Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #3557 from bunkerity/dev
Some checks failed
Automatic push (RELEASE) / codeql (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (false, false, latest) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/autoconf/Dockerfile, autoconf) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/bw/Dockerfile, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/scheduler/Dockerfile, scheduler) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/api/Dockerfile, api) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/autoconf/Dockerfile, autoconf) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/bw/Dockerfile, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/scheduler/Dockerfile, scheduler) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/all-in-one/Dockerfile, all-in-one) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/api/Dockerfile, api) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/386, 386, src/ui/Dockerfile, ui) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/all-in-one/Dockerfile, all-in-one) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers (linux/amd64, amd64, src/ui/Dockerfile, ui) (push) Has been cancelled
Details
Automatic push (RELEASE) / create-arm (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-10, rpm, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-10, rpm, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-8, rpm, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (latest) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-8, rpm, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-9, rpm, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (false, false, latest) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/all-in-one/Dockerfile, all-in-one) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/api/Dockerfile, api) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/scheduler/Dockerfile, scheduler) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/ui/Dockerfile, ui) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/all-in-one/Dockerfile, all-in-one) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/ui/Dockerfile, ui) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (debian-bookworm, deb, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (debian-bookworm, deb, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (debian-trixie, deb, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (rhel-9, rpm, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/autoconf/Dockerfile, autoconf) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm/v7, armv7, src/bw/Dockerfile, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/api/Dockerfile, api) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/autoconf/Dockerfile, autoconf) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/bw/Dockerfile, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-containers-arm (linux/arm64, arm64, src/scheduler/Dockerfile, scheduler) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (fedora-44, rpm, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (debian-trixie, deb, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (fedora-43, rpm, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (fedora-43, rpm, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (fedora-44, rpm, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (ubuntu, deb, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (ubuntu, deb, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (ubuntu-jammy, deb, linux/amd64) (push) Has been cancelled
Details
Automatic push (RELEASE) / build-packages (ubuntu-jammy, deb, linux/arm64) (push) Has been cancelled
Details
Automatic push (RELEASE) / wait-builds (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (all-in-one, src/all-in-one/Dockerfile, bunkerweb-all-in-one) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (api, src/api/Dockerfile, bunkerweb-api) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (autoconf, src/autoconf/Dockerfile, bunkerweb-autoconf) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (bunkerweb, src/bw/Dockerfile, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (latest) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (scheduler, src/scheduler/Dockerfile, bunkerweb-scheduler) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-images (ui, src/ui/Dockerfile, bunkerweb-ui) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, debian-bookworm, deb, amd64, _, , bookworm) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, debian-trixie, deb, amd64, _, , trixie) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, el-10, rpm, x86_64, -, 1., 10) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, el-8, rpm, x86_64, -, 1., 8) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, el-9, rpm, x86_64, -, 1., 9) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, fedora-43, rpm, x86_64, -, 1., 43) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, fedora-44, rpm, x86_64, -, 1., 44) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, ubuntu, deb, amd64, _, , noble) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (amd64, ubuntu-jammy, deb, amd64, _, , jammy) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, debian-bookworm, deb, arm64, _, , bookworm) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, debian-trixie, deb, arm64, _, , trixie) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, el-10, rpm, aarch64, -, 1., 10) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, el-8, rpm, aarch64, -, 1., 8) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, el-9, rpm, aarch64, -, 1., 9) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, fedora-43, rpm, aarch64, -, 1., 43) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, fedora-44, rpm, aarch64, -, 1., 44) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, ubuntu, deb, arm64, _, , noble) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (arm64, ubuntu-jammy, deb, arm64, _, , jammy) (push) Has been cancelled
Details
Automatic push (RELEASE) / push-packages (latest, bunkerweb) (push) Has been cancelled
Details
Automatic push (RELEASE) / doc-pdf (push) Has been cancelled
Details
Automatic push (RELEASE) / push-gh (push) Has been cancelled
Details
Automatic push (RELEASE) / push-doc (push) Has been cancelled
Details
Automatic push (RELEASE) / rm-arm (push) Has been cancelled
Details

Browse source 
Road to 1.6.10 🚀
This commit is contained in:
Théophile Diot 2026-05-19 15:29:29 +02:00 committed by GitHub
commit b0f9622b93
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4794 changed files with 516273 additions and 407891 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

385
.coderabbit.yaml Normal file
View file

@ -0,0 +1,385 @@
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
language: "en-GB"
tone_instructions: "Be direct, technical, and actionable. Cite exact lines.
Prefer concrete guidance over vague suggestions. Use British English."
early_access: false
knowledge_base:
opt_out: false
web_search:
enabled: false
code_guidelines:
enabled: true
code_generation:
docstrings:
language: "en-GB"
reviews:
profile: "assertive"
request_changes_workflow: true
high_level_summary: true
high_level_summary_in_walkthrough: true
high_level_summary_instructions: |
Summarise the PR by BunkerWeb component (`src/api`, `src/ui`, `src/common`, `src/bw`, `src/linux`, `.github`, `tests`, `docs`, `examples`).
Always call out: security impact, user-visible behaviour changes, configuration or schema changes, packaging or deployment impact, and whether documentation/tests were updated.
Keep the summary terse, technical, and suitable for maintainers reviewing a security-critical WAF project.
review_status: true
review_details: true
collapse_walkthrough: false
changed_files_summary: true
sequence_diagrams: false
estimate_code_review_effort: true
assess_linked_issues: true
related_issues: true
related_prs: true
suggested_labels: false
suggested_reviewers: false
enable_prompt_for_ai_agents: true
# Fun features — keep CodeRabbit cheerful
poem: true
in_progress_fortune: true
commit_status: true
fail_commit_status: false
abort_on_close: true
auto_review:
enabled: true
drafts: false
auto_incremental_review: true
auto_pause_after_reviewed_commits: 8
base_branches:
- "staging"
- "rc"
- "dev"
ignore_title_keywords:
- "WIP"
- "[WIP]"
- "RFC"
- "DO NOT REVIEW"
ignore_usernames:
- "dependabot[bot]"
- "TheophileDiot"
- "fl0ppy-d1sk"
slop_detection:
enabled: true
label: "needs-review"
pre_merge_checks:
title:
mode: "warning"
requirements: |
Use Conventional Commits or the "<component> - description" format already used in BunkerWeb history.
Examples: "feat: add bunkernet retry backoff", "fix(ui): escape next param", "docs: update advanced guide", "bunkernet - harden anonymous report".
Keep titles under ~70 characters; put detail in the description.
description:
mode: "warning"
issue_assessment:
mode: "off"
docstrings:
mode: "off"
finishing_touches:
# Auto-generated tests risk false confidence on a WAF; contributors write them.
unit_tests:
enabled: false
path_filters:
- "**"
# Override CodeRabbit's default !**/gen/** block — src/common/gen/ is BunkerWeb's settings engine
- "**/gen/**"
- "!src/deps/**"
# Vendored OWASP Core Rule Set — upstream files, leave crs-setup-v*.conf reviewable
- "!src/common/core/modsecurity/files/coreruleset-v*/**"
# Vendored third-party UI libraries (bootstrap, ace, datatables, jquery, purify, etc.)
- "!src/ui/app/static/libs/**"
# BunkerWeb runtime assets: root CA + MaxMind GeoIP databases (asn.mmdb, country.mmdb)
- "!src/bw/misc/**"
- "!src/VERSION"
- "!examples/community/**"
# Mkdocs site chrome
- "!docs/assets/**"
- "!docs/overrides/**"
- "!docs/misc/**"
- "!**/node_modules/**"
- "!**/.venv/**"
- "!**/venv/**"
- "!**/.pytest_cache/**"
- "!**/__pycache__/**"
- "!**/dist/**"
- "!**/build/**"
- "!**/*.min.js"
- "!**/*.pkg"
- "!**/*.log.txt"
- "!**/*.svg"
- "!**/*.drawio"
- "!**/*.patch*"
- "!**/*.ascii"
- "!**/*.tf"
- "!**/*.tftpl"
- "!**/*.key"
- "!.claude/**"
- "!.gemini/**"
- "!misc/generated/**"
path_instructions:
- path: "**/*.py"
instructions: |
Follow BunkerWeb's Python standards and security posture:
- Use snake_case for functions and variables, PascalCase for classes, and provide concise, accurate docstrings for public classes, functions, and methods.
- Respect Black formatting with a 160-character line limit and the existing pre-commit conventions. Do not insist on adding type annotations to previously untyped code, but accept them when added consistently.
- Catch specific exceptions; never use bare `except:`. Catching `Exception` is acceptable only at explicit process boundaries (for example scheduler loops, outer job runners, worker entrypoints, or graceful-shutdown boundaries) when the code logs enough context and either re-raises, returns an error status, or terminates safely.
- Never use `os.system`, `subprocess.*(..., shell=True)`, `eval`, or `exec`. Pass subprocess arguments as a list and prefer explicit binary paths for privileged operations.
- Do not use unsafe deserialisers (`pickle`, `marshal`, `shelve`, `jsonpickle`, `dill`) for untrusted data. Use `yaml.safe_load()` rather than unsafe YAML loading.
- Open files with an explicit encoding (normally `utf-8`) and use `with` statements for files, sockets, database sessions, and temporary resources.
- Use `secrets` for token generation and `hmac.compare_digest` for token, HMAC, or signature comparisons.
- For HTTP clients (`requests`, `httpx`): always set an explicit timeout, validate destination URLs to block RFC1918/loopback/link-local ranges (SSRF), disable automatic redirects to internal hosts, and be careful with proxy settings.
- For filesystem operations: resolve paths with `Path.resolve()` and verify they remain under the intended base directory before reading or writing (path traversal).
- Use `defusedxml` rather than stdlib XML parsers for untrusted XML.
- For SQLAlchemy, use bound parameters and safe query construction. Never call `text()` with f-strings or `.format()`, and flag `.execute()` calls built from string concatenation. Do not recommend Django-specific APIs such as `full_clean()`, `select_related()`, or `prefetch_related()` — BunkerWeb uses SQLAlchemy, not Django.
- For Jinja2, keep autoescaping enabled and never apply `|safe` to user-controlled data.
- Scrub secrets, tokens, cookies, database URIs, and `Authorization` headers from logs. Use the logging framework rather than `print()`.
- Secrets, API keys, and credentials must never be hard-coded; use environment variables, Docker secrets, or configuration templates.
- path: "src/api/**/*.py"
instructions: |
`src/api/` is the FastAPI service:
- Avoid blocking I/O in async endpoints and background tasks.
- Validate request models strictly and return precise HTTP status codes.
- Authentication, authorisation, CORS, and rate-limiting changes must preserve secure defaults.
- Propagate bounded timeouts to any outbound calls and avoid retry loops without caps, jitter, and logging.
- Be careful with streaming responses, file downloads, and proxy-like behaviour: validate content types, filenames, and upstream destinations.
- path: "src/ui/**/*.py"
instructions: |
`src/ui/` is the admin UI and related backend:
- State-changing routes must enforce CSRF protection where browser sessions are used.
- Session, remember-me, and auth-cookie changes must preserve `Secure`, `HttpOnly`, and appropriate `SameSite` behaviour.
- Redirect targets such as `next` parameters must be validated against an allowlist or local-path policy.
- For templates and forms, escape user-controlled data, validate uploads by type and size, and keep files outside the web root unless there is a deliberate reviewed exception.
- BunkerWeb uses `bcrypt`; flag any move towards weak password hashing or plaintext credential handling.
- path: "src/common/gen/**/*.py"
instructions: |
`src/common/gen/` drives settings validation and config generation:
- Preserve determinism: the same validated settings should render the same output.
- Do not bypass the configurator or validation layer when introducing new settings.
- Any template change that depends on a new setting should come with the corresponding schema or plugin metadata update.
- Be careful with escaping and quoting so user-supplied settings cannot break out of generated directives or file formats.
- path: "src/common/db/alembic/**/*.py"
instructions: |
Alembic migrations must be safe across supported databases:
- Make schema changes forward-safe, and keep downgrades sane when practical.
- Avoid long-running table rewrites or irreversible destructive operations without a strong justification in the PR.
- Backfills must be idempotent and chunked when data volume could be significant.
- Do not import current ORM models into old migrations; use explicit table definitions or migration-time constructs.
- path: "**/tests/**/*.py"
instructions: |
Tests should verify observable behaviour, not incidental implementation details:
- Prefer Arrange-Act-Assert structure and descriptive test names.
- Avoid broad exception swallowing, arbitrary sleeps, and unnecessary mocks.
- Prefer local containers, fixtures, and deterministic inputs over external services.
- When a PR fixes a regression, ask for a regression test that fails before the fix and passes after it.
- path: "**/plugin.json"
instructions: |
`plugin.json` files define the settings schema that the configurator depends on:
- Ensure setting IDs remain stable unless there is an intentional breaking change.
- Each setting should declare the expected metadata (`context`, `type`, defaults, help text, validation rules) and keep backwards compatibility in mind.
- Regex validators must be anchored where appropriate, compile cleanly, and avoid catastrophic backtracking. Default values must satisfy their own validators.
- When `jobs` are declared, verify schedule values, referenced scripts, and reload behaviour. Script paths must exist under the plugin tree.
- If a PR changes a setting ID, type, context, accepted value shape, or compatibility behaviour, require migration notes and any necessary Alembic or config-migration work.
- path: "**/*.lua"
instructions: |
Lua code runs on OpenResty and often sits on the request hot path:
- Use local variables and local module tables; avoid globals.
- Cache `ngx.var.*` and `ngx.req.*` values in locals instead of re-reading them repeatedly.
- Precompile regular expressions in module-level locals; never compile inside request loops. For `ngx.re.match`/`find`/`gmatch`/`sub`, pass the option string `"jo"` (`j` enables PCRE JIT, `o` compiles the pattern once and caches it), anchor patterns with `^...$` when a full match is intended, and cap input length before matching to prevent ReDoS.
- Validate and sanitise all request-derived input. Never evaluate request-derived code via `load`, `loadstring`, or similar mechanisms.
- Avoid blocking file I/O or synchronous network calls in request handlers. Use OpenResty-safe APIs and bounded caches.
- Shared-dictionary read-modify-write sequences are race-prone; prefer atomic operations such as `incr` or explicit locking where correctness matters.
- Never log request bodies, cookies, bearer tokens, or other secrets.
- Use `pcall` or explicit error handling at safe boundaries so a malformed request or upstream failure does not crash worker processes.
- Use `cjson` safely for JSON encode/decode and do not build JSON by string concatenation.
- path: "**/*.sh"
instructions: |
Shell scripts must match BunkerWeb's portability expectations:
- If the script is POSIX shell, prefer `set -eu`; if it explicitly requires Bash, use `set -euo pipefail`.
- Quote variables and command substitutions consistently and prefer `${var}` when concatenating.
- Do not use Bash-only features in `/bin/sh` scripts.
- Handle failures explicitly, use `trap` for cleanup where temporary files are created, and use `mktemp` safely.
- Never use `curl | sh` or `wget | sh`; verify downloads by checksum or signature and avoid `-k` / `--insecure`.
- Do not rely on inherited `PATH` in privileged contexts; set it explicitly where needed.
- Avoid `eval` and unsafe command construction from untrusted data.
- path: "src/ui/**/*.js"
instructions: |
UI JavaScript should remain framework-light, secure, and accessible:
- Prefer `const` / `let`, strict equality, explicit null checks, and clear error handling for async flows.
- Never use `eval`, the `Function` constructor, or string forms of `setTimeout` / `setInterval`.
- Do not assign dynamic content to `innerHTML` or `outerHTML`; prefer DOM construction APIs (`createElement` + `appendChild`). When untrusted HTML is unavoidable, sanitise via the DOMPurify build already shipped at `src/ui/app/static/libs/purify/purify.min.js` (referenced from `utils.js`, `dataTableInit.js`, `pages/profile.js`).
- Validate `postMessage` origins, avoid `"*"` target origins, and be careful with storage APIs and cross-window communication.
- Maintain keyboard accessibility, ARIA correctness, and sensible focus management for interactive UI changes.
- path: "src/ui/**/*.html"
instructions: |
HTML templates and UI fragments must be semantic and safe:
- Maintain a correct heading hierarchy and use semantic layout elements where they improve clarity.
- Provide labels, `alt` text, and ARIA attributes where needed for accessibility.
- Do not add inline scripts or inline event handlers unless there is a strong reviewed reason.
- Escape user-controlled values and avoid markup patterns that weaken CSP or enable DOM XSS.
- Any new external asset should justify trust, integrity, and loading behaviour.
- path: "src/ui/**/*.css"
instructions: |
CSS should work with the existing UI stack rather than fight it:
- Respect the existing Bootstrap-oriented approach and prefer small, targeted overrides over large bespoke frameworks.
- Flag hand-written rules that duplicate existing utilities, rely on `!important`, or create unnecessary specificity wars.
- Prefer CSS custom properties and reusable patterns over copy-pasted values.
- Keep responsiveness and accessibility in mind, especially focus states, contrast, and reduced-motion behaviour where relevant.
- path: ".github/workflows/**/*.yml"
instructions: &github_actions_instructions |
GitHub Actions workflows must be reproducible and safe:
- Pin third-party actions by commit SHA, not floating tags.
- Declare an explicit top-level `permissions:` block and keep it minimal by default.
- Be extremely careful with `pull_request_target`: do not combine untrusted PR code with repository secrets.
- Do not interpolate `${{ github.event.* }}` values directly inside `run:` scripts; assign them via `env:` first to reduce script-injection risk.
- Use `concurrency` intentionally: cancel superseded PR jobs, but avoid cancelling release or deployment jobs that should run to completion.
- path: ".github/workflows/**/*.yaml"
instructions: *github_actions_instructions
- path: ".pre-commit-config.yaml"
instructions: |
Keep the pre-commit stack aligned with repository reality:
- Hook revisions should stay pinned immutably.
- Exclusions for vendored, generated, minified, or upstream files should stay deliberate and in sync with CodeRabbit's own exclusions where practical.
- New hooks must not silently reformat or reject large swathes of historical code without an agreed migration plan.
- path: "**/*.yaml"
instructions: &yaml_instructions |
YAML files (CI, Compose, Kubernetes, app config, docs config) must be structured and reproducible:
- Use consistent indentation, stable key ordering where the project already has one, and avoid duplicate keys.
- Pin container images, dependency versions, and GitHub Actions rather than using `latest`.
- Never commit secrets in plaintext; use secret managers, encrypted values, or template/example files.
- Docker Compose changes should prefer `read_only`, `no-new-privileges`, dropped capabilities, and minimal mounts where compatible.
- Kubernetes manifests should prefer `runAsNonRoot`, `allowPrivilegeEscalation: false`, `seccompProfile: RuntimeDefault`, dropped capabilities, and explicit resource requests/limits.
- path: "**/*.yml"
instructions: *yaml_instructions
- path: "**/Dockerfile*"
instructions: |
Dockerfiles must be hardened and reproducible:
- Do not use `latest`; pin base images precisely, ideally by digest when the workflow supports it.
- Prefer multi-stage builds and keep the runtime image small.
- Install packages in a single `RUN` layer and clean the package cache in that same layer. BunkerWeb ships all three families under `src/linux/Dockerfile-*`:
- Debian/Ubuntu: `apt-get update && apt-get install -y --no-install-recommends <packages> && apt-get clean && rm -rf /var/lib/apt/lists/*`
- Alpine: `apk add --no-cache <packages>`
- Fedora/RHEL: `dnf install -y <packages> && dnf clean all && rm -rf /var/cache/dnf`
- Prefer `COPY` over `ADD`, avoid passing secrets via `ARG`, and use BuildKit secrets for sensitive material.
- The final runtime stage should run as a non-root user unless there is a documented reason not to.
- Exposing 80 and 443 is expected for BunkerWeb and should not be flagged as a problem by itself.
- path: "src/common/**/confs/**/*"
instructions: |
This tree contains Jinja2-templated NGINX configuration rendered by `src/common/gen/Templator.py`. Files mix `{% ... %}` and `{{ ... }}` blocks with NGINX directives. Apply these rules to the rendered NGINX intent, NOT to Jinja control blocks:
- Enforce TLS 1.2 and 1.3 only; disable TLS 1.0/1.1. Specify strong cipher suites and `ssl_prefer_server_ciphers on`.
- Enable OCSP stapling (`ssl_stapling on; ssl_stapling_verify on;`) with a `resolver` that sets `valid=` and avoids external resolvers like `8.8.8.8` unless the user explicitly configures one.
- Use HSTS (`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;`). Only add `preload` if the domain is actually submitted to the HSTS preload list.
- Set `client_body_timeout`, `client_header_timeout`, `keepalive_timeout`, and `proxy_read_timeout` explicitly (typically 60s or less); do not hard-code values that bypass the settings engine.
- Define `client_max_body_size` appropriately and limit connections and requests per IP with `limit_conn` and `limit_req_zone`.
- Set `server_tokens off` and strip `Server`/`X-Powered-By` headers.
- Recommend security headers: `X-Content-Type-Options nosniff`, `X-Frame-Options DENY` or `SAMEORIGIN`, `Referrer-Policy`, `Content-Security-Policy`, `Permissions-Policy`, `Cross-Origin-Opener-Policy: same-origin`, and `Cross-Origin-Resource-Policy: same-site` on UI responses. Do not flag their absence on reverse-proxied upstream responses. Do NOT require `X-XSS-Protection`; the legacy filter is deprecated — set it to `0` if set at all and rely on CSP.
- `proxy_http_version 1.1` with explicit hop-by-hop header handling to avoid request smuggling. Strip client-supplied `X-Forwarded-*` headers and repopulate them from the trusted real-IP source only.
- Never `proxy_pass` to an upstream constructed from a request variable (SSRF).
- Prefer prefix `location` blocks over regex locations when possible; avoid fragile nested `if` logic.
- `proxy_intercept_errors on` to avoid leaking upstream error pages.
- Do not hard-code values that should come from the settings engine or validated plugin metadata. Template changes that rely on new settings require a matching `plugin.json` update and Configurator validation (`src/common/gen/Configurator.py`).
- Ensure any variable interpolation is safe: values come from the settings engine and are pre-validated, but double-check that user-supplied strings cannot break directive syntax or smuggle extra directives.
- Remove sensitive information (passwords, keys) from configuration files. Comments must not expose internal details.
- path: "src/common/core/modsecurity/**/*.modsec"
instructions: &modsec_instructions |
ModSecurity rules and config must preserve protection without unnecessary false positives:
- Keep the OWASP Core Rule Set wiring intact unless there is a clearly justified change.
- Document rule exclusions and paranoia-level adjustments with a concrete reason.
- Request-body limits, audit logging, and parsing behaviour should remain explicit and secure.
- Do not weaken inspection, disable whole rule classes, or broaden allowlists without a strong, specific reason.
- path: "src/common/core/modsecurity/**/*.conf"
instructions: *modsec_instructions
- path: "src/linux/fpm-*"
instructions: |
Packaging metadata should remain distribution-aware and idempotent:
- Dependencies must correspond to real package names for the target distribution and version.
- Post-install and pre-remove logic should be safe to run repeatedly.
- Ownership, permissions, service enablement, and directory creation must be explicit and conservative.
- Do not remove user data on uninstall unless the operation is explicitly a purge.
- path: "**/*.service"
instructions: |
systemd units should be hardened where compatible with the service:
- Prefer dedicated `User=` / `Group=` accounts, `NoNewPrivileges=true`, `PrivateTmp=true`, and tight filesystem protections.
- Add `ReadWritePaths=` only for legitimate writable locations.
- Restart behaviour should be explicit and sensible for long-running services.
- Recommend additional sandboxing directives only when they are compatible with the service's actual needs.
- path: "**/*.md"
instructions: |
Documentation should be concise, accurate, and written in British English:
- Keep the structure clear with a sensible heading hierarchy.
- Prefer concrete instructions, accurate examples, and explicit prerequisites.
- Check that commands, paths, and references still match the codebase and supported deployment modes.
- When a PR changes behaviour, defaults, packaging, or security posture, ask for the corresponding documentation update.
tools:
github-checks:
enabled: true
timeout_ms: 120000
languagetool:
enabled: true
level: "default"
gitleaks:
enabled: true
luacheck:
enabled: true
shellcheck:
enabled: true
hadolint:
enabled: true
yamllint:
enabled: true
actionlint:
enabled: true
markdownlint:
enabled: true
checkov:
enabled: true
osvScanner:
enabled: true
htmlhint:
enabled: true
dotenvLint:
enabled: true
flake8:
enabled: false
ruff:
enabled: false
eslint:
enabled: false
stylelint:
enabled: false
semgrep:
enabled: false
biome:
enabled: false
chat:
auto_reply: true

2
.github/ISSUE_TEMPLATE/bug_report.yml vendored
View file

@ -51,7 +51,7 @@ body:
label: BunkerWeb version
description: What version of BunkerWeb are you running?
placeholder: Version
value: 1.6.9
value: 1.6.10
validations:
required: true
- type: dropdown

26
.github/workflows/beta.yml vendored
View file

@ -110,8 +110,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
rhel-8,
rhel-9,
rhel-10,
@ -126,10 +126,10 @@ jobs:
package: deb
- linux: debian-trixie
package: deb
- linux: fedora-42
package: rpm
- linux: fedora-43
package: rpm
- linux: fedora-44
package: rpm
- linux: rhel-8
package: rpm
- linux: rhel-9
@ -229,8 +229,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
el-8,
el-9,
el-10,
@ -255,16 +255,16 @@ jobs:
suffix: ""
version: trixie
package: deb
- linux: fedora-42
separator: "-"
suffix: "1."
version: 42
package: rpm
- linux: fedora-43
separator: "-"
suffix: "1."
version: 43
package: rpm
- linux: fedora-44
separator: "-"
suffix: "1."
version: 44
package: rpm
- linux: el-8
separator: "-"
suffix: "1."
@ -294,10 +294,10 @@ jobs:
- linux: debian-trixie
arch: amd64
package_arch: amd64
- linux: fedora-42
- linux: fedora-43
arch: amd64
package_arch: x86_64
- linux: fedora-43
- linux: fedora-44
arch: amd64
package_arch: x86_64
- linux: el-8
@ -321,10 +321,10 @@ jobs:
- linux: debian-trixie
arch: arm64
package_arch: arm64
- linux: fedora-42
- linux: fedora-43
arch: arm64
package_arch: aarch64
- linux: fedora-43
- linux: fedora-44
arch: arm64
package_arch: aarch64
- linux: el-8

4
.github/workflows/codeql.yml vendored
View file

@ -36,12 +36,12 @@ jobs:
python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
setup-python-dependencies: false
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
with:
category: "/language:${{matrix.language}}"

39
.github/workflows/container-build.yml vendored
View file

@ -85,13 +85,13 @@ jobs:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7
- name: Login to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
if: inputs.PUSH == true
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -105,7 +105,7 @@ jobs:
# Build cached image
- name: Build image
if: inputs.CACHE == true
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}
@ -118,7 +118,7 @@ jobs:
# Build non-cached image
- name: Build image
if: inputs.CACHE != true
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}
@ -127,30 +127,17 @@ jobs:
tags: local/${{ inputs.IMAGE }}
cache-to: type=registry,ref=docker.io/bunkerity/bw-images-cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=max
labels: ${{ steps.meta.outputs.labels }}
# Check OS vulnerabilities
- name: Check OS vulnerabilities
# Check vulnerabilities with Docker Scout
- name: Docker Scout CVE Analysis
if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1.20.4
with:
vuln-type: os
skip-dirs: /root/.cargo
image-ref: local/${{ inputs.IMAGE }}
format: table
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivyignores: .trivyignore
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
# - name: Docker Scout Analysis # TODO: Add back when the openssl shenanigans are fixed
# if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
# uses: docker/scout-action@aceeb83b88f2ae54376891227858dda7af647183 # v1.18.1
# with:
# command: cves,recommendations
# image: local/${{ inputs.IMAGE }}
# only-fixed: true
# only-package-types: apk
# exit-code: true
command: cves,recommendations
image: local/${{ inputs.IMAGE }}
only-package-types: apk,golang
only-fixed: true
exit-code: true
summary: true
# Push image
- name: Push image
if: inputs.PUSH == true

8
.github/workflows/create-arm.yml vendored
View file

@ -36,7 +36,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Get ARM availabilities
id: availabilities
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
with:
args: instance server-type get zone=fr-par-2
export-config: true
@ -46,14 +46,14 @@ jobs:
default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
- name: Extract ARM type
run: |
TYPE=$(echo "$JSON" | jq '.servers | with_entries(select(.key | contains("COPARM1-"))) | with_entries(select(.value.availability != "shortage")) | keys[] | select(. | test("^COPARM1-[0-9]+C-[0-9]+G$"))' | sed 's/"//g' | cut -d '-' -f 2,3 | sort -g | tail -n 1 | xargs -I {} echo "COPARM1-{}")
TYPE=$(echo "$JSON" | jq -r '.servers | to_entries | map(select(.key | test("^BASIC2-A[0-9]+C-[0-9]+G$"))) | map(select(.value.availability != "shortage")) | map(. + {cores: (.key | capture("A(?<n>[0-9]+)C") | .n | tonumber), ram: (.key | capture("C-(?<n>[0-9]+)G") | .n | tonumber)}) | sort_by(.cores, .ram) | last.key')
echo "Type is $TYPE"
echo "TYPE=$TYPE" >> "$GITHUB_ENV"
env:
JSON: ${{ steps.availabilities.outputs.json }}
- name: Create ARM VM
id: scw
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
with:
args: instance server create zone=fr-par-2 type=${{ env.TYPE }} root-volume=block:100GB
- name: Get info
@ -62,7 +62,7 @@ jobs:
echo "id=${{ fromJson(steps.scw.outputs.json).id }}" >> "$GITHUB_OUTPUT"
echo "ip=${{ fromJson(steps.scw.outputs.json).public_ip.address }}" >> "$GITHUB_OUTPUT"
- name: Wait for VM
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
with:
args: instance server wait ${{ fromJson(steps.scw.outputs.json).ID }} zone=fr-par-2
- name: Wait for SSH

24
.github/workflows/dev.yml vendored
View file

@ -53,8 +53,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
rhel-8,
rhel-9,
rhel-10,
@ -69,10 +69,10 @@ jobs:
package: deb
- linux: debian-trixie
package: deb
- linux: fedora-42
package: rpm
- linux: fedora-43
package: rpm
- linux: fedora-44
package: rpm
- linux: rhel-8
package: rpm
- linux: rhel-9
@ -189,12 +189,12 @@ jobs:
to: bunkerweb-all-in-one
steps:
- name: Login to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -213,8 +213,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
el-8,
el-9,
el-10,
@ -242,18 +242,18 @@ jobs:
suffix: ""
version: trixie
package: deb
- linux: fedora-42
package_arch: x86_64
separator: "-"
suffix: "1."
version: 42
package: rpm
- linux: fedora-43
package_arch: x86_64
separator: "-"
suffix: "1."
version: 43
package: rpm
- linux: fedora-44
package_arch: x86_64
separator: "-"
suffix: "1."
version: 44
package: rpm
- linux: el-8
package_arch: x86_64
separator: "-"

7
.github/workflows/doc-to-pdf.yml vendored
View file

@ -19,11 +19,11 @@ jobs:
with:
python-version: "3.10"
- name: Install doc dependencies
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev pngquant
- name: Install chromium
run: sudo apt update && sudo apt install chromium-browser
- name: Install node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
- name: Install puppeteer
@ -35,7 +35,8 @@ jobs:
run: mkdocs serve -f mkdocs_print.yml & sleep 15
- name: Run pdf script
run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
retention-days: 7
path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf

13
.github/workflows/linux-build.yml vendored
View file

@ -94,12 +94,12 @@ jobs:
endpoint: ssh://root@arm
platforms: linux/arm64,linux/arm/v7
- name: Login to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -107,7 +107,7 @@ jobs:
# Build testing package image
- name: Build package image
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
load: true
@ -119,7 +119,7 @@ jobs:
# Build non-testing package image
- name: Build package image
if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev' && inputs.RELEASE != 'ui' && inputs.RELEASE != '1.5'
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
load: true
@ -143,9 +143,10 @@ jobs:
scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
env:
LARCH: ${{ env.LARCH }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
retention-days: 7
path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
# Build test image
- name: Extract metadata
@ -156,7 +157,7 @@ jobs:
images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
- name: Build test image
if: inputs.TEST == true
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
file: tests/linux/Dockerfile-${{ inputs.LINUX }}

2
.github/workflows/push-doc.yml vendored
View file

@ -37,7 +37,7 @@ jobs:
with:
python-version: "3.10"
- name: Install doc dependencies
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev
run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev pngquant
- name: Set up hidden documentation
if: inputs.HIDDEN == true
run: |

6
.github/workflows/push-docker.yml vendored
View file

@ -35,12 +35,12 @@ jobs:
- name: Check out repository code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -87,7 +87,7 @@ jobs:
images: bunkerity/${{ inputs.IMAGE }}
# Build and push
- name: Build and push
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
file: ${{ inputs.DOCKERFILE }}

4
.github/workflows/push-github.yml vendored
View file

@ -108,7 +108,7 @@ jobs:
# Create release
- name: Create release
if: inputs.VERSION != 'testing'
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
body: |
Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
@ -137,7 +137,7 @@ jobs:
# Create release
- name: Create release
if: inputs.VERSION == 'testing'
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
body: |
**The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**

2
.github/workflows/push-packagecloud.yml vendored
View file

@ -42,7 +42,7 @@ jobs:
- name: Check out repository code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install ruby
uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 # v1.292.0
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
with:
ruby-version: "3.0"
- name: Install packagecloud

26
.github/workflows/rc.yml vendored
View file

@ -110,8 +110,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
rhel-8,
rhel-9,
rhel-10,
@ -126,10 +126,10 @@ jobs:
package: deb
- linux: debian-trixie
package: deb
- linux: fedora-42
package: rpm
- linux: fedora-43
package: rpm
- linux: fedora-44
package: rpm
- linux: rhel-8
package: rpm
- linux: rhel-9
@ -233,8 +233,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
el-8,
el-9,
el-10,
@ -259,16 +259,16 @@ jobs:
suffix: ""
version: trixie
package: deb
- linux: fedora-42
separator: "-"
suffix: "1."
version: 42
package: rpm
- linux: fedora-43
separator: "-"
suffix: "1."
version: 43
package: rpm
- linux: fedora-44
separator: "-"
suffix: "1."
version: 44
package: rpm
- linux: el-8
separator: "-"
suffix: "1."
@ -298,10 +298,10 @@ jobs:
- linux: debian-trixie
arch: amd64
package_arch: amd64
- linux: fedora-42
- linux: fedora-43
arch: amd64
package_arch: x86_64
- linux: fedora-43
- linux: fedora-44
arch: amd64
package_arch: x86_64
- linux: el-8
@ -325,10 +325,10 @@ jobs:
- linux: debian-trixie
arch: arm64
package_arch: arm64
- linux: fedora-42
- linux: fedora-43
arch: arm64
package_arch: aarch64
- linux: fedora-43
- linux: fedora-44
arch: arm64
package_arch: aarch64
- linux: el-8

26
.github/workflows/release.yml vendored
View file

@ -120,8 +120,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
rhel-8,
rhel-9,
rhel-10,
@ -136,10 +136,10 @@ jobs:
package: deb
- linux: debian-trixie
package: deb
- linux: fedora-42
package: rpm
- linux: fedora-43
package: rpm
- linux: fedora-44
package: rpm
- linux: rhel-8
package: rpm
- linux: rhel-9
@ -239,8 +239,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
el-8,
el-9,
el-10,
@ -265,16 +265,16 @@ jobs:
suffix: ""
version: trixie
package: deb
- linux: fedora-42
separator: "-"
suffix: "1."
version: 42
package: rpm
- linux: fedora-43
separator: "-"
suffix: "1."
version: 43
package: rpm
- linux: fedora-44
separator: "-"
suffix: "1."
version: 44
package: rpm
- linux: el-8
separator: "-"
suffix: "1."
@ -304,10 +304,10 @@ jobs:
- linux: debian-trixie
arch: amd64
package_arch: amd64
- linux: fedora-42
- linux: fedora-43
arch: amd64
package_arch: x86_64
- linux: fedora-43
- linux: fedora-44
arch: amd64
package_arch: x86_64
- linux: el-8
@ -331,10 +331,10 @@ jobs:
- linux: debian-trixie
arch: arm64
package_arch: arm64
- linux: fedora-42
- linux: fedora-43
arch: arm64
package_arch: aarch64
- linux: fedora-43
- linux: fedora-44
arch: arm64
package_arch: aarch64
- linux: el-8

2
.github/workflows/rm-arm.yml vendored
View file

@ -23,7 +23,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Delete ARM VM
uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
with:
args: instance server delete ${{ secrets.ARM_ID }} zone=fr-par-2 with-ip=true with-volumes=all force-shutdown=true
access-key: ${{ secrets.SCW_ACCESS_KEY }}

2
.github/workflows/scorecards-analysis.yml vendored
View file

@ -25,6 +25,6 @@ jobs:
results_format: sarif
publish_results: true
- name: "Upload SARIF results to code scanning"
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
with:
sarif_file: results.sarif

7
.github/workflows/staging-create-infra.yml vendored
View file

@ -23,9 +23,9 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install terraform
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
- name: Install kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
if: inputs.TYPE == 'k8s'
with:
version: "v1.29.1"
@ -52,8 +52,9 @@ jobs:
if: always()
env:
SECRET_KEY: ${{ secrets.SECRET_KEY }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: always()
with:
name: tf-${{ inputs.TYPE }}
retention-days: 7
path: terraform.tar.enc

4
.github/workflows/staging-delete-infra.yml vendored
View file

@ -22,7 +22,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install terraform
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: tf-${{ inputs.TYPE }}
@ -34,7 +34,7 @@ jobs:
tar xf /tmp/terraform.tar -C / && mkdir ~/.ssh && touch ~/.ssh/id_rsa.pub
env:
SECRET_KEY: ${{ secrets.SECRET_KEY }}
- uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
- uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
if: inputs.TYPE == 'k8s'
with:
version: "v1.29.1"

26
.github/workflows/staging-tests.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -41,7 +41,7 @@ jobs:
- name: Install test dependencies
run: PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install --no-cache-dir --require-hashes --no-deps -r tests/requirements.txt
- name: Install Terraform
uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
if: inputs.TYPE == 'k8s'
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@ -66,11 +66,11 @@ jobs:
REG_USER: ${{ github.actor }}
REG_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: inputs.TYPE == 'k8s'
- uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
- uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
if: inputs.TYPE == 'k8s'
with:
version: "v1.29.1"
- uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
if: inputs.TYPE == 'k8s'
- name: Pull BW linux ubuntu test image
if: inputs.TYPE == 'linux'
@ -81,12 +81,12 @@ jobs:
- name: Pull BW linux debian Trixie test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/debian-trixie-tests:testing && docker tag ghcr.io/bunkerity/debian-trixie-tests:testing local/debian-trixie:latest
- name: Pull BW linux fedora 42 test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/fedora-42-tests:testing && docker tag ghcr.io/bunkerity/fedora-42-tests:testing local/fedora-42:latest
- name: Pull BW linux fedora 43 test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/fedora-43-tests:testing && docker tag ghcr.io/bunkerity/fedora-43-tests:testing local/fedora-43:latest
- name: Pull BW linux fedora 44 test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/fedora-44-tests:testing && docker tag ghcr.io/bunkerity/fedora-44-tests:testing local/fedora-44:latest
- name: Pull BW linux rhel-8 test image
if: inputs.TYPE == 'linux'
run: docker pull ghcr.io/bunkerity/rhel-8-tests:testing && docker tag ghcr.io/bunkerity/rhel-8-tests:testing local/rhel-8:latest
@ -139,18 +139,18 @@ jobs:
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux fedora 42 tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && chmod +x ./tests/main.py && ./tests/main.py "linux" "fedora-42"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux fedora 43 tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && chmod +x ./tests/main.py && ./tests/main.py "linux" "fedora-43"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux fedora 44 tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && chmod +x ./tests/main.py && ./tests/main.py "linux" "fedora-44"
env:
TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
- name: Run Linux rhel-8 tests
if: inputs.TYPE == 'linux'
run: export $(echo "$TEST_DOMAINS" | xargs) && chmod +x ./tests/main.py && ./tests/main.py "linux" "rhel-8"

24
.github/workflows/staging.yml vendored
View file

@ -53,8 +53,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
rhel-8,
rhel-9,
rhel-10,
@ -67,10 +67,10 @@ jobs:
package: deb
- linux: debian-trixie
package: deb
- linux: fedora-42
package: rpm
- linux: fedora-43
package: rpm
- linux: fedora-44
package: rpm
- linux: rhel-8
package: rpm
- linux: rhel-9
@ -153,12 +153,12 @@ jobs:
packages: write
steps:
- name: Login to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -186,8 +186,8 @@ jobs:
ubuntu,
debian-bookworm,
debian-trixie,
fedora-42,
fedora-43,
fedora-44,
el-8,
el-9,
el-10,
@ -215,18 +215,18 @@ jobs:
suffix: ""
version: trixie
package: deb
- linux: fedora-42
package_arch: x86_64
separator: "-"
suffix: "1."
version: 42
package: rpm
- linux: fedora-43
package_arch: x86_64
separator: "-"
suffix: "1."
version: 43
package: rpm
- linux: fedora-44
package_arch: x86_64
separator: "-"
suffix: "1."
version: 44
package: rpm
- linux: el-8
package_arch: x86_64
separator: "-"

6
.github/workflows/test-core-linux.yml vendored
View file

@ -38,7 +38,7 @@ jobs:
export DEBIAN_FRONTEND=noninteractive
sudo -E apt install --no-install-recommends -y openssl git nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2t64 libdbus-glib-1-2 libxtst6 libxt6 php-fpm unzip firefox
- name: Download geckodriver
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with:
max_attempts: 3
timeout_minutes: 20
@ -49,7 +49,7 @@ jobs:
sudo chmod +x /usr/local/bin/geckodriver
rm -f geckodriver.tar.gz
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -76,7 +76,7 @@ jobs:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt update
sudo -E apt install -y nginx=1.26.3-1~noble
sudo -E apt install -y nginx=1.30.0-1~noble
- name: Fix version without a starting number
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == '1.5'
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg

2
.github/workflows/test-core.yml vendored
View file

@ -18,7 +18,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}

6
.github/workflows/tests-ui-linux.yml vendored
View file

@ -38,7 +38,7 @@ jobs:
export DEBIAN_FRONTEND=noninteractive
sudo -E apt install --no-install-recommends -y openssl git nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2t64 libdbus-glib-1-2 libxtst6 libxt6 php-fpm unzip firefox
- name: Download geckodriver
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with:
max_attempts: 3
timeout_minutes: 20
@ -49,7 +49,7 @@ jobs:
sudo chmod +x /usr/local/bin/geckodriver
rm -f geckodriver.tar.gz
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -76,7 +76,7 @@ jobs:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt update
sudo -E apt install -y nginx=1.26.3-1~noble
sudo -E apt install -y nginx=1.30.0-1~noble
- name: Fix version without a starting number
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg

2
.github/workflows/tests-ui.yml vendored
View file

@ -17,7 +17,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Login to ghcr
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}

6
.gitignore vendored
View file

@ -19,8 +19,4 @@ src/ui/client/static
src/ui/client/templates
src/ui/static
src/ui/templates
src/ui/builder
src/ui/client/builder/*.json
src/ui/client/builder/*.txt
sync-fork.sh
.DS_Store

13
.pre-commit-config.yaml
View file

@ -13,12 +13,12 @@ repos:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
exclude: ^(mkdocs.*.yml|examples/bigbluebutton/docker-compose.yml)$
exclude: ^(mkdocs.*.yml|examples/(bigbluebutton/docker-compose.yml|authentik/blueprints/bunkerweb.yaml))$
args: ["--allow-multiple-documents"]
- id: check-case-conflict
- repo: https://github.com/psf/black
rev: 05f0a8ce1f71fbb36e1e032d3b518c7b945089a2 # frozen: 25.11.0
rev: c6755bb741b6481d6b3d3bb563c83fa060db96c9 # frozen: 26.3.1
hooks:
- id: black
name: Black Python Formatter
@ -34,7 +34,7 @@ repos:
files: \.(js|ts|jsx|tsx|css|less|html|json|markdown|md|yaml|yml)$
- repo: https://github.com/JohnnyMorganz/StyLua
rev: 3701d2cb65198ec748d3a593628625be9f91fe27 # frozen: v2.3.1
rev: 631f02492a9477bc9cf9d8a1db2d471767fbe005 # frozen: v2.4.1
hooks:
- id: stylua-github
exclude: ^src/(bw/lua/middleclass.lua$|common/core/antibot/captcha.lua$|common/core/crowdsec/lib)
@ -55,19 +55,20 @@ repos:
exclude: ^src/common/db/alembic/(mariadb|mysql|postgresql|sqlite)_versions
- repo: https://github.com/dosisod/refurb
rev: 854db6cdfab04b7f4911d9cba6bfc084f086ea92 # frozen: v2.2.0
rev: 0dbb127465ca9398b6c89c32a7fd86d78ca755c4 # frozen: v2.3.1
hooks:
- id: refurb
name: Refurb Python Refactoring Tool
exclude: ^tests/
additional_dependencies: ["mypy<1.20"]
- repo: https://github.com/codespell-project/codespell
rev: 63c8f8312b7559622c0d82815639671ae42132ac # frozen: v2.4.1
rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # frozen: v2.4.2
hooks:
- id: codespell
name: Codespell Spell Checker
exclude: (^src/(ui/templates|common/core/.+/files|bw/loading)/.+.html|modsecurity-rules.conf.*|src/ui/app/static/(fonts|libs)/.+|src/ui/app/static/locales/.+|docs/.+/.+|src/common/README\..+\.md|src/common/core/.+/README\..+\.md)$
entry: codespell --ignore-regex="(tabEl|Widgits|fpr|TE|STING|SUPPOR|FO|EXPEC)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/json/countries.topojson,src/ui/app/static/js/pages/bans.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py,src/ui/app/static/js/pages/reports.js,docs/json2md.py
entry: codespell --ignore-regex="(tabEl|Widgits|fpr|TE|STING|SUPPOR|FO|EXPEC|ND|AKS)" --skip CHANGELOG.md,CODE_OF_CONDUCT.md,src/ui/client/build.py,src/ui/app/static/json/countries.geojson,src/ui/app/static/json/countries.topojson,src/ui/app/static/js/pages/bans.js,src/ui/app/static/json/periscop.min.json,src/ui/app/static/json/blockhaus.min.json,src/ui/app/routes/reports.py,src/ui/app/static/js/pages/reports.js,docs/json2md.py
language: python
types: [text]

2
AGENTS.md
View file

@ -22,4 +22,4 @@ Use concise, present-tense messages; the history favors Conventional Commits (`f
## Security & Configuration Tips
Never commit secrets—use sample files in `env/` or add new templates when introducing config. Review `.trivyignore` and `.gitleaksignore` before adjusting dependencies. When touching TLS, keys, or rule bundles, document rotation steps and default hardening in the accompanying docs update.
Never commit secrets—use sample files in `env/` or add new templates when introducing config. Review `.gitleaksignore` before adjusting dependencies. Docker Scout is used for container image vulnerability scanning in CI/CD—check the `container-build.yml` workflow for current scan configuration. When touching TLS, keys, or rule bundles, document rotation steps and default hardening in the accompanying docs update.

