior_ban_time != "86400":
 print(
- "â„šī¸ Sleeping for 7s to wait if Bad Behavior's ban time changed ...",
+ "â„šī¸ Sleeping for 65s to wait if Bad Behavior's ban time changed ...",
 flush=True,
 )
- sleep(7)
+ sleep(65)
 status_code = get(
 f"http://www.example.com",
diff --git a/tests/core/badbehavior/test.sh b/tests/core/badbehavior/test.sh
index b2c321df9..1b61a5967 100755
--- a/tests/core/badbehavior/test.sh
+++ b/tests/core/badbehavior/test.sh
@@ -21,7 +21,7 @@ cleanup_stack () {
 if [[ $end -eq 1 || $exit_code = 1 ]] || [[ $end -eq 0 && $exit_code = 0 ]] && [ $manual = 0 ] ; then
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_BAD_BEHAVIOR: "no"@USE_BAD_BEHAVIOR: "yes"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_STATUS_CODES: "400 401 404 405 429 444"@BAD_BEHAVIOR_STATUS_CODES: "400 401 403 404 405 429 444"@' {} \;
- find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "5"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "60"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_THRESHOLD: "20"@BAD_BEHAVIOR_THRESHOLD: "10"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_COUNT_TIME: "5"@BAD_BEHAVIOR_COUNT_TIME: "60"@' {} \;
 if [[ $end -eq 1 && $exit_code = 0 ]] ; then
@@ -56,12 +56,12 @@ do
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_BAD_BEHAVIOR: "no"@USE_BAD_BEHAVIOR: "yes"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_STATUS_CODES: "400 401 403 404 405 429 444"@BAD_BEHAVIOR_STATUS_CODES: "400 401 404 405 429 444"@' {} \;
 elif [ "$test" = "ban_time" ] ; then
- echo "📟 Running tests with badbehavior's ban time changed to 5 seconds ..."
+ echo "📟 Running tests with badbehavior's ban time changed to 60 seconds ..."
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_STATUS_CODES: "400 401 404 405 429 444"@BAD_BEHAVIOR_STATUS_CODES: "400 401 403 404 405 429 444"@' {} \;
- find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "86400"@BAD_BEHAVIOR_BAN_TIME: "5"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "86400"@BAD_BEHAVIOR_BAN_TIME: "60"@' {} \;
 elif [ "$test" = "threshold" ] ; then
 echo "📟 Running tests with badbehavior's threshold set to 20 ..."
- find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "5"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "60"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_THRESHOLD: "10"@BAD_BEHAVIOR_THRESHOLD: "20"@' {} \;
 elif [ "$test" = "count_time" ] ; then
 echo "📟 Running tests with badbehavior's count time set to 5 seconds ..."
From 6cc20efe72e6be60e51289c69c6cbd5100ac8b40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Fri, 2 Jun 2023 10:30:02 -0400
Subject: [PATCH 02/10] Update bad behavior test BAD_BEHAVIOR_COUNT_TIME to 30 seconds
---
 tests/core/badbehavior/main.py | 4 ++--
 tests/core/badbehavior/test.sh | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/core/badbehavior/main.py b/tests/core/badbehavior/main.py
index ee61c0691..36027b7e0 100644
--- a/tests/core/badbehavior/main.py
+++ b/tests/core/badbehavior/main.py
@@ -86,11 +86,11 @@ try:
 exit(1)
 elif bad_behavior_count_time != "60":
 print(
- "â„šī¸ Sleeping for 7s to wait if Bad Behavior's count time changed ...",
+ "â„šī¸ Sleeping for 35s to wait if Bad Behavior's count time changed ...",
 flush=True,
 )
 current_time = datetime.now().timestamp()
- sleep(7)
+ sleep(35)
 print(
 "â„šī¸ Checking BunkerWeb's logs to see if Bad Behavior's count time changed ...",
diff --git a/tests/core/badbehavior/test.sh b/tests/core/badbehavior/test.sh
index 1b61a5967..00e7449e8 100755
--- a/tests/core/badbehavior/test.sh
+++ b/tests/core/badbehavior/test.sh
@@ -23,7 +23,7 @@ cleanup_stack () {
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_STATUS_CODES: "400 401 404 405 429 444"@BAD_BEHAVIOR_STATUS_CODES: "400 401 403 404 405 429 444"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "60"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_THRESHOLD: "20"@BAD_BEHAVIOR_THRESHOLD: "10"@' {} \;
- find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_COUNT_TIME: "5"@BAD_BEHAVIOR_COUNT_TIME: "60"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_COUNT_TIME: "30"@BAD_BEHAVIOR_COUNT_TIME: "60"@' {} \;
 if [[ $end -eq 1 && $exit_code = 0 ]] ; then
 return
 fi
@@ -64,9 +64,9 @@ do
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_BAN_TIME: "60"@BAD_BEHAVIOR_BAN_TIME: "86400"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_THRESHOLD: "10"@BAD_BEHAVIOR_THRESHOLD: "20"@' {} \;
 elif [ "$test" = "count_time" ] ; then
- echo "📟 Running tests with badbehavior's count time set to 5 seconds ..."
+ echo "📟 Running tests with badbehavior's count time set to 30 seconds ..."
 find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_THRESHOLD: "20"@BAD_BEHAVIOR_THRESHOLD: "10"@' {} \;
- find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_COUNT_TIME: "60"@BAD_BEHAVIOR_COUNT_TIME: "5"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@BAD_BEHAVIOR_COUNT_TIME: "60"@BAD_BEHAVIOR_COUNT_TIME: "30"@' {} \;
 fi
 echo "📟 Starting stack ..."
From 299a0b5c25980b09d8f9d902293b1350ae85bc6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Fri, 2 Jun 2023 10:36:31 -0400
Subject: [PATCH 03/10] Remove apk update at beginning of each Dockerfile
---
 src/autoconf/Dockerfile | 3 ---
 src/bw/Dockerfile | 3 ---
 src/scheduler/Dockerfile | 3 ---
 src/ui/Dockerfile | 3 ---
 4 files changed, 12 deletions(-)
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index 1880a1432..36cb44900 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
@@ -8,9 +8,6 @@ RUN mkdir -p /usr/share/bunkerweb/deps && \
 cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 > /usr/share/bunkerweb/deps/requirements.txt && \
 rm -rf /tmp/req
-# Update apk
-RUN apk update
-
 # Install python dependencies
 RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo postgresql-dev
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index 76891a7db..5e412bbbe 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -3,9 +3,6 @@ FROM nginx:1.24.0-alpine AS builder
 # Copy dependencies sources folder
 COPY src/deps /tmp/bunkerweb/deps
-# Update apk
-RUN apk update
-
 # Compile and install dependencies
 RUN apk add --no-cache --virtual .build-deps bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
 mkdir -p /usr/share/bunkerweb/deps && \
diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
index 05af7131d..9a57cd60b 100644
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@@ -9,9 +9,6 @@ RUN mkdir -p /usr/share/bunkerweb/deps && \
 cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
 rm -rf /tmp/req
-# Update apk
-RUN apk update
-
 # Install python dependencies
 RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo postgresql-dev
diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile
index dced23cb9..27587fefb 100755
--- a/src/ui/Dockerfile
+++ b/src/ui/Dockerfile
@@ -9,9 +9,6 @@ RUN mkdir -p /usr/share/bunkerweb/deps && \
 cat /tmp/req/requirements.txt /tmp/req/requirements.txt.1 /tmp/req/requirements.txt.2 > /usr/share/bunkerweb/deps/requirements.txt && \
 rm -rf /tmp/req
-# Update apk
-RUN apk update
-
 # Install python dependencies
 RUN apk add --no-cache --virtual .build-deps g++ gcc musl-dev jpeg-dev zlib-dev libffi-dev cairo-dev pango-dev gdk-pixbuf-dev openssl-dev cargo postgresql-dev file make
From 5c7cd38b5132c3d4739917e20327285ca14f51f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 14:04:44 -0400
Subject: [PATCH 04/10] Edit headers core plugins to use lua Code + Add new setting KEEP_UPSTREAM_HEADERS
---
 .../headers/confs/server-http/cookies.conf | 9 +++
 .../confs/server-http/custom-headers.conf | 5 --
 .../confs/server-http/remove-headers.conf | 5 --
 .../confs/server-http/security-headers.conf | 41 -----------
 src/common/core/headers/headers.lua | 70 +++++++++++++++++++
 src/common/core/headers/plugin.json | 11 ++-
 6 files changed, 89 insertions(+), 52 deletions(-)
 create mode 100644 src/common/core/headers/confs/server-http/cookies.conf
 delete mode 100644 src/common/core/headers/confs/server-http/custom-headers.conf
 delete mode 100644 src/common/core/headers/confs/server-http/remove-headers.conf
 delete mode 100644 src/common/core/headers/confs/server-http/security-headers.conf
 create mode 100644 src/common/core/headers/headers.lua
diff --git a/src/common/core/headers/confs/server-http/cookies.conf b/src/common/core/headers/confs/server-http/cookies.conf
new file mode 100644
index 000000000..f0efd7072
--- /dev/null
+++ b/src/common/core/headers/confs/server-http/cookies.conf
@@ -0,0 +1,9 @@
+{% for k, v in all.items() %}
+ {% if k.startswith("COOKIE_FLAGS") and v != "" +%}
+ {% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
+ set_cookie_flag {{ v }} secure;
+ {% else +%}
+ set_cookie_flag {{ v }};
+ {% endif +%}
+ {% endif +%}
+{% endfor %}
\ No newline at end of file
diff --git a/src/common/core/headers/confs/server-http/custom-headers.conf b/src/common/core/headers/confs/server-http/custom-headers.conf
deleted file mode 100644
index ea3a1c045..000000000
--- a/src/common/core/headers/confs/server-http/custom-headers.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-{% for k, v in all.items() +%}
- {% if k.startswith("CUSTOM_HEADER") and v != "" +%}
-more_set_headers "{{ v }}";
- {% endif %}
-{% endfor %}
\ No newline at end of file
diff --git a/src/common/core/headers/confs/server-http/remove-headers.conf b/src/common/core/headers/confs/server-http/remove-headers.conf
deleted file mode 100644
index 5eed2d974..000000000
--- a/src/common/core/headers/confs/server-http/remove-headers.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-{% if REMOVE_HEADERS != "" %}
- {% for header in REMOVE_HEADERS.split(" ") +%}
-more_clear_headers '{{ header }}';
- {% endfor %}
-{% endif %}
\ No newline at end of file
diff --git a/src/common/core/headers/confs/server-http/security-headers.conf b/src/common/core/headers/confs/server-http/security-headers.conf
deleted file mode 100644
index 2e4c4a285..000000000
--- a/src/common/core/headers/confs/server-http/security-headers.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-{% if STRICT_TRANSPORT_SECURITY != "" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
-more_set_headers "Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}";
-{% endif +%}
-
-{% for k, v in all.items() %}
- {% if k.startswith("COOKIE_FLAGS") and v != "" +%}
- {% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") +%}
- set_cookie_flag {{ v }} secure;
- {% else +%}
- set_cookie_flag {{ v }};
- {% endif +%}
- {% endif +%}
-{% endfor %}
-
-{% if CONTENT_SECURITY_POLICY != "" +%}
-more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
-{% endif +%}
-
-{% if REFERRER_POLICY != "" +%}
-more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
-{% endif +%}
-
-{% if PERMISSIONS_POLICY != "" +%}
-more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
-{% endif +%}
-
-{% if FEATURE_POLICY != "" +%}
-more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
-{% endif +%}
-
-{% if X_FRAME_OPTIONS != "" +%}
-more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
-{% endif +%}
-
-{% if X_CONTENT_TYPE_OPTIONS != "" +%}
-more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
-{% endif +%}
-
-{% if X_XSS_PROTECTION != "" +%}
-more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
-{% endif +%}
\ No newline at end of file
diff --git a/src/common/core/headers/headers.lua b/src/common/core/headers/headers.lua
new file mode 100644
index 000000000..c5cb31fa3
--- /dev/null
+++ b/src/common/core/headers/headers.lua
@@ -0,0 +1,70 @@
+local class = require "middleclass"
+local plugin = require "bunkerweb.plugin"
+local utils = require "bunkerweb.utils"
+
+local headers = class("headers", plugin)
+
+function headers:initialize()
+ -- Call parent initialize
+ plugin.initialize(self, "headers")
+ self.all_headers = {
+ ["STRICT_TRANSPORT_SECURITY"] = "Strict-Transport-Security",
+ ["CONTENT_SECURITY_POLICY"] = "Content-Security-Policy",
+ ["REFERRER_POLICY"] = "Referrer-Policy",
+ ["PERMISSIONS_POLICY"] = "Permissions-Policy",
+ ["FEATURE_POLICY"] = "Feature-Policy",
+ ["X_FRAME_OPTIONS"] = "X-Frame-Options",
+ ["X_CONTENT_TYPE_OPTIONS"] = "X-Content-Type-Options",
+ ["X_XSS_PROTECTION"] = "X-XSS-Protection"
+ }
+end
+
+function headers:header()
+ -- Override upstream headers if needed
+ for variable, header in pairs(self.all_headers) do
+ if ngx.header[header] == nil or self.variables[variable] and self.variables["KEEP_UPSTREAM_HEADERS"] ~= "*" and utils.regex_match(self.variables["KEEP_UPSTREAM_HEADERS"], "(^| )" .. header .. "($| )") == nil then
+ if header ~= "Strict-Transport-Security" or self.variables["AUTO_LETS_ENCRYPT"] == "yes" or self.variables["USE_CUSTOM_SSL"] == "yes" or self.variables["GENERATE_SELF_SIGNED_SSL"] == "yes" then
+ ngx.header[header] = self.variables[variable]
+ end
+ end
+ end
+ -- Get variables
+ local variables, err = utils.get_multiple_variables({ "CUSTOM_HEADER" })
+ if variables == nil then
+ return self:ret(false, err)
+ end
+ -- Add custom headers
+ for srv, vars in pairs(variables) do
+ if srv == ngx.var.server_name then
+ for var, value in pairs(vars) do
+ if utils.regex_match(var, "CUSTOM_HEADER") and value then
+ local m = utils.regex_match(value, "([\\w-]+): ([^,]+)")
+ if m then
+ ngx.header[m[1]] = m[2]
+ end
+ end
+ end
+ end
+ end
+ -- Remove headers
+ if self.variables["REMOVE_HEADERS"] then
+ local iterator, err = ngx.re.gmatch(self.variables["REMOVE_HEADERS"], "([\\w-]+)")
+ if not iterator then
+ return self:ret(false, "Error while matching remove headers: " .. err)
+ end
+ while true do
+ local m, err = iterator()
+ if err then
+ return self:ret(false, "Error while matching remove headers: " .. err)
+ end
+ if not m then
+ -- No more remove headers
+ break
+ end
+ ngx.header[m[1]] = nil
+ end
+ end
+ return self:ret(true, "Edited headers for request")
+end
+
+return headers
diff --git a/src/common/core/headers/plugin.json b/src/common/core/headers/plugin.json
index 5a59c474b..1ec999407 100644
--- a/src/common/core/headers/plugin.json
+++ b/src/common/core/headers/plugin.json
@@ -11,7 +11,7 @@
 "help": "Custom header to add (HeaderName: HeaderValue).",
 "id": "custom-header",
 "label": "Custom header (HeaderName: HeaderValue)",
- "regex": "^([\\w-]+: .+)?$",
+ "regex": "^([\\w-]+: [^,]+)?$",
 "type": "text",
 "multiple": "custom-headers"
 },
@@ -24,6 +24,15 @@
 "regex": "^(?! )( ?[\\w-]+)*$",
 "type": "text"
 },
+ "KEEP_UPSTREAM_HEADERS": {
+ "context": "multisite",
+ "default": "*",
+ "help": "Headers to keep from upstream (Header1 Header2 Header3 ... or * for all).",
+ "id": "keep-upstream-headers",
+ "label": "Keep upstream headers",
+ "regex": "^((?! )( ?[\\w-]+)+|\\*)?$",
+ "type": "text"
+ },
 "STRICT_TRANSPORT_SECURITY": {
 "context": "multisite",
 "default": "max-age=31536000",
From afe6da4cf581b11a0daa98b149955910efd9a8b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 14:05:10 -0400
Subject: [PATCH 05/10] Automatically add Content-Security-Policy header to response headers in the UI
---
 src/ui/main.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/ui/main.py b/src/ui/main.py
index 435f76e41..24f7b633e 100755
--- a/src/ui/main.py
+++ b/src/ui/main.py
@@ -247,10 +247,6 @@ def update_config():
 server_name = service.get("SERVER_NAME", {"value": None})["value"]
 endpoint = service.get("REVERSE_PROXY_URL", {"value": "/"})["value"]
- logger.warning(service.get("AUTO_LETS_ENCRYPT", {"value": "no"}))
- logger.warning(service.get("GENERATE_SELF_SIGNED_SSL", {"value": "no"}))
- logger.warning(service.get("USE_CUSTOM_SSL", {"value": "no"}))
-
 if any(
 [
 service.get("AUTO_LETS_ENCRYPT", {"value": "no"})["value"] == "yes",
@@ -282,9 +278,9 @@ def update_config():
 if SCRIPT_NAME != getenv("SCRIPT_NAME"):
 environ["SCRIPT_NAME"] = f"/{basename(ABSOLUTE_URI[:-1])}"
- logger.info(f"The script name is now {environ['SCRIPT_NAME']}")
+ logger.info(f"The SCRIPT_NAME is now {environ['SCRIPT_NAME']}")
 else:
- logger.info(f"The script name is still {environ['SCRIPT_NAME']}")
+ logger.info(f"The SCRIPT_NAME is still {environ['SCRIPT_NAME']}")
 def check_config_changes():
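Review bot: The `help` string for the new `KEEP_UPSTREAM_HEADERS` setting does not say what "keep" means, and its default of `*` changes the precedence of every security header in this plugin: as the lua hunk in this patch shows, a kept header is only set when the upstream did not send it, whereas the removed `more_set_headers` templates always overwrote the upstream value. An upstream that emits its own weaker `X-Frame-Options` or `Content-Security-Policy` therefore now reaches the client unchanged unless the operator narrows this setting. I would extend the help to `"Headers to keep from upstream (Header1 Header2 Header3 ... or * for all). A kept header is not overridden by the value configured in this plugin; it is only added when the upstream does not send it."` so the precedence is visible where the setting is chosen.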
@@ -387,6 +383,15 @@ def manage_bunkerweb(method: str, *args, operation: str = "reloads"):
 app.config["RELOADING"] = False
+@app.after_request
+def set_csp_header(response):
+ """Set the Content-Security-Policy header to prevent XSS attacks."""
+ response.headers[
+ "Content-Security-Policy"
+ ] = "object-src 'none'; frame-ancestors 'self';"
+ return response
+
+
 @login_manager.user_loader
 def load_user(user_id):
 return User(user_id, vars["ADMIN_PASSWORD"])
From 654172f436d0c917614a4b1ec28270383eac7475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 21:33:42 -0400
Subject: [PATCH 06/10] Update headers core plugin lua code
---
 src/common/core/headers/headers.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/common/core/headers/headers.lua b/src/common/core/headers/headers.lua
index c5cb31fa3..36b305157 100644
--- a/src/common/core/headers/headers.lua
+++ b/src/common/core/headers/headers.lua
@@ -35,7 +35,7 @@ function headers:header()
 end
 -- Add custom headers
 for srv, vars in pairs(variables) do
- if srv == ngx.var.server_name then
+ if srv == ngx.ctx.bw.server_name then
 for var, value in pairs(vars) do
 if utils.regex_match(var, "CUSTOM_HEADER") and value then
 local m = utils.regex_match(value, "([\\w-]+): ([^,]+)")
@@ -47,7 +47,7 @@ function headers:header()
 end
 end
 -- Remove headers
- if self.variables["REMOVE_HEADERS"] then
+ if self.variables["REMOVE_HEADERS"] ~= "" then
 local iterator, err = ngx.re.gmatch(self.variables["REMOVE_HEADERS"], "([\\w-]+)")
 if not iterator then
 return self:ret(false, "Error while matching remove headers: " .. err)
From c85a4183d8db95b5969b52f8b235ac8fd839b288 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 21:58:05 -0400
Subject: [PATCH 07/10] Fix Strict-Transport-Security not being sent
---
 src/common/core/headers/headers.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
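Review bot: The docstring on `set_csp_header` says the header prevents XSS, but `object-src 'none'; frame-ancestors 'self';` carries no `default-src` or `script-src` directive, so it does not restrict script execution at all; what it does is block plug-in objects and cross-origin framing (clickjacking). I would reword it to `"""Add a baseline Content-Security-Policy: no plug-in objects, same-origin framing only (sets no script-src, so it is not an XSS control)."""` so the next reader does not assume script injection is covered. The plain assignment also clobbers any stricter policy a view has already put on its response; `response.headers.setdefault("Content-Security-Policy", "object-src 'none'; frame-ancestors 'self';")` keeps the baseline without overriding a per-view value.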
diff --git a/src/common/core/headers/headers.lua b/src/common/core/headers/headers.lua
index 36b305157..bc855da70 100644
--- a/src/common/core/headers/headers.lua
+++ b/src/common/core/headers/headers.lua
@@ -21,9 +21,10 @@ end
 function headers:header()
 -- Override upstream headers if needed
+ local ssl = utils.get_variable("AUTO_LETS_ENCRYPT") == "yes" or utils.get_variable("USE_CUSTOM_SSL") == "yes" or utils.get_variable("GENERATE_SELF_SIGNED_SSL") == "yes"
 for variable, header in pairs(self.all_headers) do
 if ngx.header[header] == nil or self.variables[variable] and self.variables["KEEP_UPSTREAM_HEADERS"] ~= "*" and utils.regex_match(self.variables["KEEP_UPSTREAM_HEADERS"], "(^| )" .. header .. "($| )") == nil then
- if header ~= "Strict-Transport-Security" or self.variables["AUTO_LETS_ENCRYPT"] == "yes" or self.variables["USE_CUSTOM_SSL"] == "yes" or self.variables["GENERATE_SELF_SIGNED_SSL"] == "yes" then
+ if header ~= "Strict-Transport-Security" or ssl then
 ngx.header[header] = self.variables[variable]
 end
 end
From c20bd05d35305210bdac001e435d1ddc7872ef65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 21:59:29 -0400
Subject: [PATCH 08/10] Test Aqua Security
---
 src/bw/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index 5e412bbbe..f8ca5920a 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -70,7 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
 ln -s /proc/1/fd/1 /var/log/nginx/access.log
 # Fix CVEs
-RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
+# RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
 VOLUME /data /etc/nginx
From 84fcfb726d23ab22f79306d15b3b74cc2eb90259 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 22:07:14 -0400
Subject: [PATCH 09/10] Test Aqua Security 2
---
 src/autoconf/Dockerfile | 2 +-
 src/bw/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index 36cb44900..a9c6cbdc2 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
@@ -60,7 +60,7 @@ RUN apk add --no-cache bash && \
 chmod 750 /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/bin/bwcli /usr/share/bunkerweb/autoconf/main.py /usr/share/bunkerweb/deps/python/bin/*
 # Fix CVEs
-RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
+# RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
 VOLUME /data /etc/nginx
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index f8ca5920a..5e412bbbe 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -70,7 +70,7 @@ RUN apk add --no-cache pcre bash python3 && \
 ln -s /proc/1/fd/1 /var/log/nginx/access.log
 # Fix CVEs
-# RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
+RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
 VOLUME /data /etc/nginx
From 0ca7de1de190a4d11da7fceedfba176ae2dc87f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Mon, 5 Jun 2023 22:09:29 -0400
Subject: [PATCH 10/10] Add CVEs fixes back
---
 src/autoconf/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index a9c6cbdc2..36cb44900 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
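Review bot: The re-enabled `RUN apk add "libcrypto3>=3.0.8-r4" ...` line in `src/bw/Dockerfile` lacks `--no-cache`, unlike the `RUN apk add --no-cache` step shown in this hunk's header and the `RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"` line in the autoconf hunk of the same patch. Since patch 03 removed the preceding `apk update`, this step now depends on whatever package index is already present in the layer, so it may fail or resolve against a stale index at build time (inferred — the index state at that point is not visible here). Adding `--no-cache` to the line makes the two "Fix CVEs" steps consistent and keeps the fetched index out of the image. Patch 08 (the comment-out of this same line) and patch 10 (the autoconf re-enable) are the other hunks touching these lines.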
@@ -60,7 +60,7 @@ RUN apk add --no-cache bash && \
 chmod 750 /usr/share/bunkerweb/cli/main.py /usr/share/bunkerweb/helpers/*.sh /usr/bin/bwcli /usr/share/bunkerweb/autoconf/main.py /usr/share/bunkerweb/deps/python/bin/*
 # Fix CVEs
-# RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
+RUN apk add --no-cache "libcrypto3>=3.1.1-r0" "libssl3>=3.1.1-r0"
 VOLUME /data /etc/nginx