2
BUILD.md
View file

@ -93,8 +93,8 @@ Linux package generation can be done directly with Docker in 2 steps:
- `ubuntu-jammy`
- `debian-bookworm`
- `debian-trixie`
- `fedora-42`
- `fedora-43`
- `fedora-44`
- `rhel-8`
- `rhel-9`
- `rhel-10`

193
CHANGELOG.md
View file

@ -1,10 +1,143 @@
# Changelog
## v1.6.9 - 2026/03/??
## v1.6.10
- [SECURITY] `nginx` : update nginx to 1.30.1 to fix various CVEs
- [BUGFIX] `reverseproxy`: pin a `USE_UI=yes` service upstream to HTTP/1.1 so a global `REVERSE_PROXY_HTTP_VERSION=2` no longer locks out the web UI. (Fixes #3550)
- [BUGFIX] `autoconf`: fix Docker/Podman instance discovery looping on `No instance found`. Container conversion no longer assumes the inspect payload exposes `State.Health` (Podman/no-`HEALTHCHECK` may omit it): health falls back to run-state, env parsing is hardened, and the wait loop logs the exception instead of swallowing it.
- [ALL-IN-ONE] Update CrowdSec version to 1.7.8
## v1.6.10~rc7 - 2026/05/15
- [FEATURE] `installer`: `misc/install-bunkerweb.sh` interactive prompts now use a modern inline TUI via [gum](https://github.com/charmbracelet/gum) (`--tui` / `--no-tui` / `BW_INSTALL_TUI`). Three-tier dispatch — gum → whiptail (only if pre-installed) → plain `read` — keeps every host usable.
- [SECURITY] `ui`: neutralize CSV/XLSX formula injection (CWE-1236) in bans and reports exports. Server-side CSV now goes through `defusedcsv` (new pinned dep) and a shared `csv_safe()` helper escapes openpyxl XLSX cells; client-side DataTables `csv`/`excel`/`copy` buttons inherit the same rule via a global `bwCsvSafe` hook in `dataTableInit.js`. Cells whose first character is `= + - @ | %` are prefixed with `'`, and embedded `|` is backslash-escaped.
- [BUGFIX] `metrics`: bound per-worker LRU and per-key event-history arrays via new `MAX_LRU_HISTORY` setting (default `1k`) to close OSS RAM leak under high-cardinality block traffic.
- [BUGFIX] `metrics`: lower `METRICS_MAX_BLOCKED_REQUESTS_REDIS` default `100000``10k`.
- [BUGFIX] `datastore`: lower shared worker-LRU default `100000``1k`, configurable via new `DATASTORE_LRU_SIZE` global setting.
- [BUGFIX] `modsec` : fix memory leak in variables retrieval from modsecurity to lua
- [FEATURE] `metrics`/`misc`: `METRICS_MAX_BLOCKED_REQUESTS`, `METRICS_MAX_BLOCKED_REQUESTS_REDIS`, `MAX_LRU_HISTORY`, and `DATASTORE_LRU_SIZE` accept `k`/`m` shorthand.
- [UI] List pages: unrestricted `10/25/50/100` page-size dropdown, header checkbox selects current page only, with opt-in "Select all N matching" banner so bulk actions cover every page. (Fixes #3513)
- [FEATURE] `all-in-one`: embedded Redis now boots from a generated `/var/lib/bunkerweb/redis-runtime.conf` (copy of `/etc/redis.conf` + env-driven defaults for directives the conf is silent about). `.conf` always prevails; env vars `REDIS_MAXMEMORY`, `REDIS_MAXMEMORY_POLICY`, `REDIS_APPENDONLY`, `REDIS_SAVE`/`REDIS_SAVE_<N>` (BunkerWeb multi-value pattern; empty disables RDB) and `REDIS_PASSWORD` (wired to `requirepass`) only fill the gaps. Defaults follow the documented Redis Best Practices.
- [FEATURE] `all-in-one`/`misc`: default `maxmemory-policy` flipped from `allkeys-lru` to `volatile-lru` in the AIO entrypoint, the Linux installer, all bundled compose examples, and the Redis Best Practices docs. Transient counters (rate-limit, bad-behavior) now evict before keys with TTLs that matter for sessions and timed bans; permanent bans (no TTL) are immune.
- [FEATURE] `ui`: align Web UI session handling with the Lua `sessions` plugin three-tier model. `SESSION_LIFETIME_HOURS` (default `12`) now drives a sliding idling TTL refreshed on every request, new `SESSION_ABSOLUTE_HOURS` (default `168` = 7 days) enforces a hard cap regardless of activity, and new `SESSION_ROLLING_HOURS` (default `0` = disabled) optionally regenerates the session ID at a fixed interval. Combined with `volatile-lru`, recently active UI sessions are kept across Redis memory pressure.
- [FEATURE] `installer`: post-install "Next steps" prints the host's real IPv4 instead of the literal `your-server-ip` placeholder. Detection uses `ip route get` (kernel-authoritative outbound source) with RFC1918 → public → `hostname -I``ip addr` fallbacks, rejecting loopback and link-local. New `--server-ip <IP>` flag and `SERVER_IP_INPUT` env var override detection; on hosts with multiple global IPv4s, interactive installs show a numbered menu (kernel choice preselected). Placeholder is preserved only when no IPv4 is detectable. (Fixes #3527)
- [DEPS] Updated LuaJIT version to v2.1-20260415
- [DEPS] Updated lua-resty-string version to v0.17
- [DEPS] Updated lua-cjson version to v2.1.0.17
## v1.6.10~rc6 - 2026/05/07
- [BUGFIX] `misc`: fix per-service HTTPS handshakes aborting with `no ssl_client_hello_by_lua* defined in server <name>` under `DISABLE_DEFAULT_SERVER_STRICT_SNI=yes` after the rc5 NGINX 1.30.0 bump, by emitting a no-op `ssl_client_hello_by_lua_block` in per-service blocks. Unknown-SNI rejection on the default server is unchanged.
- [BUGFIX] `database`: add a `__del__` safety net on the SQLAlchemy `Database` wrapper so per-job engines dispose cleanly on GC. Without it, scheduler jobs reloaded via `importlib.reload` dropped their pool connections without sending `COM_QUIT` (MariaDB/MySQL) or the protocol `Terminate` (PostgreSQL), producing a burst of `Aborted connection ... (Got an error reading communication packets)` warnings every cycle.
- [FEATURE] `misc`: new `MAX_HEADERS` setting (default `100`) caps header lines per request, leveraging the `max_headers` directive shipped with the NGINX 1.30.0 bump.
- [FEATURE] `reverseproxy`: new per-backend `REVERSE_PROXY_HTTP_VERSION` setting (default `1.1`, accepts `1.0`/`1.1`/`2`) lets operators opt the upstream leg onto HTTP/2, leveraging the `proxy_http_version 2` support shipped with the NGINX 1.30.0 bump. The WebSocket branch stays pinned to 1.1 since WS Upgrade is incompatible with HTTP/2 upstream.
- [FEATURE] `templates`: the bundled `ui` and `api` templates now pin `REVERSE_PROXY_KEEPALIVE=yes`, reusing the upstream TCP/TLS connection across admin clicks and API calls for lower click-to-render latency.
- [PERF] `database`: add 18 missing single-column indexes. (Fixes #3368, addresses #3367)
## v1.6.10~rc5 - 2026/05/06
- [BUGFIX] `modsecurity`/`ui`/`antibot`: stop `USE_MODSECURITY_GLOBAL_CRS=yes` from 403'ing UI POSTs and antibot challenges. Move UI exclusions to phase 1 (so phase-1 CRS rules like `920440` can be disabled), tolerate uppercase hostnames and `:port` in the `Host` chain regex, `re.escape()` hostnames in `antibot.modsec-crs`, and emit `modsecurity off;` on default-server UI proxy locations. Other defenses (limit, badbehavior, crowdsec, allowlists) still run. (Fixes #3118)
- [BUGFIX] `database`: back-fill `bw_settings` defaults from `settings.json` at read time when the catalogue row is missing or has a NULL/empty `default`, so directives like `client_body_timeout` no longer render empty after a desynced upgrade. Logs one WARNING per affected setting. (Fixes #3450)
- [BUGFIX] `errors`: revert the rc4 `return 444;` short-circuit on `@bwerror*` handlers. The deny path already exits via `ngx.exit(get_deny_status())`, so the gate only broke real 4xx/5xx rendering. Use `INTERCEPTED_ERROR_CODES=""` or `ERRORS=` for stealth. (Fixes #3490, reverts #3448)
- [UI] Reports and Bans pages: CSV/Excel exports now include every column and honor the active search and SearchPanes filters. (Fixes #3489)
- [UI] Service edit page: restore non-UI-method settings and template defaults on advanced/raw save so omitted keys can't roll a service back to defaults; raw-mode draft toggle and the `IS_DRAFT=` line stay in sync both ways.
- [LINUX] Support Fedora 44.
- [DEPS] Updated NGINX version to v1.30.0 for all integrations.
- [DEPS] Updated Modsecurity version to v3.0.15.
- [DEPS] Updated Mbed TLS version to v4.1.0.
- [DEPS] Updated libinjection version to v4.0.0.
- [DEPS] Update coreruleset-v4 version to v4.26.0.
## v1.6.10~rc4 - 2026/04/29
- [SECURITY] Harden AIO log wrapper: strip C0/C1 control chars from service output to prevent terminal injection in `docker logs`, disable pathname expansion around `HIDE_SERVICE_LOGS` word splitting, and reject `..` path-traversal segments in `LOG_FILE_PATH` validation.
- [SECURITY] Harden the AIO `logstream.sh` nginx/ModSecurity log forwarder with the same C0/DEL control-character strip as `service-log-wrapper.sh`, so attacker-controlled `access.log`/`error.log`/`modsec_audit.log` content cannot inject ANSI/CSI/OSC escape sequences into `docker logs` output.
- [SECURITY] `errors`: honor `DENY_HTTP_STATUS=444` on `/bwerror*` handlers — close the connection instead of serving the branded BunkerWeb error page. (Fixes #3448)
- [BUGFIX] Throttle repeated Redis-failure logs in `metrics`, `sessions`, and `badbehavior` timer hooks: errors of the same kind now log once then recap with a count at 60s window boundaries instead of flooding the error log on every tick.
- [BUGFIX] Add multisite `SESSIONS_DOMAIN` setting (default empty) that emits a `Domain` attribute on the session cookie per server, allowing antibot/challenge state to be shared across sibling subdomains of the same registrable domain. (Fixes #3415)
- [BUGFIX] Web UI: launch `tmp-gunicorn` with `env -u LOG_FILE_PATH` so the bootstrap UI falls back to its own `tmp-ui.log` instead of colliding with the main UI's `ui.log`.
- [BUGFIX] Fix `securitytxt` RFC 9116 compliance: populate the default `Canonical:` URL (was `https:///.well-known/security.txt`), emit `Expires:` as UTC with a trailing `Z`, rename the field to `Acknowledgments:`, and cache the auto-generated expiry per server so the served file is byte-stable across requests.
- [BUGFIX] Fix `DATABASE_URI` driver injection corrupting hostnames when the host matches the scheme name (e.g. `postgresql://u:p@postgresql:5432/db`). Use SQLAlchemy's `make_url` + `URL.set(drivername=...)` instead of `str.replace` so only the scheme is rewritten. (Fixes #3438)
- [BUGFIX] `badbehavior`: don't increment the counter for already-banned IPs. Log phase fast-paths on `ctx.bw.is_banned`; timer phase re-checks `is_banned()` authoritatively (Redis reachable) before calling `increase()`. (Fixes #3448)
- [BUGFIX] Add `REVERSE_PROXY_MODSECURITY` multisite setting (default `yes`) that emits `modsecurity off;` in the per-URL reverse-proxy `location` block when set to `no`, working around the ModSecurity-nginx connector's full-body buffering that causes OOM on large uploads. (Fixes #3154)
- [FEATURE] Let's Encrypt: new `LETS_ENCRYPT_MAX_LOG_BACKUPS` global setting (default `50`) caps certbot's own log rotation via `--max-log-backups`, preventing the default 1000-file pile-up in every integration mode.
- [ALL-IN-ONE] Python services (UI, API, scheduler, autoconf) now log to the container's stdout/stderr only. `service-log-wrapper.sh` prefixes each line with `[SERVICE]`, strips control characters, and honors `HIDE_SERVICE_LOGS`; no on-disk files are written. Retention is managed by the container logging driver (`docker logs`, `journald`, ...).
- [UI] Fix "Blocked Requests by Country" map: an off-by-one in `getColor()` plus an HSL-ramp clip to `#000` collapsed every populated country to the same color.
- [UI] Add import/export for custom configurations, with an opt-in `.zip` bundle that lets a service export include its attached custom configurations and re-import them in one shot.
- [AUTOCONF] Fix Kubernetes ingress rules being silently dropped and never recovering when a backend Service isn't visible to a GET at apply time (apiserver watch-vs-GET race seen on AKS). A background worker retries missing backends with exponential backoff and re-triggers the apply once they appear.
- [AUTOCONF] Relax the empty `SERVER_NAME` guard in `Database.save_config` for `autoconf`: if every existing service is autoconf/scheduler-owned, treat the empty list as a legitimate full-teardown and clear the services instead of aborting. Mixed-ownership DBs still abort.
- [AUTOCONF] Add `AUTOCONF_DISABLE_CLEANUP` (default `no`): convert services removed from the orchestrator to draft instead of deleting them, and let the Web UI delete drafted autoconf services.
- [CONTRIBUTION] Thank you [harshadkhetpal](https://github.com/harshadkhetpal) for your contribution regarding exception handling in the `autoconf` entrypoint. (#3421)
- [CONTRIBUTION] Thank you [Simonmiz](https://github.com/Simonmiz) for your contribution regarding the `German` translation of the web UI. (#3422)
- [CONTRIBUTION] Thank you [daemon-byte](https://github.com/daemon-byte) for your contribution adding the [Cap.js](https://capjs.js.org/) self-hosted proof-of-work antibot mode. (#3454)
## v1.6.10~rc3 - 2026/04/11
- [API/SECURITY] Fix `PATCH /global_config` accidentally deleting all services, custom configs, and jobs cache.
- [API/SECURITY] Add data-loss guards in `Database.save_config` and `Database.update_external_plugins`: refuse to delete every global setting for a method when the incoming config would wipe every existing row, refuse to cascade-delete plugins when the incoming plugins list is empty, and skip setting/selects/multiselects pruning on same-content plugin reinstalls (detected via checksum comparison) to prevent user-set values from being wiped.
- [SECURITY] Updated coreruleset-v3 version to v3.3.9 (fixes CVE-2026-33691) (Fixes #3402)
- [SECURITY] Updated coreruleset-v4 version to v4.25.0 (fixes CVE-2026-33691) (Fixes #3402)
- [SECURITY] Harden all tar/zip extraction with centralized `safe_tar_extractall`/`safe_zip_extractall` helpers, pre-extraction member validation, and `Path.is_relative_to()` containment checks (mitigates CVE-2025-4517 on Python < 3.13.4).
- [BUGFIX] `Configurator` now supplements its internal server list from the database `Services` table in multisite mode so that autoconf-managed services are recognized even when `SERVER_NAME` hasn't been updated in the variables yet at startup.
- [BUGFIX] Fix `bw_plugin_pages` and `bw_jobs_cache` PostgreSQL table bloat caused by non-deterministic tar archives and unconditional UPDATEs triggering massive TOAST dead tuple accumulation on every scheduler restart.
- [BUGFIX] Fix scheduler memory leak from unbounded job module cache, broken `sys.modules` cleanup, bulk cache loading, and infrequent garbage collection.
- [BUGFIX] Fix `cachestore:set()` silently dropping cache writes in non-cosocket phases due to an incorrect guard.
- [BUGFIX] Fix `cachestore:del_redis()` calling non-existent `clusterstore:del()` method.
- [BUGFIX] Fix metrics Redis sync cascading failures after a mid-cycle connection drop by adding auto-reconnect with circuit-breaker.
- [BUGFIX] Fix dead Redis connections being returned to the keepalive pool by tracking connection health in `clusterstore`.
- [BUGFIX] Move `cachestore:update()` IPC poll from `set_by_lua*` (where `ngx.sleep()` is unavailable) to `access_by_lua*`/`preread_by_lua*` phases, eliminating the `ipc.lua` "could not sleep before retry" warning on every request.
- [AUTOCONF] Fix multiple Kubernetes Ingress/Route resources for the same hostname overwriting each other instead of merging their paths into a single service configuration.
- [AUTOCONF] Fix Docker autoconf feedback loop where healthcheck exec events caused endless config regeneration and NGINX reloads by filtering events to container lifecycle actions only.
- [ALL-IN-ONE] Update CrowdSec version to 1.7.7
- [UI] Fix multiselect dropdown being clipped in template wizard steps. (Fixes #3401)
- [UI] Fix Reports page IP hit counts decreasing when clicking through to filter by IP: the precomputed Redis facet counts (unfiltered view) included all stored requests, but the streaming path dropped 5xx/3xx requests via an extra `400 <= status < 500 or security_mode == "detect"` filter. (Fixes #3407)
- [API] Fix `update_config_upload` resetting a custom config's service scope to global when the caller did not explicitly request a service move.
- [MISC] Update default value for Permissions-Policy header to include additional features (`local-network`, `local-network-access` and `loopback-network`).
- [MISC] Accept `g`/`G` suffix on memory size settings (`WORKERLOCK_MEMORY_SIZE`, `DATASTORE_MEMORY_SIZE`, `CACHESTORE_MEMORY_SIZE`, `CACHESTORE_IPC_MEMORY_SIZE`, `CACHESTORE_MISS_MEMORY_SIZE`, `CACHESTORE_LOCKS_MEMORY_SIZE`, `INTERNALSTORE_MEMORY_SIZE`): values are automatically normalized to megabytes at template rendering time since NGINX's `ngx_parse_size()` only supports `k`/`m` for `lua_shared_dict`.
- [MISC] Allow custom uppercase HTTP methods containing underscores and dashes in `ALLOWED_METHODS` (e.g. `CCM_POST`, `M-SEARCH`) for compatibility with non-standard protocols. (Fixes #3411)
- [MISC] `JobScheduler` tracks per-job failures better
## v1.6.10~rc2 - 2026/03/28
- [BUGFIX] Add `WORKER_SHUTDOWN_TIMEOUT` setting (default `30s`) to force old NGINX workers to terminate after a config reload, preventing unbounded memory growth when workers linger in "shutting down" state. (Fixes #3153)
- [BUGFIX] Fix ModSecurity `REQUEST_HEADERS:Host` and `SERVER_NAME` being empty for HTTP/3 requests, causing custom rules with header matching (including chained rules) to silently fail. Patch the ModSecurity-nginx connector to synthesize the `Host` header from the `:authority` pseudo-header on HTTP/3 connections. (Fixes #3298)
- [BUGFIX] Add `MODSECURITY_SEC_REQUEST_BODY_LIMIT` and `MODSECURITY_SEC_REQUEST_BODY_LIMIT_ACTION` settings to decouple ModSecurity body inspection from `MAX_CLIENT_SIZE`, preventing OOM kills on large uploads. Also fix missing `SecRequestBodyLimitAction` and broken unit conversion in global CRS templates. (Fixes #3154)
- [BUGFIX] Add explicit ModSecurity request-body parsing error rules so truncated or malformed bodies are logged consistently and rejected with the correct status when inspection fails.
- [BUGFIX] Clean orphaned NGINX temp files on startup to prevent unbounded disk usage after OOM kills or ungraceful shutdowns.
- [BUGFIX] Fix Post-Quantum Cryptography (PQC) auto-detection failing on OpenSSL 3.5+ because Python's `SSLContext.set_ecdh_curve()` does not recognize hybrid KEM groups like `X25519MLKEM768`. Add subprocess fallback probing `openssl list -kem-algorithms` so that `SSL_ECDH_CURVE=auto` (the default) correctly enables PQC key exchange when the system OpenSSL supports it, with graceful fallback to classical curves when it does not.
- [BUGFIX] Fix BunkerNet `log_stream()` crashing with `attempt to call field 'get_headers' (a nil value)` when reporting blocked IPs in stream (TCP proxy) context, where `ngx.req.get_headers()` is unavailable.
- [BUGFIX] Fix unbanning IPs not working for stream (TCP/UDP) services due to stale local ban cache not being refreshed from Redis after unban. (Fixes #2516)
- [BUGFIX] Fix `ngx.exit(nil)` crash when `DENY_HTTP_STATUS` variable is missing from the internal store. (Fixes #2516)
- [BUGFIX] Fix `robots.txt` and `security.txt` plugins running expensive initialization on every request instead of only on their target URIs, causing severe slowdowns on pages with many parallel assets. (Fixes #3155)
- [BUGFIX] Fix entrypoint spinning at 100% CPU when nginx/supervisord is OOM-killed, by adding process liveness check and stale PID cleanup in the wait loop.
- [BUGFIX] Fix `badbehavior:log()` crash caused by `resty.lock` calling `ngx.sleep()` in `log_by_lua*` context, by skipping the mlcache lock path in non-cosocket phases.
- [BUGFIX] Fix whitelist default-server crash caused by `resty.lock` calling `ngx.sleep()` in `set_by_lua*` context. Use lock-free L1/L2 cache reads in non-cosocket phases instead of silently dropping cached whitelist data. (Fixes #2583)
- [BUGFIX] Fix `is_cosocket_available()` never matching the SSL certificate phase (`"ssl_certificate"` vs actual `"ssl_cert"`), and add missing yieldable phases `server_rewrite`, `ssl_client_hello` and `ssl_session_fetch`.
- [UI] Fix service template switching so the newly selected template applies its defaults immediately while preserving fields already customized by the user. (Fixes #3241)
- [UI] Fix Reports page search not matching on Request ID. The global search field only checked IP, country, method, URL, status, user-agent, reason, and server name, causing searches by Request ID to always return "No matching Reports found" when using the Redis code path.
- [UI] Prevent reload and worker-restart infinite loops in the Web UI when the database is read-only or when configuration flag reset fails.
- [DEPS] Updated NGINX version to v1.28.3 for all integrations.
- [DEPS] Updated LuaJIT version to v2.1-20260311
- [DEPS] Updated Brotli version to v1.2.0
- [DEPS] Updated headers-more-nginx-module version to v0.39
## v1.6.10~rc1 - 2026/03/23
- [SECURITY] Replace Trivy with Docker Scout for container image vulnerability scanning in CI/CD pipeline.
- [BUGFIX] Disable Gunicorn 25.1.0 control socket to prevent worker deadlock caused by fork in multi-threaded master process (UI, TMP-UI, API).
- [UI/SECURITY] Replace unbounded "All" option in DataTable page length menus with capped values (500, 1000) across all pages, and clamp server-side `length`/`start` parameters to prevent OOM from oversized requests.
- [UI] Fix multiselect settings not correctly displaying or applying their values in the template editor and the service creation wizard.
- [UI] Fix multiselect and multivalue settings resetting to default values when all options are unchecked, by preserving empty string as a valid value across Jinja2 rendering, jQuery initialization, and the template editor module.
- [UI] Check database for `USE_REDIS` setting before showing the filesystem session backend warning, so Redis configured via the Web UI is correctly detected.
- [AUTOCONF] Fix Docker socket proxy restarts triggering catastrophic deletion of all instances and services by adding guards in `update_instances()` and `save_config()` to refuse empty-list updates when the database has existing data.
- [AUTOCONF] Fix `_get_controller_containers` and `_get_controller_swarm_services` silently swallowing Docker API errors as empty lists, causing downstream code to treat failures as zero containers.
- [DOCS] Add llms.txt and llms-full.txt generation via MkDocs post-build hook for AI agent documentation consumption, following the llms.txt standard (llmstxt.org).
## v1.6.9 - 2026/03/13
- [SECURITY] Implement `SafeFileSystemCache` for Web UI session storage with token regeneration on privilege changes, preventing session fixation attacks.
- [SECURITY] Sanitize uploaded filenames in the Web UI to strip path separators, null bytes, and control characters, preventing path traversal attacks.
- [SECURITY] Add tar extraction path filtering in `Let's Encrypt` certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables.
- [SECURITY] Add tar extraction path filtering in `Let's Encrypt` certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables. (Fixes #3252)
- [SECURITY] Validate IP addresses and service names across all ban management endpoints (API, Lua, UI, CLI) to prevent invalid data injection. Fix Redis key parsing for service names containing underscores.
- [BUGFIX] Close local database connections before forking worker processes to prevent file descriptor leaks and connection pool corruption.
- [BUGFIX] Fix race condition in instance update logic by using direct SQL `UPDATE` statements instead of ORM session operations.
@ -13,9 +146,9 @@
- [BUGFIX] Enhance error handling for missing server name in SSL certificate functions to avoid crashes when the server name is not yet configured.
- [BUGFIX] Improve backup cleanup logic when replacing destination files to correctly remove leftover backups after a successful replacement.
- [BUGFIX] Mark the Flask session as modified when adding flash messages to ensure session data is correctly persisted across redirects.
- [BUGFIX] Fix Domeneshop DNS provider in the `Let's Encrypt` plugin to use the correct credential keys and ensure proper certificate generation.
- [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data.
- [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications.
- [BUGFIX] Fix Domeneshop DNS provider in the `Let's Encrypt` plugin to use the correct credential keys and ensure proper certificate generation. (Fixes #3056)
- [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data. (Fixes #3297)
- [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications. (Fixes #3259)
- [BUGFIX] Validate gRPC host setting to only accept empty values or properly prefixed `grpc://` / `grpcs://` URIs.
- [BUGFIX] Properly close the database connection when the scheduler stops, and fix configuration generation flag to only reset after a successful reload.
- [BUGFIX] Add backup and rollback mechanism when deploying new configurations to BunkerWeb instances, preventing data loss if the file copy operation fails.
@ -39,7 +172,7 @@
- [BUGFIX] Fix issues with the new `multiselect` logic where a custom separator can be used, but the default one (space) was still used if the separator was empty, which caused issues with settings that had an empty string as a value.
- [BUGFIX] Fix issue with the failover not sending the failover configuration if the reload failed, which caused the failover configuration to not be applied until the next successful reload.
- [FEATURE] Add field value redaction in Let's Encrypt plugin and update ZeroSSL API key handling to avoid exposing sensitive information in logs and process arguments. (Except in TRACE level logs for debugging purposes)
- [FEATURE] Add field value redaction in Let's Encrypt plugin and update ZeroSSL API key handling to avoid exposing sensitive information in logs and process arguments. (Except in TRACE level logs for debugging purposes) (Fixes #3235, #3237)
- [UI] Set `reuse_port` setting to `False` with gunicorn to avoid issues with workers not starting.
- [UI] Tweak plugins headers style to avoid the text moving the buttons out of the page when the header is too long.
- [UI] Add `MAX_CONTENT_LENGTH` setting to configure the maximum upload size (defaults to 50 MB).
@ -54,19 +187,19 @@
## v1.6.9~rc2 - 2026/02/26
- [BUGFIX] Update reCAPTCHA handling to use ANTIBOT_RECAPTCHA_CLASSIC variable instead of session data to determine whether to use the classic reCAPTCHA response format or the new one, ensuring consistent behavior regardless of session state.
- [BUGFIX] Rename command argument to plugin_command for clarity and to avoid conflicts with other command arguments with bwcli.
- [BUGFIX] Update reCAPTCHA handling to use ANTIBOT_RECAPTCHA_CLASSIC variable instead of session data to determine whether to use the classic reCAPTCHA response format or the new one, ensuring consistent behavior regardless of session state. (Fixes #2825)
- [BUGFIX] Rename command argument to plugin_command for clarity and to avoid conflicts with other command arguments with bwcli. (Fixes #3222)
- [FEATURE] Add new `file` setting type to allow users to upload files directly from the web UI and use their content as values for settings.
- [FEATURE] Add `Gandi` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add `Hetzner` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add certificate authority selection in the `Let's Encrypt` plugin to allow users to choose between `Let's Encrypt` and `ZeroSSL` as the certificate authority for their certificates (Also added ZeroSSL specific settings).
- [FEATURE] Add `Gandi` as a DNS provider in the `letsencrypt` plugin (Fixes #3184)
- [FEATURE] Add `Hetzner` as a DNS provider in the `letsencrypt` plugin (Fixes #3205)
- [FEATURE] Add certificate authority selection in the `Let's Encrypt` plugin to allow users to choose between `Let's Encrypt` and `ZeroSSL` as the certificate authority for their certificates (Also added ZeroSSL specific settings). (Fixes #2392)
- [FEATURE] Add the possibility to whitelist/blacklist group of countries in the `Country` plugin.
- [UI] Add override non-global services functionality in global settings
- [UI] Make data columns in the reports page non orderable to avoid issues
- [UI] Make data columns in the reports page non orderable to avoid issues (Fixes #3214)
- [UI] Add control socket configuration for gunicorn
- [UI] Enhance multiselect dropdown functionality and update the type of multiple settings to use it
- [ALL-IN-ONE] Update CrowdSec version to 1.7.6
- [AUTOCONF] Update gateway and ingress status patching to handle multiple IP addresses and Handle NodePort services if a load balancer IP is not available.
- [AUTOCONF] Update gateway and ingress status patching to handle multiple IP addresses and Handle NodePort services if a load balancer IP is not available. (Fixes #3216)
- [API] Add control socket configuration for gunicorn
- [MISC] Change type of `CUSTOM_SSL_CERT_DATA` and `CUSTOM_SSL_KEY_DATA` settings to `file` to allow users to upload their certificate and key files directly from the web UI.
- [MISC] Update default value for Permissions-Policy header to include an additional feature (`gamepad`).
@ -79,36 +212,36 @@
## v1.6.9~rc1 - 2026/02/13
- [BUGFIX] Ensure variables are only added if they are defined in the environment file and are valid key-value pairs to prevent issues with malformed lines in the variables file.
- [BUGFIX] Add API token back for certbot hooks in environment configuration
- [FEATURE] Add `ClouDNS` as a DNS provider in the `letsencrypt` plugin
- [BUGFIX] Add API token back for certbot hooks in environment configuration (Fixes #3144)
- [FEATURE] Add `ClouDNS` as a DNS provider in the `letsencrypt` plugin (Fixes #3162)
- [FEATURE] Add new `CLIENT_BODY_TIMEOUT`, `CLIENT_HEADER_TIMEOUT`, `KEEPALIVE_TIMEOUT` and `SEND_TIMEOUT` settings to control the corresponding NGINX timeouts, allowing better handling of long-lived connections and preventing unintended timeouts.
- [FEATURE] Add a new `gRPC` plugin to allow proxying gRPC traffic to upstream gRPC services with support for TLS, SNI, custom headers and retry policies.
- [FEATURE] Make it possible to leave HTTP/HTTPS/STREAM/TLS ports empty to not listen on them.
- [AUTOCONF] Add experimental support for GRPCRoute in the Kubernetes integration to allow routing gRPC traffic based on Kubernetes Gateway API resources.
- [LINUX] Updated NGINX version to v1.28.2 for Fedora 42 and 43 integration
- [UI] Fix status for PHP plugin to not always be shown as activated
- [UI] Fix status for PHP plugin to not always be shown as activated (Fixes #3152)
- [UI] Fix dark theme background for datatables actions
- [UI] Make it possible to edit settings with the `wizard` method in the web UI
- [UI] Enhance reports functionality with improved filter handling and data fetching
- [UI] Enhance home dashboard with new IP blocking metrics and improved tooltips
- [API] Fix redis sentinel issue when a password is set on the master node
- [MISC] Remove warning for uninitialized variables in default server configuration (as we control the configuration and we know that some variables may be uninitialized in some cases, especially for 400 errors)
- [MISC] Remove warning for uninitialized variables in default server configuration (as we control the configuration and we know that some variables may be uninitialized in some cases, especially for 400 errors) (Fixes #1963)
## v1.6.8 - 2026/02/06
- [DOCS] Add forward proxy configuration for outgoing traffic
- [DOCS] Add forward proxy configuration for outgoing traffic (Fixes #2535)
- [DEPS] Update coreruleset-v4 version to v4.23.0
- [DEPS] Updated NGINX version to v1.28.2 (except for Fedora as it is not yet available)
## v1.6.8~rc3 - 2026/02/02
- [FEATURE] Add new `REVERSE_PROXY_REQUEST_BUFFERING` setting to the `Reverse Proxy` plugin to control request body buffering behavior when proxying requests (default: `on`)
- [BUGFIX] Initialize is_whitelisted variable to 'no' in configuration files to avoid spam uninitialized messages in logs
- [BUGFIX] Reorganize insertion logic to prevent foreign key errors and improve order of operations in database when creating/updating plugins
- [FEATURE] Add new `REVERSE_PROXY_REQUEST_BUFFERING` setting to the `Reverse Proxy` plugin to control request body buffering behavior when proxying requests (default: `on`) (Fixes #3108)
- [BUGFIX] Initialize is_whitelisted variable to 'no' in configuration files to avoid spam uninitialized messages in logs (Fixes #1963)
- [BUGFIX] Reorganize insertion logic to prevent foreign key errors and improve order of operations in database when creating/updating plugins (Fixes #3091)
- [AUTOCONF] Add experimental Gateway API controller support (Gateway/HTTPRoute) and documentation
- [UI] Change redirect status code from 302 to 303 in the web UI to follow best practices for redirection after form submissions
- [UI] Fix bug where updating a ban to a custom duration accidentally created a permanent ban
- [UI] Enhance map legend and color ramp for blocked requests visualization
- [UI] Fix bug where updating a ban to a custom duration accidentally created a permanent ban (Fixes #3105)
- [UI] Enhance map legend and color ramp for blocked requests visualization (Fixes #3113)
- [UI] Enhance dark mode styles for news card elements
- [UI] Add CIDR annotations support for `FORWARDED_ALLOW_IPS` and `PROXY_ALLOW_IPS` settings and update the default values to common private network ranges
- [API] Add HTTP/2 support in Gunicorn configuration for improved performance and compatibility
@ -120,15 +253,15 @@
- [FEATURE] Enhance `Let's Encrypt` plugin to support concurrent certificate generation for multiple services via the new `LETS_ENCRYPT_CONCURRENT_REQUESTS` setting (default: `no`), improving efficiency and reducing wait times during bulk operations
- [FEATURE] Add `GoDaddy` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add `TransIP` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add `Domeneshop` as a DNS provider in the `letsencrypt` plugin
- [FEATURE] Add new `KEEP_CONFIG_ON_RESTART` global setting to control whether a temporary configuration should be generated on each restart or preserve the existing one (default: `no`)
- [BUGFIX] Fix robots.txt and list-based plugins (greylist/whitelist/blacklist/dnsbl) appending duplicate entries on subsequent requests by creating deep copies of internalstore data instead of using shared references
- [FEATURE] Add `TransIP` as a DNS provider in the `letsencrypt` plugin (Fixes #3070)
- [FEATURE] Add `Domeneshop` as a DNS provider in the `letsencrypt` plugin (Fixes #3056)
- [FEATURE] Add new `KEEP_CONFIG_ON_RESTART` global setting to control whether a temporary configuration should be generated on each restart or preserve the existing one (default: `no`) (Fixes #3045)
- [BUGFIX] Fix robots.txt and list-based plugins (greylist/whitelist/blacklist/dnsbl) appending duplicate entries on subsequent requests by creating deep copies of internalstore data instead of using shared references (Fixes #3012)
- [LINUX] Enhance Easy Install script to detect if the epel-release should be installed or not for RHEL-family distros
- [UI] Add security mode in services table
- [UI] Add security mode in services table (Fixes #3058)
- [UI] Implement services import functionality with drag-and-drop support
- [UI] Ensure UI service URL is properly formatted in setup loading route
- [UI] Enhance Redis report querying with filter parsing and chunked retrieval
- [UI] Ensure UI service URL is properly formatted in setup loading route (Fixes #3082)
- [UI] Enhance Redis report querying with filter parsing and chunked retrieval (Fixes #3057)
- [UI] Update ace editor to version 1.43.5
- [DEPS] Updated lua-cjson version to v2.1.0.16
- [CONTRIBUTION] Thank you [rayshoo](https://github.com/rayshoo) for your contribution regarding the `Korean` translation of the web UI.

95
README.md
View file

@ -1,5 +1,5 @@
<p align="center">
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/misc/logo.png" height=100 width=350 />
<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/misc/logo.png" height=100 width=350 />
</p>
<p align="center">
@ -17,6 +17,14 @@
<img src="https://www.bestpractices.dev/projects/8001/badge">
</a>
<a href="https://gitrated.com/bunkerity/bunkerweb"><img src="https://gitrated.com/bunkerity/bunkerweb/badge" alt="GitRated rating" /></a>
<br />
<a href="https://www.star-history.com/bunkerity/bunkerweb">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/badge?repo=bunkerity/bunkerweb&theme=dark" />
<source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/badge?repo=bunkerity/bunkerweb" />
<img alt="Star History Rank" src="https://api.star-history.com/badge?repo=bunkerity/bunkerweb" width=140 />
</picture>
</a>
</p>
<p align="center">
@ -32,7 +40,7 @@
&#124;
🧩 <a href="https://github.com/bunkerity/bunkerweb-templates">Templates</a>
&#124;
🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/examples">Examples</a>
🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/examples">Examples</a>
<br/>
💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
&#124;
@ -52,14 +60,14 @@
# BunkerWeb
<p align="center">
<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/intro-overview.svg" />
<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/intro-overview.svg" />
</p>
BunkerWeb is a next-generation, open-source Web Application Firewall (WAF).
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default." BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) as a reverse proxy and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.6.9/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use cases. In other words, cybersecurity is no longer a hassle.
Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default." BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) as a reverse proxy and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.6.10/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use cases. In other words, cybersecurity is no longer a hassle.
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github).
BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.6.10/advanced/?utm_campaign=self&utm_source=github#security-tuning) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.6.10/plugins/?utm_campaign=self&utm_source=github).
## Why BunkerWeb?
@ -86,7 +94,7 @@ A non-exhaustive list of security features:
- **Block known bad IPs** with external blacklists and DNSBL
- And much more...
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) section of the documentation.
Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.6.10/advanced/?utm_campaign=self&utm_source=github#security-tuning) section of the documentation.
## Demo
@ -121,13 +129,13 @@ When using BunkerWeb, you have the choice of the version you want to use: open-s
Whether it's enhanced security, an enriched user experience, or technical monitoring, the BunkerWeb PRO version allows you to fully benefit from BunkerWeb and meet your professional needs.
In the documentation or the user interface, PRO features are annotated with a crown <img src="https://docs.bunkerweb.io/1.6.9/assets/img/pro-icon.svg" alt="crown pro icon" height="32px" width="32px"> to distinguish them from those integrated into the open-source version.
In the documentation or the user interface, PRO features are annotated with a crown <img src="https://docs.bunkerweb.io/1.6.10/assets/img/pro-icon.svg" alt="crown pro icon" height="32px" width="32px"> to distinguish them from those integrated into the open-source version.
You can upgrade from the open-source version to the PRO one easily and at any time. The process is straightforward:
- Claim your [free trial on the BunkerWeb panel](https://panel.bunkerweb.io/store/bunkerweb-pro?utm_campaign=self&utm_source=doc) by using the `freetrial` promo code at checkout
- Once connected to the client area, copy your PRO license key
- Paste your license key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.6.9/web-ui/#upgrade-to-pro) or a [specific setting](https://docs.bunkerweb.io/1.6.9/features/#pro)
- Paste your license key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.6.10/web-ui/#upgrade-to-pro) or a [specific setting](https://docs.bunkerweb.io/1.6.10/features/#pro)
Do not hesitate to visit the [BunkerWeb panel](https://panel.bunkerweb.io/knowledgebase?utm_campaign=self&utm_source=doc) or [contact us](https://panel.bunkerweb.io/contact.php?utm_campaign=self&utm_source=doc) if you have any questions regarding the PRO version.
@ -160,10 +168,10 @@ Community and social networks:
# Concepts
<p align="center">
<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/concepts.svg" />
<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/concepts.svg" />
</p>
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.6.9/concepts/?utm_campaign=self&utm_source=github).
You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.6.10/concepts/?utm_campaign=self&utm_source=github).
## Integrations
@ -171,12 +179,12 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported:
- [Docker](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker)
- [Linux](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#linux)
- [Docker autoconf](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Kubernetes](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Swarm](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Microsoft Azure](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
- [Docker](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker)
- [Linux](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#linux)
- [Docker autoconf](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
- [Kubernetes](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#kubernetes)
- [Swarm](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#swarm)
- [Microsoft Azure](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
## Settings
@ -206,7 +214,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.6.10/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
@ -215,7 +223,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall:
## Database
<p align="center">
<img alt="Database model" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/bunkerweb_db.svg" />
<img alt="Database model" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/bunkerweb_db.svg" />
</p>
The state of the current configuration of BunkerWeb is stored in a backend database which contains the following data:
@ -244,7 +252,7 @@ In other words, the scheduler is the brain of BunkerWeb.
<!--## BunkerWeb Cloud
<p align="center">
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/bunkerweb-cloud.webp" />
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/bunkerweb-cloud.webp" />
</p>
BunkerWeb Cloud is the easiest way to get started with BunkerWeb. It offers you a fully managed BunkerWeb service with no hassle. Think of it like a BunkerWeb-as-a-Service!
@ -254,7 +262,7 @@ You will find more information about BunkerWeb Cloud beta [here](https://www.bun
## Linux
<p align="center">
<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-linux.svg" />
<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-linux.svg" />
</p>
List of supported Linux distros:
@ -265,6 +273,7 @@ List of supported Linux distros:
- Ubuntu 24.04 "Noble"
- Fedora 42
- Fedora 43
- Fedora 44
- RHEL 8.10
- RHEL 9.6
- RHEL 10.0
@ -274,7 +283,7 @@ You will find more information in the [Linux section](https://docs.bunkerweb.io/
## Docker
<p align="center">
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-docker.svg" />
<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-docker.svg" />
</p>
We provide ready-to-use prebuilt images for x64, x86, armv7, and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
@ -285,63 +294,63 @@ Docker integration key concepts are:
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
## Docker autoconf
<p align="center">
<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-autoconf.svg" />
<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-autoconf.svg" />
</p>
The downside of using environment variables is that the container needs to be recreated each time there is an update, which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
## Kubernetes
<p align="center">
<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-kubernetes.svg" />
<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-kubernetes.svg" />
</p>
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
The official [Helm chart](https://helm.sh/) for BunkerWeb is available in the [bunkerity/bunkerweb-helm repository](https://github.com/bunkerity/bunkerweb-helm).
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
## Microsoft Azure
<p align="center">
<img alt="Azure banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-azure.webp" />
<img alt="Azure banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-azure.webp" />
</p>
BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and an ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/misc/integrations/azure-arm-template.json).
BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and an ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/misc/integrations/azure-arm-template.json).
You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
## Swarm
<p align="center">
<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.9/docs/assets/img/integration-swarm.svg" />
<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.6.10/docs/assets/img/integration-swarm.svg" />
</p>
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.6.9/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.6.10/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
# Quickstart guide
Once you have set up BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.6.9/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the installation and first configuration to protect a web service.
Once you have set up BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.6.10/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the installation and first configuration to protect a web service.
# Security tuning
BunkerWeb offers many security features that you can configure with [features](https://docs.bunkerweb.io/1.6.9/features/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default," we strongly recommend you to tune them. By doing so, you will be able to ensure a security level of your choice but also manage false positives.
BunkerWeb offers many security features that you can configure with [features](https://docs.bunkerweb.io/1.6.10/features/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default," we strongly recommend you to tune them. By doing so, you will be able to ensure a security level of your choice but also manage false positives.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.6.9/advanced/?utm_campaign=self&utm_source=github#security-tuning) of the documentation.
You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.6.10/advanced/?utm_campaign=self&utm_source=github#security-tuning) of the documentation.
# Settings
@ -349,7 +358,7 @@ As a general rule, when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple," it means that you can have multiple groups of settings for the same feature by adding numbers as suffixes like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
Check the [features section](https://docs.bunkerweb.io/1.6.9/features/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
Check the [features section](https://docs.bunkerweb.io/1.6.10/features/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
# Web UI
@ -368,7 +377,7 @@ Here is the list of features offered by the web UI:
- Monitor job execution and restart them when needed
- View the logs and search patterns
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.6.9/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.6.10/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
# Plugins
@ -385,7 +394,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| **VirusTotal** | 1.9 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.9 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.6.9/plugins/?utm_campaign=self&utm_source=github) of the documentation.
You will find more information in the [plugins section](https://docs.bunkerweb.io/1.6.10/plugins/?utm_campaign=self&utm_source=github) of the documentation.
# Language Support & Localization
@ -409,7 +418,7 @@ BunkerWeb UI supports multiple languages. Translations are managed in the `src/u
- Urdu (ur)
- Simplified Chinese (zh)
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/src/ui/app/static/locales/README.md) for details on translation provenance and review status.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/src/ui/app/static/locales/README.md) for details on translation provenance and review status.
## Contributing Translations
@ -425,7 +434,7 @@ We welcome contributions to improve or add new locale files!
For updates, edit the relevant file and update the provenance table as needed.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/src/ui/app/static/locales/README.md) for full guidelines.
See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/src/ui/app/static/locales/README.md) for full guidelines.
# Support
@ -448,15 +457,15 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/LICENSE.md).
This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/LICENSE.md).
# Contribute
If you would like to contribute to the plugins, you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/CONTRIBUTING.md) to get started.
If you would like to contribute to the plugins, you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/CONTRIBUTING.md) to get started.
# Security policy
We take security bugs as serious issues and encourage responsible disclosure; see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.6.9/SECURITY.md) for more information.
We take security bugs as serious issues and encourage responsible disclosure; see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.6.10/SECURITY.md) for more information.
# Star History

52
context7.json Normal file
View file

@ -0,0 +1,52 @@
{
"projectTitle": "BunkerWeb",
"description": "Next-generation open-source Web Application Firewall (WAF) based on NGINX",
"branch": "master",
"folders": [
"docs/",
"src/common/core/",
"src/common/db/",
"src/common/gen/",
"src/common/utils/",
"src/common/confs/",
"src/bw/",
"src/scheduler/",
"src/autoconf/",
"src/api/",
"src/ui/"
],
"excludeFolders": [
"docs/assets/",
"docs/node_modules/",
"docs/overrides/",
"docs/misc/",
"docs/diagrams/",
"src/bw/misc/",
"src/ui/app/static/",
"src/ui/app/templates/"
],
"rules": [
"All BunkerWeb settings are environment variables in UPPERCASE_WITH_UNDERSCORES format",
"Settings have two contexts: 'global' (applies to entire instance) and 'multisite' (can be per-server when MULTISITE=yes)",
"In multisite mode, prefix settings with the server name to apply per-server: www.example.com_USE_ANTIBOT=captcha",
"SERVER_NAME is a space-separated list of domains, not a single domain: SERVER_NAME=www.example.com api.example.com",
"Numbered suffixes define multiple values: REVERSE_PROXY_URL_1=/api REVERSE_PROXY_HOST_1=http://backend1 REVERSE_PROXY_URL_2=/static REVERSE_PROXY_HOST_2=http://backend2",
"USE_REVERSE_PROXY=yes alone does nothing; REVERSE_PROXY_HOST and REVERSE_PROXY_URL are also required",
"BunkerWeb is secure by default: ModSecurity WAF, rate limiting, bad behavior detection, and strict security headers are all active in block mode out of the box",
"SECURITY_MODE defaults to 'block' (active blocking), not 'detect' (logging only)",
"USE_REAL_IP defaults to 'no'; must be enabled and REAL_IP_FROM configured when behind a CDN or load balancer",
"API_WHITELIST_IP defaults to 127.0.0.0/8; must expand for Docker networks (e.g., add scheduler/autoconf container IPs)",
"Internal API requires Host: bwapi header; requests with Host: 127.0.0.1 get 444 error",
"Docker autoconf mode requires AUTOCONF_MODE=yes and uses bunkerweb.* labels on containers for service discovery",
"Docker autoconf and Kubernetes modes automatically enforce multisite; setting MULTISITE=no will fail with multiple services",
"Kubernetes mode acts as Ingress controller; uses Ingress resources and ConfigMap annotations with bunkerweb.io/ prefix but can also act as a Gateway API controller with Gateway resources",
"Each plugin has a plugin.json with id, name, version, settings (with context/type/regex/default), and optional jobs array",
"Plugin jobs specify 'every' (once/minute/hour/day/week) and 'reload' (boolean); exit code 1 means success+reload, exit code >=2 means failure",
"Lua request processing follows NGINX phases in order: set, rewrite, access, content, header_filter, body_filter, log",
"External plugins use the same structure as core plugins and go in /etc/bunkerweb/plugins/{name}/",
"DATABASE_URI is required for multi-component setups (Docker/Kubernetes); SQLite is default for single-instance",
"Rate limiting defaults to 2 requests/second (LIMIT_REQ_RATE) and 10 HTTP/1.1 connections per IP (LIMIT_CONN_MAX_HTTP1)",
"HSTS is enabled by default with max-age=63072000 (2 years), includeSubDomains, and preload",
"Custom NGINX configs use CUSTOM_CONF_SERVER_HTTP_myconf pattern for server block directives and have the 'multisite' context"
]
}

954
docs/advanced.md
View file

File diff suppressed because it is too large Load diff

10
docs/api.md
View file

@ -41,7 +41,7 @@ Choose the flavor that matches your environment.
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Choose the flavor that matches your environment.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -76,7 +76,7 @@ Choose the flavor that matches your environment.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.9
image: bunkerity/bunkerweb-api:1.6.10
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -108,7 +108,7 @@ Choose the flavor that matches your environment.
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -143,7 +143,7 @@ Choose the flavor that matches your environment.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
=== "Linux"

118
docs/assets/tab-aware-search.js Normal file
View file

@ -0,0 +1,118 @@
// Activate the parent content tab(s) when the URL anchor — or a search
// highlight injected by Material's `search.highlight` feature — points at
// content hidden inside a `pymdownx.tabbed` block (`alternate_style: true`).
//
// Upstream issue: https://github.com/squidfunk/mkdocs-material/issues/4125
// (closed without a fix). Without this, search results that match content
// inside a non-default tab leave the user staring at the wrong tab.
(function () {
function activateTabBlock(block) {
var content = block.parentNode;
if (!content || !content.classList || !content.classList.contains('tabbed-content')) return;
var blocks = content.children;
var index = -1;
for (var i = 0; i < blocks.length; i++) {
if (blocks[i] === block) {
index = i;
break;
}
}
if (index === -1) return;
var set = content.parentNode;
if (!set) return;
var inputs = set.querySelectorAll(':scope > input[type="radio"][name^="__tabbed_"]');
if (!inputs || index >= inputs.length) return;
var input = inputs[index];
if (input.checked) return;
input.checked = true;
try {
input.dispatchEvent(new Event('change', { bubbles: true }));
} catch (e) {
/* ignore */
}
}
function activateAncestorsOf(el) {
var node = el;
while (node && node !== document.body) {
if (node.classList && node.classList.contains('tabbed-block')) {
activateTabBlock(node);
}
node = node.parentNode;
}
}
function getHashTarget() {
var hash = window.location.hash;
if (!hash || hash.length < 2) return null;
var id;
try {
id = decodeURIComponent(hash.slice(1));
} catch (e) {
id = hash.slice(1);
}
if (!id) return null;
try {
return document.getElementById(id) || document.querySelector('[id="' + CSS.escape(id) + '"]');
} catch (e) {
return document.getElementById(id);
}
}
function runForHash() {
try {
var target = getHashTarget();
if (!target) return;
activateAncestorsOf(target);
// Re-scroll: the browser already scrolled before tab activation, so the
// target may now be off-screen because surrounding tab content shifted.
target.scrollIntoView({ block: 'start' });
} catch (e) {
/* ignore */
}
}
function runForHighlights() {
try {
var marks = document.querySelectorAll('mark[data-md-highlight], mark.highlight');
if (!marks || !marks.length) return;
var firstInTab = null;
for (var i = 0; i < marks.length; i++) {
var mark = marks[i];
if (mark.closest && mark.closest('.tabbed-block')) {
activateAncestorsOf(mark);
if (!firstInTab) firstInTab = mark;
}
}
if (firstInTab) firstInTab.scrollIntoView({ block: 'center' });
} catch (e) {
/* ignore */
}
}
function runAll() {
runForHash();
// Highlights are injected after navigation; give Material a tick to mark
// matches before we scan for them.
setTimeout(runForHighlights, 50);
setTimeout(runForHighlights, 250);
}
if (document.readyState === 'loading') {
document.addEventListener('DOMContentLoaded', runAll);
} else {
runAll();
}
window.addEventListener('hashchange', runAll);
if (window.document$ && window.document$.subscribe) {
window.document$.subscribe(function () {
runAll();
});
}
})();

4
docs/concepts.md
View file

@ -105,7 +105,7 @@ Please note that multisite mode is implicit when using the web User Interface. Y
!!! info "Going further"
You will find concrete examples of multisite mode in the [advanced usages](advanced.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) directory of the repository.
You will find concrete examples of multisite mode in the [advanced usages](advanced.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) directory of the repository.
## Custom configurations {#custom-configurations}
@ -126,7 +126,7 @@ Managing custom configurations from the web User Interface is done through the *
!!! info "Going further"
You will find concrete examples of custom configurations in the [advanced usages](advanced.md#custom-configurations) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) directory of the repository.
You will find concrete examples of custom configurations in the [advanced usages](advanced.md#custom-configurations) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) directory of the repository.
## Database

969
docs/de/advanced.md
View file

File diff suppressed because it is too large Load diff

10
docs/de/api.md
View file

@ -41,7 +41,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
services:
bunkerweb:
# Name, unter dem die Instanz im Scheduler erscheint
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Instanznamen korrekt setzen
@ -76,7 +76,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.9
image: bunkerity/bunkerweb-api:1.6.10
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -108,7 +108,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -143,7 +143,7 @@ Wählen Sie die Variante, die zu Ihrer Umgebung passt.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
=== "Linux"

4
docs/de/concepts.md
View file

@ -105,7 +105,7 @@ Bitte beachten Sie, dass der Multisite-Modus bei Verwendung der Web-Benutzerober
!!! info "Weiterführende Informationen"
Konkrete Beispiele für den Multisite-Modus finden Sie in den [fortgeschrittenen Nutzungen](advanced.md) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)-Verzeichnis des Repositorys.
Konkrete Beispiele für den Multisite-Modus finden Sie in den [fortgeschrittenen Nutzungen](advanced.md) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples)-Verzeichnis des Repositorys.
## Benutzerdefinierte Konfigurationen {#custom-configurations}
@ -126,7 +126,7 @@ Die Verwaltung benutzerdefinierter Konfigurationen über die Web-Benutzeroberfl
!!! info "Weiterführende Informationen"
Konkrete Beispiele für benutzerdefinierte Konfigurationen finden Sie in den [fortgeschrittenen Nutzungen](advanced.md#custom-configurations) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)-Verzeichnis des Repositorys.
Konkrete Beispiele für benutzerdefinierte Konfigurationen finden Sie in den [fortgeschrittenen Nutzungen](advanced.md#custom-configurations) der Dokumentation und im [Beispiele](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples)-Verzeichnis des Repositorys.
## Datenbank

833
docs/de/features.md
View file

File diff suppressed because it is too large Load diff

218
docs/de/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Standardmäßig stellt der Container Folgendes bereit:
@ -1284,7 +1284,7 @@ Ein benanntes Volume (oder Bind-Mount) ist erforderlich, um die unter `/data` ge
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
volumes:
- bw-storage:/data
...
@ -1340,7 +1340,8 @@ Das All-In-One-Image enthält mehrere integrierte Dienste, die über Umgebungsva
- `AUTOCONF_MODE=no` (Standard) - Aktiviert den Autoconf-Dienst
- `USE_REDIS=yes` (Standard) - Aktiviert die integrierte [Redis-Instanz](#redis-integration)
- `USE_CROWDSEC=no` (Standard) - Die [CrowdSec-Integration](#crowdsec-integration) ist standardmäßig deaktiviert
- `HIDE_SERVICE_LOGS=` (optional) - Kommagetrennte Liste von Diensten, deren Ausgaben in den Container-Logs unterdrückt werden. Unterstützte Werte: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`. Die Dateien in `/var/log/bunkerweb/<service>.log` werden weiterhin beschrieben.
- `HIDE_SERVICE_LOGS=` (optional) - Kommagetrennte Liste von Diensten, deren Ausgaben in den Container-Logs unterdrückt werden. Unterstützte Werte: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`.
- **Protokollierung**: Das All-In-One-Image leitet stdout und stderr aller Dienste an die Container-Ausgabe weiter. Verwenden Sie `docker logs bunkerweb-aio` (oder Ihren bevorzugten Container-Logging-Treiber), um Protokolle anzuzeigen und zu rotieren. Das Image schreibt für seine Python-Dienste keine Logdateien auf die Festplatte.
### API-Integration
@ -1361,7 +1362,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Empfohlen (hinter BunkerWeb) — veröffentlichen Sie `8888` nicht; verwenden Sie stattdessen einen Reverse-Proxy:
@ -1369,7 +1370,7 @@ Empfohlen (hinter BunkerWeb) — veröffentlichen Sie `8888` nicht; verwenden Si
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1425,6 +1426,10 @@ Das BunkerWeb **All-In-One**-Image enthält standardmäßig Redis für die [Pers
- Er lauscht auf dem Loopback-Interface des Containers und ist daher nur aus dem Container heraus erreichbar nicht von anderen Containern oder vom Host.
- Überschreiben Sie `REDIS_HOST` nur, wenn ein externer Redis-/Valkey-Endpunkt verfügbar ist; andernfalls wird die eingebettete Instanz nicht gestartet.
- Um Redis vollständig zu deaktivieren, setzen Sie `USE_REDIS=no`.
- **Konfigurationsvorrang (wichtig):** Das eingebettete Redis wird aus `/var/lib/bunkerweb/redis-runtime.conf` gestartet. Diese Datei wird beim Boot erzeugt, indem `/etc/redis.conf` kopiert und um env-getriebene Defaults **nur für Direktiven ergänzt wird, zu denen die Konfigurationsdatei schweigt**. Eine eingehängte eigene `/etc/redis.conf` hat daher immer Vorrang; die unten genannten Umgebungsvariablen füllen lediglich Lücken.
- **Speicher-Tuning:** Die Standardwerte folgen den [Redis Best Practices](features.md#redis-best-practices) `maxmemory 256mb` und `maxmemory-policy volatile-lru`. Überschreiben Sie diese über `REDIS_MAXMEMORY` und `REDIS_MAXMEMORY_POLICY`, sofern die Konfigurationsdatei sie nicht festschreibt.
- **Persistenz-Overrides:** `REDIS_APPENDONLY=yes|no` schaltet AOF um (Standard `yes`); RDB-Snapshots werden mit `REDIS_SAVE` sowie optional `REDIS_SAVE_0`, `REDIS_SAVE_1`, … konfiguriert, die jeweils ein `save <Sekunden> <Änderungen>`-Paar liefern (z. B. `REDIS_SAVE_0="900 1"`, `REDIS_SAVE_1="300 10"`). Sobald eine dieser Variablen gesetzt ist, ersetzen sie die eingebauten Defaults `900 1 / 300 10 / 60 10000`; ein leerer Wert erzeugt `save ""` und deaktiviert RDB. Wird ignoriert, sobald die Konfigurationsdatei selbst `save` setzt.
- **Authentifizierung:** Wird `REDIS_PASSWORD` gesetzt und die Konfigurationsdatei deklariert noch kein `requirepass`, startet das eingebettete Redis mit `requirepass`, sodass BunkerWeb-Client und -Server konsistent bleiben. Der eingebettete Server unterstützt nur den Default-Benutzer setzen Sie `REDIS_USERNAME` ausschließlich beim Anbinden eines externen Redis mit ACLs.
- Redis-Protokolle erscheinen mit dem Präfix `[REDIS]` in den Docker-Protokollen sowie in `/var/log/bunkerweb/redis.log`.
### CrowdSec-Integration {#crowdsec-integration}
@ -1441,7 +1446,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9```
bunkerity/bunkerweb-all-in-one:1.6.10```
* Wenn `USE_CROWDSEC=yes`, wird das Einstiegsskript:
@ -1495,7 +1500,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
!!! info "Wie es intern funktioniert"
@ -1517,7 +1522,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Hinweise:
@ -1553,7 +1558,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* Die **lokale Registrierung** wird übersprungen, wenn `CROWDSEC_API` nicht `127.0.0.1` oder `localhost` ist.
@ -1585,13 +1590,13 @@ Um Ihre Docker-Bereitstellung zu erleichtern, stellen wir auf [Docker Hub](https
Durch den Zugriff auf diese vorgefertigten Images von Docker Hub können Sie BunkerWeb schnell in Ihrer Docker-Umgebung ziehen und ausführen, wodurch umfangreiche Konfigurations- oder Einrichtungsprozesse entfallen. Dieser optimierte Ansatz ermöglicht es Ihnen, sich auf die Nutzung der Funktionen von BunkerWeb zu konzentrieren, ohne unnötige Komplexität.
```shell
docker pull bunkerity/bunkerweb:1.6.9
docker pull bunkerity/bunkerweb:1.6.10
```
Docker-Images sind auch auf [GitHub-Paketen](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) verfügbar und können über die Repository-Adresse `ghcr.io` heruntergeladen werden:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
docker pull ghcr.io/bunkerity/bunkerweb:1.6.10
```
Schlüsselkonzepte für die Docker-Integration sind:
@ -1601,7 +1606,7 @@ Schlüsselkonzepte für die Docker-Integration sind:
- **Netzwerke**: Docker-Netzwerke spielen eine wichtige Rolle bei der Integration von BunkerWeb. Diese Netzwerke dienen zwei Hauptzwecken: dem Bereitstellen von Ports für Clients und dem Verbinden mit Upstream-Webdiensten. Durch das Bereitstellen von Ports kann BunkerWeb eingehende Anfragen von Clients annehmen und ihnen den Zugriff auf die geschützten Webdienste ermöglichen. Darüber hinaus kann BunkerWeb durch die Verbindung mit Upstream-Webdiensten den Datenverkehr effizient weiterleiten und verwalten und so eine verbesserte Sicherheit und Leistung bieten.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie SQLite als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Es werden jedoch auch andere Datenbank-Backends unterstützt. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie SQLite als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Es werden jedoch auch andere Datenbank-Backends unterstützt. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) des Repositorys.
### Umgebungsvariablen
@ -1611,7 +1616,7 @@ Einstellungen werden dem Scheduler über Docker-Umgebungsvariablen übergeben:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1655,7 +1660,7 @@ Dadurch wird sichergestellt, dass sensible Einstellungen aus der Umgebung und de
Der [Scheduler](concepts.md#scheduler) läuft in seinem eigenen Container, der auch auf Docker Hub verfügbar ist:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.9
docker pull bunkerity/bunkerweb-scheduler:1.6.10
```
!!! info "BunkerWeb-Einstellungen"
@ -1676,7 +1681,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
environment:
# Dies setzt die API-Einstellungen für den BunkerWeb-Container
<<: *bw-api-env
@ -1685,7 +1690,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
# Dies setzt die API-Einstellungen für den Scheduler-Container
<<: *bw-api-env
@ -1703,7 +1708,7 @@ Ein Volume wird benötigt, um die vom Scheduler verwendete SQLite-Datenbank und
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- bw-storage:/data
...
@ -1783,14 +1788,14 @@ Der Scheduler ist der Control-Plane-Worker, der Einstellungen liest, Konfigurati
##### Logging
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Basis/Override Log-Level | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Ziele | Leerzeichen-getrennt `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | File-Logging aktivieren und Standardpfad setzen | `yes` oder `no` | `no` |
| `LOG_FILE_PATH` | Benutzerdefinierter Log-Pfad (genutzt wenn `LOG_TYPES` `file` enthält) | Dateipfad | `/var/log/bunkerweb/scheduler.log` bei `SCHEDULER_LOG_TO_FILE=yes`, sonst unset |
| `LOG_SYSLOG_ADDRESS` | Syslog-Ziel (`udp://host:514`, `tcp://host:514` oder Socket-Pfad) | Host:Port, Protokoll-präfixter Host oder Socket | unset |
| `LOG_SYSLOG_TAG` | Syslog-Ident/Tag | String | `bw-scheduler` |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------- | -------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Basis/Override Log-Level | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Ziele | Leerzeichen-getrennt `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Kompatibilitätsoption aus älteren Versionen: Wenn gesetzt, wird `LOG_FILE_PATH` standardmäßig auf `/var/log/bunkerweb/scheduler.log` gesetzt, falls `LOG_TYPES` `file` enthält und Sie `LOG_FILE_PATH` nicht explizit gesetzt haben. | `yes` oder `no` | `no` |
| `LOG_FILE_PATH` | Benutzerdefinierter Log-Pfad (genutzt wenn `LOG_TYPES` `file` enthält) | Dateipfad | `/var/log/bunkerweb/scheduler.log`, wenn `LOG_TYPES` `file` enthält, sonst unset |
| `LOG_SYSLOG_ADDRESS` | Syslog-Ziel (`udp://host:514`, `tcp://host:514` oder Socket-Pfad) | Host:Port, Protokoll-präfixter Host oder Socket | unset |
| `LOG_SYSLOG_TAG` | Syslog-Ident/Tag | String | `bw-scheduler` |
### UI-Container-Einstellungen
@ -1849,7 +1854,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1862,7 +1867,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Diese Einstellung ist obligatorisch, um die BunkerWeb-Instanz anzugeben
@ -1895,7 +1900,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1908,7 +1913,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
depends_on:
- bunkerweb
environment:
@ -1961,7 +1966,7 @@ Unterstützte Linux-Distributionen für BunkerWeb (amd64/x86_64 und arm64/aarch6
- Debian 13 "Trixie"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 42 und 43
- Fedora 42, 43 und 44
- Red Hat Enterprise Linux (RHEL) 8, 9 und 10
### Einfaches Installationsskript
@ -1974,8 +1979,8 @@ Um zu beginnen, laden Sie das Installationsskript und seine Prüfsumme herunter
```bash
# Skript und Prüfsumme herunterladen
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Prüfsumme überprüfen
sha256sum -c install-bunkerweb.sh.sha256
@ -2006,7 +2011,24 @@ Das einfache Installationsskript ist ein leistungsstarkes Werkzeug, das entwicke
#### Interaktive Installation
Wenn das Skript ohne Optionen ausgeführt wird, wechselt es in einen interaktiven Modus, der Sie durch den Einrichtungsprozess führt. Sie werden gebeten, die folgenden Entscheidungen zu treffen:
Wenn das Skript ohne Optionen ausgeführt wird, wechselt es in einen interaktiven Modus, der Sie durch den Einrichtungsprozess führt. Der interaktive Ablauf verwendet eine Inline-TUI via [gum](https://github.com/charmbracelet/gum) — Pfeiltastenmenüs mit ``-Cursor und maskierte Passwortfelder.
!!! info "gum wird beim ersten interaktiven Lauf ephemer abgerufen"
Der Installer lädt gum beim ersten Bedarf einer interaktiven Eingabeaufforderung herunter und führt es für die Dauer des Skripts aus einem Temp-Verzeichnis aus — **es wird nichts systemweit installiert**:
- Lädt das offizielle `gum_${VERSION}_${ARCH}.tar.gz` aus der [GitHub-Release](https://github.com/charmbracelet/gum/releases) per HTTPS (TLS 1.2+, lehnt HTTP-Weiterleitungen ab, Verbindungs-Timeout 10 s / Gesamt-Timeout 30 s).
- Verifiziert das Archiv gegen einen **in diesem Skript gepinnten SHA256** (lokaler Vertrauensanker — sowohl die Skript-Checksumme als auch das gum-Binary müssen passen).
- Wenn `cosign` installiert ist: verifiziert zusätzlich die Upstream-`checksums.txt` gegen die GitHub-Actions-OIDC-Identität von Charm (`https://github.com/charmbracelet/gum/...`) als Defense-in-Depth und gleicht ab, dass der gepinnte Hash dem von Charm für genau dieses Archiv veröffentlichten Wert entspricht.
- Entpackt das Binary in ein ausführungsfähiges Temp-Verzeichnis (`/var/tmp/bw-gum.XXXXXX` standardmäßig; `/tmp`, `$XDG_RUNTIME_DIR` oder `$HOME/.cache`, wenn `/var/tmp` als `noexec` gemountet ist).
- Fügt das Temp-Verzeichnis dem `PATH` für die Dauer des Skripts hinzu und entfernt es beim Beenden (über einen `EXIT`-Trap, auch bei `set -e`-Fehlern oder Signalen).
**Was nach dem Beenden des Installers auf der Festplatte bleibt:** nichts. Kein `/etc/apt/sources.list.d/charm.list`, kein GPG-Schlüssel in `apt`/`rpm`, kein `gum`-Binary in `/usr/bin`/`/usr/local/bin`, kein Paket-DB-Eintrag. Der Installer registriert nie eine Drittanbieter-apt- oder dnf-Quelle.
Kann gum nicht heruntergeladen werden — isolierter Host, Netzwerkfehler, SHA256-Abweichung — verwendet der Installer ein bereits auf dem System vorhandenes `whiptail` (auf Debian/Ubuntu-Cloud-Images häufig via `newt`-Paket vorinstalliert). Ist weder gum noch whiptail verfügbar, fällt er auf **Klartext-Eingaben** zurück.
Übergeben Sie `--no-tui` (oder setzen Sie `BW_INSTALL_TUI=no`), um alle TUI-Ebenen zu überspringen, oder `--tui`, um abzubrechen, wenn keine TUI gerendert werden kann. **Air-gapped-Installationen**: kombinieren Sie `--no-tui` mit `--yes` und den passenden `--*`-Flags / `*_INPUT`-Umgebungsvariablen; für die TUI-Schicht wird kein Netzwerkaufruf ausgeführt.
Sie werden gebeten, die folgenden Entscheidungen zu treffen:
1. **Installationstyp**: Wählen Sie die Komponenten aus, die Sie installieren möchten.
* **Full Stack (Standard)**: Eine All-in-One-Installation mit BunkerWeb, dem Scheduler und der Web-UI.
@ -2034,10 +2056,12 @@ Für nicht-interaktive oder automatisierte Setups kann das Skript mit Befehlszei
| Option | Beschreibung |
| ----------------------- | ------------------------------------------------------------------------------------------- |
| `-v, --version VERSION` | Gibt die zu installierende BunkerWeb-Version an (z. B. `1.6.9`). |
| `-v, --version VERSION` | Gibt die zu installierende BunkerWeb-Version an (z. B. `1.6.10`). |
| `-w, --enable-wizard` | Aktiviert den Einrichtungsassistenten. |
| `-n, --no-wizard` | Deaktiviert den Einrichtungsassistenten. |
| `-y, --yes` | Führt im nicht-interaktiven Modus mit Standardantworten für alle Eingabeaufforderungen aus. |
| `--tui` | Erzwingt eine TUI (gum oder whiptail). Bricht ab, wenn keine installiert werden kann. |
| `--no-tui` | Deaktiviert alle TUI-Ebenen und verwendet Klartext-Eingaben. Entspricht `BW_INSTALL_TUI=no`. |
| `-f, --force` | Erzwingt die Installation, auch auf einer nicht unterstützten Betriebssystemversion. |
| `-q, --quiet` | Stille Installation (unterdrückt die Ausgabe). |
| `--api`, `--enable-api` | Aktiviert den API (FastAPI) systemd-Dienst (standardmäßig deaktiviert). |
@ -2054,7 +2078,7 @@ Für nicht-interaktive oder automatisierte Setups kann das Skript mit Befehlszei
| `--worker` | Installiert nur die BunkerWeb-Instanz. |
| `--scheduler-only` | Installiert nur die Scheduler-Komponente. |
| `--ui-only` | Installiert nur die Web-UI-Komponente. |
| `--api-only` | Installiert nur den API-Dienst (Port 8000). |
| `--api-only` | Installiert nur den API-Dienst (Port 8888). |
**Sicherheitsintegrationen:**
@ -2099,7 +2123,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Eine bestimmte Version installieren
sudo ./install-bunkerweb.sh --version 1.6.9
sudo ./install-bunkerweb.sh --version 1.6.10
# Manager-Setup mit entfernten Worker-Instanzen (Instanzen erforderlich)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2146,7 +2170,7 @@ sudo ./install-bunkerweb.sh --yes --api
**Verfügbarkeit des API-Dienstes:**
- Der externe API-Dienst (Port 8000) ist für die Installationstypen `--full` und `--manager` verfügbar
- Der externe API-Dienst (Port 8888) ist für die Installationstypen `--full` und `--manager` verfügbar
- Er ist nicht verfügbar für `--worker`, `--scheduler-only` oder `--ui-only` Installationen
- Verwenden Sie `--api-only` für eine dedizierte API-Dienst-Installation
@ -2207,7 +2231,7 @@ Abhängig von Ihren Entscheidungen während der Installation:
### Installation mit dem Paketmanager
Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie BunkerWeb installieren**. Für alle Distributionen ist es zwingend erforderlich, vorgefertigte Pakete aus dem [offiziellen NGINX-Repository](https://nginx.org/en/linux_packages.html) zu verwenden. Das Kompilieren von NGINX aus dem Quellcode oder die Verwendung von Paketen aus verschiedenen Repositories funktioniert nicht mit den offiziellen vorgefertigten Paketen von BunkerWeb. Sie haben jedoch die Möglichkeit, BunkerWeb aus dem Quellcode zu erstellen.
Bitte stellen Sie sicher, dass Sie **NGINX 1.30.1 installiert haben, bevor Sie BunkerWeb installieren**. Für alle Distributionen ist es zwingend erforderlich, vorgefertigte Pakete aus dem [offiziellen NGINX-Repository](https://nginx.org/en/linux_packages.html) zu verwenden. Das Kompilieren von NGINX aus dem Quellcode oder die Verwendung von Paketen aus verschiedenen Repositories funktioniert nicht mit den offiziellen vorgefertigten Paketen von BunkerWeb. Sie haben jedoch die Möglichkeit, BunkerWeb aus dem Quellcode zu erstellen.
=== "Debian Bookworm/Trixie"
@ -2222,11 +2246,11 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Sie sollten jetzt NGINX 1.28.2 installieren können:
Sie sollten jetzt NGINX 1.30.1 installieren können:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Testing/dev-Version"
@ -2243,12 +2267,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.9:
Und installieren Sie schließlich BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `apt upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2270,11 +2294,11 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Sie sollten jetzt NGINX 1.28.2 installieren können:
Sie sollten jetzt NGINX 1.30.1 installieren können:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Testing/dev-Version"
@ -2291,12 +2315,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.9:
Und installieren Sie schließlich BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `apt upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2314,10 +2338,10 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora stellt bereits NGINX 1.28.2 zur Verfügung, das wir unterstützen
Fedora stellt bereits NGINX 1.30.1 zur Verfügung, das wir unterstützen
```shell
sudo dnf install -y --allowerasing nginx-1.28.2
sudo dnf install -y --allowerasing nginx-1.30.1
```
!!! example "Einrichtungsassistenten deaktivieren"
@ -2327,12 +2351,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.9:
Und installieren Sie schließlich BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `dnf upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2364,10 +2388,10 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
module_hotfixes=true
```
Sie sollten jetzt NGINX 1.28.2 installieren können:
Sie sollten jetzt NGINX 1.30.1 installieren können:
```shell
sudo dnf install --allowerasing nginx-1.28.2
sudo dnf install --allowerasing nginx-1.30.1
```
!!! example "Einrichtungsassistenten deaktivieren"
@ -2377,12 +2401,12 @@ Bitte stellen Sie sicher, dass Sie **NGINX 1.28.2 installiert haben, bevor Sie B
export UI_WIZARD=no
```
Und installieren Sie schließlich BunkerWeb 1.6.9:
Und installieren Sie schließlich BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Um ein Upgrade der NGINX- und/oder BunkerWeb-Pakete bei der Ausführung von `dnf upgrade` zu verhindern, können Sie den folgenden Befehl verwenden:
@ -2474,7 +2498,7 @@ Durch die Übernahme dieses Ansatzes können Sie eine Echtzeit-Rekonfiguration v
Die Docker Autoconf-Integration impliziert die Verwendung des **Multisite-Modus**. Weitere Informationen finden Sie im [Multisite-Abschnitt](concepts.md#multisite-mode) der Dokumentation.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) des Repositorys.
Um automatisierte Konfigurationsupdates zu ermöglichen, fügen Sie einen zusätzlichen Container namens `bw-autoconf` zum Stack hinzu. Dieser Container hostet den Autoconf-Dienst, der dynamische Konfigurationsänderungen für BunkerWeb verwaltet.
@ -2488,7 +2512,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2503,7 +2527,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # Wir müssen die BunkerWeb-Instanz hier nicht angeben, da sie automatisch vom Autoconf-Dienst erkannt werden
@ -2518,7 +2542,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bunkerweb
- bw-docker
@ -2597,16 +2621,17 @@ Der `bw-autoconf`-Controller überwacht Ihren Orchestrator und schreibt Änderun
##### Modus & Laufzeit
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| ------------------------- | ------------------------------------------------- | ---------------------------------------- | ------------------------------------- |
| `AUTOCONF_MODE` | Autoconf-Controller aktivieren | `yes` oder `no` | `no` |
| `SWARM_MODE` | Swarm-Services statt Docker-Containern beobachten | `yes` oder `no` | `no` |
| `KUBERNETES_MODE` | Kubernetes Ingresses/Pods statt Docker beobachten | `yes` oder `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Gateway-API-Controller für Kubernetes verwenden | `yes` oder `no` | `no` |
| `DOCKER_HOST` | Docker-Socket / Remote-API-URL | z. B. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Sekunden zwischen Readiness-Checks für Instanzen | Ganze Sekunden | `5` |
| `LOG_SYSLOG_TAG` | Syslog-Tag für Autoconf-Logs | String | `bw-autoconf` |
| `TZ` | Zeitzone für Autoconf-Logs und Zeitstempel | TZ-Datenbank-Name (z. B. `Europe/Paris`) | unset (Container-Standard, meist UTC) |
| Setting | Beschreibung | Akzeptierte Werte | Standard |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------- |
| `AUTOCONF_MODE` | Autoconf-Controller aktivieren | `yes` oder `no` | `no` |
| `SWARM_MODE` | Swarm-Services statt Docker-Containern beobachten | `yes` oder `no` | `no` |
| `KUBERNETES_MODE` | Kubernetes Ingresses/Pods statt Docker beobachten | `yes` oder `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Gateway-API-Controller für Kubernetes verwenden | `yes` oder `no` | `no` |
| `DOCKER_HOST` | Docker-Socket / Remote-API-URL | z. B. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Sekunden zwischen Readiness-Checks für Instanzen | Ganze Sekunden | `5` |
| `AUTOCONF_DISABLE_CLEANUP` | Wenn `yes`, werden aus dem Orchestrator entfernte Dienste und benutzerdefinierte Konfigurationen als Entwurf (Draft) beibehalten, statt hart gelöscht zu werden. So bleiben sie bei transienten Ausfällen erhalten und können aus der Web-UI gelöscht werden. | `yes` oder `no` | `no` |
| `LOG_SYSLOG_TAG` | Syslog-Tag für Autoconf-Logs | String | `bw-autoconf` |
| `TZ` | Zeitzone für Autoconf-Logs und Zeitstempel | TZ-Datenbank-Name (z. B. `Europe/Paris`) | unset (Container-Standard, meist UTC) |
##### Datenbank & Validierung
@ -2672,6 +2697,27 @@ networks:
name: bw-services
```
#### Dienste bei Entfernung als Entwürfe beibehalten {#autoconf-disable-cleanup}
Standardmäßig wird ein von Autoconf verwalteter Dienst (Container, Swarm-Service oder Ingress) sofort aus der gemeinsamen Datenbank gelöscht, sobald das zugehörige Orchestrator-Objekt verschwindet — zusammen mit allen zugehörigen `services_settings`-Einträgen und benutzerdefinierten Konfigurationen. Dieses Verhalten ist destruktiv: ein transienter Ausfall ist vom absichtlichen Abbau nicht zu unterscheiden, und eine Wiederherstellung erfordert das vollständige Neuerstellen der Dienstdefinition.
Wenn `AUTOCONF_DISABLE_CLEANUP=yes` am `bw-autoconf`-Container gesetzt ist:
- Aus dem Orchestrator entfernte Dienste werden auf `is_draft = true` umgestellt statt gelöscht. Ihre `services_settings`-Zeilen, benutzerdefinierten Konfigurationen und Job-Caches bleiben erhalten.
- Draft-Dienste werden nicht in die gerenderte NGINX-Konfiguration übernommen (sie werden nicht ausgeliefert), die Seite geht also offline, nur die Konfiguration bleibt gespeichert.
- Wird derselbe Dienst später erneut vom Orchestrator erkannt (gleicher Server-Name / Ingress-Host), wird er automatisch wieder online gestellt und republiziert; bestehende benutzerdefinierte Konfigurationen werden wiederverwendet.
- Während sich ein Dienst in diesem "von Autoconf als Entwurf markierten" Zustand befindet, kann er über die Seite **Dienste** der Web-UI gelöscht werden — normalerweise sind Autoconf-eigene Dienste aus der UI heraus nicht löschbar, aber die Schaltfläche **Löschen** wird für Draft-Autoconf-Dienste aktiviert, damit Betreiber veraltete Einträge entfernen können. Online-Autoconf-Dienste bleiben aus der UI heraus nicht löschbar.
```yaml
services:
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
AUTOCONF_MODE: "yes"
AUTOCONF_DISABLE_CLEANUP: "yes" # entfernte Dienste als Entwürfe beibehalten
DATABASE_URI: "mariadb+pymysql://bunkerweb:secret@bw-db:3306/db"
```
### Namespaces {#namespaces}
Ab Version `1.6.0` unterstützen die Autoconf-Stacks von BunkerWeb Namespaces. Mit dieser Funktion können Sie mehrere "*Cluster*" von BunkerWeb-Instanzen und -Diensten auf demselben Docker-Host verwalten. Um Namespaces zu nutzen, setzen Sie einfach das `NAMESPACE`-Label auf Ihre Dienste. Hier ist ein Beispiel:
@ -2701,13 +2747,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Setzen Sie den Namespace für die BunkerWeb-Instanz, damit der Autoconf-Dienst sie erkennen kann
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Lauschen Sie nur auf diese Namespaces
@ -2759,7 +2805,7 @@ Für eine optimale Einrichtung wird empfohlen, BunkerWeb als **[DaemonSet](https
Angesichts des Vorhandenseins mehrerer BunkerWeb-Instanzen ist es erforderlich, einen gemeinsamen Datenspeicher zu implementieren, der als [Redis](https://redis.io/)- oder [Valkey](https://valkey.io/)-Dienst realisiert wird. Dieser Dienst wird von den Instanzen genutzt, um Daten zwischen ihnen zu cachen und zu teilen. Weitere Informationen zu den Redis/Valkey-Einstellungen finden Sie [hier](features.md#redis).
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) des Repositorys.
Die Einrichtung von geclusterten Datenbank-Backends liegt außerhalb des Geltungsbereichs dieser Dokumentation.
@ -2874,7 +2920,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.9"
tag: "1.6.10"
```
2. For each sidecar, add:
@ -2967,7 +3013,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.9"
tag: "1.6.10"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3011,7 +3057,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3282,7 +3328,7 @@ To add a new application protected by BunkerWeb:
#### Vollständige YAML-Dateien
Anstatt das Helm-Chart zu verwenden, können Sie auch die YAML-Vorlagen im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des GitHub-Repositorys verwenden. Bitte beachten Sie, dass wir dringend empfehlen, stattdessen das Helm-Chart zu verwenden.
Anstatt das Helm-Chart zu verwenden, können Sie auch die YAML-Vorlagen im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) des GitHub-Repositorys verwenden. Bitte beachten Sie, dass wir dringend empfehlen, stattdessen das Helm-Chart zu verwenden.
### Ingress-Ressourcen
@ -3430,7 +3476,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3604,11 +3650,11 @@ service:
# BunkerWeb-Einstellungen
bunkerweb:
tag: 1.6.9
tag: 1.6.10
# Scheduler-Einstellungen
scheduler:
tag: 1.6.9
tag: 1.6.10
extraEnvs:
# Aktivieren Sie das Real-IP-Modul, um die echte IP der Clients zu erhalten
- name: USE_REAL_IP
@ -3616,11 +3662,11 @@ scheduler:
# Controller-Einstellungen
controller:
tag: 1.6.9
tag: 1.6.10
# UI-Einstellungen
ui:
tag: 1.6.9
tag: 1.6.10
```
Installieren Sie BunkerWeb mit benutzerdefinierten Werten:
@ -4242,7 +4288,7 @@ Da mehrere Instanzen von BunkerWeb ausgeführt werden, muss ein gemeinsamer Date
Was das Datenbank-Volume betrifft, so gibt die Dokumentation keinen spezifischen Ansatz vor. Die Wahl eines freigegebenen Ordners oder eines bestimmten Treibers für das Datenbank-Volume hängt von Ihrem einzigartigen Anwendungsfall ab und bleibt dem Leser als Übung überlassen.
!!! info "Datenbank-Backend"
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) des Repositorys.
Bitte beachten Sie, dass unsere Anweisungen davon ausgehen, dass Sie MariaDB als Standard-Datenbank-Backend verwenden, wie durch die Einstellung `DATABASE_URI` konfiguriert. Wir verstehen jedoch, dass Sie möglicherweise alternative Backends für Ihre Docker-Integration bevorzugen. In diesem Fall können Sie sicher sein, dass auch andere Datenbank-Backends möglich sind. Weitere Informationen finden Sie in den docker-compose-Dateien im Ordner [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) des Repositorys.
Die Einrichtung von geclusterten Datenbank-Backends liegt außerhalb des Geltungsbereichs dieser Dokumentation.
@ -4256,7 +4302,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -4285,7 +4331,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Obligatorisches Label für den Autoconf-Dienst, um die BunkerWeb-Instanz zu identifizieren
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # Wir müssen die BunkerWeb-Instanz hier nicht angeben, da sie automatisch vom Autoconf-Dienst erkannt werden
@ -4306,7 +4352,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Denken Sie daran, ein stärkeres Passwort für die Datenbank festzulegen
@ -4458,7 +4504,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
deploy:
mode: global
@ -4470,7 +4516,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Setzen Sie den Namespace für die BunkerWeb-Instanz
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
NAMESPACES: "my-namespace my-other-namespace" # Lauschen Sie nur auf diese Namespaces
...

14
docs/de/plugins.md
View file

@ -89,7 +89,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -124,7 +124,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -167,7 +167,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -214,7 +214,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -254,7 +254,7 @@ Der erste Schritt besteht darin, das Plugin zu installieren, indem Sie seine Dat
!!! tip "Bestehende Plugins"
Wenn die Dokumentation nicht ausreicht, können Sie sich den bestehenden Quellcode der [offiziellen Plugins](https://github.com/bunkerity/bunkerweb-plugins) und der [Kern-Plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) ansehen (bereits in BunkerWeb enthalten, aber technisch gesehen sind es Plugins).
Wenn die Dokumentation nicht ausreicht, können Sie sich den bestehenden Quellcode der [offiziellen Plugins](https://github.com/bunkerity/bunkerweb-plugins) und der [Kern-Plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/common/core) ansehen (bereits in BunkerWeb enthalten, aber technisch gesehen sind es Plugins).
Wie eine Plugin-Struktur aussieht:
```
@ -478,7 +478,7 @@ Die deklarierten Funktionen werden automatisch in bestimmten Kontexten aufgerufe
#### Bibliotheken
Alle Direktiven aus dem [NGINX LUA-Modul](https://github.com/openresty/lua-nginx-module) und dem [NGINX Stream LUA-Modul](https://github.com/openresty/stream-lua-nginx-module) sind verfügbar. Darüber hinaus können Sie die in BunkerWeb enthaltenen LUA-Bibliotheken verwenden: siehe [dieses Skript](https://github.com/bunkerity/bunkerweb/blob/v1.6.9/src/deps/clone.sh) für die vollständige Liste.
Alle Direktiven aus dem [NGINX LUA-Modul](https://github.com/openresty/lua-nginx-module) und dem [NGINX Stream LUA-Modul](https://github.com/openresty/stream-lua-nginx-module) sind verfügbar. Darüber hinaus können Sie die in BunkerWeb enthaltenen LUA-Bibliotheken verwenden: siehe [dieses Skript](https://github.com/bunkerity/bunkerweb/blob/v1.6.10/src/deps/clone.sh) für die vollständige Liste.
Wenn Sie zusätzliche Bibliotheken benötigen, können Sie diese in den Stammordner des Plugins legen und darauf zugreifen, indem Sie ihnen Ihre Plugin-ID voranstellen. Hier ist ein Beispiel für eine Datei namens **mylibrary.lua**:
@ -559,7 +559,7 @@ end
!!! tip "Weitere Beispiele"
Wenn Sie die vollständige Liste der verfügbaren Funktionen sehen möchten, können Sie sich die Dateien im [lua-Verzeichnis](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) des Repositorys ansehen.
Wenn Sie die vollständige Liste der verfügbaren Funktionen sehen möchten, können Sie sich die Dateien im [lua-Verzeichnis](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/bw/lua/bunkerweb) des Repositorys ansehen.
### Jobs

45
docs/de/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Diese Schnellstart-Anleitung hilft Ihnen, BunkerWeb schnell zu installieren und
Der Schutz bestehender Webanwendungen, die bereits über das HTTP(S)-Protokoll erreichbar sind, ist das Hauptziel von BunkerWeb: Es fungiert als klassischer [Reverse-Proxy](https://de.wikipedia.org/wiki/Reverse_Proxy) mit zusätzlichen Sicherheitsfunktionen.
Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) des Repositorys finden Sie Beispiele aus der Praxis.
Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) des Repositorys finden Sie Beispiele aus der Praxis.
## Grundlegende Einrichtung
@ -33,7 +33,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Standardmäßig stellt der Container Folgendes bereit:
@ -51,8 +51,8 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
```bash
# Laden Sie das Skript und seine Prüfsumme herunter
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Überprüfen Sie die Prüfsumme
sha256sum -c install-bunkerweb.sh.sha256
@ -68,10 +68,13 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
#### Highlights des Easy-Install-Skripts
- Erkennt Ihre Linux-Distribution und CPU-Architektur im Voraus und warnt, wenn Sie sich außerhalb der unterstützten Matrix befinden, bevor Änderungen vorgenommen werden.
- Der interaktive Ablauf lässt Sie das Installationsprofil auswählen (Full Stack, Manager, Worker usw.); im Manager-Modus wird die API immer auf `0.0.0.0` gebunden, der Setup-Assistent deaktiviert und nach der freizuschaltenden IP gefragt (in nicht-interaktiven Läufen per `--manager-ip` übergeben), während der Worker-Modus die Manager-IP(s) für seine Whitelist erzwingt.
- Interaktive Eingabeaufforderungen verwenden eine Inline-TUI via [gum](https://github.com/charmbracelet/gum) — Pfeiltastenmenüs mit ``-Cursor und maskierte Passwortfelder. Beim ersten interaktiven Lauf lädt das Skript das offizielle `gum`-Binary aus der [GitHub-Release](https://github.com/charmbracelet/gum/releases) herunter (SHA256-gepinnt, optionale cosign-Signaturprüfung, sofern cosign installiert ist), führt es aus einem Temp-Verzeichnis aus und entfernt das Temp-Verzeichnis beim Beenden — **es wird kein Systempaket installiert, keine apt/dnf-Quelle hinzugefügt und kein Binary auf dem System hinterlassen**. Kann gum nicht bezogen werden, verwendet der Installer ein bereits vorhandenes `whiptail`; ist auch das nicht verfügbar, fällt er auf einfache Texteingaben zurück.
- Zwei Flags steuern die TUI: `--no-tui` (oder `BW_INSTALL_TUI=no`) überspringt alle TUI-Ebenen und verwendet einfache Texteingaben; `--tui` erfordert eine funktionierende TUI und bricht ab, wenn gum nicht abgerufen werden kann und kein vorhandenes whiptail verfügbar ist.
- Wenn der Installer per Pipe gestartet wird (`curl … | bash`) oder stdin kein TTY ist, beendet er sich mit einer klaren Fehlermeldung, anstatt jede Vorgabe stillschweigend zu übernehmen. Verwenden Sie `--yes` zusammen mit den passenden `--*`-Flags / `*_INPUT`-Umgebungsvariablen für nicht-interaktive Installationen.
- Der interaktive Ablauf lässt Sie das Installationsprofil auswählen (Full Stack, Manager, Worker usw.); im Manager-Modus wird der interne API-Listener auf `0.0.0.0` gebunden, der Setup-Assistent deaktiviert und nach der freizuschaltenden IP gefragt (in nicht-interaktiven Läufen per `--manager-ip` übergeben), während der Worker-Modus die Manager-IP(s) für seine Whitelist erzwingt.
- Manager-Installationen können weiterhin entscheiden, ob der Web-UI-Dienst gestartet werden soll, obwohl der Assistent deaktiviert bleibt.
- Die Zusammenfassung zeigt an, ob der FastAPI-Dienst gestartet wird, sodass Sie ihn bewusst mit `--api` / `--no-api` aktivieren oder deaktivieren können.
- CrowdSec-Optionen stehen nur für Full-Stack-Installationen zur Verfügung; Manager-/Worker-Modi überspringen sie automatisch, damit sich der Ablauf auf die Fernverwaltung konzentriert.
- CrowdSec wird interaktiv nur bei Full-Stack-Installationen abgefragt. Auf der CLI sind `--crowdsec` und `--crowdsec-appsec` für Full Stack und Manager gültig; Worker-, Scheduler-only-, UI-only- und API-only-Modi lehnen sie ab.
Weitere Installationsmethoden (Paketmanager, Installationstypen, nicht-interaktive Flags, CrowdSec-Integration usw.) finden Sie unter [Linux-Integration](integrations.md#linux).
@ -90,7 +93,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
services:
bunkerweb:
# Dies ist der Name, der zur Identifizierung der Instanz im Scheduler verwendet wird
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +106,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Stellen Sie sicher, dass Sie den richtigen Instanznamen festlegen
@ -120,7 +123,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-env
restart: "unless-stopped"
@ -148,7 +151,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -187,7 +190,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +206,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +224,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bw-docker
environment:
@ -244,7 +247,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Denken Sie daran, einen stärkeren geheimen Schlüssel festzulegen (siehe Abschnitt Voraussetzungen)
@ -273,7 +276,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -339,7 +342,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -369,7 +372,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +390,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +419,7 @@ Im [Beispielordner](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Denken Sie daran, einen stärkeren geheimen Schlüssel festzulegen (siehe Abschnitt Voraussetzungen)
@ -637,7 +640,7 @@ Sie können sich nun mit dem während des Einrichtungsassistenten erstellten Adm
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Fügen Sie alle anderen vorhandenen Umgebungsvariablen für UI, Redis, CrowdSec usw. hinzu ---
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Ihr Anwendungscontainer (`myapp`) und der `bunkerweb-aio`-Container müssen sich im selben Docker-Netzwerk befinden, damit BunkerWeb ihn über den Hostnamen `myapp` erreichen kann.
@ -659,7 +662,7 @@ Sie können sich nun mit dem während des Einrichtungsassistenten erstellten Adm
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (alle anderen relevanten Umgebungsvariablen wie im Hauptbeispiel oben gezeigt) ...
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Stellen Sie sicher, dass Sie `myapp` durch den tatsächlichen Namen oder die IP Ihres Anwendungscontainers und `http://myapp:8080` durch dessen korrekte Adresse und Port ersetzen.

41
docs/de/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -78,6 +78,9 @@
Wenn die Überprüfung der Prüfsumme fehlschlägt, **führen Sie das Skript nicht aus** es könnte unsicher sein.
!!! tip "Interaktive Upgrade-Oberfläche"
Der Upgrade-Ablauf verwendet dieselbe TUI wie Neuinstallationen: Inline-Eingabeaufforderungen mit [gum](https://github.com/charmbracelet/gum), mit Rückfall auf `whiptail`-Dialogboxen und schließlich auf Klartext-Eingaben, falls gum nicht bezogen werden kann. Das `gum`-Binary wird aus der offiziellen [GitHub-Release](https://github.com/charmbracelet/gum/releases) heruntergeladen (SHA256-gepinnt, cosign-verifiziert, wenn cosign installiert ist) und aus einem Temp-Verzeichnis ausgeführt, das beim Beenden entfernt wird — es wird kein Systempaket installiert und keine apt/dnf-Quelle hinzugefügt. Übergeben Sie `--no-tui` (oder setzen Sie `BW_INSTALL_TUI=no`), um alle TUI-Ebenen zu überspringen, oder `--tui`, um eine funktionierende TUI zu erzwingen. Für vollständig unbeaufsichtigte Upgrades übergeben Sie `-y` / `--yes` mit den entsprechenden Flags Pipe-Aufrufe (`curl … | bash`) brechen mit einer klaren Fehlermeldung ab, statt jede Vorgabe stillschweigend zu übernehmen. **Air-gapped-Upgrades**: kombinieren Sie `--no-tui --yes`, damit für die TUI-Schicht kein Netzwerkaufruf ausgeführt wird.
* **Wie es funktioniert**:
Das gleiche vielseitige Installationsskript, das für Neuinstallationen verwendet wird, kann auch ein In-Place-Upgrade durchführen. Wenn es eine bestehende Installation und eine andere Zielversion erkennt, wechselt es in den Upgrade-Modus und wendet den folgenden Arbeitsablauf an:
@ -128,6 +131,8 @@
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `-v, --version <X.Y.Z>` | Ziel-BunkerWeb-Version, auf die aktualisiert werden soll. |
| `-y, --yes` | Nicht-interaktiv (geht von Upgrade-Bestätigung aus und aktiviert die automatische Sicherung, es sei denn, `--no-auto-backup`). |
| `--tui` | Erzwingt eine TUI (gum oder whiptail). Bricht ab, wenn keine installiert werden kann. |
| `--no-tui` | Überspringt alle TUI-Ebenen und verwendet Klartext-Eingaben. Entspricht `BW_INSTALL_TUI=no`. |
| `--backup-dir <PFAD>` | Ziel für die automatische Pre-Upgrade-Sicherung. Wird erstellt, wenn es fehlt. |
| `--no-auto-backup` | Überspringt die automatische Sicherung (NICHT empfohlen). Sie müssen eine manuelle Sicherung haben. |
| `-q, --quiet` | Unterdrückt die Ausgabe (mit Protokollierung / Überwachung kombinieren). |
@ -137,20 +142,20 @@
Beispiele:
```bash
# Interaktiv auf 1.6.9 aktualisieren (fragt nach Sicherung)
sudo ./install-bunkerweb.sh --version 1.6.9
# Interaktiv auf 1.6.10 aktualisieren (fragt nach Sicherung)
sudo ./install-bunkerweb.sh --version 1.6.10
# Nicht-interaktives Upgrade mit automatischer Sicherung in ein benutzerdefiniertes Verzeichnis
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.10 --backup-dir /var/backups/bw-2025-01 -y
# Stilles unbeaufsichtigtes Upgrade (Protokolle unterdrückt) verlässt sich auf die standardmäßige automatische Sicherung
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
sudo ./install-bunkerweb.sh -v 1.6.10 -y -q
# Einen Probelauf (Plan) durchführen, ohne Änderungen anzuwenden
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.10 --dry-run
# Upgrade unter Überspringen der automatischen Sicherung (NICHT empfohlen)
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.10 --no-auto-backup -y
```
!!! warning "Überspringen von Sicherungen"
@ -230,7 +235,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `apt upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -256,7 +261,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `dnf upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -653,16 +658,16 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -697,7 +702,7 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `apt upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:
@ -723,7 +728,7 @@ Wir haben eine **Namespace**-Funktion zu den Autoconf-Integrationen hinzugefügt
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Um zu verhindern, dass das BunkerWeb-Paket bei der Ausführung von `dnf upgrade` aktualisiert wird, können Sie den folgenden Befehl verwenden:

14
docs/de/web-ui.md
View file

@ -35,7 +35,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
Verwenden Sie die veröffentlichten Images und das Layout aus dem [Quickstart-Guide](quickstart-guide.md#__tabbed_1_3). Stack starten, dann den Wizard im Browser abschließen.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.10-rc1/misc/integrations/docker-compose.yml up -d
```
Öffnen Sie den Scheduler-Host (z.B. `https://www.example.com/changeme`) und führen Sie den `/setup`-Wizard aus, um UI, Scheduler und Instanz zu konfigurieren.
@ -52,7 +52,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -165,7 +165,7 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
```
Recovery-Codes werden einmalig angezeigt; gehen die Verschlüsselungs-Keys verloren, werden gespeicherte TOTP-Secrets verworfen.
- Sessions: Standard-Lebensdauer 12 h (`SESSION_LIFETIME_HOURS`). Sessions an IP und User-Agent gebunden; `CHECK_PRIVATE_IP=no` lockert die IP-Prüfung nur für private Netze. `ALWAYS_REMEMBER=yes` erzwingt persistente Cookies.
- Sessions: Standard-Leerlauf-Lebensdauer 12 h (`SESSION_LIFETIME_HOURS`), bei jeder Anfrage erneuert. Ein hartes Absolutlimit gilt über `SESSION_ABSOLUTE_HOURS` (Standard `168` = 7 Tage) — danach werden Nutzer unabhängig von Aktivität ausgeloggt. Optionale Session-ID-Rotation (`SESSION_ROLLING_HOURS`, Standard `0` = deaktiviert) erzeugt in diesem Intervall eine neue Session-ID. Sessions an IP und User-Agent gebunden; `CHECK_PRIVATE_IP=no` lockert die IP-Prüfung nur für private Netze. `ALWAYS_REMEMBER=yes` erzwingt persistente Cookies.
- `PROXY_NUMBERS` setzen, wenn mehrere Proxies `X-Forwarded-*` anhängen.
## Konfigurationsquellen und Priorität
@ -205,7 +205,9 @@ Die UI erwartet, dass Scheduler/(BunkerWeb-)API/Redis/DB erreichbar sind.
| `FLASK_SECRET` | Session-Signing-Secret (persistiert in `/var/lib/bunkerweb/.flask_secret`) | Hex/Base64/opaque | auto-generiert |
| `TOTP_ENCRYPTION_KEYS` (`TOTP_SECRETS`) | Verschlüsselungs-Keys für TOTP (Leerzeichen oder JSON) | Strings / JSON | auto-generiert falls fehlend |
| `BISCUIT_PUBLIC_KEY`, `BISCUIT_PRIVATE_KEY` | Biscuit-Keys (hex) für UI-Tokens | Hex-Strings | auto-generiert & gespeichert |
| `SESSION_LIFETIME_HOURS` | Session-Lebensdauer | Zahl (Stunden) | `12` |
| `SESSION_LIFETIME_HOURS` | Leerlauf-Lebensdauer der Session (gleitende TTL, pro Anfrage erneuert) | Zahl (Stunden) | `12` |
| `SESSION_ABSOLUTE_HOURS` | Absolute Obergrenze der Session unabhängig von Aktivität | Zahl (Stunden) | `168` |
| `SESSION_ROLLING_HOURS` | Intervall für Session-ID-Rotation (`0` deaktiviert die Rotation) | Zahl (Stunden) | `0` |
| `ALWAYS_REMEMBER` | „Remember me“-Cookies immer setzen | `yes` oder `no` | `no` |
| `CHECK_PRIVATE_IP` | Sessions an IP binden (locker für private Netze bei `no`) | `yes` oder `no` | `yes` |
| `PROXY_NUMBERS` | Anzahl vertrauenswürdiger Proxy-Hops für `X-Forwarded-*` | Integer | `1` |

969
docs/es/advanced.md
View file

File diff suppressed because it is too large Load diff

10
docs/es/api.md
View file

@ -41,7 +41,7 @@ Elige el sabor que encaje con tu entorno.
services:
bunkerweb:
# Nombre que usará el scheduler para identificar la instancia
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Elige el sabor que encaje con tu entorno.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrate de poner el nombre de instancia correcto
@ -76,7 +76,7 @@ Elige el sabor que encaje con tu entorno.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.9
image: bunkerity/bunkerweb-api:1.6.10
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -108,7 +108,7 @@ Elige el sabor que encaje con tu entorno.
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -143,7 +143,7 @@ Elige el sabor que encaje con tu entorno.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
=== "Linux"

4
docs/es/concepts.md
View file

@ -105,7 +105,7 @@ Ten en cuenta que el modo multisitio es implícito cuando se utiliza la interfaz
!!! info "Para saber más"
Encontrarás ejemplos concretos del modo multisitio en los [usos avanzados](advanced.md) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio.
Encontrarás ejemplos concretos del modo multisitio en los [usos avanzados](advanced.md) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) del repositorio.
## Configuraciones personalizadas {#custom-configurations}
@ -126,7 +126,7 @@ La gestión de configuraciones personalizadas desde la interfaz de usuario web s
!!! info "Para saber más"
Encontrarás ejemplos concretos de configuraciones personalizadas en los [usos avanzados](advanced.md#custom-configurations) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio.
Encontrarás ejemplos concretos de configuraciones personalizadas en los [usos avanzados](advanced.md#custom-configurations) de la documentación y en el directorio de [ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) del repositorio.
## Base de datos

651
docs/es/features.md
View file

@ -124,22 +124,24 @@ Cambiar al modo `detect` puede ayudarte a identificar y resolver posibles falsos
=== "Ajustes de Workers"
| Parámetro | Valor por defecto | Contexto | Múltiple | Descripción |
| ---------------------- | ----------------- | -------- | -------- | -------------------------------------------------------------------------------------------------------- |
| `WORKER_PROCESSES` | `auto` | global | No | **Procesos Worker:** Número de procesos worker. Establécelo en `auto` para usar los núcleos disponibles. |
| `WORKER_CONNECTIONS` | `1024` | global | No | **Conexiones por Worker:** Número máximo de conexiones por worker. |
| `WORKER_RLIMIT_NOFILE` | `2048` | global | No | **Límite de Descriptores de Archivo:** Número máximo de archivos abiertos por worker. |
| Parámetro | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------- | ----------------- | -------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `WORKER_PROCESSES` | `auto` | global | No | **Procesos Worker:** Número de procesos worker. Establécelo en `auto` para usar los núcleos disponibles. |
| `WORKER_CONNECTIONS` | `1024` | global | No | **Conexiones por Worker:** Número máximo de conexiones por worker. |
| `WORKER_RLIMIT_NOFILE` | `2048` | global | No | **Límite de Descriptores de Archivo:** Número máximo de archivos abiertos por worker. |
| `WORKER_SHUTDOWN_TIMEOUT` | `30s` | global | No | **Tiempo de espera de apagado de Workers:** Tiempo de espera para el apagado ordenado de los procesos worker. Los workers antiguos se terminan forzosamente después de este plazo durante una recarga. |
=== "Ajustes de Memoria"
| Parámetro | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------------ | ----------------- | -------- | -------- | -------------------------------------------------------------------------------------------------- |
| `WORKERLOCK_MEMORY_SIZE` | `48k` | global | No | **Tamaño de Memoria de Workerlock:** Tamaño de lua_shared_dict para los workers de inicialización. |
| `DATASTORE_MEMORY_SIZE` | `64m` | global | No | **Tamaño de Memoria del Datastore:** Tamaño del datastore interno. |
| `CACHESTORE_MEMORY_SIZE` | `64m` | global | No | **Tamaño de Memoria del Cachestore:** Tamaño del cachestore interno. |
| `CACHESTORE_IPC_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria IPC del Cachestore:** Tamaño del cachestore interno (ipc). |
| `CACHESTORE_MISS_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria de Fallos del Cachestore:** Tamaño del cachestore interno (fallos). |
| `CACHESTORE_LOCKS_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria de Bloqueos del Cachestore:** Tamaño del cachestore interno (bloqueos). |
| Parámetro | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------------ | ----------------- | -------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `WORKERLOCK_MEMORY_SIZE` | `48k` | global | No | **Tamaño de Memoria de Workerlock:** Tamaño de lua_shared_dict para los workers de inicialización. |
| `DATASTORE_MEMORY_SIZE` | `64m` | global | No | **Tamaño de Memoria del Datastore:** Tamaño del datastore interno. |
| `DATASTORE_LRU_SIZE` | `1k` | global | No | **Tamaño del LRU del Datastore:** Número de ranuras del LRU del datastore compartido por worker. Acepta un entero o los sufijos `k`/`m` (por ejemplo `1k`, `10k`, `1m`). |
| `CACHESTORE_MEMORY_SIZE` | `64m` | global | No | **Tamaño de Memoria del Cachestore:** Tamaño del cachestore interno. |
| `CACHESTORE_IPC_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria IPC del Cachestore:** Tamaño del cachestore interno (ipc). |
| `CACHESTORE_MISS_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria de Fallos del Cachestore:** Tamaño del cachestore interno (fallos). |
| `CACHESTORE_LOCKS_MEMORY_SIZE` | `16m` | global | No | **Tamaño de Memoria de Bloqueos del Cachestore:** Tamaño del cachestore interno (bloqueos). |
=== "Ajustes de Registro"
@ -223,9 +225,82 @@ Cambiar al modo `detect` puede ayudarte a identificar y resolver posibles falsos
USE_UDP: "no"
```
=== "Desactivar modos de escucha"
Puede desactivar modos de escucha específicos dejando vacíos los ajustes de puerto:
```yaml
# Desactivar la escucha HTTP (solo HTTPS)
HTTP_PORT: ""
HTTPS_PORT: "8443"
# Desactivar la escucha HTTPS (solo HTTP)
HTTP_PORT: "8080"
HTTPS_PORT: ""
# Stream: desactivar la escucha no SSL (solo SSL)
LISTEN_STREAM_PORT: ""
LISTEN_STREAM_PORT_SSL: "4242"
# Stream: desactivar la escucha SSL (solo no SSL)
LISTEN_STREAM_PORT: "1337"
LISTEN_STREAM_PORT_SSL: ""
```
## ACME <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#acme).
Compatibilidad con STREAM :white_check_mark:
Advanced ACME certificate management with custom CA support, certificate monitoring dashboard, expiry alerting, CT log monitoring, and enhanced OCSP stapling. Complements the built-in Let's Encrypt plugin.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ----------------------------------- | -------------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_ACME` | `no` | multisite | no | Enable ACME certificate management for this service using a custom ACME-compatible Certificate Authority. |
| `ACME_PASSTHROUGH` | `no` | multisite | no | Pass through ACME HTTP-01 challenge requests to the upstream server. |
| `ACME_DIRECTORY_URL` | | multisite | no | ACME directory URL of the Certificate Authority (e.g. https://ca.example.com/acme/directory for Step CA, https://vault.example.com/v1/pki/acme/directory for Vault PKI). |
| `ACME_EMAIL` | | multisite | no | Email address for ACME account registration and notifications. |
| `ACME_EAB_KID` | | multisite | no | External Account Binding Key ID (required by some CAs like Sectigo, Google Trust Services). |
| `ACME_EAB_HMAC_KEY` | | multisite | no | External Account Binding HMAC key (base64-encoded, required when EAB Key ID is set). |
| `ACME_CA_CERT_PATH` | | multisite | no | File path to the root CA certificate for private ACME servers (Step CA, Vault PKI). Required when the CA root is not in the system trust store. |
| `ACME_CHALLENGE` | `http` | multisite | no | ACME challenge type. HTTP-01 is simplest; DNS-01 is required for wildcard certificates; TLS-ALPN-01 works when port 80 is unavailable. |
| `ACME_DNS_PROVIDER` | | multisite | no | DNS provider for DNS-01 challenges. |
| `ACME_DNS_CREDENTIAL_ITEM` | | multisite | sí | Configuration item for the DNS provider credentials (e.g. 'cloudflare_api_token 123456'). Values can be base64 encoded. |
| `ACME_DNS_CREDENTIAL_DECODE_BASE64` | `yes` | multisite | sí | Automatically decode base64 encoded DNS provider credentials. |
| `ACME_DNS_PROPAGATION` | `default` | multisite | no | Time to wait for DNS propagation in seconds for DNS challenges. |
| `ACME_DNS_ALIAS` | | multisite | no | Target zone for DNS-01 CNAME delegation. Passed as --dns-<provider>-domain-alias to certbot and applied to every challenge for the cert, so DNS credentials only need to control the alias zone. Prerequisite: each cert domain must already have a CNAME `_acme-challenge.<domain>` -> `_acme-challenge.<target>` (and the target zone must resolve). Example: 'alias.acmeplay.org'. Silently ignored on older runtimes or with incompatible DNS providers (e.g. route53). |
| `ACME_KEY_TYPE` | `ecdsa` | multisite | no | Key type for the certificate. ECDSA is smaller and faster; RSA has broader compatibility. |
| `ACME_KEY_SIZE` | `256` | multisite | no | Key size in bits. For ECDSA: 256 or 384. For RSA: 2048 or 4096. |
| `ACME_PREFERRED_CHAIN` | | multisite | no | Preferred certificate chain issuer CN. Selects the preferred chain when the CA provides multiple. |
| `ACME_RENEWAL_DAYS` | `30` | multisite | no | Renew the certificate when it has fewer than this many days until expiry. |
| `ACME_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the ACME server. Disable only for testing with self-signed CA certs. |
| `ACME_WILDCARD` | `no` | multisite | no | Request wildcard certificate (requires DNS-01 challenge). |
| `ACME_MUST_STAPLE` | `no` | multisite | no | Request the OCSP Must-Staple extension in the certificate. |
| `ACME_MAX_RETRIES` | `3` | multisite | no | Number of times to retry certificate generation on failure (0 disables retries). |
| `USE_ACME_MONITORING` | `yes` | global | no | Enable certificate expiry monitoring and status tracking for all managed certificates (including OSS Let's Encrypt certificates). |
| `ACME_ALERT_DAYS` | `30 14 7 1` | global | no | Space-separated list of day thresholds that trigger expiry alerts. |
| `USE_ACME_ALERT_WEBHOOK` | `no` | global | no | Send certificate alerts via webhook. |
| `ACME_ALERT_WEBHOOK_URLS` | | global | no | Space-separated list of webhook URLs for certificate alerts. |
| `USE_ACME_ALERT_EMAIL` | `no` | global | no | Send certificate alerts via email. |
| `ACME_ALERT_SMTP_EMAILS` | | global | no | Space-separated list of email recipients for certificate alerts. |
| `ACME_ALERT_SMTP_HOST` | | global | no | SMTP host for certificate alert emails. |
| `ACME_ALERT_SMTP_PORT` | `465` | global | no | SMTP port for certificate alert emails (SSL=465, TLS=587). |
| `ACME_ALERT_SMTP_FROM_EMAIL` | | global | no | Sender email address for certificate alerts. |
| `ACME_ALERT_SMTP_FROM_USER` | | global | no | SMTP authentication user for certificate alert emails. |
| `ACME_ALERT_SMTP_FROM_PASSWORD` | | global | no | SMTP authentication password for certificate alert emails. |
| `ACME_ALERT_SMTP_SSL` | `SSL` | global | no | Connection type for certificate alert SMTP. |
| `USE_ACME_CT_MONITORING` | `no` | global | no | Enable Certificate Transparency log monitoring. Queries crt.sh to detect unauthorized certificate issuance for your domains. |
| `ACME_CT_MONITORED_DOMAINS` | | global | no | Space-separated list of domains to monitor in CT logs. Leave empty to auto-detect from configured services. |
| `USE_ACME_OCSP_STAPLING` | `no` | multisite | no | Enable enhanced OCSP stapling with proactive response fetching and caching. |
| `ACME_OCSP_CACHE_SIZE` | `1m` | global | no | Size of the shared dictionary for OCSP response caching. |
## Anti DDoS <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#anti-ddos-pro).
Compatibilidad con STREAM :x:
Provides enhanced protection against DDoS attacks by analyzing and filtering suspicious traffic.
@ -256,9 +331,9 @@ Los atacantes suelen utilizar herramientas automatizadas (bots) para intentar ex
Siga estos pasos para habilitar y configurar la función Antibot:
1. **Elija un tipo de desafío:** Decida qué tipo de desafío antibot usar (p. ej., [captcha](#__tabbed_3_3), [hcaptcha](#__tabbed_3_5), [javascript](#__tabbed_3_2)).
1. **Elija un tipo de desafío:** Decida qué tipo de desafío antibot usar (p. ej., [captcha](#__tabbed_3_3), [hcaptcha](#__tabbed_3_5), [capjs](#__tabbed_3_8), [javascript](#__tabbed_3_2)).
2. **Habilite la función:** Establezca la configuración `USE_ANTIBOT` en el tipo de desafío elegido en su configuración de BunkerWeb.
3. **Configure los ajustes:** Ajuste las otras configuraciones `ANTIBOT_*` según sea necesario. Para reCAPTCHA, hCaptcha, Turnstile y mCaptcha, debe crear una cuenta con el servicio respectivo y obtener claves de API.
3. **Configure los ajustes:** Ajuste las otras configuraciones `ANTIBOT_*` según sea necesario. Para reCAPTCHA, hCaptcha y Turnstile, cree una cuenta con el servicio respectivo y obtenga claves de API. Para mCaptcha y Cap.js, puede autoalojar el proveedor o usar un servicio alojado y luego configurar la clave de sitio y la clave secreta requeridas.
4. **Importante:** Asegúrese de que el `ANTIBOT_URI` sea una URL única en su sitio que no esté en uso.
!!! important "Acerca de la configuración `ANTIBOT_URI`"
@ -296,6 +371,9 @@ BunkerWeb le permite especificar ciertos usuarios, IP o solicitudes que deben om
- Cuando se configuran `ANTIBOT_IGNORE_COUNTRY` y `ANTIBOT_ONLY_COUNTRY`, la lista de exclusiones tiene prioridad: los países presentes en ambas listas omiten el desafío.
- Las direcciones IP privadas o desconocidas omiten el desafío cuando `ANTIBOT_ONLY_COUNTRY` está configurado, porque no se puede determinar un código de país.
!!! tip "Compartir el estado del desafío entre subdominios"
El estado de antibot (incluidos `turnstile`, `hcaptcha`, `recaptcha`, `mcaptcha`, `captcha`, `javascript` y `cookie`) se conserva en la [cookie de sesión](#sessions) de BunkerWeb. De forma predeterminada, esa cookie queda limitada al host exacto que la emitió, por lo que un usuario que resuelva el desafío en `a.example.com` tendrá que resolverlo de nuevo en `b.example.com`. Para resolver el desafío una sola vez para todos los subdominios hermanos del mismo dominio registrable, configure [`SESSIONS_DOMAIN`](#sessions) con el dominio padre (por ejemplo `example.com`) **en cada servidor relevante**. `SESSIONS_DOMAIN` es un ajuste multisite: configúrelo por servidor para que los tenants no relacionados alojados en la misma instancia de BunkerWeb nunca reciban un atributo `Domain` compartido entre tenants.
**Ejemplos:**
- `ANTIBOT_IGNORE_URI: "^/api/ ^/webhook/ ^/assets/"`
@ -471,6 +549,29 @@ BunkerWeb le permite especificar ciertos usuarios, IP o solicitudes que deben om
Consulte los [Ajustes comunes](#configuraciones-comunes) para opciones de configuración adicionales.
=== "Cap.js"
[Cap.js](https://capjs.js.org/) es un CAPTCHA de prueba de trabajo autoalojado, de código abierto y respetuoso con la privacidad. En lugar de delegar la verificación en un servicio de terceros, usted ejecuta el servidor Cap.js y BunkerWeb verifica los tokens contra ese servidor.
Use la URL frontend para el endpoint visible desde el navegador que sirve el widget. Si BunkerWeb puede llegar al servidor Cap.js mediante una dirección interna, establezca la URL backend en ese endpoint interno; de lo contrario, déjela vacía y BunkerWeb usará la URL frontend para `/siteverify`.
**Ajustes de configuración:**
| Configuración | Valor por defecto | Contexto | Múltiple | Descripción |
| ---------------------------- | ----------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------- |
| `USE_ANTIBOT` | `no` | multisite | no | **Habilitar Antibot:** Establezca en `capjs` para habilitar el desafío de Cap.js. |
| `ANTIBOT_CAPJS_FRONTEND_URL` | | multisite | no | **URL frontend de Cap.js:** URL visible para el navegador del servidor Cap.js que sirve el widget. |
| `ANTIBOT_CAPJS_BACKEND_URL` | | multisite | no | **URL backend de Cap.js:** URL interna opcional que BunkerWeb usa para `/siteverify`; si está vacía, usa la URL frontend. |
| `ANTIBOT_CAPJS_SITEKEY` | | multisite | no | **Clave del sitio de Cap.js:** La clave de sitio para el desafío de Cap.js. |
| `ANTIBOT_CAPJS_SECRET` | | multisite | no | **Clave secreta de Cap.js:** La clave secreta que BunkerWeb usa para verificar los tokens de Cap.js. |
!!! note "Requisitos operativos"
- Use HTTPS para `ANTIBOT_CAPJS_FRONTEND_URL` en producción. El worker del navegador requiere `crypto.subtle` en un contexto seguro, y HTTPS evita cambios MITM en el widget.
- Configure CORS en la clave de sitio de Cap.js para permitir el origen protegido.
- Defina `ANTIBOT_CAPJS_FRONTEND_URL` y `ANTIBOT_CAPJS_BACKEND_URL` solo como orígenes: esquema, host y puerto opcional, sin ruta.
Consulte los [Ajustes comunes](#configuraciones-comunes) para opciones de configuración adicionales.
### Configuraciones de ejemplo
=== "Desafío de Cookie"
@ -583,6 +684,21 @@ BunkerWeb le permite especificar ciertos usuarios, IP o solicitudes que deben om
ANTIBOT_TIME_VALID: "86400"
```
=== "Desafío de Cap.js"
Configuración de ejemplo para habilitar el desafío de Cap.js:
```yaml
USE_ANTIBOT: "capjs"
ANTIBOT_CAPJS_FRONTEND_URL: "https://cap.example.com"
ANTIBOT_CAPJS_BACKEND_URL: "http://cap-server:3000"
ANTIBOT_CAPJS_SITEKEY: "your-site-key"
ANTIBOT_CAPJS_SECRET: "your-secret-key"
ANTIBOT_URI: "/challenge"
ANTIBOT_TIME_RESOLVE: "60"
ANTIBOT_TIME_VALID: "86400"
```
## Auth basic
Compatibilidad con STREAM :x:
@ -1308,6 +1424,8 @@ Consejo profesional: Al ver sus alertas, haga clic en la opción "columnas" y ma
## Cache <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#cache-pro).
Compatibilidad con STREAM :x:
Provides caching functionality at the reverse proxy level.
@ -1357,12 +1475,12 @@ Siga estos pasos para configurar y usar la función de Caché del Cliente:
### Ajustes de Configuración
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------- | -------------------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_CLIENT_CACHE` | `no` | multisite | no | **Habilitar Caché del Cliente:** Establezca en `yes` para habilitar el almacenamiento en caché del lado del cliente de los archivos estáticos. |
| `CLIENT_CACHE_EXTENSIONS` | `jpg | jpeg | png | bmp | ico | svg | tif | css | js | otf | ttf | eot | woff | woff2` | global | no | **Extensiones Cacheadas:** Lista de extensiones de archivo (separadas por barras verticales) que deben ser almacenadas en caché por el cliente. |
| `CLIENT_CACHE_CONTROL` | `public, max-age=15552000` | multisite | no | **Encabezado Cache-Control:** Valor para el encabezado HTTP Cache-Control para controlar el comportamiento del almacenamiento en caché. |
| `CLIENT_CACHE_ETAG` | `yes` | multisite | no | **Habilitar ETags:** Establezca en `yes` para enviar el encabezado HTTP ETag para los recursos estáticos. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------- | ------------------------------------------------------------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_CLIENT_CACHE` | `no` | multisite | no | **Habilitar Caché del Cliente:** Establezca en `yes` para habilitar el almacenamiento en caché del lado del cliente de los archivos estáticos. |
| `CLIENT_CACHE_EXTENSIONS` | `jpg\|jpeg\|png\|bmp\|ico\|svg\|tif\|css\|js\|otf\|ttf\|eot\|woff\|woff2` | global | no | **Extensiones Cacheadas:** Lista de extensiones de archivo (separadas por barras verticales) que deben ser almacenadas en caché por el cliente. |
| `CLIENT_CACHE_CONTROL` | `public, max-age=15552000` | multisite | no | **Encabezado Cache-Control:** Valor para el encabezado HTTP Cache-Control para controlar el comportamiento del almacenamiento en caché. |
| `CLIENT_CACHE_ETAG` | `yes` | multisite | no | **Habilitar ETags:** Establezca en `yes` para enviar el encabezado HTTP ETag para los recursos estáticos. |
!!! tip "Optimizando los Ajustes de Caché"
Para contenido que se actualiza con frecuencia, considere usar valores de `max-age` más cortos. Para contenido que cambia raramente (como bibliotecas de JavaScript versionadas o logotipos), use tiempos de caché más largos. El valor por defecto de 15552000 segundos (180 días) es apropiado para la mayoría de los activos estáticos.
@ -1690,6 +1808,8 @@ Las siguientes secciones desarrollan cada paso.
**Componente de Seguridad de Aplicaciones (*opcional*)**
CrowdSec también proporciona un [Componente de Seguridad de Aplicaciones](https://docs.crowdsec.net/docs/appsec/intro?utm_source=external-docs&utm_medium=cta&utm_campaign=bunker-web-docs) que se puede usar para proteger su aplicación frente a ataques. Si desea utilizarlo, debe crear otro archivo de adquisición para el Componente AppSec:
```yaml
appsec_config: crowdsecurity/appsec-default
labels:
@ -1734,7 +1854,7 @@ Las siguientes secciones desarrollan cada paso.
services:
bunkerweb:
# Este es el nombre que se utilizará para identificar la instancia en el Planificador
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1751,7 +1871,7 @@ Las siguientes secciones desarrollan cada paso.
syslog-address: "udp://10.20.30.254:514" # La dirección IP del servicio syslog
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrese de establecer el nombre de instancia correcto
@ -1785,7 +1905,7 @@ Las siguientes secciones desarrollan cada paso.
- bw-db
crowdsec:
image: crowdsecurity/crowdsec:v1.7.6 # Use la última versión pero siempre fije la versión para una mejor estabilidad/seguridad
image: crowdsecurity/crowdsec:v1.7.8 # Use la última versión pero siempre fije la versión para una mejor estabilidad/seguridad
volumes:
- cs-data:/var/lib/crowdsec/data # Para persistir los datos de CrowdSec
- bw-logs:/var/log:ro # Los registros de BunkerWeb para que CrowdSec los analice
@ -1922,7 +2042,7 @@ Las siguientes secciones desarrollan cada paso.
### Paso&nbsp;2 Configurar los ajustes de BunkerWeb
Aplica las siguientes variables de entorno (o valores del scheduler) para que la instancia de BunkerWeb pueda comunicarse con la API local de CrowdSec. Como mínimo necesitas `USE_CROWDSEC`, `CROWDSEC_API` y una clave válida creada con `cscli bouncers add`.
Aplica las siguientes variables de entorno (o valores del scheduler) para que la instancia de BunkerWeb pueda comunicarse con la API local de CrowdSec. Como mínimo necesitas `USE_CROWDSEC`, `CROWDSEC_API` y `CROWDSEC_API_KEY` con una clave válida creada mediante `cscli bouncers add`.
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------- | ---------------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
@ -1948,7 +2068,9 @@ Aplica las siguientes variables de entorno (o valores del scheduler) para que la
| `CROWDSEC_ALWAYS_SEND_TO_APPSEC` | `no` | global | no | **Enviar Siempre:** Establezca en `yes` para enviar siempre las solicitudes a AppSec, incluso si hay una decisión a nivel de IP. |
| `CROWDSEC_APPSEC_SSL_VERIFY` | `no` | global | no | **Verificar SSL:** Establezca en `yes` para verificar el certificado SSL del Componente AppSec. |
!!! info "Sobre los Modos de Operación" - **Modo `live`** consulta la API de CrowdSec para cada solicitud entrante, proporcionando protección en tiempo real a costa de una mayor latencia. - **Modo `stream`** descarga periódicamente todas las decisiones de la API de CrowdSec y las almacena en caché localmente, reduciendo la latencia con un ligero retraso en la aplicación de nuevas decisiones.
!!! info "Sobre los Modos de Operación"
- **Modo `live`** consulta la API de CrowdSec para cada solicitud entrante, proporcionando protección en tiempo real a costa de una mayor latencia.
- **Modo `stream`** descarga periódicamente todas las decisiones de la API de CrowdSec y las almacena en caché localmente, reduciendo la latencia con un ligero retraso en la aplicación de nuevas decisiones.
### Configuraciones de Ejemplo
@ -1987,16 +2109,12 @@ Aplica las siguientes variables de entorno (o valores del scheduler) para que la
- En los registros del scheduler, busque las entradas `CrowdSec configuration successfully generated` y `CrowdSec bouncer denied request` para verificar que el complemento esté activo.
- En el lado de CrowdSec, supervise `cscli metrics show` o la CrowdSec Console para asegurarse de que las decisiones de BunkerWeb aparezcan como se espera.
- En la interfaz de BunkerWeb, abra la página del complemento CrowdSec para ver el estado de la integración.
# Configuración de AppSec
CROWDSEC_APPSEC_URL: "http://crowdsec:7422"
CROWDSEC_APPSEC_FAILURE_ACTION: "deny"
CROWDSEC_ALWAYS_SEND_TO_APPSEC: "yes"
CROWDSEC_APPSEC_SSL_VERIFY: "yes"
```
## Custom Pages <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#custom-pages-pro).
Compatibilidad con STREAM :x:
Tweak BunkerWeb error/antibot/default pages with custom HTML.
@ -2011,6 +2129,7 @@ Tweak BunkerWeb error/antibot/default pages with custom HTML.
| `CUSTOM_ANTIBOT_HCAPTCHA_PAGE` | | multisite | no | Full path of the custom antibot hcaptcha page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_TURNSTILE_PAGE` | | multisite | no | Full path of the custom antibot turnstile page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_MCAPTCHA_PAGE` | | multisite | no | Full path of the custom antibot mcaptcha page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_CAPJS_PAGE` | | multisite | no | Full path of the custom antibot Cap.js page (must be readable by the scheduler) (Can be a lua template). |
## Custom SSL certificate
@ -2159,7 +2278,11 @@ Siga estos pasos para configurar y utilizar la función de Base de Datos:
| `DATABASE_REQUEST_RETRY_ATTEMPTS` | `2` | global | no | **Intentos de Reintento:** El número de reintentos en caso de errores transitorios durante las operaciones. |
| `DATABASE_REQUEST_RETRY_DELAY` | `0.25` | global | no | **Retraso entre Reintentos:** El retraso en segundos entre reintentos en caso de errores transitorios. |
!!! tip "Selección de Base de Datos" - **SQLite** (predeterminado): Ideal para implementaciones de un solo nodo o entornos de prueba debido a su simplicidad y naturaleza basada en archivos. - **PostgreSQL**: Recomendado para entornos de producción con múltiples instancias de BunkerWeb debido a su robustez y soporte de concurrencia. - **MySQL/MariaDB**: Una buena alternativa a PostgreSQL con capacidades similares de nivel de producción. - **Oracle**: Adecuado para entornos empresariales donde Oracle ya es la plataforma de base de datos estándar.
!!! tip "Selección de Base de Datos"
- **SQLite** (predeterminado): Ideal para implementaciones de un solo nodo o entornos de prueba debido a su simplicidad y naturaleza basada en archivos.
- **PostgreSQL**: Recomendado para entornos de producción con múltiples instancias de BunkerWeb debido a su robustez y soporte de concurrencia.
- **MySQL/MariaDB**: Una buena alternativa a PostgreSQL con capacidades similares de nivel de producción.
- **Oracle**: Adecuado para entornos empresariales donde Oracle ya es la plataforma de base de datos estándar.
!!! info "Formato de URI de SQLAlchemy"
El URI de la base de datos sigue el formato de SQLAlchemy:
@ -2172,10 +2295,10 @@ Siga estos pasos para configurar y utilizar la función de Base de Datos:
!!! warning "Mantenimiento de la Base de Datos"
El complemento ejecuta automáticamente trabajos de mantenimiento diarios:
- **Limpiar Ejecuciones de Trabajos en Exceso:** Purga el historial que supera el límite `DATABASE_MAX_JOBS_RUNS`.
- **Limpiar Sesiones de UI Caducadas:** Elimina las sesiones de usuarios de la UI que superan `DATABASE_MAX_SESSION_AGE_DAYS`.
- **Limpiar Ejecuciones de Trabajos en Exceso:** Purga el historial que supera el límite `DATABASE_MAX_JOBS_RUNS`.
- **Limpiar Sesiones de UI Caducadas:** Elimina las sesiones de usuarios de la UI que superan `DATABASE_MAX_SESSION_AGE_DAYS`.
Estas tareas evitan el crecimiento ilimitado de la base de datos mientras conservan un historial operativo útil.
Estas tareas evitan el crecimiento ilimitado de la base de datos mientras conservan un historial operativo útil.
## DNSBL
@ -2293,6 +2416,10 @@ Siga estos pasos para configurar y usar la función DNSBL:
## Easy Resolve <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/45vX0WJqjxo' title='Easy Resolve' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#easy-resolve-pro).
Compatibilidad con STREAM :x:
Provides a simpler way to fix false positives in reports.
@ -2912,9 +3039,17 @@ Siga estos pasos para configurar y usar la función de Inyección de HTML:
| `INJECT_HEAD` | | multisite | no | **Código HTML de la Cabecera:** El código HTML para inyectar antes de la etiqueta `</head>`. |
| `INJECT_BODY` | | multisite | no | **Código HTML del Cuerpo:** El código HTML para inyectar antes de la etiqueta `</body>`. |
!!! tip "Mejores Prácticas" - Por razones de rendimiento, coloque los archivos de JavaScript al final del cuerpo para evitar el bloqueo del renderizado. - Coloque CSS y JavaScript crítico en la sección de la cabecera para evitar un "destello" de contenido sin estilo (FOUC). - Tenga cuidado con el contenido inyectado que podría potencialmente romper la funcionalidad de su sitio.
!!! tip "Mejores Prácticas"
- Por razones de rendimiento, coloque los archivos de JavaScript al final del cuerpo para evitar el bloqueo del renderizado.
- Coloque CSS y JavaScript crítico en la sección de la cabecera para evitar un "destello" de contenido sin estilo (FOUC).
- Tenga cuidado con el contenido inyectado que podría potencialmente romper la funcionalidad de su sitio.
!!! info "Casos de Uso Comunes" - Agregar scripts de análisis (como Google Analytics, Matomo) - Integrar widgets de chat o herramientas de soporte al cliente - Incluir píxeles de seguimiento para campañas de marketing - Agregar estilos CSS personalizados o funcionalidad de JavaScript - Incluir bibliotecas de terceros sin modificar el código de su aplicación
!!! info "Casos de Uso Comunes"
- Agregar scripts de análisis (como Google Analytics, Matomo)
- Integrar widgets de chat o herramientas de soporte al cliente
- Incluir píxeles de seguimiento para campañas de marketing
- Agregar estilos CSS personalizados o funcionalidad de JavaScript
- Incluir bibliotecas de terceros sin modificar el código de su aplicación
### Configuraciones de Ejemplo
@ -2954,6 +3089,49 @@ Siga estos pasos para configurar y usar la función de Inyección de HTML:
INJECT_BODY: "<div id=\"cookie-banner\" class=\"cookie-banner\">Este sitio web utiliza cookies para garantizar que obtenga la mejor experiencia. <button onclick=\"acceptCookies()\">Aceptar</button></div><script>function acceptCookies() { document.getElementById('cookie-banner').style.display = 'none'; localStorage.setItem('cookies-accepted', 'true'); } if(localStorage.getItem('cookies-accepted') === 'true') { document.getElementById('cookie-banner').style.display = 'none'; }</script>"
```
## LDAP SSO <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#ldap-sso-pro).
Compatibilidad con STREAM :x:
LDAP-based single sign-on plugin with session-backed authentication.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------- |
| `USE_LDAP` | `no` | multisite | no | Enable or disable LDAP SSO authentication. |
| `LDAP_HOST` | | multisite | no | LDAP server hostname or IP address. |
| `LDAP_PORT` | `389` | multisite | no | LDAP server port (389 for LDAP/STARTTLS, 636 for LDAPS). |
| `LDAP_LDAPS` | `no` | multisite | no | Use LDAPS (TLS from connection start). |
| `LDAP_STARTTLS` | `no` | multisite | no | Use STARTTLS upgrade on LDAP connection. |
| `LDAP_SSL_VERIFY` | `yes` | multisite | no | Verify server TLS certificate. |
| `LDAP_TIMEOUT` | `10000` | multisite | no | LDAP socket timeout in milliseconds. |
| `LDAP_KEEPALIVE_TIMEOUT` | `60000` | multisite | no | LDAP keepalive timeout in milliseconds. |
| `LDAP_KEEPALIVE_POOL_SIZE` | `10` | multisite | no | LDAP keepalive connection pool size. |
| `LDAP_KEEPALIVE_POOL_NAME` | | multisite | no | Optional custom LDAP keepalive pool name. |
| `LDAP_BIND_DN` | | multisite | no | Optional service account DN used to perform LDAP user searches. |
| `LDAP_BIND_PASSWORD` | | multisite | no | Password for LDAP Bind DN service account. |
| `LDAP_USER_SEARCH_BASE_DN` | | multisite | no | Base DN for user discovery search (enables enterprise search mode when set). |
| `LDAP_USER_SEARCH_FILTER` | `(&(objectClass=person)(\|(uid={username})(mail={username})(sAMAccountName={username})(userPrincipalName={username})))` | multisite | no | LDAP user search filter template. Use {username} placeholder. |
| `LDAP_AUTHZ_FILTER` | | multisite | no | Optional extra LDAP authorization filter (AND-ed with user search filter). |
| `LDAP_USER_SEARCH_SCOPE` | `subtree` | multisite | no | LDAP search scope for user lookup. |
| `LDAP_USER_SEARCH_DEREF_ALIASES` | `always` | multisite | no | LDAP alias dereferencing mode during user lookup. |
| `LDAP_USER_SEARCH_SIZE_LIMIT` | `10` | multisite | no | Maximum number of LDAP entries returned by user search. |
| `LDAP_USER_SEARCH_TIME_LIMIT` | `10` | multisite | no | Maximum LDAP user search time in seconds. |
| `LDAP_USER_SEARCH_ATTRIBUTES` | `dn` | multisite | no | Attributes requested during user search (space separated). |
| `LDAP_USER_SEARCH_DN_FIELD` | `object_name` | multisite | no | Preferred field name in search response to extract user DN (e.g. object_name, dn). |
| `LDAP_USER_SEARCH_REQUIRE_UNIQUE` | `yes` | multisite | no | Require exactly one search result before authenticating user. |
| `LDAP_USER_DN_TEMPLATE` | `uid={username},ou=people,dc=example,dc=com` | multisite | no | User DN template used for direct bind fallback. Must include {username} when set. |
| `LDAP_USERNAME_REGEX` | `^[A-Za-z0-9@._-]+$` | multisite | no | PCRE regex used to validate submitted usernames. |
| `LDAP_LOGIN_PATH` | `/ldap/login` | multisite | no | Login page path exposed by the LDAP plugin. |
| `LDAP_LOGOUT_PATH` | `/ldap/logout` | multisite | no | Logout path exposed by the LDAP plugin. |
| `LDAP_SESSION_TTL` | `3600` | multisite | no | LDAP session validity duration in seconds. |
| `LDAP_REALM` | `LDAP SSO` | multisite | no | Authentication realm displayed on LDAP login form. |
| `LDAP_USER_HEADER` | `X-User` | multisite | no | Header to pass authenticated username to upstream (empty to disable). |
| `LDAP_REDIRECT_AFTER_LOGIN` | `/` | multisite | no | Fallback relative path after successful login when no redirect target is provided. |
| `LDAP_REDIRECT_AFTER_LOGOUT` | `/` | multisite | no | Relative path to redirect users to after logout. |
## Let's Encrypt
Compatibilidad con STREAM :white_check_mark:
@ -3021,6 +3199,7 @@ Siga estos pasos para configurar y usar la función de Let's Encrypt:
| `LETS_ENCRYPT_PROFILE` | `classic` | multisite | no | **Perfil de certificado:** Seleccione el perfil de certificado a utilizar. Opciones: `classic` (propósito general), `tlsserver` (optimizado para servidores TLS) o `shortlived` (certificados de 7 días). |
| `LETS_ENCRYPT_CUSTOM_PROFILE` | | multisite | no | **Perfil de certificado personalizado:** Ingrese un perfil de certificado personalizado si su servidor ACME admite perfiles no estándar. Esto anula `LETS_ENCRYPT_PROFILE` si está configurado. |
| `LETS_ENCRYPT_MAX_RETRIES` | `3` | multisite | no | **Máximo de reintentos:** Número de veces que se reintentará la generación de certificados en caso de fallo. Establezca en `0` para deshabilitar los reintentos. Útil para manejar problemas de red temporales o límites de velocidad de la API. |
| `LETS_ENCRYPT_MAX_LOG_BACKUPS` | `50` | global | no | **Máximo de copias de seguridad de logs de Certbot:** Número de copias rotadas de `letsencrypt.log` que Certbot conserva por trabajo. El valor predeterminado de Certbot, `1000`, se acumula rápidamente; `50` es un límite razonable. Establece `0` para conservar solo el log activo. |
!!! info "Información y comportamiento"
- El ajuste `LETS_ENCRYPT_DNS_CREDENTIAL_ITEM` es un ajuste múltiple y se puede utilizar para establecer varios elementos para el proveedor de DNS. Los elementos se guardarán como un archivo de caché, y Certbot leerá las credenciales de él.
@ -3216,7 +3395,9 @@ El complemento de Límite en BunkerWeb proporciona capacidades robustas para apl
| `LIMIT_CONN_MAX_HTTP3` | `100` | multisite | no | **Flujos HTTP/3:** Número máximo de flujos HTTP/3 concurrentes por dirección IP. |
| `LIMIT_CONN_MAX_STREAM` | `10` | multisite | no | **Conexiones de Flujo:** Número máximo de conexiones de flujo concurrentes por dirección IP. |
!!! info "Limitación de Conexiones vs. Solicitudes" - **La limitación de conexiones** restringe el número de conexiones simultáneas que una sola dirección IP puede mantener. - **La limitación de tasa de solicitudes** restringe el número de solicitudes que una dirección IP puede hacer dentro de un período de tiempo definido.
!!! info "Limitación de Conexiones vs. Solicitudes"
- **La limitación de conexiones** restringe el número de conexiones simultáneas que una sola dirección IP puede mantener.
- **La limitación de tasa de solicitudes** restringe el número de solicitudes que una dirección IP puede hacer dentro de un período de tiempo definido.
El uso de ambos métodos proporciona una protección completa contra varios tipos de abuso.
@ -3315,37 +3496,6 @@ El complemento de Límite en BunkerWeb proporciona capacidades robustas para apl
LIMIT_CONN_MAX_STREAM: "20"
```
## Load Balancer <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/cOVp0rAt5nw' title='Balanceador de carga' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
Compatibilidad con STREAM :x:
Provides load balancing feature to group of upstreams with optional healthchecks.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ----------------------------------------- | -------------------- | -------- | -------- | ------------------------------------------------------------------ |
| `LOADBALANCER_HEALTHCHECK_DICT_SIZE` | `10m` | global | no | Shared dict size (datastore for all healthchecks). |
| `LOADBALANCER_UPSTREAM_NAME` | | global | sí | Name of the upstream (used in REVERSE_PROXY_HOST). |
| `LOADBALANCER_UPSTREAM_SERVERS` | | global | sí | List of servers/IPs in the server group. |
| `LOADBALANCER_UPSTREAM_MODE` | `round-robin` | global | sí | Load balancing mode (round-robin or sticky). |
| `LOADBALANCER_UPSTREAM_STICKY_METHOD` | `ip` | global | sí | Sticky session method (ip or cookie). |
| `LOADBALANCER_UPSTREAM_RESOLVE` | `no` | global | sí | Dynamically resolve upstream hostnames. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE` | | global | sí | Number of keepalive connections to cache per worker. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE_TIMEOUT` | `60s` | global | sí | Keepalive timeout for upstream connections. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE_TIME` | `1h` | global | sí | Keepalive time for upstream connections. |
| `LOADBALANCER_HEALTHCHECK_URL` | `/status` | global | sí | The healthcheck URL. |
| `LOADBALANCER_HEALTHCHECK_INTERVAL` | `2000` | global | sí | Healthcheck interval in milliseconds. |
| `LOADBALANCER_HEALTHCHECK_TIMEOUT` | `1000` | global | sí | Healthcheck timeout in milliseconds. |
| `LOADBALANCER_HEALTHCHECK_FALL` | `3` | global | sí | Number of failed healthchecks before marking the server as down. |
| `LOADBALANCER_HEALTHCHECK_RISE` | `1` | global | sí | Number of successful healthchecks before marking the server as up. |
| `LOADBALANCER_HEALTHCHECK_VALID_STATUSES` | `200` | global | sí | HTTP status considered valid in healthchecks. |
| `LOADBALANCER_HEALTHCHECK_CONCURRENCY` | `10` | global | sí | Maximum number of concurrent healthchecks. |
| `LOADBALANCER_HEALTHCHECK_TYPE` | `http` | global | sí | Type of healthcheck (http or https). |
| `LOADBALANCER_HEALTHCHECK_SSL_VERIFY` | `yes` | global | sí | Verify SSL certificate in healthchecks. |
| `LOADBALANCER_HEALTHCHECK_HOST` | | global | sí | Host header for healthchecks (useful for HTTPS). |
## Metrics
Compatibilidad con STREAM :warning:
@ -3439,16 +3589,17 @@ Por ejemplo, `/metrics/requests` devuelve información sobre las solicitudes blo
### Ajustes de Configuración
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------------------ | ----------------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_METRICS` | `yes` | multisite | no | **Habilitar Métricas:** Establezca en `yes` para habilitar la recolección y recuperación de métricas. |
| `METRICS_MEMORY_SIZE` | `16m` | global | no | **Tamaño de la Memoria:** Tamaño del almacenamiento interno para las métricas (p. ej., `16m`, `32m`). |
| `METRICS_MAX_BLOCKED_REQUESTS` | `1000` | global | no | **Máximo de Solicitudes Bloqueadas:** Número máximo de solicitudes bloqueadas para almacenar por trabajador. |
| `METRICS_MAX_BLOCKED_REQUESTS_REDIS` | `100000` | global | no | **Máximo de Solicitudes Bloqueadas en Redis:** Número máximo de solicitudes bloqueadas para almacenar en Redis. |
| `METRICS_SAVE_TO_REDIS` | `yes` | global | no | **Guardar Métricas en Redis:** Establezca en `yes` para guardar las métricas (contadores y tablas) en Redis para la agregación en todo el clúster. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ------------------------------------ | ----------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_METRICS` | `yes` | multisite | no | **Habilitar Métricas:** Establezca en `yes` para habilitar la recolección y recuperación de métricas. |
| `METRICS_MEMORY_SIZE` | `16m` | global | no | **Tamaño de la Memoria:** Tamaño del almacenamiento interno para las métricas (p. ej., `8192`, `16m`, `32m`). |
| `METRICS_MAX_BLOCKED_REQUESTS` | `1k` | global | no | **Máximo de Solicitudes Bloqueadas:** Número máximo de solicitudes bloqueadas para almacenar por trabajador. Acepta la notación abreviada `k`/`m`. |
| `METRICS_MAX_BLOCKED_REQUESTS_REDIS` | `10k` | global | no | **Máximo de Solicitudes Bloqueadas en Redis:** Número máximo de solicitudes bloqueadas para almacenar en Redis. Acepta la notación abreviada `k`/`m`. |
| `MAX_LRU_HISTORY` | `1k` | global | no | **Historial LRU Máximo:** Número de ranuras LRU por trabajador y límite del arreglo de historial de eventos por clave (trazas de bloqueo, trazas de autenticación, etc.). Acepta la notación abreviada `k`/`m`. |
| `METRICS_SAVE_TO_REDIS` | `yes` | global | no | **Guardar Métricas en Redis:** Establezca en `yes` para guardar las métricas (contadores y tablas) en Redis para la agregación en todo el clúster. |
!!! tip "Dimensionamiento de la Asignación de Memoria"
El ajuste `METRICS_MEMORY_SIZE` debe ajustarse en función de su volumen de tráfico y el número de instancias. Para sitios de alto tráfico, considere aumentar este valor para garantizar que todas las métricas se capturen sin pérdida de datos.
El ajuste `METRICS_MEMORY_SIZE` debe ajustarse en función de su volumen de tráfico y el número de instancias. Se admiten valores brutos en bytes y sufijos `k`/`m`. Para sitios de alto tráfico, considere aumentar este valor para garantizar que todas las métricas se capturen sin pérdida de datos.
!!! info "Integración con Redis"
Cuando BunkerWeb está configurado para usar [Redis](#redis), el complemento de métricas sincronizará automáticamente los datos de las solicitudes bloqueadas con el servidor Redis. Esto proporciona una vista centralizada de los eventos de seguridad en múltiples instancias de BunkerWeb.
@ -3468,8 +3619,9 @@ Por ejemplo, `/metrics/requests` devuelve información sobre las solicitudes blo
```yaml
USE_METRICS: "yes"
METRICS_MEMORY_SIZE: "16m"
METRICS_MAX_BLOCKED_REQUESTS: "1000"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "100000"
METRICS_MAX_BLOCKED_REQUESTS: "1k"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "10k"
MAX_LRU_HISTORY: "1k"
METRICS_SAVE_TO_REDIS: "yes"
```
@ -3482,6 +3634,7 @@ Por ejemplo, `/metrics/requests` devuelve información sobre las solicitudes blo
METRICS_MEMORY_SIZE: "8m"
METRICS_MAX_BLOCKED_REQUESTS: "500"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "10000"
MAX_LRU_HISTORY: "500"
METRICS_SAVE_TO_REDIS: "no"
```
@ -3494,6 +3647,7 @@ Por ejemplo, `/metrics/requests` devuelve información sobre las solicitudes blo
METRICS_MEMORY_SIZE: "64m"
METRICS_MAX_BLOCKED_REQUESTS: "5000"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "500000"
MAX_LRU_HISTORY: "5k"
METRICS_SAVE_TO_REDIS: "yes"
```
@ -3508,6 +3662,8 @@ Por ejemplo, `/metrics/requests` devuelve información sobre las solicitudes blo
## Migration <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#migration-pro).
Compatibilidad con STREAM :white_check_mark:
Migration of BunkerWeb configuration between instances made easy via the web UI
@ -3592,16 +3748,16 @@ Ya sea que necesite restringir los métodos HTTP, gestionar los tamaños de las
Esta característica se configura utilizando el ajuste `ALLOWED_METHODS`, donde los métodos se enumeran y se separan por un `|` (predeterminado: `GET|POST|HEAD`). Si un cliente intenta utilizar un método no listado, el servidor responderá con un estado **405 - Método No Permitido**.
Para la mayoría de los sitios web, el predeterminado `GET|POST|HEAD` es suficiente. Si su aplicación utiliza API RESTful, es posible que deba incluir métodos como `PUT` y `DELETE`.
Para la mayoría de los sitios web, el predeterminado `GET|POST|HEAD` es suficiente. Si su aplicación utiliza API RESTful, es posible que deba incluir métodos como `PUT` y `DELETE`. Los métodos personalizados en mayúsculas también pueden contener guiones bajos y guiones para la compatibilidad con protocolos no estándar (p. ej., `CCM_POST`, `M-SEARCH`).
!!! success "Beneficios de Seguridad"
- Previene la explotación de métodos HTTP no utilizados o innecesarios
- Reduce la superficie de ataque al deshabilitar métodos potencialmente dañinos
- Bloquea las técnicas de enumeración de métodos HTTP utilizadas por los atacantes
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ----------------- | ----------------- | -------- | -------- | ----------- |
| `ALLOWED_METHODS` | `GET | POST | HEAD` | multisite | no | **Métodos HTTP:** Lista de métodos HTTP permitidos, separados por caracteres de barra vertical. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ----------------- | ----------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ALLOWED_METHODS` | `GET\|POST\|HEAD` | multisite | no | **Métodos HTTP:** Lista de métodos HTTP permitidos, separados por caracteres de barra vertical. Los métodos personalizados en mayúsculas pueden contener guiones bajos y guiones. |
!!! abstract "CORS y Solicitudes de Pre-vuelo"
Si su aplicación admite [Intercambio de Recursos de Origen Cruzado (CORS)](#cors), debe incluir el método `OPTIONS` en el ajuste `ALLOWED_METHODS` para manejar las solicitudes de pre-vuelo. Esto garantiza la funcionalidad adecuada para los navegadores que realizan solicitudes de origen cruzado.
@ -3623,9 +3779,10 @@ Ya sea que necesite restringir los métodos HTTP, gestionar los tamaños de las
- Previene los ataques de carga de archivos
- Reduce el riesgo de agotamiento de los recursos del servidor
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ----------------- | ----------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `MAX_CLIENT_SIZE` | `10m` | multisite | no | **Tamaño Máximo de Solicitud:** El tamaño máximo permitido para los cuerpos de las solicitudes de los clientes (por ejemplo, cargas de archivos). |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| ----------------- | ----------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `MAX_CLIENT_SIZE` | `10m` | multisite | no | **Tamaño Máximo de Solicitud:** El tamaño máximo permitido para los cuerpos de las solicitudes de los clientes (por ejemplo, cargas de archivos). |
| `MAX_HEADERS` | `100` | global | no | **Cabeceras Máximas:** Número máximo de líneas de cabecera por solicitud. Las solicitudes que superen este límite son rechazadas con `400 Bad Request`. |
!!! tip "Mejores Prácticas de Configuración del Tamaño de la Solicitud"
Si necesita permitir un cuerpo de solicitud de tamaño ilimitado, puede establecer el valor de `MAX_CLIENT_SIZE` en `0`. Sin embargo, esto **no se recomienda** debido a los posibles riesgos de seguridad y rendimiento.
@ -3863,12 +4020,17 @@ Siga estos pasos para configurar y usar ModSecurity:
El equipo de CRS mantiene activamente una lista de exclusiones para aplicaciones populares como WordPress, Nextcloud, Drupal y Cpanel, lo que facilita la integración sin afectar la funcionalidad. Los beneficios de seguridad superan con creces el mínimo esfuerzo de configuración necesario para solucionar los falsos positivos.
!!! warning "Recomendación de seguridad para cargas grandes"
ModSecurity almacena en memoria el cuerpo completo de la solicitud y no puede limitarlo para cargas de varios GB, lo que puede provocar OOM en el worker. Si — **y solo si** — una URL de proxy inverso se usa *exclusivamente* para cargas de archivos (por ejemplo, un endpoint `/upload` dedicado), establezca `REVERSE_PROXY_MODSECURITY_N: "no"` en esa URL para emitir `modsecurity off;` en su bloque `location`. No lo deshabilite en URL de uso mixto: perdería la cobertura del WAF en todo lo servido por esa ubicación.
Para mantener protegidas las cargas después de omitir ModSecurity, combínelo con un plugin de análisis de archivos como [ClamAV](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) o [VirusTotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal); inspeccionan el archivo cargado en sí en lugar del cuerpo bruto de la solicitud.
### Versiones de CRS Disponibles
Seleccione una versión de CRS que se ajuste mejor a sus necesidades de seguridad:
- **`3`**: Estable [v3.3.8](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8).
- **`4`**: Estable [v4.24.1](https://github.com/coreruleset/coreruleset/releases/tag/v4.24.1) (**predeterminada**).
- **`3`**: Estable [v3.3.9](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9).
- **`4`**: Estable [v4.25.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0) (**predeterminada**).
!!! warning "Compilación Nocturna Obsoleta"
La opción `nightly` para `MODSECURITY_CRS_VERSION` está obsoleta ya que el proyecto OWASP Core Rule Set ha descontinuado las versiones nocturnas. Si su configuración aún utiliza `nightly`, se usará CRS v4 en su lugar. Por favor, actualice su configuración para usar `MODSECURITY_CRS_VERSION=4`.
@ -4037,11 +4199,13 @@ Compatibilidad con STREAM :x:
BunkerWeb monitoring pro system. This plugin is a prerequisite for some other plugins.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ------------------------------ | -------------------- | -------- | -------- | --------------------------------------------------------------------------- |
| `USE_MONITORING` | `yes` | global | no | Enable monitoring of BunkerWeb. |
| `MONITORING_METRICS_DICT_SIZE` | `10M` | global | no | Size of the dict to store monitoring metrics. |
| `MONITORING_IGNORE_URLS` | | global | no | List of URLs to ignore when monitoring separated with spaces (e.g. /health) |
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ------------------------------ | -------------------- | -------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_MONITORING` | `yes` | global | no | Enable monitoring of BunkerWeb. |
| `MONITORING_METRICS_DICT_SIZE` | `10M` | global | no | Size of the dict to store monitoring metrics. |
| `MONITORING_IGNORE_URLS` | | global | no | List of URLs to ignore when monitoring separated with spaces (e.g. /health) |
| `MONITORING_TOP_N_DECAY_HOURS` | `6` | global | no | How often (in hours) to halve attacker top-N counters and prune cold entries. Lower = top-N reflects more recent traffic; higher = old attackers persist longer. |
| `MONITORING_TOP_N_TRACK_MAX` | `5000` | global | no | Maximum tracked attacker IPs and URIs per prefix in the bounded top-N sketch. Caps memory under distributed attack via Space-Saving admission. |
## Mutual TLS
@ -4134,6 +4298,10 @@ Siga estos pasos para desplegar Mutual TLS con confianza:
## OpenAPI Validator <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/3oZOO1XdSlc' title='OpenAPI Validator' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#openapi-validator-pro).
Compatibilidad con STREAM :x:
Validates incoming HTTP requests against an OpenAPI / Swagger specification.
@ -4152,47 +4320,56 @@ Validates incoming HTTP requests against an OpenAPI / Swagger specification.
## OpenID Connect <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/0e4lcXTIIfs' title='OpenID Connect' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#openid-connect-pro).
Compatibilidad con STREAM :x:
OpenID Connect authentication plugin providing SSO capabilities with identity providers.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ----------------------------------------- | ---------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_OPENIDC` | `no` | multisite | no | Enable or disable OpenID Connect authentication. |
| `OPENIDC_DISCOVERY` | | multisite | no | OpenID Connect discovery URL (e.g. https://idp.example.com/.well-known/openid-configuration). |
| `OPENIDC_CLIENT_ID` | | multisite | no | OAuth 2.0 client identifier registered with the IdP. |
| `OPENIDC_CLIENT_SECRET` | | multisite | no | OAuth 2.0 client secret registered with the IdP. |
| `OPENIDC_TOKEN_ENDPOINT_AUTH_METHOD` | `basic` | multisite | no | Token endpoint auth method: basic (recommended, HTTP Basic), post (POST body), secret_jwt (JWT with client secret), private_key_jwt (JWT with RSA key). |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY` | | multisite | no | PEM-encoded RSA private key for private_key_jwt authentication. |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY_ID` | | multisite | no | Optional key ID (kid) for private_key_jwt authentication. |
| `OPENIDC_CLIENT_JWT_ASSERTION_EXPIRES_IN` | | multisite | no | JWT assertion lifetime in seconds (empty to use library default). |
| `OPENIDC_REDIRECT_URI` | `/callback` | multisite | no | URI path where the IdP redirects after authentication. |
| `OPENIDC_SCOPE` | `openid email profile` | multisite | no | Space-separated list of OAuth 2.0 scopes to request. |
| `OPENIDC_AUTHORIZATION_PARAMS` | | multisite | no | Additional authorization params as comma-separated key=value pairs (e.g. audience=api,resource=xyz). URL-encode values if needed. |
| `OPENIDC_USE_NONCE` | `yes` | multisite | no | Use nonce in authentication requests to prevent replay attacks. |
| `OPENIDC_USE_PKCE` | `no` | multisite | no | Use PKCE (Proof Key for Code Exchange) for authorization code flow. |
| `OPENIDC_FORCE_REAUTHORIZE` | `no` | multisite | no | Force re-authorization on every request (not recommended for production). |
| `OPENIDC_REFRESH_SESSION_INTERVAL` | | multisite | no | Interval in seconds to silently re-authenticate (empty to disable). |
| `OPENIDC_IAT_SLACK` | `120` | multisite | no | Allowed clock skew in seconds for token validation. |
| `OPENIDC_ACCESS_TOKEN_EXPIRES_IN` | `3600` | multisite | no | Default access token lifetime (seconds) if not provided by IdP. |
| `OPENIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY` | `yes` | multisite | no | Automatically renew access token using refresh token when expired. |
| `OPENIDC_ACCEPT_UNSUPPORTED_ALG` | `no` | multisite | no | Accept tokens signed with unsupported algorithms (not recommended). |
| `OPENIDC_LOGOUT_PATH` | `/logout` | multisite | no | URI path for logout requests. |
| `OPENIDC_REVOKE_TOKENS_ON_LOGOUT` | `no` | multisite | no | Revoke tokens at the IdP when logging out. |
| `OPENIDC_REDIRECT_AFTER_LOGOUT_URI` | | multisite | no | URI to redirect after logout (leave empty for IdP default). |
| `OPENIDC_POST_LOGOUT_REDIRECT_URI` | | multisite | no | URI to redirect after IdP logout is complete. |
| `OPENIDC_TIMEOUT_CONNECT` | `10000` | multisite | no | Connection timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_SEND` | `10000` | multisite | no | Send timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_READ` | `10000` | multisite | no | Read timeout in milliseconds for IdP requests. |
| `OPENIDC_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the IdP. |
| `OPENIDC_KEEPALIVE` | `yes` | multisite | no | Enable HTTP keepalive for connections to the IdP. |
| `OPENIDC_HTTP_PROXY` | | multisite | no | HTTP proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_HTTPS_PROXY` | | multisite | no | HTTPS proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_USER_HEADER` | `X-User` | multisite | no | Header to pass user info to upstream (empty to disable). |
| `OPENIDC_USER_HEADER_CLAIM` | `sub` | multisite | no | ID token claim to use for the user header (e.g. sub, email, preferred_username). |
| `OPENIDC_DISPLAY_CLAIM` | `preferred_username` | multisite | no | Claim to use for display in logs and metrics (e.g. preferred_username, name, email). Falls back to User Header Claim if not found. |
| `OPENIDC_DISCOVERY_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache discovery data. |
| `OPENIDC_JWKS_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache JWKS data. |
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ----------------------------------------- | ---------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_OPENIDC` | `no` | multisite | no | Enable or disable OpenID Connect authentication. |
| `OPENIDC_DISCOVERY` | | multisite | no | OpenID Connect discovery URL (e.g. https://idp.example.com/.well-known/openid-configuration). |
| `OPENIDC_CLIENT_ID` | | multisite | no | OAuth 2.0 client identifier registered with the IdP. |
| `OPENIDC_CLIENT_SECRET` | | multisite | no | OAuth 2.0 client secret registered with the IdP. |
| `OPENIDC_TOKEN_ENDPOINT_AUTH_METHOD` | `basic` | multisite | no | Token endpoint auth method: basic (recommended, HTTP Basic), post (POST body), secret_jwt (JWT with client secret), private_key_jwt (JWT with RSA key). |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY` | | multisite | no | PEM-encoded RSA private key for private_key_jwt authentication. |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY_ID` | | multisite | no | Optional key ID (kid) for private_key_jwt authentication. |
| `OPENIDC_CLIENT_JWT_ASSERTION_EXPIRES_IN` | | multisite | no | JWT assertion lifetime in seconds (empty to use library default). |
| `OPENIDC_REDIRECT_URI` | `/callback` | multisite | no | URI path where the IdP redirects after authentication. |
| `OPENIDC_SCOPE` | `openid email profile` | multisite | no | Space-separated list of OAuth 2.0 scopes to request. |
| `OPENIDC_AUTHORIZATION_PARAMS` | | multisite | no | Additional authorization params as comma-separated key=value pairs (e.g. audience=api,resource=xyz). URL-encode values if needed. |
| `OPENIDC_USE_NONCE` | `yes` | multisite | no | Use nonce in authentication requests to prevent replay attacks. |
| `OPENIDC_USE_PKCE` | `no` | multisite | no | Use PKCE (Proof Key for Code Exchange) for authorization code flow. |
| `OPENIDC_FORCE_REAUTHORIZE` | `no` | multisite | no | Force re-authorization on every request (not recommended for production). |
| `OPENIDC_REFRESH_SESSION_INTERVAL` | | multisite | no | Interval in seconds to silently re-authenticate (empty to disable). |
| `OPENIDC_IAT_SLACK` | `120` | multisite | no | Allowed clock skew in seconds for token validation. |
| `OPENIDC_ACCESS_TOKEN_EXPIRES_IN` | `3600` | multisite | no | Default access token lifetime (seconds) if not provided by IdP. |
| `OPENIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY` | `yes` | multisite | no | Automatically renew access token using refresh token when expired. |
| `OPENIDC_ACCEPT_UNSUPPORTED_ALG` | `no` | multisite | no | Accept tokens signed with unsupported algorithms (not recommended). |
| `OPENIDC_LOGOUT_PATH` | `/logout` | multisite | no | URI path for logout requests. |
| `OPENIDC_REVOKE_TOKENS_ON_LOGOUT` | `no` | multisite | no | Revoke tokens at the IdP when logging out. |
| `OPENIDC_REDIRECT_AFTER_LOGOUT_URI` | | multisite | no | URI to redirect after logout (leave empty for IdP default). |
| `OPENIDC_POST_LOGOUT_REDIRECT_URI` | | multisite | no | URI to redirect after IdP logout is complete. |
| `OPENIDC_TIMEOUT_CONNECT` | `10000` | multisite | no | Connection timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_SEND` | `10000` | multisite | no | Send timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_READ` | `10000` | multisite | no | Read timeout in milliseconds for IdP requests. |
| `OPENIDC_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the IdP. |
| `OPENIDC_KEEPALIVE` | `yes` | multisite | no | Enable HTTP keepalive for connections to the IdP. |
| `OPENIDC_HTTP_PROXY` | | multisite | no | HTTP proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_HTTPS_PROXY` | | multisite | no | HTTPS proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_USER_HEADER` | `X-User` | multisite | no | Header to pass user info to upstream (empty to disable). |
| `OPENIDC_USER_HEADER_CLAIM` | `sub` | multisite | no | ID token claim to use for the user header (e.g. sub, email, preferred_username). |
| `OPENIDC_DISPLAY_CLAIM` | `preferred_username` | multisite | no | Claim to use for display in logs and metrics (e.g. preferred_username, name, email). Falls back to User Header Claim if not found. |
| `OPENIDC_DISCOVERY_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache discovery data. |
| `OPENIDC_JWKS_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache JWKS data. |
| `OPENIDC_USE_ACL` | `no` | multisite | no | Enable claim-based access control (ACL) after OIDC authentication. When enabled, only users whose claims match the configured rules will be granted access. |
| `OPENIDC_ACL_MATCH_MODE` | `all` | multisite | no | How multiple ACL rules are evaluated. 'all' means every rule must pass (AND logic). 'any' means at least one rule must pass (OR logic). |
| `OPENIDC_ACL_DENIED_URL` | | multisite | no | URL to redirect to when access is denied by ACL. If empty, returns a 403 Forbidden response. |
| `OPENIDC_ACL_CLAIM` | | multisite | sí | Name of the OIDC claim to check (e.g. groups, email, sub, preferred_username). |
| `OPENIDC_ACL_CLAIM_VALUE` | | multisite | sí | Expected value for the claim. For array claims (e.g. groups), checks if this value is a member. For string claims, checks strict equality. |
## PHP
@ -4329,15 +4506,15 @@ Siga estos pasos para configurar y usar las características Pro:
**P: ¿Qué sucede si mi licencia Pro expira?**
R: Si su licencia Pro expira, se desactivará el acceso a las características y complementos premium. Sin embargo, su instalación de BunkerWeb seguirá funcionando con todas las características de la edición comunitaria intactas. Para recuperar el acceso a las características Pro, simplemente renueve su licencia.
**R:** Si su licencia Pro expira, se desactivará el acceso a las características y complementos premium. Sin embargo, su instalación de BunkerWeb seguirá funcionando con todas las características de la edición comunitaria intactas. Para recuperar el acceso a las características Pro, simplemente renueve su licencia.
**P: ¿Las características Pro interrumpirán mi configuración existente?**
R: No, las características Pro están diseñadas para integrarse sin problemas con su configuración actual de BunkerWeb. Mejoran la funcionalidad sin alterar ni interferir con su configuración existente, garantizando una experiencia fluida y confiable.
**R:** No, las características Pro están diseñadas para integrarse sin problemas con su configuración actual de BunkerWeb. Mejoran la funcionalidad sin alterar ni interferir con su configuración existente, garantizando una experiencia fluida y confiable.
**P: ¿Puedo probar las características Pro antes de comprometerme a una compra?**
R: ¡Absolutamente! BunkerWeb ofrece dos planes Pro para satisfacer sus necesidades:
**R:** ¡Absolutamente! BunkerWeb ofrece dos planes Pro para satisfacer sus necesidades:
- **BunkerWeb PRO Standard:** Acceso completo a las características Pro sin soporte técnico.
- **BunkerWeb PRO Enterprise:** Acceso completo a las características Pro con soporte técnico dedicado.
@ -4730,7 +4907,8 @@ Cuando utilice Redis o Valkey con BunkerWeb, considere estas mejores prácticas
#### Gestión de la Memoria
- **Supervise el uso de la memoria:** Configure Redis con los ajustes `maxmemory` apropiados para evitar errores de falta de memoria
- **Establezca una política de desalojo:** Utilice `maxmemory-policy` (p. ej., `volatile-lru` o `allkeys-lru`) apropiada para su caso de uso
- **Establezca una política de desalojo:** Utilice `maxmemory-policy` (p. ej., `volatile-lru` para uso general o `allkeys-lru` para cargas de trabajo de caché intensivo) apropiada para su caso de uso
- **Valores predeterminados del all-in-one:** La imagen Docker AIO configura Redis con `maxmemory=256mb` y `maxmemory-policy=volatile-lru`; sobrescriba estos valores mediante las variables de entorno `REDIS_MAXMEMORY` y `REDIS_MAXMEMORY_POLICY`. Con `volatile-lru`, los contadores transitorios (límite de tasa, mal comportamiento) se desalojan antes que las claves con TTL importantes para las sesiones y los baneos temporales, y las claves sin expiración (baneos permanentes) quedan exentas. Se recomienda la misma política para servidores Redis o Valkey externos utilizados por BunkerWeb.
- **Evite claves grandes:** Asegúrese de que las claves individuales de Redis se mantengan en un tamaño razonable para evitar la degradación del rendimiento
#### Persistencia de Datos
@ -4743,7 +4921,7 @@ Cuando utilice Redis o Valkey con BunkerWeb, considere estas mejores prácticas
- **Agrupación de conexiones:** BunkerWeb ya implementa esto, pero asegúrese de que otras aplicaciones sigan esta práctica
- **Canalización:** Cuando sea posible, utilice la canalización para operaciones masivas para reducir la sobrecarga de la red
- **Evite operaciones costosas:** Tenga cuidado con comandos como `KEYS` en entornos de producción
- **Evite operaciones costosas:** Tenga cuidado con comandos como KEYS en entornos de producción
- **Compare su carga de trabajo:** Utilice `redis-benchmark` para probar sus patrones de carga de trabajo específicos
### Recursos Adicionales
@ -4760,20 +4938,21 @@ Compatibilidad con STREAM :x:
Regular reporting of important data from BunkerWeb (global, attacks, bans, requests, reasons, AS...). Monitoring pro plugin needed to work.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ------------------------------ | -------------------- | -------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | global | no | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | global | no | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | global | no | The frequency at which reports are sent. |
| `REPORTING_WEBHOOK_URLS` | | global | no | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | global | no | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | global | no | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | global | no | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | global | no | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | global | no | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | global | no | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | global | no | Determine whether or not to use a secure connection for SMTP. |
| `REPORTING_SMTP_SUBJECT` | `BunkerWeb Report` | global | no | The subject line of the email. |
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ------------------------------ | -------------------- | -------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | global | no | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | global | no | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | global | no | The frequency at which reports are sent. |
| `REPORTING_TOP_N` | `3` | global | no | Number of entries shown in 'Top' tables (IPs, AS, reasons, countries, URIs and offenders). Range: 1-50. Values are clamped at runtime; the upstream metric caps at rank 50 per server. |
| `REPORTING_WEBHOOK_URLS` | | global | no | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | global | no | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | global | no | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | global | no | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | global | no | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | global | no | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | global | no | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | global | no | Determine whether or not to use a secure connection for SMTP. |
| `REPORTING_SMTP_SUBJECT` | `BunkerWeb Report` | global | no | The subject line of the email. |
## Reverse proxy
@ -4813,16 +4992,17 @@ Siga estos pasos para configurar y usar la función de Proxy Inverso:
- **Manejo de Protocolos:** Soporte para HTTP, HTTPS, WebSockets y otros protocolos
- **Interceptación de Errores:** Personalice las páginas de error para una experiencia de usuario consistente
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------------- | ----------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REVERSE_PROXY` | `no` | multisite | no | **Habilitar Proxy Inverso:** Establezca en `yes` para habilitar la funcionalidad de proxy inverso. |
| `REVERSE_PROXY_HOST` | | multisite | yes | **Host de Backend:** URL completa del recurso al que se hace proxy (proxy_pass). |
| `REVERSE_PROXY_URL` | `/` | multisite | yes | **URL de Ubicación:** Ruta que se enviará al servidor de backend. |
| `REVERSE_PROXY_BUFFERING` | `yes` | multisite | yes | **Almacenamiento en Búfer de Respuesta:** Habilite o deshabilite el almacenamiento en búfer de las respuestas del recurso al que se hace proxy. |
| `REVERSE_PROXY_REQUEST_BUFFERING` | `yes` | multisite | yes | **Almacenamiento en Búfer de Solicitudes:** Habilite o deshabilite el almacenamiento en búfer de las solicitudes al recurso al que se hace proxy. |
| `REVERSE_PROXY_KEEPALIVE` | `no` | multisite | yes | **Keep-Alive:** Habilite o deshabilite las conexiones keepalive con el recurso al que se hace proxy. |
| `REVERSE_PROXY_CUSTOM_HOST` | | multisite | no | **Host Personalizado:** Anule el encabezado Host enviado al servidor upstream. |
| `REVERSE_PROXY_INTERCEPT_ERRORS` | `yes` | multisite | no | **Interceptar Errores:** Si se deben interceptar y reescribir las respuestas de error del backend. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------------- | ----------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REVERSE_PROXY` | `no` | multisite | no | **Habilitar Proxy Inverso:** Establezca en `yes` para habilitar la funcionalidad de proxy inverso. |
| `REVERSE_PROXY_HOST` | | multisite | yes | **Host de Backend:** URL completa del recurso al que se hace proxy (proxy_pass). |
| `REVERSE_PROXY_URL` | `/` | multisite | yes | **URL de Ubicación:** Ruta que se enviará al servidor de backend. |
| `REVERSE_PROXY_BUFFERING` | `yes` | multisite | yes | **Almacenamiento en Búfer de Respuesta:** Habilite o deshabilite el almacenamiento en búfer de las respuestas del recurso al que se hace proxy. |
| `REVERSE_PROXY_REQUEST_BUFFERING` | `yes` | multisite | yes | **Almacenamiento en Búfer de Solicitudes:** Habilite o deshabilite el almacenamiento en búfer de las solicitudes al recurso al que se hace proxy. |
| `REVERSE_PROXY_KEEPALIVE` | `no` | multisite | yes | **Keep-Alive:** Habilite o deshabilite las conexiones keepalive con el recurso al que se hace proxy. |
| `REVERSE_PROXY_HTTP_VERSION` | `1.1` | multisite | yes | **Versión HTTP:** Versión del protocolo HTTP utilizada para hablar con el upstream (`1.0`, `1.1` o `2`). Establezca a `2` para multiplexación HTTP/2 en la conexión upstream. Las ubicaciones WebSocket están fijadas a 1.1 independientemente. |
| `REVERSE_PROXY_CUSTOM_HOST` | | multisite | no | **Host Personalizado:** Anule el encabezado Host enviado al servidor upstream. |
| `REVERSE_PROXY_INTERCEPT_ERRORS` | `yes` | multisite | no | **Interceptar Errores:** Si se deben interceptar y reescribir las respuestas de error del backend. |
!!! tip "Mejores Prácticas"
- Siempre especifique la URL completa en `REVERSE_PROXY_HOST`, incluido el protocolo (http:// o https://)
@ -4965,14 +5145,20 @@ Siga estos pasos para configurar y usar la función de Proxy Inverso:
- **Optimización del Rendimiento:** Afine el manejo de solicitudes para casos de uso específicos
- **Flexibilidad:** Adáptese a los requisitos únicos de la aplicación con configuraciones especializadas
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------------- | ----------------- | --------- | -------- | ----------------------------------------------------------------------------------------------- |
| `REVERSE_PROXY_INCLUDES` | | multisite | yes | **Configuraciones Adicionales:** Incluya configuraciones adicionales en el bloque de ubicación. |
| `REVERSE_PROXY_PASS_REQUEST_BODY` | `yes` | multisite | yes | **Pasar el Cuerpo de la Solicitud:** Habilite o deshabilite el paso del cuerpo de la solicitud. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------------- | ----------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `REVERSE_PROXY_INCLUDES` | | multisite | yes | **Configuraciones Adicionales:** Incluya configuraciones adicionales en el bloque de ubicación. |
| `REVERSE_PROXY_PASS_REQUEST_BODY` | `yes` | multisite | yes | **Pasar el Cuerpo de la Solicitud:** Habilite o deshabilite el paso del cuerpo de la solicitud. |
| `REVERSE_PROXY_MODSECURITY` | `yes` | multisite | yes | **ModSecurity (por ubicación):** Establézcalo en `no` para emitir `modsecurity off;` en esta ubicación; omite el WAF en endpoints de cargas grandes para evitar OOM (consulte la nota siguiente). |
!!! warning "Consideraciones de Seguridad"
Tenga cuidado al incluir fragmentos de configuración personalizados, ya que pueden anular la configuración de seguridad de BunkerWeb o introducir vulnerabilidades si no se configuran correctamente.
!!! warning "Recomendación de seguridad para cargas grandes"
ModSecurity almacena en memoria el cuerpo completo de la solicitud y no puede limitarlo para cargas de varios GB, lo que puede provocar OOM en el worker. Si — **y solo si** — una URL de proxy inverso se usa *exclusivamente* para cargas de archivos (por ejemplo, un endpoint `/upload` dedicado), establezca `REVERSE_PROXY_MODSECURITY_N: "no"` en esa URL. No lo deshabilite en URL de uso mixto: perdería la cobertura del WAF en todo lo servido por esa ubicación.
Para mantener protegidas las cargas después de omitir ModSecurity, combínelo con un plugin de análisis de archivos como [ClamAV](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) o [VirusTotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal); inspeccionan el archivo cargado en sí en lugar del cuerpo bruto de la solicitud.
=== "Configuración de Caché"
**Ajustes de Almacenamiento en Caché de Respuestas**
@ -5472,34 +5658,36 @@ El complemento de Sesiones proporciona una gestión robusta de sesiones HTTP par
**Cómo funciona:**
1. Cuando un usuario interactúa por primera vez con su sitio web, BunkerWeb crea un identificador de sesión único.
2. Este identificador se almacena de forma segura en una cookie en el navegador del usuario.
3. En solicitudes posteriores, BunkerWeb recupera el identificador de sesión de la cookie y lo utiliza para acceder a los datos de la sesión del usuario.
4. Los datos de la sesión se pueden almacenar localmente o en [Redis](#redis) para entornos distribuidos con múltiples instancias de BunkerWeb.
5. Las sesiones se gestionan automáticamente con tiempos de espera configurables, lo que garantiza la seguridad y la facilidad de uso.
6. La seguridad criptográfica de las sesiones se garantiza mediante una clave secreta que se utiliza para firmar las cookies de sesión.
1. Cuando un usuario interactúa por primera vez con su sitio web, BunkerWeb crea un identificador de sesión único.
2. Este identificador se almacena de forma segura en una cookie en el navegador del usuario.
3. En solicitudes posteriores, BunkerWeb recupera el identificador de sesión de la cookie y lo utiliza para acceder a los datos de la sesión del usuario.
4. Los datos de la sesión se pueden almacenar localmente o en [Redis](#redis) para entornos distribuidos con múltiples instancias de BunkerWeb.
5. Las sesiones se gestionan automáticamente con tiempos de espera configurables, lo que garantiza la seguridad y la facilidad de uso.
6. La seguridad criptográfica de las sesiones se garantiza mediante una clave secreta que se utiliza para firmar las cookies de sesión.
### Cómo usar
Siga estos pasos para configurar y usar la función de Sesiones:
1. **Configure la seguridad de la sesión:** Establezca un `SESSIONS_SECRET` fuerte y único para garantizar que las cookies de sesión no puedan ser falsificadas. (El valor predeterminado es "random", lo que hace que BunkerWeb genere una clave secreta aleatoria).
2. **Elija un nombre de sesión:** Opcionalmente, personalice el `SESSIONS_NAME` para definir cómo se llamará su cookie de sesión en el navegador. (El valor predeterminado es "random", lo que hace que BunkerWeb genere un nombre aleatorio).
3. **Establezca los tiempos de espera de la sesión:** Configure cuánto tiempo permanecen válidas las sesiones con los ajustes de tiempo de espera (`SESSIONS_IDLING_TIMEOUT`, `SESSIONS_ROLLING_TIMEOUT`, `SESSIONS_ABSOLUTE_TIMEOUT`).
4. **Configure la integración con Redis:** Para entornos distribuidos, establezca `USE_REDIS` en "yes" y configure su [conexión Redis](#redis) para compartir los datos de la sesión entre múltiples nodos de BunkerWeb.
5. **Deje que BunkerWeb se encargue del resto:** Una vez configurado, la gestión de sesiones se realiza automáticamente para su sitio web.
1. **Configure la seguridad de la sesión:** Establezca un `SESSIONS_SECRET` fuerte y único para garantizar que las cookies de sesión no puedan ser falsificadas. (El valor predeterminado es "random", lo que hace que BunkerWeb genere una clave secreta aleatoria).
2. **Elija un nombre de sesión:** Opcionalmente, personalice el `SESSIONS_NAME` para definir cómo se llamará su cookie de sesión en el navegador. (El valor predeterminado es "random", lo que hace que BunkerWeb genere un nombre aleatorio).
3. **Establezca los tiempos de espera de la sesión:** Configure cuánto tiempo permanecen válidas las sesiones con los ajustes de tiempo de espera (`SESSIONS_IDLING_TIMEOUT`, `SESSIONS_ROLLING_TIMEOUT`, `SESSIONS_ABSOLUTE_TIMEOUT`).
4. **Comparta la cookie entre subdominios (opcional, por servidor):** De forma predeterminada, la cookie de sesión está limitada al host. Si un servidor determinado aloja varios subdominios del mismo dominio registrable (por ejemplo `a.example.com` y `b.example.com`) y desea que el estado de anti-bot/desafío se comparta, configure `SESSIONS_DOMAIN` con el dominio padre (`example.com`) **solo en ese servidor**. `SESSIONS_DOMAIN` es un ajuste multisite, por lo que los tenants no relacionados en la misma instancia de BunkerWeb nunca reciben un atributo `Domain` compartido entre tenants.
5. **Configure la integración con Redis:** Para entornos distribuidos, establezca `USE_REDIS` en "yes" y configure su [conexión Redis](#redis) para compartir los datos de la sesión entre múltiples nodos de BunkerWeb.
6. **Deje que BunkerWeb se encargue del resto:** Una vez configurado, la gestión de sesiones se realiza automáticamente para su sitio web.
### Ajustes de Configuración
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------- | ----------------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `SESSIONS_SECRET` | `random` | global | no | **Secreto de sesión:** Clave criptográfica utilizada para firmar las cookies de sesión. Debe ser una cadena fuerte y aleatoria única para su sitio. |
| `SESSIONS_NAME` | `random` | global | no | **Nombre de la cookie:** El nombre de la cookie que almacenará el identificador de sesión. |
| `SESSIONS_IDLING_TIMEOUT` | `1800` | global | no | **Tiempo de espera por inactividad:** Tiempo máximo (en segundos) de inactividad antes de que la sesión se invalide. |
| `SESSIONS_ROLLING_TIMEOUT` | `3600` | global | no | **Tiempo de espera renovable:** Tiempo máximo (en segundos) antes de que una sesión deba renovarse. |
| `SESSIONS_ABSOLUTE_TIMEOUT` | `86400` | global | no | **Tiempo de espera absoluto:** Tiempo máximo (en segundos) antes de que una sesión se destruya independientemente de la actividad. |
| `SESSIONS_CHECK_IP` | `yes` | global | no | **Comprobar IP:** Cuando se establece en `yes`, destruye la sesión si la dirección IP del cliente cambia. |
| `SESSIONS_CHECK_USER_AGENT` | `yes` | global | no | **Comprobar User-Agent:** Cuando se establece en `yes`, destruye la sesión si el User-Agent del cliente cambia. |
| Ajuste | Valor por defecto | Contexto | Múltiple | Descripción |
| --------------------------- | ----------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `SESSIONS_SECRET` | `random` | global | no | **Secreto de sesión:** Clave criptográfica utilizada para firmar las cookies de sesión. Debe ser una cadena fuerte y aleatoria única para su sitio. |
| `SESSIONS_NAME` | `random` | global | no | **Nombre de la cookie:** El nombre de la cookie que almacenará el identificador de sesión. |
| `SESSIONS_DOMAIN` | | multisite | no | **Dominio de la cookie:** Atributo `Domain` opcional aplicado a la cookie de sesión (por ejemplo `example.com`). Déjelo vacío para mantener la cookie limitada al host. Configúrelo por servidor para compartir el estado de sesión entre subdominios hermanos del mismo dominio registrable. |
| `SESSIONS_IDLING_TIMEOUT` | `1800` | global | no | **Tiempo de espera por inactividad:** Tiempo máximo (en segundos) de inactividad antes de que la sesión se invalide. |
| `SESSIONS_ROLLING_TIMEOUT` | `3600` | global | no | **Tiempo de espera renovable:** Tiempo máximo (en segundos) antes de que una sesión deba renovarse. |
| `SESSIONS_ABSOLUTE_TIMEOUT` | `86400` | global | no | **Tiempo de espera absoluto:** Tiempo máximo (en segundos) antes de que una sesión se destruya independientemente de la actividad. |
| `SESSIONS_CHECK_IP` | `yes` | global | no | **Comprobar IP:** Cuando se establece en `yes`, destruye la sesión si la dirección IP del cliente cambia. |
| `SESSIONS_CHECK_USER_AGENT` | `yes` | global | no | **Comprobar User-Agent:** Cuando se establece en `yes`, destruye la sesión si el User-Agent del cliente cambia. |
!!! warning "Consideraciones de Seguridad"
El ajuste `SESSIONS_SECRET` es fundamental para la seguridad. En entornos de producción:
@ -5570,6 +5758,39 @@ Siga estos pasos para configurar y usar la función de Sesiones:
SESSIONS_ABSOLUTE_TIMEOUT: "604800" # 7 días
```
=== "Sesiones entre subdominios (tenant único)"
Comparta la cookie de sesión entre todos los subdominios de `example.com` para que el estado de anti-bot/desafío se resuelva una sola vez para todo el sitio:
```yaml
SERVER_NAME: "app.example.com api.example.com shop.example.com"
SESSIONS_SECRET: "your-strong-random-secret-key-here"
SESSIONS_NAME: "crossdomainsession"
# SESSIONS_DOMAIN es un ajuste multisite: anteponga el nombre del servidor para que solo se aplique a los hosts coincidentes
app.example.com_SESSIONS_DOMAIN: "example.com"
api.example.com_SESSIONS_DOMAIN: "example.com"
shop.example.com_SESSIONS_DOMAIN: "example.com"
USE_ANTIBOT: "turnstile"
```
=== "Sesiones entre subdominios (tenants mixtos)"
Cuando la misma instancia de BunkerWeb aloja varios dominios registrables no relacionados, limite `SESSIONS_DOMAIN` únicamente a los servidores que deben compartirlo. Los servidores sin esta configuración conservan la cookie limitada al host por defecto, de modo que los tenants permanecen aislados:
```yaml
SERVER_NAME: "app.example.com api.example.com billing.acme.org www.unrelated.io"
SESSIONS_SECRET: "your-strong-random-secret-key-here"
SESSIONS_NAME: "tenantsession"
# Comparta la cookie solo entre los subdominios de example.com
app.example.com_SESSIONS_DOMAIN: "example.com"
api.example.com_SESSIONS_DOMAIN: "example.com"
# billing.acme.org y www.unrelated.io se dejan intencionalmente limitados al host
USE_ANTIBOT: "turnstile"
```
!!! note
`SESSIONS_DOMAIN` siempre debe ser un dominio padre del servidor al que se aplica; por ejemplo, `example.com` es válido tanto para `example.com` como para cualquier host `*.example.com`, y un punto inicial (`.example.com`) se tolera por compatibilidad heredada. Si se establece en un dominio registrable no relacionado, los navegadores rechazarán la cookie.
## SSL
Compatibilidad con STREAM :white_check_mark:
@ -5583,7 +5804,11 @@ El complemento SSL proporciona capacidades robustas de cifrado SSL/TLS para sus
3. Los parámetros de sesión SSL optimizados mejoran el rendimiento de la conexión sin sacrificar la seguridad.
4. La presentación de certificados se configura de acuerdo con las mejores prácticas para garantizar la compatibilidad y la seguridad.
!!! success "Beneficios de Seguridad" - **Protección de Datos:** Cifra los datos en tránsito, previniendo la interceptación y los ataques de intermediario (man-in-the-middle). - **Autenticación:** Verifica la identidad de su servidor a los clientes. - **Integridad:** Asegura que los datos no han sido manipulados durante la transmisión. - **Estándares Modernos:** Configurado para cumplir con las mejores prácticas y los estándares de seguridad de la industria.
!!! success "Beneficios de Seguridad"
- **Protección de Datos:** Cifra los datos en tránsito, previniendo la interceptación y los ataques de intermediario (man-in-the-middle).
- **Autenticación:** Verifica la identidad de su servidor a los clientes.
- **Integridad:** Asegura que los datos no han sido manipulados durante la transmisión.
- **Estándares Modernos:** Configurado para cumplir con las mejores prácticas y los estándares de seguridad de la industria.
### Cómo usar
@ -5673,32 +5898,39 @@ Integrate easily the BunkerWeb UI.
## UI Single Sign-On <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#ui-single-sign-on-pro).
Compatibilidad con STREAM :x:
Enable SSO authentication for the BunkerWeb web interface by reading headers set by upstream authentication proxies (Authentik, Authelia, Keycloak, Traefik Forward Auth, etc.)
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| ----------------------------- | -------------------- | -------- | -------- | ------------------------------------------------------------------------------------------------ |
| `USE_UI_SSO` | `no` | global | no | Enable or disable UI Single Sign-On authentication for the web interface |
| `UI_SSO_HEADER_USERNAME` | `X-User` | global | no | HTTP header containing the authenticated username |
| `UI_SSO_HEADER_EMAIL` | `X-Email` | global | no | HTTP header containing the user's email address |
| `UI_SSO_HEADER_GROUPS` | `X-Groups` | global | no | HTTP header containing the user's groups (comma or space separated) |
| `UI_SSO_HEADER_NAME` | `X-Name` | global | no | HTTP header containing the user's display name |
| `UI_SSO_TRUSTED_IPS` | `127.0.0.1,::1` | global | no | Comma-separated list of trusted IP addresses or CIDR ranges that are allowed to send SSO headers |
| `UI_SSO_AUTO_CREATE_USERS` | `yes` | global | no | Automatically create new users when they authenticate via SSO for the first time |
| `UI_SSO_DEFAULT_ROLE` | `reader` | global | no | Default role assigned to new SSO users when no group mapping matches |
| `UI_SSO_GROUP_ADMIN` | | global | no | Group name that grants admin role (highest priority) |
| `UI_SSO_GROUP_WRITER` | | global | no | Group name that grants writer role |
| `UI_SSO_GROUP_READER` | | global | no | Group name that grants reader role |
| `UI_SSO_FALLBACK_TO_LOGIN` | `yes` | global | no | Allow users to fall back to normal login when SSO headers are not present |
| `UI_SSO_UPDATE_USER_ON_LOGIN` | `yes` | global | no | Update user information (email, role) from SSO headers on each login |
| `UI_SSO_ACCOUNT_LINKING` | `username_or_email` | global | no | How to match incoming SSO users to local accounts |
| `UI_SSO_LOGOUT_REDIRECT_URL` | | global | no | URL to redirect users to after logout (e.g., SSO provider logout endpoint) |
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| --------------------------------- | -------------------- | -------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_UI_SSO` | `no` | global | no | Enable or disable UI Single Sign-On authentication for the web interface |
| `UI_SSO_PROVIDER` | `custom` | global | no | Select your SSO provider to auto-configure headers and group parsing. Use 'Custom' for manual header configuration. |
| `UI_SSO_HEADER_USERNAME` | `X-User` | global | no | HTTP header containing the authenticated username |
| `UI_SSO_HEADER_EMAIL` | `X-Email` | global | no | HTTP header containing the user's email address |
| `UI_SSO_HEADER_GROUPS` | `X-Groups` | global | no | HTTP header containing the user's groups (comma or space separated) |
| `UI_SSO_HEADER_NAME` | `X-Name` | global | no | HTTP header containing the user's display name |
| `UI_SSO_TRUSTED_IPS` | `127.0.0.1,::1` | global | no | Comma-separated list of trusted IP addresses or CIDR ranges that are allowed to send SSO headers |
| `UI_SSO_AUTO_CREATE_USERS` | `yes` | global | no | Automatically create new users when they authenticate via SSO for the first time |
| `UI_SSO_DEFAULT_ROLE` | `reader` | global | no | Default role assigned to new SSO users when no group mapping matches |
| `UI_SSO_GROUP_ADMIN` | | global | no | Group name that grants admin role (highest priority) |
| `UI_SSO_GROUP_WRITER` | | global | no | Group name that grants writer role |
| `UI_SSO_GROUP_READER` | | global | no | Group name that grants reader role |
| `UI_SSO_FALLBACK_TO_LOGIN` | `yes` | global | no | Allow users to fall back to normal login when SSO headers are not present |
| `UI_SSO_UPDATE_USER_ON_LOGIN` | `yes` | global | no | Update user information (email) from SSO headers on each login |
| `UI_SSO_SYNC_ROLES` | `no` | global | no | Synchronize user roles from SSO group mappings on each login when the groups header is present and at least one group mapping is configured |
| `UI_SSO_SYNC_ROLES_PROTECT_ADMIN` | `yes` | global | no | Prevent SSO role sync from downgrading users who currently have the admin role |
| `UI_SSO_ACCOUNT_LINKING` | `username_or_email` | global | no | How to match incoming SSO users to local accounts |
| `UI_SSO_LOGOUT_REDIRECT_URL` | | global | no | URL to redirect users to after logout (e.g., SSO provider logout endpoint) |
## User Manager <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/EIohiUf9Fg4' title='Página del Administrador de usuarios' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/EIohiUf9Fg4' title='User Manager' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#user-manager-pro).
Compatibilidad con STREAM :x:
@ -5896,3 +6128,16 @@ Ejemplos de archivos con el formato esperado:
(?:^|\s)FriendlyScanner(?:\s|$)
TrustedMonitor/\d+\.\d+
```
## Wildcard <img src='../../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
Para una guía más detallada, consulta la documentación de [usos avanzados](advanced.md#wildcard-pro).
Compatibilidad con STREAM :x:
Adds wildcard server_name support (*.domain) for services.
| Parámetro | Valor predeterminado | Contexto | Múltiple | Descripción |
| -------------- | -------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------- |
| `USE_WILDCARD` | `no` | multisite | no | Enable wildcard server_name for this service (adds *.domain for the first domain in SERVER_NAME). |

218
docs/es/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Por defecto, el contenedor expone:
@ -1284,7 +1284,7 @@ Se requiere un volumen nombrado (o un bind mount) para persistir la base de dato
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
volumes:
- bw-storage:/data
...
@ -1340,7 +1340,8 @@ La imagen Todo en Uno viene con varios servicios integrados, que se pueden contr
- `AUTOCONF_MODE=no` (predeterminado) - Habilita el servicio de autoconfiguración
- `USE_REDIS=yes` (predeterminado) - Habilita la instancia de [Redis](#redis-integration) integrada
- `USE_CROWDSEC=no` (predeterminado) - La integración con [CrowdSec](#crowdsec-integration) está deshabilitada por defecto
- `HIDE_SERVICE_LOGS=` (opcional) - Lista separada por comas de servicios cuyos registros se silencian en los logs del contenedor. Valores admitidos: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`. Los archivos en `/var/log/bunkerweb/<service>.log` se siguen actualizando.
- `HIDE_SERVICE_LOGS=` (opcional) - Lista separada por comas de servicios cuyos registros se silencian en los logs del contenedor. Valores admitidos: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`.
- **Registros**: La imagen todo en uno envía el stdout y el stderr de cada servicio a la salida del contenedor. Usa `docker logs bunkerweb-aio` (o tu controlador de logs de contenedores preferido) para ver y rotar los logs. La imagen no escribe archivos de log en disco para sus servicios Python.
### Integración de la API
@ -1361,7 +1362,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Recomendado (detrás de BunkerWeb) — no publiques el `8888`; en su lugar, haz un proxy inverso:
@ -1369,7 +1370,7 @@ Recomendado (detrás de BunkerWeb) — no publiques el `8888`; en su lugar, haz
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1425,6 +1426,10 @@ La imagen **Todo en Uno** de BunkerWeb incluye Redis listo para usar para la [pe
- Escucha en la interfaz de loopback del contenedor, por lo que solo está disponible para los procesos del contenedor, no para otros contenedores ni para el host.
- Sobrescribe `REDIS_HOST` únicamente cuando tengas un extremo Redis/Valkey externo disponible; de lo contrario, la instancia integrada no se iniciará.
- Para deshabilitar Redis por completo, establece `USE_REDIS=no`.
- **Precedencia de configuración (importante):** el Redis integrado se lanza desde `/var/lib/bunkerweb/redis-runtime.conf`, generado en el arranque copiando `/etc/redis.conf` y añadiendo valores por defecto basados en variables de entorno **solo para las directivas que la configuración no especifica**. Un `/etc/redis.conf` montado siempre gana; las variables de entorno de abajo solo rellenan los huecos.
- **Ajuste de memoria:** los valores por defecto siguen las [buenas prácticas de Redis](features.md#redis-best-practices) — `maxmemory 256mb` y `maxmemory-policy volatile-lru`. Sobrescribe con `REDIS_MAXMEMORY` y `REDIS_MAXMEMORY_POLICY` cuando la configuración no los fije.
- **Sobrescrituras de persistencia:** `REDIS_APPENDONLY=yes|no` alterna AOF (por defecto `yes`); los snapshots RDB se configuran con `REDIS_SAVE` y, opcionalmente, `REDIS_SAVE_0`, `REDIS_SAVE_1`, … aportando cada uno un par `save <segundos> <cambios>` (p. ej. `REDIS_SAVE_0="900 1"`, `REDIS_SAVE_1="300 10"`). Definir cualquiera de ellas reemplaza el conjunto por defecto `900 1 / 300 10 / 60 10000`; un valor vacío emite `save ""`, deshabilitando RDB. Se ignora si la configuración ya declara `save` por su cuenta.
- **Autenticación:** cuando se define `REDIS_PASSWORD` y la configuración no contiene ya `requirepass`, el Redis integrado se lanza con `requirepass` para mantener la coherencia entre el cliente y el servidor de BunkerWeb. El servidor integrado solo admite el usuario predeterminado: define `REDIS_USERNAME` únicamente cuando apuntes a un Redis externo con ACLs.
- Los registros de Redis aparecen con el prefijo `[REDIS]` en los registros de Docker y en `/var/log/bunkerweb/redis.log`.
### Integración con CrowdSec {#crowdsec-integration}
@ -1441,7 +1446,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* Cuando `USE_CROWDSEC=yes`, el punto de entrada hará lo siguiente:
@ -1496,7 +1501,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
!!! info "Cómo funciona internamente"
@ -1518,7 +1523,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Notas:
@ -1554,7 +1559,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* El **registro local** se omite cuando `CROWDSEC_API` no es `127.0.0.1` o `localhost`.
@ -1586,13 +1591,13 @@ Al acceder a estas imágenes preconstruidas desde Docker Hub, puedes obtener y e
Ya sea que estés realizando pruebas, desarrollando aplicaciones o desplegando BunkerWeb en producción, la opción de contenedorización de Docker proporciona flexibilidad y facilidad de uso. Adoptar este método te permite aprovechar al máximo las características de BunkerWeb mientras te beneficias de las ventajas de la tecnología Docker.
```shell
docker pull bunkerity/bunkerweb:1.6.9
docker pull bunkerity/bunkerweb:1.6.10
```
Las imágenes de Docker también están disponibles en [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) y se pueden descargar usando la dirección del repositorio `ghcr.io`:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
docker pull ghcr.io/bunkerity/bunkerweb:1.6.10
```
Los conceptos clave para la integración con Docker incluyen:
@ -1602,7 +1607,7 @@ Los conceptos clave para la integración con Docker incluyen:
- **Redes**: Las redes de Docker desempeñan un papel vital en la integración de BunkerWeb. Estas redes tienen dos propósitos principales: exponer puertos a los clientes y conectarse a los servicios web ascendentes. Al exponer los puertos, BunkerWeb puede aceptar solicitudes entrantes de los clientes, permitiéndoles acceder a los servicios web protegidos. Además, al conectarse a los servicios web ascendentes, BunkerWeb puede enrutar y gestionar el tráfico de manera eficiente, proporcionando una mayor seguridad y rendimiento.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando SQLite como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, también se admiten otros backends de bases de datos. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando SQLite como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, también se admiten otros backends de bases de datos. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) del repositorio para obtener más información.
### Variables de entorno
@ -1612,7 +1617,7 @@ Las configuraciones se pasan al Programador usando las variables de entorno de D
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1656,7 +1661,7 @@ Esto asegura que las configuraciones sensibles se mantengan fuera del entorno y
El [programador](concepts.md#scheduler) se ejecuta en su propio contenedor, que también está disponible en Docker Hub:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.9
docker pull bunkerity/bunkerweb-scheduler:1.6.10
```
!!! info "Configuraciones de BunkerWeb"
@ -1677,7 +1682,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
environment:
# Esto establecerá las configuraciones de la API para el contenedor de BunkerWeb
<<: *bw-api-env
@ -1686,7 +1691,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
# Esto establecerá las configuraciones de la API para el contenedor del Programador
<<: *bw-api-env
@ -1704,7 +1709,7 @@ Se necesita un volumen para almacenar la base de datos SQLite y las copias de se
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- bw-storage:/data
...
@ -1784,14 +1789,14 @@ El programador es el worker del plano de control que lee configuraciones, genera
##### Logging
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | -------------------------------------------------------------------- | --------------------------------------------------- | ------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Nivel base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinos | `stderr`/`file`/`syslog` separados por espacios | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Habilitar logging a archivo y ruta por defecto | `yes` o `no` | `no` |
| `LOG_FILE_PATH` | Ruta de log personalizada (usada cuando `LOG_TYPES` incluye `file`) | Ruta de archivo | `/var/log/bunkerweb/scheduler.log` con `SCHEDULER_LOG_TO_FILE=yes`, si no unset |
| `LOG_SYSLOG_ADDRESS` | Destino syslog (`udp://host:514`, `tcp://host:514` o ruta de socket) | Host:puerto, host con prefijo de protocolo o socket | unset |
| `LOG_SYSLOG_TAG` | Ident/tag de syslog | Cadena | `bw-scheduler` |
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Nivel base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinos | `stderr`/`file`/`syslog` separados por espacios | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Opción heredada de compatibilidad: cuando se define, `LOG_FILE_PATH` toma por defecto `/var/log/bunkerweb/scheduler.log` si `LOG_TYPES` incluye `file` y no definiste `LOG_FILE_PATH` explícitamente. | `yes` o `no` | `no` |
| `LOG_FILE_PATH` | Ruta de log personalizada (usada cuando `LOG_TYPES` incluye `file`) | Ruta de archivo | `/var/log/bunkerweb/scheduler.log` cuando `LOG_TYPES` contiene `file`, si no unset |
| `LOG_SYSLOG_ADDRESS` | Destino syslog (`udp://host:514`, `tcp://host:514` o ruta de socket) | Host:puerto, host con prefijo de protocolo o socket | unset |
| `LOG_SYSLOG_TAG` | Ident/tag de syslog | Cadena | `bw-scheduler` |
### Configuraciones del contenedor de UI
@ -1850,7 +1855,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1863,7 +1868,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # Esta configuración es obligatoria para especificar la instancia de BunkerWeb
@ -1896,7 +1901,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1909,7 +1914,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
depends_on:
- bunkerweb
environment:
@ -1962,7 +1967,7 @@ Las distribuciones de Linux compatibles con BunkerWeb (arquitecturas amd64/x86_6
- Debian 13 "Trixie"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 42 y 43
- Fedora 42, 43 y 44
- Red Hat Enterprise Linux (RHEL) 8, 9 y 10
### Script de instalación fácil
@ -1975,8 +1980,8 @@ Para empezar, descarga el script de instalación y su suma de verificación, lue
```bash
# Descargar el script y su suma de verificación
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verificar la suma de verificación
sha256sum -c install-bunkerweb.sh.sha256
@ -2007,7 +2012,24 @@ El script de instalación fácil es una herramienta poderosa diseñada para simp
#### Instalación interactiva
Cuando se ejecuta sin ninguna opción, el script entra en un modo interactivo que te guía a través del proceso de configuración. Se te pedirá que tomes las siguientes decisiones:
Cuando se ejecuta sin ninguna opción, el script entra en un modo interactivo que te guía a través del proceso de configuración. El flujo interactivo usa una TUI en línea mediante [gum](https://github.com/charmbracelet/gum) — menús con flechas y cursor ``, campos de contraseña enmascarados.
!!! info "gum se obtiene de forma efímera en la primera ejecución interactiva"
El instalador descarga gum la primera vez que se necesita una indicación interactiva y lo ejecuta desde un directorio temporal durante el script — **no se instala nada a nivel del sistema**:
- Descarga el `gum_${VERSION}_${ARCH}.tar.gz` oficial desde la [release de GitHub](https://github.com/charmbracelet/gum/releases) por HTTPS (TLS 1.2+, rechaza redirecciones HTTP, timeout de conexión 10 s / total 30 s).
- Verifica el tarball contra un **SHA256 fijado en este script** (ancla de confianza local — tanto la suma del propio script como la del binario gum deben coincidir).
- Si `cosign` está instalado: también verifica el `checksums.txt` ascendente contra la identidad OIDC de GitHub-Actions de Charm (`https://github.com/charmbracelet/gum/...`) como defensa en profundidad, y cruza-verifica que el hash fijado coincide con el valor que Charm publicó para este tarball exacto.
- Extrae el binario en un directorio temporal con permiso de ejecución (`/var/tmp/bw-gum.XXXXXX` por defecto; `/tmp`, `$XDG_RUNTIME_DIR` o `$HOME/.cache` cuando `/var/tmp` está montado `noexec`).
- Añade el directorio temporal al `PATH` para el resto de la ejecución y lo elimina al salir del script (a través de un trap `EXIT`, incluso ante fallos con `set -e` o señales).
**Lo que queda en disco al salir el instalador:** nada. Sin `/etc/apt/sources.list.d/charm.list`, sin clave GPG en `apt`/`rpm`, sin binario `gum` en `/usr/bin`/`/usr/local/bin`, sin entrada en la base de paquetes. El instalador nunca registra una fuente apt o dnf de terceros.
Si gum no se puede descargar — anfitrión aislado, fallo de red, SHA256 incorrecto — el instalador usa un `whiptail` ya presente en el sistema (comúnmente preinstalado en imágenes cloud Debian/Ubuntu vía el paquete `newt`). Si no hay ni gum ni whiptail disponibles, recurre a **indicaciones de texto plano**.
Pasa `--no-tui` (o establece `BW_INSTALL_TUI=no`) para saltar todos los niveles de TUI, o `--tui` para abortar si ningún nivel de TUI puede renderizar. **Instalaciones aisladas (air-gapped)**: combina `--no-tui` con `--yes` y los flags `--*` / variables `*_INPUT` apropiados; no se hace ninguna llamada de red para la capa de TUI.
Se te pedirá que tomes las siguientes decisiones:
1. **Tipo de instalación**: Selecciona los componentes que quieres instalar.
* **Pila completa (predeterminado)**: Una instalación todo en uno que incluye BunkerWeb, el Programador y la Interfaz de Usuario Web.
@ -2035,10 +2057,12 @@ Para configuraciones no interactivas o automatizadas, el script se puede control
| Opción | Descripción |
| :---------------------- | :------------------------------------------------------------------------------------------------ |
| `-v, --version VERSION` | Especifica la versión de BunkerWeb a instalar (p. ej., `1.6.9`). |
| `-v, --version VERSION` | Especifica la versión de BunkerWeb a instalar (p. ej., `1.6.10`). |
| `-w, --enable-wizard` | Habilita el asistente de configuración. |
| `-n, --no-wizard` | Deshabilita el asistente de configuración. |
| `-y, --yes` | Se ejecuta en modo no interactivo usando las respuestas predeterminadas para todas las preguntas. |
| `--tui` | Fuerza una TUI (gum o whiptail). Aborta si ninguna puede instalarse. |
| `--no-tui` | Deshabilita todos los niveles de TUI y usa indicaciones de texto plano. Equivale a `BW_INSTALL_TUI=no`. |
| `-f, --force` | Fuerza a que la instalación continúe incluso en una versión de SO no compatible. |
| `-q, --quiet` | Instalación silenciosa (suprime la salida). |
| `--api`, `--enable-api` | Habilita el servicio systemd de la API (FastAPI) (deshabilitado por defecto). |
@ -2055,7 +2079,7 @@ Para configuraciones no interactivas o automatizadas, el script se puede control
| `--worker` | Instala solo la instancia de BunkerWeb. |
| `--scheduler-only` | Instala solo el componente del Programador. |
| `--ui-only` | Instala solo el componente de la Interfaz de Usuario Web. |
| `--api-only` | Instala solo el servicio API (puerto 8000). |
| `--api-only` | Instala solo el servicio API (puerto 8888). |
**Integraciones de seguridad:**
@ -2100,7 +2124,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Instalar una versión específica
sudo ./install-bunkerweb.sh --version 1.6.9
sudo ./install-bunkerweb.sh --version 1.6.10
# Configuración del Gestor con instancias de trabajador remotas (se requieren instancias)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2147,7 +2171,7 @@ sudo ./install-bunkerweb.sh --yes --api
**Disponibilidad del servicio API:**
- El servicio API externo (puerto 8000) está disponible para los tipos de instalación `--full` y `--manager`
- El servicio API externo (puerto 8888) está disponible para los tipos de instalación `--full` y `--manager`
- No está disponible para instalaciones `--worker`, `--scheduler-only` o `--ui-only`
- Usa `--api-only` para una instalación dedicada del servicio API
@ -2208,7 +2232,7 @@ Dependiendo de tus elecciones durante la instalación:
### Instalación mediante el gestor de paquetes
Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para todas las distribuciones, es obligatorio usar los paquetes precompilados del [repositorio oficial de NGINX](https://nginx.org/en/linux_packages.html). Compilar NGINX desde el código fuente o usar paquetes de diferentes repositorios no funcionará con los paquetes precompilados oficiales de BunkerWeb. Sin embargo, tienes la opción de compilar BunkerWeb desde el código fuente.
Asegúrate de tener **NGINX 1.30.1 instalado antes de instalar BunkerWeb**. Para todas las distribuciones, es obligatorio usar los paquetes precompilados del [repositorio oficial de NGINX](https://nginx.org/en/linux_packages.html). Compilar NGINX desde el código fuente o usar paquetes de diferentes repositorios no funcionará con los paquetes precompilados oficiales de BunkerWeb. Sin embargo, tienes la opción de compilar BunkerWeb desde el código fuente.
=== "Debian Bookworm/Trixie"
@ -2223,11 +2247,11 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Ahora deberías poder instalar NGINX 1.28.2:
Ahora deberías poder instalar NGINX 1.30.1:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Versión de prueba/desarrollo"
@ -2244,12 +2268,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.9:
Y finalmente instala BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -2271,11 +2295,11 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Ahora deberías poder instalar NGINX 1.28.2:
Ahora deberías poder instalar NGINX 1.30.1:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Versión de prueba/desarrollo"
@ -2292,12 +2316,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.9:
Y finalmente instala BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -2315,10 +2339,10 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora ya proporciona NGINX 1.28.2 que soportamos
Fedora ya proporciona NGINX 1.30.1 que soportamos
```shell
sudo dnf install -y --allowerasing nginx-1.28.2
sudo dnf install -y --allowerasing nginx-1.30.1
```
!!! example "Deshabilitar el asistente de configuración"
@ -2328,12 +2352,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.9:
Y finalmente instala BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -2365,10 +2389,10 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
module_hotfixes=true
```
Ahora deberías poder instalar NGINX 1.28.2:
Ahora deberías poder instalar NGINX 1.30.1:
```shell
sudo dnf install --allowerasing nginx-1.28.2
sudo dnf install --allowerasing nginx-1.30.1
```
!!! example "Deshabilitar el asistente de configuración"
@ -2378,12 +2402,12 @@ Asegúrate de tener **NGINX 1.28.2 instalado antes de instalar BunkerWeb**. Para
export UI_WIZARD=no
```
Y finalmente instala BunkerWeb 1.6.9:
Y finalmente instala BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Para evitar la actualización de los paquetes de NGINX y/o BunkerWeb al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -2476,7 +2500,7 @@ Al adoptar este enfoque, puedes disfrutar de la reconfiguración en tiempo real
La integración de autoconfiguración de Docker implica el uso del **modo multisitio**. Por favor, consulta la [sección de multisitio](concepts.md#multisite-mode) de la documentación para obtener más información.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) del repositorio para obtener más información.
Para habilitar las actualizaciones de configuración automatizadas, incluye un contenedor adicional llamado `bw-autoconf` en la pila. Este contenedor aloja el servicio de autoconfiguración, que gestiona los cambios de configuración dinámicos para BunkerWeb.
@ -2490,7 +2514,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2505,7 +2529,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # No necesitamos especificar la instancia de BunkerWeb aquí, ya que son detectadas automáticamente por el servicio de autoconfiguración
@ -2520,7 +2544,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bunkerweb
- bw-docker
@ -2599,16 +2623,17 @@ El controlador `bw-autoconf` vigila tu orquestador y escribe cambios en la base
##### Modo y runtime
| Setting | Descripción | Valores aceptados | Predeterminado |
| ------------------------- | ------------------------------------------------------------- | -------------------------------------- | ---------------------------------------- |
| `AUTOCONF_MODE` | Habilitar el controlador de autoconf | `yes` o `no` | `no` |
| `SWARM_MODE` | Observar servicios Swarm en lugar de contenedores Docker | `yes` o `no` | `no` |
| `KUBERNETES_MODE` | Observar ingress/pods de Kubernetes en lugar de Docker | `yes` o `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Usar el controlador de Gateway API para Kubernetes | `yes` o `no` | `no` |
| `DOCKER_HOST` | Socket Docker / URL de API remota | p. ej. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Segundos entre comprobaciones de disponibilidad de instancias | Segundos enteros | `5` |
| `LOG_SYSLOG_TAG` | Tag syslog para logs de autoconf | Cadena | `bw-autoconf` |
| `TZ` | Zona horaria para logs de autoconf y marcas de tiempo | Nombre en base TZ (ej. `Europe/Paris`) | unset (default de contenedor, suele UTC) |
| Setting | Descripción | Valores aceptados | Predeterminado |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------- | ---------------------------------------- |
| `AUTOCONF_MODE` | Habilitar el controlador de autoconf | `yes` o `no` | `no` |
| `SWARM_MODE` | Observar servicios Swarm en lugar de contenedores Docker | `yes` o `no` | `no` |
| `KUBERNETES_MODE` | Observar ingress/pods de Kubernetes en lugar de Docker | `yes` o `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Usar el controlador de Gateway API para Kubernetes | `yes` o `no` | `no` |
| `DOCKER_HOST` | Socket Docker / URL de API remota | p. ej. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Segundos entre comprobaciones de disponibilidad de instancias | Segundos enteros | `5` |
| `AUTOCONF_DISABLE_CLEANUP` | Cuando es `yes`, los servicios y configuraciones personalizadas eliminados del orquestador se convierten en borrador (draft) en lugar de eliminarse, por lo que sobreviven a eliminaciones transitorias y pueden borrarse desde la Web UI. | `yes` o `no` | `no` |
| `LOG_SYSLOG_TAG` | Tag syslog para logs de autoconf | Cadena | `bw-autoconf` |
| `TZ` | Zona horaria para logs de autoconf y marcas de tiempo | Nombre en base TZ (ej. `Europe/Paris`) | unset (default de contenedor, suele UTC) |
##### Base de datos y validación
@ -2674,6 +2699,27 @@ networks:
name: bw-services
```
#### Conservar servicios como borradores al eliminarlos {#autoconf-disable-cleanup}
De forma predeterminada, cuando un contenedor, servicio Swarm o Ingress gestionado por autoconf desaparece del orquestador, su fila de servicio en BunkerWeb (y cualquier configuración personalizada asociada) se elimina inmediatamente de la base de datos compartida. Este comportamiento es destructivo: un fallo transitorio no puede distinguirse de un desmontaje intencional, y recuperar el servicio obliga a reconstruir la definición desde cero.
Si se establece `AUTOCONF_DISABLE_CLEANUP=yes` en el contenedor `bw-autoconf`:
- Los servicios eliminados del orquestador pasan a `is_draft = true` en lugar de borrarse. Sus filas `services_settings`, configuraciones personalizadas y cachés de trabajos se conservan.
- Los servicios en borrador quedan excluidos de la configuración NGINX renderizada (no se sirven), por lo que el sitio sigue saliendo de línea al retirar el objeto; solo se conserva el estado.
- Si autoconf vuelve a registrar el mismo servicio (mismo nombre de servidor / host de Ingress), se vuelve a poner automáticamente en línea y se republica; las configuraciones personalizadas existentes se reutilizan.
- Mientras un servicio está en ese estado "draft por autoconf", puede eliminarse desde la página **Servicios** de la Web UI — normalmente los servicios gestionados por autoconf no son eliminables desde la UI, pero el botón **Eliminar** se habilita para los servicios autoconf en borrador, permitiendo limpiar entradas obsoletas. Los servicios autoconf en línea siguen sin poder eliminarse desde la UI.
```yaml
services:
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
AUTOCONF_MODE: "yes"
AUTOCONF_DISABLE_CLEANUP: "yes" # conservar como borradores los servicios eliminados
DATABASE_URI: "mariadb+pymysql://bunkerweb:secret@bw-db:3306/db"
```
### Espacios de nombres {#namespaces}
A partir de la versión `1.6.0`, las pilas de Autoconfiguración de BunkerWeb ahora admiten espacios de nombres. Esta característica te permite gestionar múltiples "*clústeres*" de instancias y servicios de BunkerWeb en el mismo host de Docker. Para aprovechar los espacios de nombres, simplemente establece la etiqueta `NAMESPACE` en tus servicios. Aquí tienes un ejemplo:
@ -2703,13 +2749,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Establece el espacio de nombres para la instancia de BunkerWeb para que el servicio de autoconfiguración pueda detectarla
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Solo escucha a estos espacios de nombres
@ -2761,7 +2807,7 @@ Para una configuración óptima, se recomienda definir BunkerWeb como un **[Daem
Dada la presencia de múltiples instancias de BunkerWeb, es necesario establecer un almacén de datos compartido implementado como un servicio de [Redis](https://redis.io/) o [Valkey](https://valkey.io/). Este servicio será utilizado por las instancias para almacenar en caché y compartir datos entre ellas. Se puede encontrar más información sobre la configuración de Redis/Valkey [aquí](features.md#redis).
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) del repositorio para obtener más información.
La configuración de backends de bases de datos en clúster está fuera del alcance de esta documentación.
@ -2876,7 +2922,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.9"
tag: "1.6.10"
```
2. For each sidecar, add:
@ -2969,7 +3015,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.9"
tag: "1.6.10"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3013,7 +3059,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3284,7 +3330,7 @@ To add a new application protected by BunkerWeb:
#### Archivos YAML completos
En lugar de usar el chart de Helm, también puedes usar las plantillas YAML dentro de la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio de GitHub. Ten en cuenta que recomendamos encarecidamente usar el chart de Helm en su lugar.
En lugar de usar el chart de Helm, también puedes usar las plantillas YAML dentro de la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) del repositorio de GitHub. Ten en cuenta que recomendamos encarecidamente usar el chart de Helm en su lugar.
### Recursos de Ingress
@ -3432,7 +3478,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3605,11 +3651,11 @@ service:
# Configuraciones de BunkerWeb
bunkerweb:
tag: 1.6.9
tag: 1.6.10
# Configuraciones del programador
scheduler:
tag: 1.6.9
tag: 1.6.10
extraEnvs:
# Habilita el módulo de IP real para obtener la IP real de los clientes
- name: USE_REAL_IP
@ -3617,11 +3663,11 @@ scheduler:
# Configuraciones del controlador
controller:
tag: 1.6.9
tag: 1.6.10
# Configuraciones de la UI
ui:
tag: 1.6.9
tag: 1.6.10
```
Instala BunkerWeb con valores personalizados:
@ -4243,7 +4289,7 @@ Dado que se están ejecutando múltiples instancias de BunkerWeb, se debe crear
En cuanto al volumen de la base de datos, la documentación no especifica un enfoque concreto. La elección de una carpeta compartida o un controlador específico para el volumen de la base de datos depende de tu caso de uso particular y se deja como ejercicio para el lector.
!!! info "Backend de la base de datos"
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) del repositorio para obtener más información.
Ten en cuenta que nuestras instrucciones asumen que estás utilizando MariaDB como el backend de base de datos predeterminado, según lo configurado por el ajuste `DATABASE_URI`. Sin embargo, entendemos que puedes preferir utilizar backends alternativos para tu integración con Docker. Si ese es el caso, ten la seguridad de que otros backends de bases de datos también son posibles. Consulta los archivos docker-compose en la [carpeta misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) del repositorio para obtener más información.
La configuración de backends de bases de datos en clúster está fuera del alcance de esta documentación.
@ -4257,7 +4303,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -4286,7 +4332,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Etiqueta obligatoria para que el servicio de autoconfiguración identifique la instancia de BunkerWeb
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # No necesitamos especificar la instancia de BunkerWeb aquí, ya que son detectadas automáticamente por el servicio de autoconfiguración
@ -4307,7 +4353,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Recuerda establecer una contraseña más segura para la base de datos
@ -4459,7 +4505,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
deploy:
mode: global
@ -4471,7 +4517,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Establece el espacio de nombres para la instancia de BunkerWeb
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
NAMESPACES: "my-namespace my-other-namespace" # Solo escucha a estos espacios de nombres
...

12
docs/es/plugins.md
View file

@ -89,7 +89,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ El primer paso es instalar el plugin colocando sus archivos dentro de la carpeta
!!! tip "Plugins existentes"
Si la documentación no es suficiente, puedes echar un vistazo al código fuente existente de los [plugins oficiales](https://github.com/bunkerity/bunkerweb-plugins) y los [plugins del núcleo](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (ya incluidos en BunkerWeb, pero técnicamente son plugins).
Si la documentación no es suficiente, puedes echar un vistazo al código fuente existente de los [plugins oficiales](https://github.com/bunkerity/bunkerweb-plugins) y los [plugins del núcleo](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/common/core) (ya incluidos en BunkerWeb, pero técnicamente son plugins).
Así es como se ve la estructura de un plugin:
```
@ -560,7 +560,7 @@ end
!!! tip "Más ejemplos"
Si quieres ver la lista completa de funciones disponibles, puedes echar un vistazo a los archivos presentes en el [directorio lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) del repositorio.
Si quieres ver la lista completa de funciones disponibles, puedes echar un vistazo a los archivos presentes en el [directorio lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/bw/lua/bunkerweb) del repositorio.
### Trabajos

45
docs/es/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Esta guía de inicio rápido te ayudará a instalar rápidamente BunkerWeb y a p
Proteger las aplicaciones web existentes que ya son accesibles con el protocolo HTTP(S) es el objetivo principal de BunkerWeb: actuará como un [proxy inverso](https://es.wikipedia.org/wiki/Proxy_inverso) clásico con características de seguridad adicionales.
Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) del repositorio para obtener ejemplos del mundo real.
Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) del repositorio para obtener ejemplos del mundo real.
## Configuración básica
@ -33,7 +33,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Por defecto, el contenedor expone:
@ -52,8 +52,8 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
```bash
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256 # Si la comprobación es exitosa, ejecuta el script
@ -67,10 +67,13 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
#### Aspectos destacados del Easy Install
- Detecta tu distribución de Linux y la arquitectura de CPU por adelantado y avisa si estás fuera de la matriz soportada antes de aplicar cambios.
- El flujo interactivo permite elegir el perfil de instalación (full stack, manager, worker, etc.); el modo manager expone siempre la API en `0.0.0.0`, deshabilita el asistente y solicita la IP a incluir en la lista blanca (proporciónala con `--manager-ip` en ejecuciones no interactivas), mientras que el modo worker exige las IP del manager para su lista blanca.
- Las indicaciones interactivas usan una TUI en línea mediante [gum](https://github.com/charmbracelet/gum) — menús con flechas y cursor ``, campos de contraseña enmascarados. En la primera ejecución interactiva, el script descarga el binario `gum` oficial desde la [release de GitHub](https://github.com/charmbracelet/gum/releases) (SHA256 fijado, verificación de firma cosign cuando cosign está instalado), lo ejecuta desde un directorio temporal y elimina ese directorio al salir — **no se instala ningún paquete del sistema, no se añade ninguna fuente apt/dnf, no queda ningún binario**. Si gum no puede obtenerse, el instalador usa un `whiptail` ya instalado en el sistema; si ninguno está disponible, usa indicaciones de texto plano.
- Dos flags controlan la TUI: `--no-tui` (o `BW_INSTALL_TUI=no`) salta todos los niveles de TUI y usa indicaciones de texto plano; `--tui` exige una TUI operativa y aborta si gum no puede descargarse y no hay ningún whiptail existente disponible.
- Cuando el instalador se ejecuta como tubería (`curl … | bash`) o stdin no es un TTY, sale con un error claro en lugar de aceptar silenciosamente cada valor por defecto. Usa `--yes` junto con los flags `--*` / variables de entorno `*_INPUT` apropiados para instalaciones no interactivas.
- El flujo interactivo permite elegir el perfil de instalación (Full Stack, Manager, Worker, etc.); el modo Manager vincula el listener de la API interna a `0.0.0.0`, deshabilita el asistente y solicita la IP a incluir en la lista blanca (proporciónala con `--manager-ip` en ejecuciones no interactivas), mientras que el modo Worker exige las IP del Manager para su lista blanca.
- Las instalaciones de tipo Manager pueden decidir si el servicio Web UI debe iniciarse, aunque el asistente permanezca deshabilitado.
- El resumen indica si el servicio FastAPI se ejecutará, de modo que puedas activarlo o desactivarlo conscientemente mediante `--api` / `--no-api`.
- Las opciones de CrowdSec solo están disponibles para instalaciones full stack; los modos manager/worker las omiten automáticamente para centrarse en el control remoto.
- CrowdSec se ofrece de forma interactiva solo en instalaciones Full Stack. En la CLI, `--crowdsec` y `--crowdsec-appsec` son válidos para Full Stack y Manager; los modos Worker, Scheduler-only, UI-only y API-only los rechazan.
Para métodos de instalación avanzados (gestor de paquetes, tipos de instalación, indicadores no interactivos, integración con CrowdSec, etc.), consulta la [Integración con Linux](integrations.md#linux).
@ -89,7 +92,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
# Este es el nombre que se usará para identificar la instancia en el Programador
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -102,7 +105,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Asegúrate de establecer el nombre de instancia correcto
@ -119,7 +122,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-env
restart: "unless-stopped"
@ -147,7 +150,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -186,7 +189,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -202,7 +205,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -220,7 +223,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bw-docker
environment:
@ -243,7 +246,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Recuerda establecer una clave secreta más segura (consulta la sección de Requisitos previos)
@ -272,7 +275,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -338,7 +341,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -368,7 +371,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -386,7 +389,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -415,7 +418,7 @@ Consulta la [carpeta de ejemplos](https://github.com/bunkerity/bunkerweb/tree/v1
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Recuerda establecer una clave secreta más segura (consulta la sección de Requisitos previos)
@ -637,7 +640,7 @@ Ahora puedes iniciar sesión con la cuenta de administrador que creaste durante
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Incluye cualquier otra variable de entorno existente para la UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Tu contenedor de aplicación (`myapp`) y el contenedor `bunkerweb-aio` deben estar en la misma red de Docker para que BunkerWeb pueda alcanzarlo usando el nombre de host `myapp`.
@ -659,7 +662,7 @@ Ahora puedes iniciar sesión con la cuenta de administrador que creaste durante
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (todas las demás variables de entorno relevantes como se muestra en el ejemplo principal anterior) ...
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Asegúrate de reemplazar `myapp` con el nombre o IP real de tu contenedor de aplicación y `http://myapp:8080` con su dirección y puerto correctos.

41
docs/es/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -82,6 +82,9 @@
Si la verificación de la suma de verificación falla, **no ejecutes el script**—puede no ser seguro.
!!! tip "Interfaz de actualización interactiva"
El flujo de actualización usa la misma TUI que las instalaciones nuevas: indicaciones en línea con [gum](https://github.com/charmbracelet/gum), con respaldo en los diálogos `whiptail` y, finalmente, en indicaciones de texto plano si gum no puede obtenerse. El binario `gum` se descarga desde la [release de GitHub](https://github.com/charmbracelet/gum/releases) oficial (SHA256 fijado, verificación cosign cuando cosign está instalado) y se ejecuta desde un directorio temporal que se elimina al salir — no se instala ningún paquete del sistema y no se añade ninguna fuente apt/dnf. Pasa `--no-tui` (o establece `BW_INSTALL_TUI=no`) para saltar todos los niveles de TUI, o `--tui` para exigir una TUI operativa. Para actualizaciones totalmente desatendidas, pasa `-y` / `--yes` con los flags relevantes — las invocaciones por tubería (`curl … | bash`) salen con un error claro en lugar de aceptar silenciosamente cada valor predeterminado. **Actualizaciones aisladas (air-gapped)**: combina `--no-tui --yes` para que no se haga ninguna llamada de red para la capa de TUI.
* **Cómo funciona**:
El mismo script de instalación multipropósito utilizado para instalaciones nuevas también puede realizar una actualización in situ. Cuando detecta una instalación existente y una versión de destino diferente, cambia al modo de actualización y aplica el siguiente flujo de trabajo:
@ -132,6 +135,8 @@
| :---------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------- |
| `-v, --version <X.Y.Z>` | Versión de BunkerWeb de destino a la que actualizar. |
| `-y, --yes` | No interactivo (asume la confirmación de la actualización y habilita la copia de seguridad automática a menos que se use `--no-auto-backup`). |
| `--tui` | Fuerza una TUI (gum o whiptail). Aborta si ninguna puede instalarse. |
| `--no-tui` | Salta todos los niveles de TUI y usa indicaciones de texto plano. Equivale a `BW_INSTALL_TUI=no`. |
| `--backup-dir <RUTA>` | Destino para la copia de seguridad automática previa a la actualización. Se crea si no existe. |
| `--no-auto-backup` | Omitir la copia de seguridad automática (NO recomendado). Debes tener una copia de seguridad manual. |
| `-q, --quiet` | Suprimir la salida (combinar con registro / monitoreo). |
@ -141,20 +146,20 @@
Ejemplos:
```bash
# Actualizar a 1.6.9 interactivamente (pedirá confirmación para la copia de seguridad)
sudo ./install-bunkerweb.sh --version 1.6.9
# Actualizar a 1.6.10 interactivamente (pedirá confirmación para la copia de seguridad)
sudo ./install-bunkerweb.sh --version 1.6.10
# Actualización no interactiva con copia de seguridad automática a un directorio personalizado
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.10 --backup-dir /var/backups/bw-2025-01 -y
# Actualización desatendida silenciosa (salida suprimida) depende de la copia de seguridad automática predeterminada
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
sudo ./install-bunkerweb.sh -v 1.6.10 -y -q
# Realizar una ejecución de prueba (plan) sin aplicar cambios
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.10 --dry-run
# Actualizar omitiendo la copia de seguridad automática (NO recomendado)
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.10 --no-auto-backup -y
```
!!! warning "Omitir copias de seguridad"
@ -234,7 +239,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -260,7 +265,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `dnf upgrade`, puedes usar el siguiente comando:
@ -657,16 +662,16 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -701,7 +706,7 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `apt upgrade`, puedes usar el siguiente comando:
@ -727,7 +732,7 @@ Hemos añadido una característica de **espacio de nombres** a las integraciones
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Para evitar que el paquete de BunkerWeb se actualice al ejecutar `dnf upgrade`, puedes usar el siguiente comando:

14
docs/es/web-ui.md
View file

@ -35,7 +35,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
Usa las imágenes publicadas y el layout del [guía rápida](quickstart-guide.md#__tabbed_1_3) para levantar el stack, luego completa el asistente en el navegador.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.10-rc1/misc/integrations/docker-compose.yml up -d
```
Visita el hostname del scheduler (ej. `https://www.example.com/changeme`) y ejecuta el asistente `/setup` para configurar la UI, el scheduler y la instancia.
@ -52,7 +52,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -165,7 +165,7 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
```
Los códigos de recuperación se muestran una sola vez; si pierdes las llaves de cifrado, se eliminan los secretos TOTP almacenados.
- Sesiones: duración por defecto 12 h (`SESSION_LIFETIME_HOURS`). Sesiones fijadas a IP y User-Agent; `CHECK_PRIVATE_IP=no` relaja el control de IP solo en rangos privados. `ALWAYS_REMEMBER=yes` fuerza cookies persistentes.
- Sesiones: duración de inactividad por defecto 12 h (`SESSION_LIFETIME_HOURS`), refrescada en cada petición. Se aplica un límite absoluto vía `SESSION_ABSOLUTE_HOURS` (por defecto `168` = 7 días) — superado ese tiempo, los usuarios son desconectados aunque sigan activos. Rotación opcional del identificador de sesión (`SESSION_ROLLING_HOURS`, por defecto `0` = deshabilitada) regenera el ID de sesión en ese intervalo. Sesiones fijadas a IP y User-Agent; `CHECK_PRIVATE_IP=no` relaja el control de IP solo en rangos privados. `ALWAYS_REMEMBER=yes` fuerza cookies persistentes.
- Ajusta `PROXY_NUMBERS` si varios proxies añaden `X-Forwarded-*`.
## Fuentes de configuración y prioridad
@ -205,7 +205,9 @@ La UI requiere scheduler/API de BunkerWeb/redis/base de datos accesibles.
| `FLASK_SECRET` | Secreto de firma de sesión (persistido en `/var/lib/bunkerweb/.flask_secret`) | Cadena hex/base64/opaca | generado automáticamente |
| `TOTP_ENCRYPTION_KEYS` (`TOTP_SECRETS`) | Claves para cifrar TOTP (espacio o JSON) | Cadenas / JSON | generadas si faltan |
| `BISCUIT_PUBLIC_KEY`, `BISCUIT_PRIVATE_KEY` | Claves Biscuit (hex) para tokens de UI | Cadenas hex | autogeneradas y guardadas |
| `SESSION_LIFETIME_HOURS` | Duración de sesión | Número (horas) | `12` |
| `SESSION_LIFETIME_HOURS` | Duración de inactividad de sesión (TTL deslizante, refrescada por petición) | Número (horas) | `12` |
| `SESSION_ABSOLUTE_HOURS` | Límite absoluto de sesión independiente de la actividad | Número (horas) | `168` |
| `SESSION_ROLLING_HOURS` | Intervalo de rotación del ID de sesión (`0` deshabilita la rotación) | Número (horas) | `0` |
| `ALWAYS_REMEMBER` | Activar siempre “remember me” | `yes` o `no` | `no` |
| `CHECK_PRIVATE_IP` | Ligar sesión a IP (relaja en redes privadas con `no`) | `yes` o `no` | `yes` |
| `PROXY_NUMBERS` | Saltos de proxy confiables para `X-Forwarded-*` | Entero | `1` |

560
docs/features.md
View file

@ -124,22 +124,24 @@ Switching to `detect` mode can help you identify and resolve potential false pos
=== "Worker Settings"
| Setting | Default | Context | Multiple | Description |
| ---------------------- | ------- | ------- | -------- | --------------------------------------------------------------------------------------- |
| `WORKER_PROCESSES` | `auto` | global | No | **Worker Processes:** Number of worker processes. Set to `auto` to use available cores. |
| `WORKER_CONNECTIONS` | `1024` | global | No | **Worker Connections:** Maximum number of connections per worker. |
| `WORKER_RLIMIT_NOFILE` | `2048` | global | No | **File Descriptors Limit:** Maximum number of open files per worker. |
| Setting | Default | Context | Multiple | Description |
| ------------------------- | ------- | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `WORKER_PROCESSES` | `auto` | global | No | **Worker Processes:** Number of worker processes. Set to `auto` to use available cores. |
| `WORKER_CONNECTIONS` | `1024` | global | No | **Worker Connections:** Maximum number of connections per worker. |
| `WORKER_RLIMIT_NOFILE` | `2048` | global | No | **File Descriptors Limit:** Maximum number of open files per worker. |
| `WORKER_SHUTDOWN_TIMEOUT` | `30s` | global | No | **Worker Shutdown Timeout:** Timeout for graceful shutdown of worker processes. Old workers are forcefully terminated after this delay during a reload. |
=== "Memory Settings"
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------- | ------- | -------- | ------------------------------------------------------------------------------- |
| `WORKERLOCK_MEMORY_SIZE` | `48k` | global | No | **Workerlock Memory Size:** Size of lua_shared_dict for initialization workers. |
| `DATASTORE_MEMORY_SIZE` | `64m` | global | No | **Datastore Memory Size:** Size of the internal datastore. |
| `CACHESTORE_MEMORY_SIZE` | `64m` | global | No | **Cachestore Memory Size:** Size of the internal cachestore. |
| `CACHESTORE_IPC_MEMORY_SIZE` | `16m` | global | No | **Cachestore IPC Memory Size:** Size of the internal cachestore (ipc). |
| `CACHESTORE_MISS_MEMORY_SIZE` | `16m` | global | No | **Cachestore Miss Memory Size:** Size of the internal cachestore (miss). |
| `CACHESTORE_LOCKS_MEMORY_SIZE` | `16m` | global | No | **Cachestore Locks Memory Size:** Size of the internal cachestore (locks). |
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------- | ------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `WORKERLOCK_MEMORY_SIZE` | `48k` | global | No | **Workerlock Memory Size:** Size of lua_shared_dict for initialization workers (for example `8192`, `48k`, `16m`). |
| `DATASTORE_MEMORY_SIZE` | `64m` | global | No | **Datastore Memory Size:** Size of the internal datastore (for example `8192`, `64k`, `64m`). |
| `DATASTORE_LRU_SIZE` | `1k` | global | No | **Datastore LRU Size:** Slot count for the shared per-worker datastore LRU. Accepts a plain integer or `k`/`m` shorthand (for example `1k`, `10k`, `1m`). |
| `CACHESTORE_MEMORY_SIZE` | `64m` | global | No | **Cachestore Memory Size:** Size of the internal cachestore (for example `8192`, `64k`, `64m`). |
| `CACHESTORE_IPC_MEMORY_SIZE` | `16m` | global | No | **Cachestore IPC Memory Size:** Size of the internal cachestore (ipc) (for example `8192`, `16k`, `16m`). |
| `CACHESTORE_MISS_MEMORY_SIZE` | `16m` | global | No | **Cachestore Miss Memory Size:** Size of the internal cachestore (miss) (for example `8192`, `16k`, `16m`). |
| `CACHESTORE_LOCKS_MEMORY_SIZE` | `16m` | global | No | **Cachestore Locks Memory Size:** Size of the internal cachestore (locks) (for example `8192`, `16k`, `16m`). |
=== "Logging Settings"
@ -245,9 +247,60 @@ Switching to `detect` mode can help you identify and resolve potential false pos
LISTEN_STREAM_PORT_SSL: ""
```
## ACME <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#acme) documentation.
STREAM support :white_check_mark:
Advanced ACME certificate management with custom CA support, certificate monitoring dashboard, expiry alerting, CT log monitoring, and enhanced OCSP stapling. Complements the built-in Let's Encrypt plugin.
| Setting | Default | Context | Multiple | Description |
| ----------------------------------- | ----------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_ACME` | `no` | multisite | no | Enable ACME certificate management for this service using a custom ACME-compatible Certificate Authority. |
| `ACME_PASSTHROUGH` | `no` | multisite | no | Pass through ACME HTTP-01 challenge requests to the upstream server. |
| `ACME_DIRECTORY_URL` | | multisite | no | ACME directory URL of the Certificate Authority (e.g. https://ca.example.com/acme/directory for Step CA, https://vault.example.com/v1/pki/acme/directory for Vault PKI). |
| `ACME_EMAIL` | | multisite | no | Email address for ACME account registration and notifications. |
| `ACME_EAB_KID` | | multisite | no | External Account Binding Key ID (required by some CAs like Sectigo, Google Trust Services). |
| `ACME_EAB_HMAC_KEY` | | multisite | no | External Account Binding HMAC key (base64-encoded, required when EAB Key ID is set). |
| `ACME_CA_CERT_PATH` | | multisite | no | File path to the root CA certificate for private ACME servers (Step CA, Vault PKI). Required when the CA root is not in the system trust store. |
| `ACME_CHALLENGE` | `http` | multisite | no | ACME challenge type. HTTP-01 is simplest; DNS-01 is required for wildcard certificates; TLS-ALPN-01 works when port 80 is unavailable. |
| `ACME_DNS_PROVIDER` | | multisite | no | DNS provider for DNS-01 challenges. |
| `ACME_DNS_CREDENTIAL_ITEM` | | multisite | yes | Configuration item for the DNS provider credentials (e.g. 'cloudflare_api_token 123456'). Values can be base64 encoded. |
| `ACME_DNS_CREDENTIAL_DECODE_BASE64` | `yes` | multisite | yes | Automatically decode base64 encoded DNS provider credentials. |
| `ACME_DNS_PROPAGATION` | `default` | multisite | no | Time to wait for DNS propagation in seconds for DNS challenges. |
| `ACME_DNS_ALIAS` | | multisite | no | Target zone for DNS-01 CNAME delegation. Passed as --dns-<provider>-domain-alias to certbot and applied to every challenge for the cert, so DNS credentials only need to control the alias zone. Prerequisite: each cert domain must already have a CNAME `_acme-challenge.<domain>` -> `_acme-challenge.<target>` (and the target zone must resolve). Example: 'alias.acmeplay.org'. Silently ignored on older runtimes or with incompatible DNS providers (e.g. route53). |
| `ACME_KEY_TYPE` | `ecdsa` | multisite | no | Key type for the certificate. ECDSA is smaller and faster; RSA has broader compatibility. |
| `ACME_KEY_SIZE` | `256` | multisite | no | Key size in bits. For ECDSA: 256 or 384. For RSA: 2048 or 4096. |
| `ACME_PREFERRED_CHAIN` | | multisite | no | Preferred certificate chain issuer CN. Selects the preferred chain when the CA provides multiple. |
| `ACME_RENEWAL_DAYS` | `30` | multisite | no | Renew the certificate when it has fewer than this many days until expiry. |
| `ACME_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the ACME server. Disable only for testing with self-signed CA certs. |
| `ACME_WILDCARD` | `no` | multisite | no | Request wildcard certificate (requires DNS-01 challenge). |
| `ACME_MUST_STAPLE` | `no` | multisite | no | Request the OCSP Must-Staple extension in the certificate. |
| `ACME_MAX_RETRIES` | `3` | multisite | no | Number of times to retry certificate generation on failure (0 disables retries). |
| `USE_ACME_MONITORING` | `yes` | global | no | Enable certificate expiry monitoring and status tracking for all managed certificates (including OSS Let's Encrypt certificates). |
| `ACME_ALERT_DAYS` | `30 14 7 1` | global | no | Space-separated list of day thresholds that trigger expiry alerts. |
| `USE_ACME_ALERT_WEBHOOK` | `no` | global | no | Send certificate alerts via webhook. |
| `ACME_ALERT_WEBHOOK_URLS` | | global | no | Space-separated list of webhook URLs for certificate alerts. |
| `USE_ACME_ALERT_EMAIL` | `no` | global | no | Send certificate alerts via email. |
| `ACME_ALERT_SMTP_EMAILS` | | global | no | Space-separated list of email recipients for certificate alerts. |
| `ACME_ALERT_SMTP_HOST` | | global | no | SMTP host for certificate alert emails. |
| `ACME_ALERT_SMTP_PORT` | `465` | global | no | SMTP port for certificate alert emails (SSL=465, TLS=587). |
| `ACME_ALERT_SMTP_FROM_EMAIL` | | global | no | Sender email address for certificate alerts. |
| `ACME_ALERT_SMTP_FROM_USER` | | global | no | SMTP authentication user for certificate alert emails. |
| `ACME_ALERT_SMTP_FROM_PASSWORD` | | global | no | SMTP authentication password for certificate alert emails. |
| `ACME_ALERT_SMTP_SSL` | `SSL` | global | no | Connection type for certificate alert SMTP. |
| `USE_ACME_CT_MONITORING` | `no` | global | no | Enable Certificate Transparency log monitoring. Queries crt.sh to detect unauthorized certificate issuance for your domains. |
| `ACME_CT_MONITORED_DOMAINS` | | global | no | Space-separated list of domains to monitor in CT logs. Leave empty to auto-detect from configured services. |
| `USE_ACME_OCSP_STAPLING` | `no` | multisite | no | Enable enhanced OCSP stapling with proactive response fetching and caching. |
| `ACME_OCSP_CACHE_SIZE` | `1m` | global | no | Size of the shared dictionary for OCSP response caching. |
## Anti DDoS <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#anti-ddos-pro) documentation.
STREAM support :x:
Provides enhanced protection against DDoS attacks by analyzing and filtering suspicious traffic.
@ -278,9 +331,9 @@ Attackers often use automated tools (bots) to try and exploit your website. To p
Follow these steps to enable and configure the Antibot feature:
1. **Choose a challenge type:** Decide which type of antibot challenge to use (e.g., [captcha](#__tabbed_3_3), [hcaptcha](#__tabbed_3_5), [javascript](#__tabbed_3_2)).
1. **Choose a challenge type:** Decide which type of antibot challenge to use (e.g., [captcha](#__tabbed_3_3), [hcaptcha](#__tabbed_3_5), [capjs](#__tabbed_3_8), [javascript](#__tabbed_3_2)).
2. **Enable the feature:** Set the `USE_ANTIBOT` setting to your chosen challenge type in your BunkerWeb configuration.
3. **Configure the settings:** Adjust the other `ANTIBOT_*` settings as needed. For reCAPTCHA, hCaptcha, Turnstile, and mCaptcha, you must create an account with the respective service and obtain API keys.
3. **Configure the settings:** Adjust the other `ANTIBOT_*` settings as needed. For reCAPTCHA, hCaptcha, and Turnstile, create an account with the respective service and obtain API keys. For mCaptcha and Cap.js, you can either self-host the provider or use a hosted service, then configure the required sitekey and secret.
4. **Important:** Ensure the `ANTIBOT_URI` is a unique URL on your site that is not in use.
!!! important "About the `ANTIBOT_URI` Setting"
@ -318,6 +371,9 @@ BunkerWeb allows you to specify certain users, IPs, or requests that should bypa
- When both `ANTIBOT_IGNORE_COUNTRY` and `ANTIBOT_ONLY_COUNTRY` are set, the ignore list takes precedence—countries listed in both will bypass the challenge.
- Private or unknown IP addresses bypass the challenge when `ANTIBOT_ONLY_COUNTRY` is set because no country code can be determined.
!!! tip "Sharing challenge state across subdomains"
The antibot state (including `turnstile`, `hcaptcha`, `recaptcha`, `mcaptcha`, `captcha`, `javascript` and `cookie`) is persisted in the BunkerWeb [session cookie](#sessions). By default that cookie is scoped to the exact host that served it, so a user who solves the challenge on `a.example.com` will be challenged again on `b.example.com`. To solve the challenge once for every sibling subdomain of the same registrable domain, set [`SESSIONS_DOMAIN`](#sessions) to the parent domain (for example `example.com`) **for each relevant server**. `SESSIONS_DOMAIN` is a multisite setting — configure it per-server so unrelated tenants hosted on the same BunkerWeb instance never receive a cross-tenant `Domain` attribute.
**Examples:**
- `ANTIBOT_IGNORE_URI: "^/api/ ^/webhook/ ^/assets/"`
@ -497,6 +553,29 @@ BunkerWeb allows you to specify certain users, IPs, or requests that should bypa
Refer to the [Common Settings](#common-settings) for additional configuration options.
=== "Cap.js"
[Cap.js](https://capjs.js.org/) is a self-hosted, open-source, privacy-friendly proof-of-work CAPTCHA. Instead of delegating verification to a third-party service, you run the Cap.js server yourself and BunkerWeb verifies tokens against that server.
Use the frontend URL for the browser-facing endpoint that serves the widget. If BunkerWeb can reach the Cap.js server through an internal address, set the backend URL to that internal endpoint; otherwise leave it empty and BunkerWeb will use the frontend URL for `/siteverify`.
**Configuration Settings:**
| Setting | Default | Context | Multiple | Description |
| ---------------------------- | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------ |
| `USE_ANTIBOT` | `no` | multisite | no | **Enable Antibot:** Set to `capjs` to enable the Cap.js challenge. |
| `ANTIBOT_CAPJS_FRONTEND_URL` | | multisite | no | **Cap.js Frontend URL:** Browser-facing URL of the Cap.js server that serves the widget. |
| `ANTIBOT_CAPJS_BACKEND_URL` | | multisite | no | **Cap.js Backend URL:** Optional internal URL BunkerWeb uses for `/siteverify`; falls back to the frontend URL if empty. |
| `ANTIBOT_CAPJS_SITEKEY` | | multisite | no | **Cap.js Sitekey:** The sitekey for the Cap.js challenge. |
| `ANTIBOT_CAPJS_SECRET` | | multisite | no | **Cap.js Secret:** The secret key BunkerWeb uses to verify Cap.js tokens. |
!!! note "Operator requirements"
- Use HTTPS for `ANTIBOT_CAPJS_FRONTEND_URL` in production. The browser worker requires `crypto.subtle` in a secure context, and HTTPS prevents MITM changes to the widget.
- Configure CORS on the Cap.js sitekey to allow the protected origin.
- Set both `ANTIBOT_CAPJS_FRONTEND_URL` and `ANTIBOT_CAPJS_BACKEND_URL` to origins only: scheme, host, and optional port, with no path.
Refer to the [Common Settings](#common-settings) for additional configuration options.
### Example Configurations
=== "Cookie Challenge"
@ -609,6 +688,21 @@ BunkerWeb allows you to specify certain users, IPs, or requests that should bypa
ANTIBOT_TIME_VALID: "86400"
```
=== "Cap.js Challenge"
Example configuration for enabling the Cap.js challenge:
```yaml
USE_ANTIBOT: "capjs"
ANTIBOT_CAPJS_FRONTEND_URL: "https://cap.example.com"
ANTIBOT_CAPJS_BACKEND_URL: "http://cap-server:3000"
ANTIBOT_CAPJS_SITEKEY: "your-site-key"
ANTIBOT_CAPJS_SECRET: "your-secret-key"
ANTIBOT_URI: "/challenge"
ANTIBOT_TIME_RESOLVE: "60"
ANTIBOT_TIME_VALID: "86400"
```
## Auth basic
STREAM support :x:
@ -1334,6 +1428,8 @@ Pro tip: When viewing your alerts, click the "columns" option and check the "con
## Cache <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#cache-pro) documentation.
STREAM support :x:
Provides caching functionality at the reverse proxy level.
@ -1383,12 +1479,12 @@ Follow these steps to configure and use the Client Cache feature:
### Configuration Settings
| Setting | Default | Context | Multiple | Description |
| ------------------------- | -------------------------- | --------- | -------- | ---------------------------------------------------------------------------------------------- |
| `USE_CLIENT_CACHE` | `no` | multisite | no | **Enable Client Cache:** Set to `yes` to enable client-side caching of static files. |
| `CLIENT_CACHE_EXTENSIONS` | `jpg | jpeg | png | bmp | ico | svg | tif | css | js | otf | ttf | eot | woff | woff2` | global | no | **Cacheable Extensions:** List of file extensions (separated by pipes) that should be cached by the client. |
| `CLIENT_CACHE_CONTROL` | `public, max-age=15552000` | multisite | no | **Cache-Control Header:** Value for the Cache-Control HTTP header to control caching behavior. |
| `CLIENT_CACHE_ETAG` | `yes` | multisite | no | **Enable ETags:** Set to `yes` to send the HTTP ETag header for static resources. |
| Setting | Default | Context | Multiple | Description |
| ------------------------- | ------------------------------------------------------------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------- |
| `USE_CLIENT_CACHE` | `no` | multisite | no | **Enable Client Cache:** Set to `yes` to enable client-side caching of static files. |
| `CLIENT_CACHE_EXTENSIONS` | `jpg\|jpeg\|png\|bmp\|ico\|svg\|tif\|css\|js\|otf\|ttf\|eot\|woff\|woff2` | global | no | **Cacheable Extensions:** List of file extensions (separated by pipes) that should be cached by the client. |
| `CLIENT_CACHE_CONTROL` | `public, max-age=15552000` | multisite | no | **Cache-Control Header:** Value for the Cache-Control HTTP header to control caching behavior. |
| `CLIENT_CACHE_ETAG` | `yes` | multisite | no | **Enable ETags:** Set to `yes` to send the HTTP ETag header for static resources. |
!!! tip "Optimizing Cache Settings"
For frequently updated content, consider using shorter max-age values. For content that rarely changes (like versioned JavaScript libraries or logos), use longer cache times. The default value of 15552000 seconds (180 days) is appropriate for most static assets.
@ -1770,7 +1866,7 @@ Follow one of the environment-specific guides below so the CrowdSec agent ingest
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1787,7 +1883,7 @@ Follow one of the environment-specific guides below so the CrowdSec agent ingest
syslog-address: "udp://10.20.30.254:514" # The IP address of the syslog service
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -1821,7 +1917,7 @@ Follow one of the environment-specific guides below so the CrowdSec agent ingest
- bw-db
crowdsec:
image: crowdsecurity/crowdsec:v1.7.6 # Use the latest version but always pin the version for a better stability/security
image: crowdsecurity/crowdsec:v1.7.8 # Use the latest version but always pin the version for a better stability/security
volumes:
- cs-data:/var/lib/crowdsec/data # To persist the CrowdSec data
- bw-logs:/var/log:ro # The logs of BunkerWeb for CrowdSec to parse
@ -2029,6 +2125,8 @@ Apply the following environment variables (or values via the scheduler UI/API) s
## Custom Pages <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#custom-pages-pro) documentation.
STREAM support :x:
Tweak BunkerWeb error/antibot/default pages with custom HTML.
@ -2043,6 +2141,7 @@ Tweak BunkerWeb error/antibot/default pages with custom HTML.
| `CUSTOM_ANTIBOT_HCAPTCHA_PAGE` | | multisite | no | Full path of the custom antibot hcaptcha page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_TURNSTILE_PAGE` | | multisite | no | Full path of the custom antibot turnstile page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_MCAPTCHA_PAGE` | | multisite | no | Full path of the custom antibot mcaptcha page (must be readable by the scheduler) (Can be a lua template). |
| `CUSTOM_ANTIBOT_CAPJS_PAGE` | | multisite | no | Full path of the custom antibot Cap.js page (must be readable by the scheduler) (Can be a lua template). |
## Custom SSL certificate
@ -2330,6 +2429,10 @@ Follow these steps to configure and use the DNSBL feature:
## Easy Resolve <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/45vX0WJqjxo' title='Easy Resolve' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
For a more detailed guide, see the [advanced usages](advanced.md#easy-resolve-pro) documentation.
STREAM support :x:
Provides a simpler way to fix false positives in reports.
@ -3000,6 +3103,49 @@ Follow these steps to configure and use the HTML Injection feature:
INJECT_BODY: "<div id=\"cookie-banner\" class=\"cookie-banner\">This website uses cookies to ensure you get the best experience. <button onclick=\"acceptCookies()\">Accept</button></div><script>function acceptCookies() { document.getElementById('cookie-banner').style.display = 'none'; localStorage.setItem('cookies-accepted', 'true'); } if(localStorage.getItem('cookies-accepted') === 'true') { document.getElementById('cookie-banner').style.display = 'none'; }</script>"
```
## LDAP SSO <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#ldap-sso-pro) documentation.
STREAM support :x:
LDAP-based single sign-on plugin with session-backed authentication.
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------- |
| `USE_LDAP` | `no` | multisite | no | Enable or disable LDAP SSO authentication. |
| `LDAP_HOST` | | multisite | no | LDAP server hostname or IP address. |
| `LDAP_PORT` | `389` | multisite | no | LDAP server port (389 for LDAP/STARTTLS, 636 for LDAPS). |
| `LDAP_LDAPS` | `no` | multisite | no | Use LDAPS (TLS from connection start). |
| `LDAP_STARTTLS` | `no` | multisite | no | Use STARTTLS upgrade on LDAP connection. |
| `LDAP_SSL_VERIFY` | `yes` | multisite | no | Verify server TLS certificate. |
| `LDAP_TIMEOUT` | `10000` | multisite | no | LDAP socket timeout in milliseconds. |
| `LDAP_KEEPALIVE_TIMEOUT` | `60000` | multisite | no | LDAP keepalive timeout in milliseconds. |
| `LDAP_KEEPALIVE_POOL_SIZE` | `10` | multisite | no | LDAP keepalive connection pool size. |
| `LDAP_KEEPALIVE_POOL_NAME` | | multisite | no | Optional custom LDAP keepalive pool name. |
| `LDAP_BIND_DN` | | multisite | no | Optional service account DN used to perform LDAP user searches. |
| `LDAP_BIND_PASSWORD` | | multisite | no | Password for LDAP Bind DN service account. |
| `LDAP_USER_SEARCH_BASE_DN` | | multisite | no | Base DN for user discovery search (enables enterprise search mode when set). |
| `LDAP_USER_SEARCH_FILTER` | `(&(objectClass=person)(\|(uid={username})(mail={username})(sAMAccountName={username})(userPrincipalName={username})))` | multisite | no | LDAP user search filter template. Use {username} placeholder. |
| `LDAP_AUTHZ_FILTER` | | multisite | no | Optional extra LDAP authorization filter (AND-ed with user search filter). |
| `LDAP_USER_SEARCH_SCOPE` | `subtree` | multisite | no | LDAP search scope for user lookup. |
| `LDAP_USER_SEARCH_DEREF_ALIASES` | `always` | multisite | no | LDAP alias dereferencing mode during user lookup. |
| `LDAP_USER_SEARCH_SIZE_LIMIT` | `10` | multisite | no | Maximum number of LDAP entries returned by user search. |
| `LDAP_USER_SEARCH_TIME_LIMIT` | `10` | multisite | no | Maximum LDAP user search time in seconds. |
| `LDAP_USER_SEARCH_ATTRIBUTES` | `dn` | multisite | no | Attributes requested during user search (space separated). |
| `LDAP_USER_SEARCH_DN_FIELD` | `object_name` | multisite | no | Preferred field name in search response to extract user DN (e.g. object_name, dn). |
| `LDAP_USER_SEARCH_REQUIRE_UNIQUE` | `yes` | multisite | no | Require exactly one search result before authenticating user. |
| `LDAP_USER_DN_TEMPLATE` | `uid={username},ou=people,dc=example,dc=com` | multisite | no | User DN template used for direct bind fallback. Must include {username} when set. |
| `LDAP_USERNAME_REGEX` | `^[A-Za-z0-9@._-]+$` | multisite | no | PCRE regex used to validate submitted usernames. |
| `LDAP_LOGIN_PATH` | `/ldap/login` | multisite | no | Login page path exposed by the LDAP plugin. |
| `LDAP_LOGOUT_PATH` | `/ldap/logout` | multisite | no | Logout path exposed by the LDAP plugin. |
| `LDAP_SESSION_TTL` | `3600` | multisite | no | LDAP session validity duration in seconds. |
| `LDAP_REALM` | `LDAP SSO` | multisite | no | Authentication realm displayed on LDAP login form. |
| `LDAP_USER_HEADER` | `X-User` | multisite | no | Header to pass authenticated username to upstream (empty to disable). |
| `LDAP_REDIRECT_AFTER_LOGIN` | `/` | multisite | no | Fallback relative path after successful login when no redirect target is provided. |
| `LDAP_REDIRECT_AFTER_LOGOUT` | `/` | multisite | no | Relative path to redirect users to after logout. |
## Let's Encrypt
STREAM support :white_check_mark:
@ -3067,6 +3213,7 @@ Follow these steps to configure and use the Let's Encrypt feature:
| `LETS_ENCRYPT_PROFILE` | `classic` | multisite | no | **Certificate Profile:** Select the certificate profile to use. Options: `classic` (general-purpose), `tlsserver` (optimized for TLS servers), or `shortlived` (7-day certificates). |
| `LETS_ENCRYPT_CUSTOM_PROFILE` | | multisite | no | **Custom Certificate Profile:** Enter a custom certificate profile if your ACME server supports non-standard profiles. This overrides `LETS_ENCRYPT_PROFILE` if set. |
| `LETS_ENCRYPT_MAX_RETRIES` | `3` | multisite | no | **Maximum Retries:** Number of times to retry certificate generation on failure. Set to `0` to disable retries. Useful for handling temporary network issues or API rate limits. |
| `LETS_ENCRYPT_MAX_LOG_BACKUPS` | `50` | global | no | **Maximum Certbot Log Backups:** Number of rotated `letsencrypt.log` backups certbot keeps per job. Certbot's own default of 1000 piles up quickly; `50` is a sensible cap. Set to `0` to keep only the live log. |
!!! info "Information and behavior"
- The `LETS_ENCRYPT_DNS_CREDENTIAL_ITEM` setting is a multiple setting and can be used to set multiple items for the DNS provider. The items will be saved as a cache file, and Certbot will read the credentials from it.
@ -3364,37 +3511,6 @@ The Limit plugin in BunkerWeb provides robust capabilities to enforce limiting p
LIMIT_CONN_MAX_STREAM: "20"
```
## Load Balancer <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/cOVp0rAt5nw' title='Load Balancer' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
STREAM support :x:
Provides load balancing feature to group of upstreams with optional healthchecks.
| Setting | Default | Context | Multiple | Description |
| ----------------------------------------- | ------------- | ------- | -------- | ------------------------------------------------------------------ |
| `LOADBALANCER_HEALTHCHECK_DICT_SIZE` | `10m` | global | no | Shared dict size (datastore for all healthchecks). |
| `LOADBALANCER_UPSTREAM_NAME` | | global | yes | Name of the upstream (used in REVERSE_PROXY_HOST). |
| `LOADBALANCER_UPSTREAM_SERVERS` | | global | yes | List of servers/IPs in the server group. |
| `LOADBALANCER_UPSTREAM_MODE` | `round-robin` | global | yes | Load balancing mode (round-robin or sticky). |
| `LOADBALANCER_UPSTREAM_STICKY_METHOD` | `ip` | global | yes | Sticky session method (ip or cookie). |
| `LOADBALANCER_UPSTREAM_RESOLVE` | `no` | global | yes | Dynamically resolve upstream hostnames. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE` | | global | yes | Number of keepalive connections to cache per worker. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE_TIMEOUT` | `60s` | global | yes | Keepalive timeout for upstream connections. |
| `LOADBALANCER_UPSTREAM_KEEPALIVE_TIME` | `1h` | global | yes | Keepalive time for upstream connections. |
| `LOADBALANCER_HEALTHCHECK_URL` | `/status` | global | yes | The healthcheck URL. |
| `LOADBALANCER_HEALTHCHECK_INTERVAL` | `2000` | global | yes | Healthcheck interval in milliseconds. |
| `LOADBALANCER_HEALTHCHECK_TIMEOUT` | `1000` | global | yes | Healthcheck timeout in milliseconds. |
| `LOADBALANCER_HEALTHCHECK_FALL` | `3` | global | yes | Number of failed healthchecks before marking the server as down. |
| `LOADBALANCER_HEALTHCHECK_RISE` | `1` | global | yes | Number of successful healthchecks before marking the server as up. |
| `LOADBALANCER_HEALTHCHECK_VALID_STATUSES` | `200` | global | yes | HTTP status considered valid in healthchecks. |
| `LOADBALANCER_HEALTHCHECK_CONCURRENCY` | `10` | global | yes | Maximum number of concurrent healthchecks. |
| `LOADBALANCER_HEALTHCHECK_TYPE` | `http` | global | yes | Type of healthcheck (http or https). |
| `LOADBALANCER_HEALTHCHECK_SSL_VERIFY` | `yes` | global | yes | Verify SSL certificate in healthchecks. |
| `LOADBALANCER_HEALTHCHECK_HOST` | | global | yes | Host header for healthchecks (useful for HTTPS). |
## Metrics
STREAM support :warning:
@ -3488,16 +3604,17 @@ For example, `/metrics/requests` returns information about blocked requests.
### Configuration Settings
| Setting | Default | Context | Multiple | Description |
| ------------------------------------ | -------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------------- |
| `USE_METRICS` | `yes` | multisite | no | **Enable Metrics:** Set to `yes` to enable collection and retrieval of metrics. |
| `METRICS_MEMORY_SIZE` | `16m` | global | no | **Memory Size:** Size of the internal storage for metrics (e.g., `16m`, `32m`). |
| `METRICS_MAX_BLOCKED_REQUESTS` | `1000` | global | no | **Max Blocked Requests:** Maximum number of blocked requests to store per worker. |
| `METRICS_MAX_BLOCKED_REQUESTS_REDIS` | `100000` | global | no | **Max Redis Blocked Requests:** Maximum number of blocked requests to store in Redis. |
| `METRICS_SAVE_TO_REDIS` | `yes` | global | no | **Save Metrics to Redis:** Set to `yes` to save metrics (counters and tables) to Redis for cluster-wide aggregation. |
| Setting | Default | Context | Multiple | Description |
| ------------------------------------ | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `USE_METRICS` | `yes` | multisite | no | **Enable Metrics:** Set to `yes` to enable collection and retrieval of metrics. |
| `METRICS_MEMORY_SIZE` | `16m` | global | no | **Memory Size:** Size of the internal storage for metrics (e.g., `8192`, `16m`, `32m`). |
| `METRICS_MAX_BLOCKED_REQUESTS` | `1k` | global | no | **Max Blocked Requests:** Maximum number of blocked requests to store per worker. Accepts `k`/`m` shorthand. |
| `METRICS_MAX_BLOCKED_REQUESTS_REDIS` | `10k` | global | no | **Max Redis Blocked Requests:** Maximum number of blocked requests to store in Redis. Accepts `k`/`m` shorthand. |
| `MAX_LRU_HISTORY` | `1k` | global | no | **Max LRU History:** Per-worker LRU slot count and per-key event-history array cap (block trails, auth trails, etc.). Accepts `k`/`m` shorthand. |
| `METRICS_SAVE_TO_REDIS` | `yes` | global | no | **Save Metrics to Redis:** Set to `yes` to save metrics (counters and tables) to Redis for cluster-wide aggregation. |
!!! tip "Sizing Memory Allocation"
The `METRICS_MEMORY_SIZE` setting should be adjusted based on your traffic volume and the number of instances. For high-traffic sites, consider increasing this value to ensure all metrics are captured without data loss.
The `METRICS_MEMORY_SIZE` setting should be adjusted based on your traffic volume and the number of instances. Raw byte values and `k`/`m` suffixes are supported. For high-traffic sites, consider increasing this value to ensure all metrics are captured without data loss.
!!! info "Redis Integration"
When BunkerWeb is configured to use [Redis](#redis), the metrics plugin will automatically synchronize blocked request data to the Redis server. This provides a centralized view of security events across multiple BunkerWeb instances.
@ -3517,8 +3634,9 @@ For example, `/metrics/requests` returns information about blocked requests.
```yaml
USE_METRICS: "yes"
METRICS_MEMORY_SIZE: "16m"
METRICS_MAX_BLOCKED_REQUESTS: "1000"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "100000"
METRICS_MAX_BLOCKED_REQUESTS: "1k"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "10k"
MAX_LRU_HISTORY: "1k"
METRICS_SAVE_TO_REDIS: "yes"
```
@ -3531,6 +3649,7 @@ For example, `/metrics/requests` returns information about blocked requests.
METRICS_MEMORY_SIZE: "8m"
METRICS_MAX_BLOCKED_REQUESTS: "500"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "10000"
MAX_LRU_HISTORY: "500"
METRICS_SAVE_TO_REDIS: "no"
```
@ -3543,6 +3662,7 @@ For example, `/metrics/requests` returns information about blocked requests.
METRICS_MEMORY_SIZE: "64m"
METRICS_MAX_BLOCKED_REQUESTS: "5000"
METRICS_MAX_BLOCKED_REQUESTS_REDIS: "500000"
MAX_LRU_HISTORY: "5k"
METRICS_SAVE_TO_REDIS: "yes"
```
@ -3557,6 +3677,8 @@ For example, `/metrics/requests` returns information about blocked requests.
## Migration <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#migration-pro) documentation.
STREAM support :white_check_mark:
Migration of BunkerWeb configuration between instances made easy via the web UI
@ -3641,16 +3763,16 @@ Whether you need to restrict HTTP methods, manage request sizes, optimize file c
This feature is configured using the `ALLOWED_METHODS` setting, where methods are listed and separated by a `|` (default: `GET|POST|HEAD`). If a client attempts to use a method not listed, the server will respond with a **405 - Method Not Allowed** status.
For most websites, the default `GET|POST|HEAD` is sufficient. If your application uses RESTful APIs, you may need to include methods like `PUT` and `DELETE`.
For most websites, the default `GET|POST|HEAD` is sufficient. If your application uses RESTful APIs, you may need to include methods like `PUT` and `DELETE`. Custom uppercase methods may also contain underscores and dashes for compatibility with non-standard protocols (e.g. `CCM_POST`, `M-SEARCH`).
!!! success "Security Benefits"
- Prevents exploitation of unused or unnecessary HTTP methods
- Reduces the attack surface by disabling potentially harmful methods
- Blocks HTTP method enumeration techniques used by attackers
| Setting | Default | Context | Multiple | Description |
| ----------------- | ------- | ------- | -------- | ----------- |
| `ALLOWED_METHODS` | `GET | POST | HEAD` | multisite | no | **HTTP Methods:** List of HTTP methods that are allowed, separated by pipe characters. |
| Setting | Default | Context | Multiple | Description |
| ----------------- | ----------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ALLOWED_METHODS` | `GET\|POST\|HEAD` | multisite | no | **HTTP Methods:** List of HTTP methods that are allowed, separated by pipe characters. Custom uppercase methods may contain underscores and dashes. |
!!! abstract "CORS and Pre-flight Requests"
If your application supports [Cross-Origin Resource Sharing (CORS)](#cors), you should include the `OPTIONS` method in the `ALLOWED_METHODS` setting to handle pre-flight requests. This ensures proper functionality for browsers making cross-origin requests.
@ -3672,9 +3794,10 @@ Whether you need to restrict HTTP methods, manage request sizes, optimize file c
- Prevents file upload attacks
- Reduces the risk of server resource exhaustion
| Setting | Default | Context | Multiple | Description |
| ----------------- | ------- | --------- | -------- | -------------------------------------------------------------------------------------------------- |
| `MAX_CLIENT_SIZE` | `10m` | multisite | no | **Maximum Request Size:** The maximum allowed size for client request bodies (e.g., file uploads). |
| Setting | Default | Context | Multiple | Description |
| ----------------- | ------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `MAX_CLIENT_SIZE` | `10m` | multisite | no | **Maximum Request Size:** The maximum allowed size for client request bodies (e.g., file uploads). |
| `MAX_HEADERS` | `100` | global | no | **Maximum Headers:** Maximum number of header lines per request. Requests exceeding this limit are rejected with `400 Bad Request`. |
!!! tip "Request Size Configuration Best Practices"
If you need to allow a request body of unlimited size, you can set the `MAX_CLIENT_SIZE` value to `0`. However, this is **not recommended** due to potential security and performance risks.
@ -3859,6 +3982,7 @@ Whether you need to restrict HTTP methods, manage request sizes, optimize file c
OPEN_FILE_CACHE_ERRORS: "yes"
OPEN_FILE_CACHE_MIN_USES: "3"
OPEN_FILE_CACHE_VALID: "60s"
```
## ModSecurity
@ -3911,12 +4035,17 @@ Follow these steps to configure and use ModSecurity:
The CRS team actively maintains a list of exclusions for popular applications such as WordPress, Nextcloud, Drupal, and Cpanel, making it easier to integrate without impacting functionality. The security benefits far outweigh the minimal configuration effort required to address false positives.
!!! warning "Safety recommendation for large uploads"
ModSecurity buffers the full request body in memory and cannot cap it for multi-GB uploads, which can OOM the worker. If — **and only if** — a reverse-proxy URL is used *exclusively* for file uploads (e.g. a dedicated `/upload` endpoint), set `REVERSE_PROXY_MODSECURITY_N: "no"` on that URL to emit `modsecurity off;` in its `location` block. Do not disable it on mixed-use URLs: you would lose WAF coverage on everything served by that location.
To keep uploads protected after bypassing ModSecurity, pair this with a file-scanning plugin such as [ClamAV](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) or [VirusTotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) — they inspect the uploaded file itself instead of the raw request body.
### Available CRS Versions
Select a CRS version to best match your security needs:
- **`3`**: Stable [v3.3.8](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8).
- **`4`**: Stable [v4.24.1](https://github.com/coreruleset/coreruleset/releases/tag/v4.24.1) (**default**).
- **`3`**: Stable [v3.3.9](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9).
- **`4`**: Stable [v4.25.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0) (**default**).
!!! warning "Nightly Build Deprecated"
The `nightly` option for `MODSECURITY_CRS_VERSION` has been deprecated as the OWASP Core Rule Set project has discontinued nightly releases. If your configuration still uses `nightly`, CRS v4 will be used instead. Please update your configuration to use `MODSECURITY_CRS_VERSION=4`.
@ -4085,11 +4214,13 @@ STREAM support :x:
BunkerWeb monitoring pro system. This plugin is a prerequisite for some other plugins.
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------- | ------- | -------- | --------------------------------------------------------------------------- |
| `USE_MONITORING` | `yes` | global | no | Enable monitoring of BunkerWeb. |
| `MONITORING_METRICS_DICT_SIZE` | `10M` | global | no | Size of the dict to store monitoring metrics. |
| `MONITORING_IGNORE_URLS` | | global | no | List of URLs to ignore when monitoring separated with spaces (e.g. /health) |
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------- | ------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_MONITORING` | `yes` | global | no | Enable monitoring of BunkerWeb. |
| `MONITORING_METRICS_DICT_SIZE` | `10M` | global | no | Size of the dict to store monitoring metrics. |
| `MONITORING_IGNORE_URLS` | | global | no | List of URLs to ignore when monitoring separated with spaces (e.g. /health) |
| `MONITORING_TOP_N_DECAY_HOURS` | `6` | global | no | How often (in hours) to halve attacker top-N counters and prune cold entries. Lower = top-N reflects more recent traffic; higher = old attackers persist longer. |
| `MONITORING_TOP_N_TRACK_MAX` | `5000` | global | no | Maximum tracked attacker IPs and URIs per prefix in the bounded top-N sketch. Caps memory under distributed attack via Space-Saving admission. |
## Mutual TLS
@ -4182,6 +4313,10 @@ Follow these steps to deploy mutual TLS with confidence:
## OpenAPI Validator <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/3oZOO1XdSlc' title='OpenAPI Validator' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
For a more detailed guide, see the [advanced usages](advanced.md#openapi-validator-pro) documentation.
STREAM support :x:
Validates incoming HTTP requests against an OpenAPI / Swagger specification.
@ -4200,47 +4335,56 @@ Validates incoming HTTP requests against an OpenAPI / Swagger specification.
## OpenID Connect <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/0e4lcXTIIfs' title='OpenID Connect' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
For a more detailed guide, see the [advanced usages](advanced.md#openid-connect-pro) documentation.
STREAM support :x:
OpenID Connect authentication plugin providing SSO capabilities with identity providers.
| Setting | Default | Context | Multiple | Description |
| ----------------------------------------- | ---------------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_OPENIDC` | `no` | multisite | no | Enable or disable OpenID Connect authentication. |
| `OPENIDC_DISCOVERY` | | multisite | no | OpenID Connect discovery URL (e.g. https://idp.example.com/.well-known/openid-configuration). |
| `OPENIDC_CLIENT_ID` | | multisite | no | OAuth 2.0 client identifier registered with the IdP. |
| `OPENIDC_CLIENT_SECRET` | | multisite | no | OAuth 2.0 client secret registered with the IdP. |
| `OPENIDC_TOKEN_ENDPOINT_AUTH_METHOD` | `basic` | multisite | no | Token endpoint auth method: basic (recommended, HTTP Basic), post (POST body), secret_jwt (JWT with client secret), private_key_jwt (JWT with RSA key). |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY` | | multisite | no | PEM-encoded RSA private key for private_key_jwt authentication. |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY_ID` | | multisite | no | Optional key ID (kid) for private_key_jwt authentication. |
| `OPENIDC_CLIENT_JWT_ASSERTION_EXPIRES_IN` | | multisite | no | JWT assertion lifetime in seconds (empty to use library default). |
| `OPENIDC_REDIRECT_URI` | `/callback` | multisite | no | URI path where the IdP redirects after authentication. |
| `OPENIDC_SCOPE` | `openid email profile` | multisite | no | Space-separated list of OAuth 2.0 scopes to request. |
| `OPENIDC_AUTHORIZATION_PARAMS` | | multisite | no | Additional authorization params as comma-separated key=value pairs (e.g. audience=api,resource=xyz). URL-encode values if needed. |
| `OPENIDC_USE_NONCE` | `yes` | multisite | no | Use nonce in authentication requests to prevent replay attacks. |
| `OPENIDC_USE_PKCE` | `no` | multisite | no | Use PKCE (Proof Key for Code Exchange) for authorization code flow. |
| `OPENIDC_FORCE_REAUTHORIZE` | `no` | multisite | no | Force re-authorization on every request (not recommended for production). |
| `OPENIDC_REFRESH_SESSION_INTERVAL` | | multisite | no | Interval in seconds to silently re-authenticate (empty to disable). |
| `OPENIDC_IAT_SLACK` | `120` | multisite | no | Allowed clock skew in seconds for token validation. |
| `OPENIDC_ACCESS_TOKEN_EXPIRES_IN` | `3600` | multisite | no | Default access token lifetime (seconds) if not provided by IdP. |
| `OPENIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY` | `yes` | multisite | no | Automatically renew access token using refresh token when expired. |
| `OPENIDC_ACCEPT_UNSUPPORTED_ALG` | `no` | multisite | no | Accept tokens signed with unsupported algorithms (not recommended). |
| `OPENIDC_LOGOUT_PATH` | `/logout` | multisite | no | URI path for logout requests. |
| `OPENIDC_REVOKE_TOKENS_ON_LOGOUT` | `no` | multisite | no | Revoke tokens at the IdP when logging out. |
| `OPENIDC_REDIRECT_AFTER_LOGOUT_URI` | | multisite | no | URI to redirect after logout (leave empty for IdP default). |
| `OPENIDC_POST_LOGOUT_REDIRECT_URI` | | multisite | no | URI to redirect after IdP logout is complete. |
| `OPENIDC_TIMEOUT_CONNECT` | `10000` | multisite | no | Connection timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_SEND` | `10000` | multisite | no | Send timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_READ` | `10000` | multisite | no | Read timeout in milliseconds for IdP requests. |
| `OPENIDC_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the IdP. |
| `OPENIDC_KEEPALIVE` | `yes` | multisite | no | Enable HTTP keepalive for connections to the IdP. |
| `OPENIDC_HTTP_PROXY` | | multisite | no | HTTP proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_HTTPS_PROXY` | | multisite | no | HTTPS proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_USER_HEADER` | `X-User` | multisite | no | Header to pass user info to upstream (empty to disable). |
| `OPENIDC_USER_HEADER_CLAIM` | `sub` | multisite | no | ID token claim to use for the user header (e.g. sub, email, preferred_username). |
| `OPENIDC_DISPLAY_CLAIM` | `preferred_username` | multisite | no | Claim to use for display in logs and metrics (e.g. preferred_username, name, email). Falls back to User Header Claim if not found. |
| `OPENIDC_DISCOVERY_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache discovery data. |
| `OPENIDC_JWKS_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache JWKS data. |
| Setting | Default | Context | Multiple | Description |
| ----------------------------------------- | ---------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_OPENIDC` | `no` | multisite | no | Enable or disable OpenID Connect authentication. |
| `OPENIDC_DISCOVERY` | | multisite | no | OpenID Connect discovery URL (e.g. https://idp.example.com/.well-known/openid-configuration). |
| `OPENIDC_CLIENT_ID` | | multisite | no | OAuth 2.0 client identifier registered with the IdP. |
| `OPENIDC_CLIENT_SECRET` | | multisite | no | OAuth 2.0 client secret registered with the IdP. |
| `OPENIDC_TOKEN_ENDPOINT_AUTH_METHOD` | `basic` | multisite | no | Token endpoint auth method: basic (recommended, HTTP Basic), post (POST body), secret_jwt (JWT with client secret), private_key_jwt (JWT with RSA key). |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY` | | multisite | no | PEM-encoded RSA private key for private_key_jwt authentication. |
| `OPENIDC_CLIENT_RSA_PRIVATE_KEY_ID` | | multisite | no | Optional key ID (kid) for private_key_jwt authentication. |
| `OPENIDC_CLIENT_JWT_ASSERTION_EXPIRES_IN` | | multisite | no | JWT assertion lifetime in seconds (empty to use library default). |
| `OPENIDC_REDIRECT_URI` | `/callback` | multisite | no | URI path where the IdP redirects after authentication. |
| `OPENIDC_SCOPE` | `openid email profile` | multisite | no | Space-separated list of OAuth 2.0 scopes to request. |
| `OPENIDC_AUTHORIZATION_PARAMS` | | multisite | no | Additional authorization params as comma-separated key=value pairs (e.g. audience=api,resource=xyz). URL-encode values if needed. |
| `OPENIDC_USE_NONCE` | `yes` | multisite | no | Use nonce in authentication requests to prevent replay attacks. |
| `OPENIDC_USE_PKCE` | `no` | multisite | no | Use PKCE (Proof Key for Code Exchange) for authorization code flow. |
| `OPENIDC_FORCE_REAUTHORIZE` | `no` | multisite | no | Force re-authorization on every request (not recommended for production). |
| `OPENIDC_REFRESH_SESSION_INTERVAL` | | multisite | no | Interval in seconds to silently re-authenticate (empty to disable). |
| `OPENIDC_IAT_SLACK` | `120` | multisite | no | Allowed clock skew in seconds for token validation. |
| `OPENIDC_ACCESS_TOKEN_EXPIRES_IN` | `3600` | multisite | no | Default access token lifetime (seconds) if not provided by IdP. |
| `OPENIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY` | `yes` | multisite | no | Automatically renew access token using refresh token when expired. |
| `OPENIDC_ACCEPT_UNSUPPORTED_ALG` | `no` | multisite | no | Accept tokens signed with unsupported algorithms (not recommended). |
| `OPENIDC_LOGOUT_PATH` | `/logout` | multisite | no | URI path for logout requests. |
| `OPENIDC_REVOKE_TOKENS_ON_LOGOUT` | `no` | multisite | no | Revoke tokens at the IdP when logging out. |
| `OPENIDC_REDIRECT_AFTER_LOGOUT_URI` | | multisite | no | URI to redirect after logout (leave empty for IdP default). |
| `OPENIDC_POST_LOGOUT_REDIRECT_URI` | | multisite | no | URI to redirect after IdP logout is complete. |
| `OPENIDC_TIMEOUT_CONNECT` | `10000` | multisite | no | Connection timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_SEND` | `10000` | multisite | no | Send timeout in milliseconds for IdP requests. |
| `OPENIDC_TIMEOUT_READ` | `10000` | multisite | no | Read timeout in milliseconds for IdP requests. |
| `OPENIDC_SSL_VERIFY` | `yes` | multisite | no | Verify SSL certificates when communicating with the IdP. |
| `OPENIDC_KEEPALIVE` | `yes` | multisite | no | Enable HTTP keepalive for connections to the IdP. |
| `OPENIDC_HTTP_PROXY` | | multisite | no | HTTP proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_HTTPS_PROXY` | | multisite | no | HTTPS proxy URL for IdP connections (e.g. http://proxy:8080). |
| `OPENIDC_USER_HEADER` | `X-User` | multisite | no | Header to pass user info to upstream (empty to disable). |
| `OPENIDC_USER_HEADER_CLAIM` | `sub` | multisite | no | ID token claim to use for the user header (e.g. sub, email, preferred_username). |
| `OPENIDC_DISPLAY_CLAIM` | `preferred_username` | multisite | no | Claim to use for display in logs and metrics (e.g. preferred_username, name, email). Falls back to User Header Claim if not found. |
| `OPENIDC_DISCOVERY_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache discovery data. |
| `OPENIDC_JWKS_DICT_SIZE` | `1m` | global | no | Size of the shared dictionary to cache JWKS data. |
| `OPENIDC_USE_ACL` | `no` | multisite | no | Enable claim-based access control (ACL) after OIDC authentication. When enabled, only users whose claims match the configured rules will be granted access. |
| `OPENIDC_ACL_MATCH_MODE` | `all` | multisite | no | How multiple ACL rules are evaluated. 'all' means every rule must pass (AND logic). 'any' means at least one rule must pass (OR logic). |
| `OPENIDC_ACL_DENIED_URL` | | multisite | no | URL to redirect to when access is denied by ACL. If empty, returns a 403 Forbidden response. |
| `OPENIDC_ACL_CLAIM` | | multisite | yes | Name of the OIDC claim to check (e.g. groups, email, sub, preferred_username). |
| `OPENIDC_ACL_CLAIM_VALUE` | | multisite | yes | Expected value for the claim. For array claims (e.g. groups), checks if this value is a member. For string claims, checks strict equality. |
## PHP
@ -4377,15 +4521,15 @@ Follow these steps to configure and use the Pro features:
**Q: What happens if my Pro license expires?**
A: If your Pro license expires, access to premium features and plugins will be disabled. However, your BunkerWeb installation will continue to operate with all community edition features intact. To regain access to Pro features, simply renew your license.
**A:** If your Pro license expires, access to premium features and plugins will be disabled. However, your BunkerWeb installation will continue to operate with all community edition features intact. To regain access to Pro features, simply renew your license.
**Q: Will Pro features disrupt my existing configuration?**
A: No, Pro features are designed to integrate seamlessly with your current BunkerWeb setup. They enhance functionality without altering or interfering with your existing configuration, ensuring a smooth and reliable experience.
**A:** No, Pro features are designed to integrate seamlessly with your current BunkerWeb setup. They enhance functionality without altering or interfering with your existing configuration, ensuring a smooth and reliable experience.
**Q: Can I try Pro features before committing to a purchase?**
A: Absolutely! BunkerWeb offers two Pro plans to suit your needs:
**A:** Absolutely! BunkerWeb offers two Pro plans to suit your needs:
- **BunkerWeb PRO Standard:** Full access to Pro features without technical support.
- **BunkerWeb PRO Enterprise:** Full access to Pro features with dedicated technical support.
@ -4777,7 +4921,8 @@ When using Redis or Valkey with BunkerWeb, consider these best practices to ensu
#### Memory Management
- **Monitor memory usage:** Configure Redis with appropriate `maxmemory` settings to prevent out-of-memory errors
- **Set an eviction policy:** Use `maxmemory-policy` (e.g., `volatile-lru` or `allkeys-lru`) appropriate for your use case
- **Set an eviction policy:** Use `maxmemory-policy` (e.g., `volatile-lru` for general use or `allkeys-lru` for cache-heavy workloads) appropriate for your use case
- **All-in-one defaults:** The AIO Docker image ships Redis with `maxmemory=256mb` and `maxmemory-policy=volatile-lru`; override via the `REDIS_MAXMEMORY` and `REDIS_MAXMEMORY_POLICY` environment variables. With `volatile-lru`, transient counters (rate-limit, bad-behavior) are evicted before keys with TTLs that matter for sessions and timed bans, and keys without an expiry (permanent bans) are immune. The same policy is recommended for external Redis or Valkey servers used by BunkerWeb.
- **Avoid large keys:** Ensure individual Redis keys are kept to a reasonable size to prevent performance degradation
#### Data Persistence
@ -4805,20 +4950,21 @@ STREAM support :x:
Regular reporting of important data from BunkerWeb (global, attacks, bans, requests, reasons, AS...). Monitoring pro plugin needed to work.
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------------------ | ------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | global | no | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | global | no | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | global | no | The frequency at which reports are sent. |
| `REPORTING_WEBHOOK_URLS` | | global | no | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | global | no | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | global | no | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | global | no | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | global | no | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | global | no | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | global | no | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | global | no | Determine whether or not to use a secure connection for SMTP. |
| `REPORTING_SMTP_SUBJECT` | `BunkerWeb Report` | global | no | The subject line of the email. |
| Setting | Default | Context | Multiple | Description |
| ------------------------------ | ------------------ | ------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REPORTING_SMTP` | `no` | global | no | Enable sending the report via email. |
| `USE_REPORTING_WEBHOOK` | `no` | global | no | Enable sending the report via webhook. |
| `REPORTING_SCHEDULE` | `weekly` | global | no | The frequency at which reports are sent. |
| `REPORTING_TOP_N` | `3` | global | no | Number of entries shown in 'Top' tables (IPs, AS, reasons, countries, URIs and offenders). Range: 1-50. Values are clamped at runtime; the upstream metric caps at rank 50 per server. |
| `REPORTING_WEBHOOK_URLS` | | global | no | List of webhook URLs to receive the report in Markdown (separated by spaces). |
| `REPORTING_SMTP_EMAILS` | | global | no | List of email addresses to receive the report in HTML format (separated by spaces). |
| `REPORTING_SMTP_HOST` | | global | no | The host server used for SMTP sending. |
| `REPORTING_SMTP_PORT` | `465` | global | no | The port used for SMTP. Please note that there are different standards depending on the type of connection (SSL = 465, TLS = 587). |
| `REPORTING_SMTP_FROM_EMAIL` | | global | no | The email address used as the sender. Note that 2FA must be disabled for this email address. |
| `REPORTING_SMTP_FROM_USER` | | global | no | The user authentication value for sending via the from email address. |
| `REPORTING_SMTP_FROM_PASSWORD` | | global | no | The password authentication value for sending via the from email address. |
| `REPORTING_SMTP_SSL` | `SSL` | global | no | Determine whether or not to use a secure connection for SMTP. |
| `REPORTING_SMTP_SUBJECT` | `BunkerWeb Report` | global | no | The subject line of the email. |
## Reverse proxy
@ -4858,16 +5004,17 @@ Follow these steps to configure and use the Reverse Proxy feature:
- **Protocol Handling:** Support for HTTP, HTTPS, WebSockets, and other protocols
- **Error Interception:** Customize error pages for a consistent user experience
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ------- | --------- | -------- | ---------------------------------------------------------------------------------------- |
| `USE_REVERSE_PROXY` | `no` | multisite | no | **Enable Reverse Proxy:** Set to `yes` to enable reverse proxy functionality. |
| `REVERSE_PROXY_HOST` | | multisite | yes | **Backend Host:** Full URL of the proxied resource (proxy_pass). |
| `REVERSE_PROXY_URL` | `/` | multisite | yes | **Location URL:** Path that will be proxied to the backend server. |
| `REVERSE_PROXY_BUFFERING` | `yes` | multisite | yes | **Response Buffering:** Enable or disable buffering of responses from proxied resource. |
| `REVERSE_PROXY_REQUEST_BUFFERING` | `yes` | multisite | yes | **Request Buffering:** Enable or disable buffering of requests to the proxied resource. |
| `REVERSE_PROXY_KEEPALIVE` | `no` | multisite | yes | **Keep-Alive:** Enable or disable keepalive connections with the proxied resource. |
| `REVERSE_PROXY_CUSTOM_HOST` | | multisite | no | **Custom Host:** Override Host header sent to upstream server. |
| `REVERSE_PROXY_INTERCEPT_ERRORS` | `yes` | multisite | no | **Intercept Errors:** Whether to intercept and rewrite error responses from the backend. |
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_REVERSE_PROXY` | `no` | multisite | no | **Enable Reverse Proxy:** Set to `yes` to enable reverse proxy functionality. |
| `REVERSE_PROXY_HOST` | | multisite | yes | **Backend Host:** Full URL of the proxied resource (proxy_pass). |
| `REVERSE_PROXY_URL` | `/` | multisite | yes | **Location URL:** Path that will be proxied to the backend server. |
| `REVERSE_PROXY_BUFFERING` | `yes` | multisite | yes | **Response Buffering:** Enable or disable buffering of responses from proxied resource. |
| `REVERSE_PROXY_REQUEST_BUFFERING` | `yes` | multisite | yes | **Request Buffering:** Enable or disable buffering of requests to the proxied resource. |
| `REVERSE_PROXY_KEEPALIVE` | `no` | multisite | yes | **Keep-Alive:** Enable or disable keepalive connections with the proxied resource. |
| `REVERSE_PROXY_HTTP_VERSION` | `1.1` | multisite | yes | **HTTP Version:** Protocol version used to talk to the upstream (`1.0`, `1.1`, or `2`). Set to `2` for HTTP/2 multiplexing on the upstream leg. WebSocket locations stay on 1.1 regardless. |
| `REVERSE_PROXY_CUSTOM_HOST` | | multisite | no | **Custom Host:** Override Host header sent to upstream server. |
| `REVERSE_PROXY_INTERCEPT_ERRORS` | `yes` | multisite | no | **Intercept Errors:** Whether to intercept and rewrite error responses from the backend. |
!!! tip "Best Practices"
- Always specify the full URL in `REVERSE_PROXY_HOST` including the protocol (http:// or https://)
@ -5010,14 +5157,20 @@ Follow these steps to configure and use the Reverse Proxy feature:
- **Performance Optimization:** Fine-tune request handling for specific use cases
- **Flexibility:** Adapt to unique application requirements with specialized configurations
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ------- | --------- | -------- | ---------------------------------------------------------------------------- |
| `REVERSE_PROXY_INCLUDES` | | multisite | yes | **Additional Configurations:** Include additional configs in location block. |
| `REVERSE_PROXY_PASS_REQUEST_BODY` | `yes` | multisite | yes | **Pass Request Body:** Enable or disable passing the request body. |
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `REVERSE_PROXY_INCLUDES` | | multisite | yes | **Additional Configurations:** Include additional configs in location block. |
| `REVERSE_PROXY_PASS_REQUEST_BODY` | `yes` | multisite | yes | **Pass Request Body:** Enable or disable passing the request body. |
| `REVERSE_PROXY_MODSECURITY` | `yes` | multisite | yes | **ModSecurity (per location):** Set to `no` to emit `modsecurity off;` in this location — bypasses the WAF on large-upload endpoints to avoid OOM (see note below). |
!!! warning "Security Considerations"
Be careful when including custom configuration snippets as they may override BunkerWeb's security settings or introduce vulnerabilities if not properly configured.
!!! warning "Safety recommendation for large uploads"
ModSecurity buffers the full request body in memory and cannot cap it for multi-GB uploads, which can OOM the worker. If — **and only if** — a reverse-proxy URL is used *exclusively* for file uploads (e.g. a dedicated `/upload` endpoint), set `REVERSE_PROXY_MODSECURITY_N: "no"` on that URL. Do not disable it on mixed-use URLs: you would lose WAF coverage on everything served by that location.
To keep uploads protected after bypassing ModSecurity, pair this with a file-scanning plugin such as [ClamAV](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) or [VirusTotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) — they inspect the uploaded file itself instead of the raw request body.
=== "Caching Configuration"
**Response Caching Settings**
@ -5531,20 +5684,22 @@ Follow these steps to configure and use the Sessions feature:
1. **Configure session security:** Set a strong, unique `SESSIONS_SECRET` to ensure session cookies cannot be forged. (The default value is "random" which triggers BunkerWeb to generate a random secret key.)
2. **Choose a session name:** Optionally customize the `SESSIONS_NAME` to define what your session cookie will be called in the browser. (The default value is "random" which triggers BunkerWeb to generate a random name.)
3. **Set session timeouts:** Configure how long sessions remain valid with the timeout settings (`SESSIONS_IDLING_TIMEOUT`, `SESSIONS_ROLLING_TIMEOUT`, `SESSIONS_ABSOLUTE_TIMEOUT`).
4. **Configure Redis integration:** For distributed environments, set `USE_REDIS` to "yes" and configure your [Redis connection](#redis) to share session data across multiple BunkerWeb nodes.
5. **Let BunkerWeb handle the rest:** Once configured, session management happens automatically for your website.
4. **Share the cookie across subdomains (optional, per-server):** By default the session cookie is host-only. If a given server hosts several subdomains of the same registrable domain (for example `a.example.com` and `b.example.com`) and you want antibot/challenge state to carry over, set `SESSIONS_DOMAIN` to the parent domain (`example.com`) **on that server only**. `SESSIONS_DOMAIN` is a multisite setting, so unrelated tenants on the same BunkerWeb instance never receive a cross-tenant `Domain` attribute.
5. **Configure Redis integration:** For distributed environments, set `USE_REDIS` to "yes" and configure your [Redis connection](#redis) to share session data across multiple BunkerWeb nodes.
6. **Let BunkerWeb handle the rest:** Once configured, session management happens automatically for your website.
### Configuration Settings
| Setting | Default | Context | Multiple | Description |
| --------------------------- | -------- | ------- | -------- | -------------------------------------------------------------------------------------------------------------------------- |
| `SESSIONS_SECRET` | `random` | global | no | **Session Secret:** Cryptographic key used to sign session cookies. Should be a strong, random string unique to your site. |
| `SESSIONS_NAME` | `random` | global | no | **Cookie Name:** The name of the cookie that will store the session identifier. |
| `SESSIONS_IDLING_TIMEOUT` | `1800` | global | no | **Idling Timeout:** Maximum time (in seconds) of inactivity before the session is invalidated. |
| `SESSIONS_ROLLING_TIMEOUT` | `3600` | global | no | **Rolling Timeout:** Maximum time (in seconds) before a session must be renewed. |
| `SESSIONS_ABSOLUTE_TIMEOUT` | `86400` | global | no | **Absolute Timeout:** Maximum time (in seconds) before a session is destroyed regardless of activity. |
| `SESSIONS_CHECK_IP` | `yes` | global | no | **Check IP:** When set to `yes`, destroys the session if the client IP address changes. |
| `SESSIONS_CHECK_USER_AGENT` | `yes` | global | no | **Check User-Agent:** When set to `yes`, destroys the session if the client User-Agent changes. |
| Setting | Default | Context | Multiple | Description |
| --------------------------- | -------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `SESSIONS_SECRET` | `random` | global | no | **Session Secret:** Cryptographic key used to sign session cookies. Should be a strong, random string unique to your site. |
| `SESSIONS_NAME` | `random` | global | no | **Cookie Name:** The name of the cookie that will store the session identifier. |
| `SESSIONS_DOMAIN` | | multisite | no | **Cookie Domain:** Optional `Domain` attribute set on the session cookie (for example `example.com`). Leave empty to keep the cookie hostonly. Set it per-server to share session state (antibot, challenges, …) across sibling subdomains of the same registrable domain. |
| `SESSIONS_IDLING_TIMEOUT` | `1800` | global | no | **Idling Timeout:** Maximum time (in seconds) of inactivity before the session is invalidated. |
| `SESSIONS_ROLLING_TIMEOUT` | `3600` | global | no | **Rolling Timeout:** Maximum time (in seconds) before a session must be renewed. |
| `SESSIONS_ABSOLUTE_TIMEOUT` | `86400` | global | no | **Absolute Timeout:** Maximum time (in seconds) before a session is destroyed regardless of activity. |
| `SESSIONS_CHECK_IP` | `yes` | global | no | **Check IP:** When set to `yes`, destroys the session if the client IP address changes. |
| `SESSIONS_CHECK_USER_AGENT` | `yes` | global | no | **Check User-Agent:** When set to `yes`, destroys the session if the client User-Agent changes. |
!!! warning "Security Considerations"
The `SESSIONS_SECRET` setting is critical for security. In production environments:
@ -5615,6 +5770,39 @@ Follow these steps to configure and use the Sessions feature:
SESSIONS_ABSOLUTE_TIMEOUT: "604800" # 7 days
```
=== "Cross-subdomain Sessions (single tenant)"
Share the session cookie across every subdomain of `example.com` so antibot/challenge state is solved once for the whole site:
```yaml
SERVER_NAME: "app.example.com api.example.com shop.example.com"
SESSIONS_SECRET: "your-strong-random-secret-key-here"
SESSIONS_NAME: "crossdomainsession"
# SESSIONS_DOMAIN is a multisite setting: prefix with the server name so it only applies to matching hosts
app.example.com_SESSIONS_DOMAIN: "example.com"
api.example.com_SESSIONS_DOMAIN: "example.com"
shop.example.com_SESSIONS_DOMAIN: "example.com"
USE_ANTIBOT: "turnstile"
```
=== "Cross-subdomain Sessions (mixed tenants)"
When the same BunkerWeb instance hosts multiple unrelated registrable domains, scope `SESSIONS_DOMAIN` only to the servers that should share it. Unset servers keep the default host-only cookie so tenants stay isolated:
```yaml
SERVER_NAME: "app.example.com api.example.com billing.acme.org www.unrelated.io"
SESSIONS_SECRET: "your-strong-random-secret-key-here"
SESSIONS_NAME: "tenantsession"
# Share the cookie across example.com subdomains only
app.example.com_SESSIONS_DOMAIN: "example.com"
api.example.com_SESSIONS_DOMAIN: "example.com"
# billing.acme.org and www.unrelated.io are intentionally left as host-only
USE_ANTIBOT: "turnstile"
```
!!! note
`SESSIONS_DOMAIN` must always be a parent of the server it is applied to — for example `example.com` is valid for both `example.com` and any `*.example.com` host, and a leading dot (`.example.com`) is tolerated for legacy compatibility. Setting it to an unrelated registrable domain will cause browsers to reject the cookie.
## SSL
STREAM support :white_check_mark:
@ -5722,33 +5910,40 @@ Integrate easily the BunkerWeb UI.
## UI Single Sign-On <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#ui-single-sign-on-pro) documentation.
STREAM support :x:
Enable SSO authentication for the BunkerWeb web interface by reading headers set by upstream authentication proxies (Authentik, Authelia, Keycloak, Traefik Forward Auth, etc.)
| Setting | Default | Context | Multiple | Description |
| ----------------------------- | ------------------- | ------- | -------- | ------------------------------------------------------------------------------------------------ |
| `USE_UI_SSO` | `no` | global | no | Enable or disable UI Single Sign-On authentication for the web interface |
| `UI_SSO_HEADER_USERNAME` | `X-User` | global | no | HTTP header containing the authenticated username |
| `UI_SSO_HEADER_EMAIL` | `X-Email` | global | no | HTTP header containing the user's email address |
| `UI_SSO_HEADER_GROUPS` | `X-Groups` | global | no | HTTP header containing the user's groups (comma or space separated) |
| `UI_SSO_HEADER_NAME` | `X-Name` | global | no | HTTP header containing the user's display name |
| `UI_SSO_TRUSTED_IPS` | `127.0.0.1,::1` | global | no | Comma-separated list of trusted IP addresses or CIDR ranges that are allowed to send SSO headers |
| `UI_SSO_AUTO_CREATE_USERS` | `yes` | global | no | Automatically create new users when they authenticate via SSO for the first time |
| `UI_SSO_DEFAULT_ROLE` | `reader` | global | no | Default role assigned to new SSO users when no group mapping matches |
| `UI_SSO_GROUP_ADMIN` | | global | no | Group name that grants admin role (highest priority) |
| `UI_SSO_GROUP_WRITER` | | global | no | Group name that grants writer role |
| `UI_SSO_GROUP_READER` | | global | no | Group name that grants reader role |
| `UI_SSO_FALLBACK_TO_LOGIN` | `yes` | global | no | Allow users to fall back to normal login when SSO headers are not present |
| `UI_SSO_UPDATE_USER_ON_LOGIN` | `yes` | global | no | Update user information (email, role) from SSO headers on each login |
| `UI_SSO_ACCOUNT_LINKING` | `username_or_email` | global | no | How to match incoming SSO users to local accounts |
| `UI_SSO_LOGOUT_REDIRECT_URL` | | global | no | URL to redirect users to after logout (e.g., SSO provider logout endpoint) |
| Setting | Default | Context | Multiple | Description |
| --------------------------------- | ------------------- | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `USE_UI_SSO` | `no` | global | no | Enable or disable UI Single Sign-On authentication for the web interface |
| `UI_SSO_PROVIDER` | `custom` | global | no | Select your SSO provider to auto-configure headers and group parsing. Use 'Custom' for manual header configuration. |
| `UI_SSO_HEADER_USERNAME` | `X-User` | global | no | HTTP header containing the authenticated username |
| `UI_SSO_HEADER_EMAIL` | `X-Email` | global | no | HTTP header containing the user's email address |
| `UI_SSO_HEADER_GROUPS` | `X-Groups` | global | no | HTTP header containing the user's groups (comma or space separated) |
| `UI_SSO_HEADER_NAME` | `X-Name` | global | no | HTTP header containing the user's display name |
| `UI_SSO_TRUSTED_IPS` | `127.0.0.1,::1` | global | no | Comma-separated list of trusted IP addresses or CIDR ranges that are allowed to send SSO headers |
| `UI_SSO_AUTO_CREATE_USERS` | `yes` | global | no | Automatically create new users when they authenticate via SSO for the first time |
| `UI_SSO_DEFAULT_ROLE` | `reader` | global | no | Default role assigned to new SSO users when no group mapping matches |
| `UI_SSO_GROUP_ADMIN` | | global | no | Group name that grants admin role (highest priority) |
| `UI_SSO_GROUP_WRITER` | | global | no | Group name that grants writer role |
| `UI_SSO_GROUP_READER` | | global | no | Group name that grants reader role |
| `UI_SSO_FALLBACK_TO_LOGIN` | `yes` | global | no | Allow users to fall back to normal login when SSO headers are not present |
| `UI_SSO_UPDATE_USER_ON_LOGIN` | `yes` | global | no | Update user information (email) from SSO headers on each login |
| `UI_SSO_SYNC_ROLES` | `no` | global | no | Synchronize user roles from SSO group mappings on each login when the groups header is present and at least one group mapping is configured |
| `UI_SSO_SYNC_ROLES_PROTECT_ADMIN` | `yes` | global | no | Prevent SSO role sync from downgrading users who currently have the admin role |
| `UI_SSO_ACCOUNT_LINKING` | `username_or_email` | global | no | How to match incoming SSO users to local accounts |
| `UI_SSO_LOGOUT_REDIRECT_URL` | | global | no | URL to redirect users to after logout (e.g., SSO provider logout endpoint) |
## User Manager <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
<p align='center'><iframe style='display: block;' width='560' height='315' data-src='https://www.youtube-nocookie.com/embed/EIohiUf9Fg4' title='User Manager' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>
For a more detailed guide, see the [advanced usages](advanced.md#user-manager-pro) documentation.
STREAM support :x:
Add the possibility to manage users on the web interface
@ -5946,3 +6141,16 @@ Example files that match the expected format:
(?:^|\s)FriendlyScanner(?:\s|$)
TrustedMonitor/\d+\.\d+
```
## Wildcard <img src='../assets/img/pro-icon.svg' alt='crown pro icon' height='24px' width='24px' style='transform : translateY(3px);'> (PRO)
For a more detailed guide, see the [advanced usages](advanced.md#wildcard-pro) documentation.
STREAM support :x:
Adds wildcard server_name support (*.domain) for services.
| Setting | Default | Context | Multiple | Description |
| -------------- | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------- |
| `USE_WILDCARD` | `no` | multisite | no | Enable wildcard server_name for this service (adds *.domain for the first domain in SERVER_NAME). |

965
docs/fr/advanced.md
View file

File diff suppressed because it is too large Load diff

10
docs/fr/api.md
View file

@ -41,7 +41,7 @@ Choisissez la saveur adaptée à votre environnement.
services:
bunkerweb:
# Nom utilisé par le scheduler pour identifier linstance
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ Choisissez la saveur adaptée à votre environnement.
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Assurez-vous de mettre le bon nom dinstance
@ -76,7 +76,7 @@ Choisissez la saveur adaptée à votre environnement.
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.9
image: bunkerity/bunkerweb-api:1.6.10
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -108,7 +108,7 @@ Choisissez la saveur adaptée à votre environnement.
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -143,7 +143,7 @@ Choisissez la saveur adaptée à votre environnement.
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
=== "Linux"

4
docs/fr/concepts.md
View file

@ -105,7 +105,7 @@ Veuillez noter que le mode multisite est implicite lors de l'utilisation de l'in
!!! info "Aller plus loin"
Vous trouverez des exemples concrets du mode multisite dans la section [Utilisations avancées](advanced.md) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt.
Vous trouverez des exemples concrets du mode multisite dans la section [Utilisations avancées](advanced.md) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) du dépôt.
## Configurations personnalisées {#custom-configurations}
@ -126,7 +126,7 @@ La gestion des configurations personnalisées à partir de l'interface utilisate
!!! info "Aller plus loin"
Vous trouverez des exemples concrets de configurations personnalisées dans la section [Utilisations avancées](advanced.md#custom-configurations) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt.
Vous trouverez des exemples concrets de configurations personnalisées dans la section [Utilisations avancées](advanced.md#custom-configurations) de la documentation et dans le répertoire [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) du dépôt.
## Base de données

1636
docs/fr/features.md
View file

File diff suppressed because it is too large Load diff

229
docs/fr/integrations.md
View file

@ -350,7 +350,7 @@ services:
- "traefik.http.routers.service1.entrypoints=websecure"
- "traefik.http.routers.service1.tls.certresolver=myresolver"
- "traefik.http.services.service1.loadbalancer.server.port=8080"
- "traefik.http.routers.service1.middlewares=security-headers"
- "traefik.http.routers.service1.middlewares=security-headers,compress"
api-service:
image: your-api:latest
@ -360,7 +360,7 @@ services:
- "traefik.http.routers.api.entrypoints=websecure"
- "traefik.http.routers.api.tls.certresolver=myresolver"
- "traefik.http.services.api.loadbalancer.server.port=3000"
- "traefik.http.routers.api.middlewares=security-headers,rate-limit"
- "traefik.http.routers.api.middlewares=security-headers,rate-limit,compress"
```
**Configuration dynamique (dynamic.yml) :**
@ -385,6 +385,9 @@ http:
burst: 100
average: 50
compress:
compress: {}
routers:
service1:
rule: "Host(`exemple.com`)"
@ -393,6 +396,7 @@ http:
certResolver: "myresolver"
middlewares:
- "security-headers"
- "compress"
api:
rule: "Host(`api.exemple.com`)"
@ -402,6 +406,7 @@ http:
middlewares:
- "security-headers"
- "rate-limit"
- "compress"
services:
service1:
@ -421,6 +426,8 @@ http:
interval: "30s"
```
Si le middleware est défini dans `dynamic.yml`, la modification du fichier suffit généralement car Traefik recharge automatiquement les changements du file provider. Si le middleware est défini via des labels Docker, il faut recréer le conteneur concerné pour que Docker expose les nouveaux labels à Traefik.
</details>
##### Apache
@ -1268,7 +1275,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Par défaut, le conteneur expose :
@ -1283,7 +1290,7 @@ Un volume nommé (ou un bind mount) est nécessaire pour conserver la base SQLit
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
volumes:
- bw-storage:/data
@ -1340,7 +1347,8 @@ L'image tout-en-un est livrée avec plusieurs services intégrés, qui peuvent
- `AUTOCONF_MODE=no` (par défaut) - Active le service autoconf
- `USE_REDIS=yes` (par défaut) : active l' [ instance](#redis-integration) Redis intégrée
- `USE_CROWDSEC=no` (par défaut) - [ L'intégration CrowdSec](#crowdsec-integration) est désactivée par défaut
- `HIDE_SERVICE_LOGS=` (optionnel) - Liste de services séparés par des virgules à masquer dans les logs du conteneur. Valeurs acceptées : `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`. Les fichiers sous `/var/log/bunkerweb/<service>.log` continuent d'être alimentés.
- `HIDE_SERVICE_LOGS=` (optionnel) - Liste de services séparés par des virgules à masquer dans les logs du conteneur. Valeurs acceptées : `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`.
- **Journalisation** : L'image tout-en-un diffuse stdout et stderr de chaque service vers la sortie du conteneur. Utilisez `docker logs bunkerweb-aio` (ou votre pilote de journalisation de conteneur préféré) pour consulter les logs et gérer leur rotation. L'image n'écrit pas de fichiers de log sur disque pour ses services Python.
### Intégration de l'API
@ -1361,7 +1369,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Configuration recommandée (derrière BunkerWeb) — ne publiez pas `8888`; utilisez plutôt un proxy inverse :
@ -1369,7 +1377,7 @@ Configuration recommandée (derrière BunkerWeb) — ne publiez pas `8888`; u
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1425,6 +1433,10 @@ L'image **BunkerWeb All-In-One** inclut Redis prêt à l'emploi pour la [persist
- Il écoute sur l'interface loopback du conteneur; il est donc accessible depuis les processus du conteneur, mais pas depuis d'autres conteneurs ni l'hôte.
- Ne redéfinissez `REDIS_HOST` que si vous disposez d'un point de terminaison Redis/Valkey externe, autrement l'instance embarquée ne sera pas lancée.
- Pour désactiver Redis complètement, définissez `USE_REDIS=no`.
- **Précédence de configuration (important) :** le Redis embarqué est lancé depuis `/var/lib/bunkerweb/redis-runtime.conf`, généré au démarrage en copiant `/etc/redis.conf` puis en ajoutant des valeurs par défaut tirées de l'environnement **uniquement pour les directives sur lesquelles la conf reste muette**. Un fichier `/etc/redis.conf` monté l'emporte donc toujours ; les variables d'environnement ci-dessous ne servent qu'à combler les manques.
- **Réglage mémoire :** les valeurs par défaut suivent les [bonnes pratiques Redis](features.md#redis-best-practices) — `maxmemory 256mb` et `maxmemory-policy volatile-lru`. Surchargez via `REDIS_MAXMEMORY` et `REDIS_MAXMEMORY_POLICY` lorsque la conf ne les fixe pas.
- **Surcharges de persistance :** `REDIS_APPENDONLY=yes|no` bascule l'AOF (défaut `yes`) ; les snapshots RDB se configurent avec `REDIS_SAVE` et, en option, `REDIS_SAVE_0`, `REDIS_SAVE_1`, … chacune fournissant une paire `save <secondes> <modifications>` (ex. `REDIS_SAVE_0="900 1"`, `REDIS_SAVE_1="300 10"`). Dès qu'une de ces variables est définie, elles remplacent les valeurs par défaut intégrées `900 1 / 300 10 / 60 10000` ; une chaîne vide produit `save ""` et désactive le RDB. Ignoré dès que la conf déclare elle-même `save`.
- **Authentification :** lorsque `REDIS_PASSWORD` est défini et que la conf ne contient pas déjà `requirepass`, le Redis embarqué est lancé avec `requirepass`, ce qui maintient la cohérence entre client et serveur BunkerWeb. Le serveur embarqué ne prend en charge que l'utilisateur par défaut — ne définissez `REDIS_USERNAME` que pour cibler un Redis externe avec des ACLs.
- Les journaux Redis apparaissent avec le préfixe `[REDIS]` dans les journaux Docker et dans `/var/log/bunkerweb/redis.log`.
### Intégration CrowdSec {#crowdsec-integration}
@ -1441,7 +1453,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* Lorsque `USE_CROWDSEC=yes`, le point d'entrée :
@ -1496,7 +1508,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
!!! info "Comment ça marche en interne"
@ -1517,7 +1529,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Notes :
@ -1553,7 +1565,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* **L'enregistrement local** est ignoré lorsque n' `CROWDSEC_API` est pas `127.0.0.1` ou `localhost`.
@ -1587,13 +1599,13 @@ En accédant à ces images prédéfinies à partir de Docker Hub, vous pouvez ra
Que vous effectuiez des tests, développiez des applications ou déployiez BunkerWeb en production, l'option de conteneurisation Docker offre flexibilité et facilité d'utilisation. L'adoption de cette méthode vous permet de tirer pleinement parti des fonctionnalités de BunkerWeb tout en tirant parti des avantages de la technologie Docker.
```shell
docker pull bunkerity/bunkerweb:1.6.9
docker pull bunkerity/bunkerweb:1.6.10
```
Les images Docker sont également disponibles sur [les packages GitHub](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) et peuvent être téléchargées à l'aide de l'adresse du `ghcr.io` dépôt :
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
docker pull ghcr.io/bunkerity/bunkerweb:1.6.10
```
Les concepts clés de l'intégration Docker sont les suivants :
@ -1603,7 +1615,7 @@ Les concepts clés de l'intégration Docker sont les suivants :
- **Réseaux**: Les réseaux Docker jouent un rôle essentiel dans l'intégration de BunkerWeb. Ces réseaux ont deux objectifs principaux : exposer les ports aux clients et se connecter aux services Web en amont. En exposant les ports, BunkerWeb peut accepter les demandes entrantes des clients, leur permettant d'accéder aux services Web protégés. De plus, en se connectant aux services Web en amont, BunkerWeb peut acheminer et gérer efficacement le trafic, offrant ainsi une sécurité et des performances améliorées.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez SQLite comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, d'autres backends de base de données sont également pris en charge. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez SQLite comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, d'autres backends de base de données sont également pris en charge. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) du dépôt.
### Variables d'environnement
@ -1613,7 +1625,7 @@ Les paramètres sont transmis au Scheduler à l'aide de variables d'environnemen
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1657,7 +1669,7 @@ Cela garantit que les paramètres sensibles sont tenus à l'écart de l'environn
Le [Scheduler](concepts.md#scheduler) s'exécute dans son propre conteneur, qui est également disponible sur Docker Hub :
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.9
docker pull bunkerity/bunkerweb-scheduler:1.6.10
```
!!! info "Paramètres BunkerWeb"
@ -1678,7 +1690,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
environment:
# Paramètres API pour le conteneur BunkerWeb
<<: *bw-api-env
@ -1687,7 +1699,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
# Paramètres API pour le conteneur Scheduler
<<: *bw-api-env
@ -1705,7 +1717,7 @@ Un volume est nécessaire pour stocker la base de données SQLite et les sauvega
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- bw-storage:/data
...
@ -1785,14 +1797,14 @@ Le Scheduler est le worker du plan de contrôle qui lit les paramètres, rend le
##### Logging
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------- | -------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Niveau de log de base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | `stderr`/`file`/`syslog` séparés par espaces | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Activer le log fichier et définir le chemin par défaut | `yes` ou `no` | `no` |
| `LOG_FILE_PATH` | Chemin de log personnalisé (utilisé quand `LOG_TYPES` inclut `file`) | Chemin de fichier | `/var/log/bunkerweb/scheduler.log` avec `SCHEDULER_LOG_TO_FILE=yes`, sinon unset |
| `LOG_SYSLOG_ADDRESS` | Cible syslog (`udp://host:514`, `tcp://host:514`, ou chemin de socket) | Host:port, hôte préfixé protocole ou socket | unset |
| `LOG_SYSLOG_TAG` | Ident/tag syslog | Chaîne | `bw-scheduler` |
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | --------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Niveau de log de base / override | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | `stderr`/`file`/`syslog` séparés par espaces | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Option historique de compatibilité : lorsqu'elle est définie, `LOG_FILE_PATH` prend par défaut la valeur `/var/log/bunkerweb/scheduler.log` si `LOG_TYPES` inclut `file` et que vous n'avez pas défini `LOG_FILE_PATH` explicitement. | `yes` ou `no` | `no` |
| `LOG_FILE_PATH` | Chemin de log personnalisé (utilisé quand `LOG_TYPES` inclut `file`) | Chemin de fichier | `/var/log/bunkerweb/scheduler.log` quand `LOG_TYPES` contient `file`, sinon unset |
| `LOG_SYSLOG_ADDRESS` | Cible syslog (`udp://host:514`, `tcp://host:514`, ou chemin de socket) | Host:port, hôte préfixé protocole ou socket | unset |
| `LOG_SYSLOG_TAG` | Ident/tag syslog | Chaîne | `bw-scheduler` |
### Paramètres du conteneur UI
@ -1851,7 +1863,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1864,7 +1876,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1897,7 +1909,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1910,7 +1922,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
depends_on:
- bunkerweb
environment:
@ -1963,7 +1975,7 @@ Les distributions Linux prises en charge par BunkerWeb (architectures amd64/x86_
- Debian 13 "Trixie"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 42 et 43
- Fedora 42, 43 et 44
- Red Hat Enterprise Linux (RHEL) 8, 9 et 10
### Script d'installation facile
@ -1976,8 +1988,8 @@ Pour commencer, téléchargez le script d'installation et sa somme de contrôle,
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -2008,7 +2020,24 @@ Le script d'installation facile est un outil puissant conçu pour rationaliser l
#### Installation interactive
Lorsqu'il est exécuté sans aucune option, le script passe en mode interactif qui vous guide tout au long du processus d'installation. Il vous sera demandé de faire les choix suivants :
Lorsqu'il est exécuté sans aucune option, le script passe en mode interactif qui vous guide tout au long du processus d'installation. Le flux interactif utilise une TUI en ligne via [gum](https://github.com/charmbracelet/gum) — menus à flèches avec curseur `` et champs de mot de passe masqués.
!!! info "gum est récupéré de façon éphémère au premier lancement interactif"
L'installateur télécharge gum la première fois qu'une invite interactive est nécessaire et l'exécute depuis un répertoire temporaire pendant la durée du script — **rien n'est installé à l'échelle du système** :
- Télécharge le binaire `gum_${VERSION}_${ARCH}.tar.gz` officiel depuis la [release GitHub](https://github.com/charmbracelet/gum/releases) via HTTPS (TLS 1.2+, refuse les redirections HTTP, timeout connexion 10 s / total 30 s).
- Vérifie l'archive contre un **SHA256 épinglé dans ce script** (le point de confiance local — la somme de contrôle du script lui-même et celle du binaire gum doivent toutes deux correspondre).
- Si `cosign` est installé : vérifie également le `checksums.txt` amont contre l'identité OIDC GitHub-Actions de Charm (`https://github.com/charmbracelet/gum/...`) en défense en profondeur, et croise-vérifie que le hash épinglé correspond à la valeur publiée par Charm pour cette archive.
- Extrait le binaire dans un répertoire temporaire exécutable (`/var/tmp/bw-gum.XXXXXX` par défaut ; `/tmp`, `$XDG_RUNTIME_DIR` ou `$HOME/.cache` quand `/var/tmp` est monté `noexec`).
- Ajoute le répertoire temporaire au `PATH` pour la durée du script et le supprime à la sortie (via un trap `EXIT`, même en cas d'échec sous `set -e` ou de signal).
**Ce qui reste sur le disque après la fin de l'installateur :** rien. Pas de `/etc/apt/sources.list.d/charm.list`, pas de clé GPG dans `apt`/`rpm`, pas de binaire `gum` dans `/usr/bin`/`/usr/local/bin`, aucune entrée de paquet. L'installateur n'enregistre jamais de source apt ou dnf tierce.
Si gum ne peut pas être téléchargé — hôte hors réseau, panne réseau, somme SHA256 incorrecte — l'installateur utilise un `whiptail` déjà présent sur le système (souvent préinstallé sur les images cloud Debian/Ubuntu via le paquet `newt`). À défaut, il bascule sur les **invites en texte brut**.
Passez `--no-tui` (ou définissez `BW_INSTALL_TUI=no`) pour ignorer tous les niveaux de TUI, ou `--tui` pour abandonner si aucune TUI ne peut s'afficher. **Installations isolées (air-gapped)** : combinez `--no-tui` avec `--yes` et les drapeaux `--*` / variables `*_INPUT` appropriés ; aucun appel réseau n'est effectué pour la couche TUI.
Il vous sera demandé de faire les choix suivants :
1. **Type d'installation**: sélectionnez les composants que vous souhaitez installer.
* **Full Stack (par défaut)**: une installation tout-en-un comprenant BunkerWeb, le Scheduler et l'interface utilisateur Web.
@ -2033,12 +2062,14 @@ Pour les configurations non interactives ou automatisées, le script peut être
| Option | Description |
| ----------------------- | -------------------------------------------------------------------------------------------------------- |
| `-v, --version VERSION` | Spécifie la version de BunkerWeb à installer (par exemple, `1.6.9`). |
| `-v, --version VERSION` | Spécifie la version de BunkerWeb à installer (par exemple, `1.6.10`). |
| `-w, --enable-wizard` | Active l'assistant de configuration. |
| `-n, --no-wizard` | Désactive l'assistant d'installation. |
| `--api`, `--enable-api` | Active le service API (FastAPI) systemd (désactivé par défaut). |
| `--no-api` | Désactive explicitement le service API. |
| `-y, --yes` | S'exécute en mode non interactif en utilisant les réponses par défaut pour toutes les invites. |
| `--tui` | Force une TUI (gum ou whiptail). Échec immédiat si aucune des deux ne peut être installée. |
| `--no-tui` | Désactive toutes les couches de TUI et utilise les invites en texte brut. Équivaut à `BW_INSTALL_TUI=no`. |
| `-f, --force` | Force l'installation à se poursuivre même sur une version du système d'exploitation non prise en charge. |
| `-q, --quiet` | Installation silencieuse (suppression de la sortie). |
| `-h, --help` | Affiche le message d'aide avec toutes les options disponibles. |
@ -2053,7 +2084,7 @@ Pour les configurations non interactives ou automatisées, le script peut être
| `--worker` | Installe uniquement l'instance BunkerWeb. |
| `--scheduler-only` | Installe uniquement le composant Scheduler. |
| `--ui-only` | Installe uniquement le composant Interface utilisateur Web. |
| `--api-only` | Installe uniquement le service API (port 8000). |
| `--api-only` | Installe uniquement le service API (port 8888). |
**Intégrations de sécurité :**
@ -2098,7 +2129,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# Install a specific version
sudo ./install-bunkerweb.sh --version 1.6.9
sudo ./install-bunkerweb.sh --version 1.6.10
# Manager setup with remote worker instances (instances required)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2142,7 +2173,7 @@ sudo ./install-bunkerweb.sh --dry-run
**Disponibilité du service API :**
- Le service API externe (port 8000) est disponible pour les types d'installation `--full` et `--manager`
- Le service API externe (port 8888) est disponible pour les types d'installation `--full` et `--manager`
- Il n'est pas disponible pour les installations `--worker`, `--scheduler-only` ou `--ui-only`
- Utilisez `--api-only` pour une installation dédiée du service API
@ -2203,7 +2234,7 @@ En fonction de vos choix lors de l'installation :
### Installation à l'aide du gestionnaire de paquets
Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerWeb**. Pour toutes les distributions, il est obligatoire d'utiliser des paquets préconstruits à partir du [dépôt officiel NGINX](https://nginx.org/en/linux_packages.html). La compilation de NGINX à partir des sources ou l'utilisation de paquets provenant de différents dépôts ne fonctionnera pas avec les paquets officiels préconstruits de BunkerWeb. Cependant, vous avez la possibilité de construire BunkerWeb à partir des sources.
Veuillez vous assurer que **NGINX 1.30.1 est installé avant d'installer BunkerWeb**. Pour toutes les distributions, il est obligatoire d'utiliser des paquets préconstruits à partir du [dépôt officiel NGINX](https://nginx.org/en/linux_packages.html). La compilation de NGINX à partir des sources ou l'utilisation de paquets provenant de différents dépôts ne fonctionnera pas avec les paquets officiels préconstruits de BunkerWeb. Cependant, vous avez la possibilité de construire BunkerWeb à partir des sources.
=== "Debian Bookworm/Trixie"
@ -2218,11 +2249,11 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Vous devriez maintenant pouvoir installer NGINX 1.28.2 :
Vous devriez maintenant pouvoir installer NGINX 1.30.1 :
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Version testing/dev"
@ -2239,12 +2270,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.9 :
Et enfin, installez BunkerWeb 1.6.10 :
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -2266,11 +2297,11 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
| sudo tee /etc/apt/sources.list.d/nginx.list
```
Vous devriez maintenant pouvoir installer NGINX 1.28.2 :
Vous devriez maintenant pouvoir installer NGINX 1.30.1 :
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Version testing/dev"
@ -2287,12 +2318,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.9 :
Et enfin, installez BunkerWeb 1.6.10 :
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -2310,10 +2341,10 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora fournit déjà NGINX 1.28.2, que nous prenons en charge
Fedora fournit déjà NGINX 1.30.1, que nous prenons en charge
```shell
sudo dnf install -y --allowerasing nginx-1.28.2
sudo dnf install -y --allowerasing nginx-1.30.1
```
!!! example "Désactiver l'assistant d'installation"
@ -2323,12 +2354,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Et enfin, installez BunkerWeb 1.6.9 :
Et enfin, installez BunkerWeb 1.6.10 :
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -2360,10 +2391,10 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
module_hotfixes=true
```
Vous devriez maintenant pouvoir installer NGINX 1.28.2 :
Vous devriez maintenant pouvoir installer NGINX 1.30.1 :
```shell
sudo dnf install --allowerasing nginx-1.28.2
sudo dnf install --allowerasing nginx-1.30.1
```
!!! example "Désactiver l'assistant d'installation"
@ -2373,12 +2404,12 @@ Veuillez vous assurer que **NGINX 1.28.2 est installé avant d'installer BunkerW
export UI_WIZARD=no
```
Enfin, installez BunkerWeb 1.6.9 :
Enfin, installez BunkerWeb 1.6.10 :
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
Pour empêcher la mise à jour des paquets NGINX et/ou BunkerWeb lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -2471,7 +2502,7 @@ En adoptant cette approche, vous pouvez profiter d'une reconfiguration en temps
L'intégration de Docker autoconf implique l'utilisation du **mode multisite**. Pour plus d'informations, reportez-vous à la [section multisite](concepts.md#multisite-mode) de la documentation.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) du dépôt.
Pour activer les mises à jour automatiques de la configuration, incluez un conteneur supplémentaire appelé `bw-autoconf` dans la pile. Ce conteneur héberge le service autoconf, qui gère les modifications de configuration dynamiques pour BunkerWeb.
@ -2485,7 +2516,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2500,7 +2531,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2515,7 +2546,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bunkerweb
- bw-docker
@ -2594,16 +2625,17 @@ Le contrôleur `bw-autoconf` surveille votre orchestrateur et écrit les changem
##### Mode & runtime
| Setting | Description | Valeurs acceptées | Défaut |
| ------------------------- | --------------------------------------------------------------- | ----------------------------------- | ------------------------------------- |
| `AUTOCONF_MODE` | Activer le contrôleur autoconf | `yes` ou `no` | `no` |
| `SWARM_MODE` | Surveiller les services Swarm au lieu des conteneurs Docker | `yes` ou `no` | `no` |
| `KUBERNETES_MODE` | Surveiller les ingress/pods Kubernetes au lieu de Docker | `yes` ou `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Utiliser le contrôleur Gateway API pour Kubernetes | `yes` ou `no` | `no` |
| `DOCKER_HOST` | Socket Docker / URL API distante | ex. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Secondes entre les vérifications de disponibilité des instances | Secondes entières | `5` |
| `LOG_SYSLOG_TAG` | Tag syslog pour les logs autoconf | Chaîne | `bw-autoconf` |
| `TZ` | Fuseau horaire pour les logs autoconf et les horodatages | Nom de base TZ (ex. `Europe/Paris`) | unset (défaut conteneur, souvent UTC) |
| Setting | Description | Valeurs acceptées | Défaut |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------------------------------------- |
| `AUTOCONF_MODE` | Activer le contrôleur autoconf | `yes` ou `no` | `no` |
| `SWARM_MODE` | Surveiller les services Swarm au lieu des conteneurs Docker | `yes` ou `no` | `no` |
| `KUBERNETES_MODE` | Surveiller les ingress/pods Kubernetes au lieu de Docker | `yes` ou `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Utiliser le contrôleur Gateway API pour Kubernetes | `yes` ou `no` | `no` |
| `DOCKER_HOST` | Socket Docker / URL API distante | ex. `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Secondes entre les vérifications de disponibilité des instances | Secondes entières | `5` |
| `AUTOCONF_DISABLE_CLEANUP` | Lorsque défini à `yes`, les services et configurations personnalisées retirés de l'orchestrateur sont convertis en brouillon (draft) au lieu d'être supprimés, afin de survivre aux suppressions transitoires et de pouvoir être supprimés depuis l'interface Web. | `yes` ou `no` | `no` |
| `LOG_SYSLOG_TAG` | Tag syslog pour les logs autoconf | Chaîne | `bw-autoconf` |
| `TZ` | Fuseau horaire pour les logs autoconf et les horodatages | Nom de base TZ (ex. `Europe/Paris`) | unset (défaut conteneur, souvent UTC) |
##### Base de données & validation
@ -2669,6 +2701,27 @@ networks:
name: bw-services
```
#### Conserver les services en brouillon à la suppression {#autoconf-disable-cleanup}
Par défaut, lorsqu'un conteneur, service Swarm ou Ingress géré par autoconf disparaît de l'orchestrateur, sa ligne de service BunkerWeb (et toutes les configurations personnalisées associées) est immédiatement supprimée de la base de données partagée. Ce comportement est destructif : une suppression transitoire ne se distingue pas d'un démontage volontaire, et restaurer le service impose de refaire la définition de zéro.
Définir `AUTOCONF_DISABLE_CLEANUP=yes` sur le conteneur `bw-autoconf` modifie ce comportement :
- Les services retirés de l'orchestrateur passent à `is_draft = true` au lieu d'être supprimés. Leurs lignes `services_settings`, configurations personnalisées et caches de jobs sont conservés.
- Les services en brouillon sont exclus de la configuration NGINX rendue (ils ne sont pas servis), donc retirer l'objet orchestrateur met bien le site hors ligne — seul l'état est préservé.
- Si le même service est à nouveau enregistré par autoconf (même nom de serveur / host d'Ingress), il est automatiquement repassé en ligne et republié ; les configurations personnalisées existantes sont réutilisées.
- Tant qu'un service est dans cet état «&nbsp;brouillon autoconf&nbsp;», il peut être supprimé depuis la page **Services** de l'interface Web — habituellement les services autoconf ne sont pas supprimables depuis l'UI, mais le bouton **Supprimer** s'active pour les services autoconf en brouillon afin de nettoyer les entrées obsolètes. Les services autoconf en ligne restent non supprimables depuis l'UI.
```yaml
services:
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
AUTOCONF_MODE: "yes"
AUTOCONF_DISABLE_CLEANUP: "yes" # garder les services supprimés en brouillon
DATABASE_URI: "mariadb+pymysql://bunkerweb:secret@bw-db:3306/db"
```
### Espaces de noms {#namespaces}
À partir de la version `1.6.0`, les piles Autoconf de BunkerWeb supportent désormais les espaces de noms. Cette fonctionnalité vous permet de gérer plusieurs «* clusters *» d'instances et de services BunkerWeb sur le même hôte Docker. Pour tirer parti des espaces de noms, il vous suffit de définir l' `NAMESPACE` étiquette sur vos services. Voici un exemple :
@ -2698,13 +2751,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Définir l'espace de noms pour l'instance BunkerWeb afin que le service autoconf puisse la détecter
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Écouter uniquement ces espaces de noms
@ -2755,7 +2808,7 @@ Pour une configuration optimale, il est recommandé de définir BunkerWeb en tan
Compte tenu de la présence de plusieurs instances BunkerWeb, il est nécessaire d'établir un magasin de données partagé implémenté en tant que [ service Redis](https://redis.io/) ou [Valkey](https://valkey.io/). Ce service sera utilisé par les instances pour mettre en cache et partager des données entre elles. Vous trouverez de plus amples informations sur les paramètres Redis/Valkey [ici](features.md#redis).
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) du dépôt.
La configuration des backends de base de données en cluster est hors du périmètre de cette documentation.
@ -2870,7 +2923,7 @@ Le **controller BunkerWeb** découvre automatiquement les pods avec sidecars Bun
```yaml
controller:
enabled: true
tag: "1.6.9"
tag: "1.6.10"
```
2. Pour chaque sidecar, ajoutez :
@ -2963,7 +3016,7 @@ Dans votre fichier `values.yaml` du chart BunkerWeb, configurez la variable d'en
```yaml
scheduler:
tag: "1.6.9"
tag: "1.6.10"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3005,7 +3058,7 @@ spec:
# Sidecar BunkerWeb
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- containerPort: 8080 # Port HTTP exposé
- containerPort: 5000 # API interne (obligatoire)
@ -3249,7 +3302,7 @@ Pour ajouter une nouvelle application protégée par BunkerWeb :
#### Fichiers YAML complets
Au lieu d'utiliser la charte Helm, vous pouvez également utiliser les modèles YAML dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du référentiel GitHub. Veuillez noter que nous vous recommandons vivement d'utiliser le tableau de barre à la place.
Au lieu d'utiliser la charte Helm, vous pouvez également utiliser les modèles YAML dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) du référentiel GitHub. Veuillez noter que nous vous recommandons vivement d'utiliser le tableau de barre à la place.
### Ressources d'entrée
@ -3397,7 +3450,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3571,11 +3624,11 @@ service:
# BunkerWeb settings
bunkerweb:
tag: 1.6.9
tag: 1.6.10
# Scheduler settings
scheduler:
tag: 1.6.9
tag: 1.6.10
extraEnvs:
# Enable real IP module to get real IP of clients
- name: USE_REAL_IP
@ -3583,11 +3636,11 @@ scheduler:
# Controller settings
controller:
tag: 1.6.9
tag: 1.6.10
# UI settings
ui:
tag: 1.6.9
tag: 1.6.10
```
Installez BunkerWeb avec des valeurs personnalisées :
@ -4208,7 +4261,7 @@ Pour une configuration optimale, il est recommandé de planifier le **service Bu
En ce qui concerne le volume de la base de données, la documentation ne spécifie pas d'approche spécifique. Le choix d'un dossier partagé ou d'un pilote spécifique pour le volume de base de données dépend de votre cas d'utilisation unique et est laissé à la disposition du lecteur.
!!! info "Backend de base de données"
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) du dépôt.
Veuillez noter que nos instructions supposent que vous utilisez MariaDB comme backend de base de données par défaut, tel que configuré par le `DATABASE_URI` paramètre. Cependant, nous comprenons que vous préférerez peut-être utiliser d'autres backends pour votre intégration Docker. Si c'est le cas, soyez assuré que d'autres backends de base de données sont toujours possibles. Pour plus d'informations, consultez les fichiers docker-compose dans le [dossier misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) du dépôt.
La configuration des backends de base de données en cluster est hors du périmètre de cette documentation.
@ -4222,7 +4275,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -4251,7 +4304,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Mandatory label for the autoconf service to identify the BunkerWeb instance
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -4272,7 +4325,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database
@ -4424,7 +4477,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
deploy:
mode: global
@ -4436,7 +4489,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
...

12
docs/fr/plugins.md
View file

@ -89,7 +89,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ La première étape consiste à installer le plugin en plaçant ses fichiers dan
!!! tip "Plugins existants"
Si la documentation n'est pas suffisante, vous pouvez consulter le code source existant des [plugins officiels](https://github.com/bunkerity/bunkerweb-plugins) et des [plugins core](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (déjà inclus dans BunkerWeb mais ce sont des plugins, techniquement parlant).
Si la documentation n'est pas suffisante, vous pouvez consulter le code source existant des [plugins officiels](https://github.com/bunkerity/bunkerweb-plugins) et des [plugins core](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/common/core) (déjà inclus dans BunkerWeb mais ce sont des plugins, techniquement parlant).
À quoi ressemble la structure d'un plugin :
```
@ -560,7 +560,7 @@ end
!!! tip "Plus d'exemples"
Si vous souhaitez voir la liste complète des fonctions disponibles, vous pouvez consulter les fichiers présents dans le [répertoire lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) du dépôt.
Si vous souhaitez voir la liste complète des fonctions disponibles, vous pouvez consulter les fichiers présents dans le [répertoire lua](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/bw/lua/bunkerweb) du dépôt.
### Emplois

45
docs/fr/quickstart-guide.md
View file

@ -18,7 +18,7 @@ Ce guide de démarrage rapide vous aidera à installer rapidement BunkerWeb et
Protéger les applications web existantes déjà accessibles avec le protocole HTTP(S) est l'objectif principal de BunkerWeb : il agira comme un [proxy inverse classique](https://en.wikipedia.org/wiki/Reverse_proxy) avec des fonctionnalités de sécurité supplémentaires.
Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) du dépôt pour obtenir des exemples concrets.
Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) du dépôt pour obtenir des exemples concrets.
## Configuration de base
@ -33,7 +33,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Par défaut, le conteneur expose :
@ -51,8 +51,8 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -68,10 +68,13 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
#### Points forts d'Easy Install
- Détecte votre distribution Linux et l'architecture CPU en amont et avertit si vous sortez de la matrice supportée avant toute modification.
- Le flux interactif vous laisse choisir le profil d'installation (full stack, manager, worker, etc.) ; le mode manager expose toujours l'API sur `0.0.0.0`, désactive l'assistant et demande l'IP à autoriser (passez-la avec `--manager-ip` en mode non interactif), tandis que le mode worker exige les IP du manager pour sa liste blanche.
- Les invites interactives utilisent une TUI en ligne via [gum](https://github.com/charmbracelet/gum) — menus à flèches avec curseur ``, champs de mot de passe masqués. À la première exécution interactive, le script télécharge le binaire `gum` officiel depuis la [release GitHub](https://github.com/charmbracelet/gum/releases) (SHA256 épinglé, signature cosign vérifiée si cosign est installé), l'exécute depuis un répertoire temporaire et supprime ce répertoire à la fin du script — **aucun paquet système n'est installé, aucune source apt/dnf n'est ajoutée, aucun binaire ne reste sur le système**. Si gum ne peut pas être obtenu, l'installateur utilise un `whiptail` déjà présent sur le système ; à défaut, il utilise des invites en texte brut.
- Deux drapeaux contrôlent la TUI : `--no-tui` (ou `BW_INSTALL_TUI=no`) saute tous les niveaux de TUI et utilise les invites en texte brut ; `--tui` exige une TUI fonctionnelle et abandonne si gum ne peut pas être récupéré et qu'aucun whiptail existant n'est disponible.
- Lorsque l'installateur est lancé en pipe (`curl … | bash`) ou que stdin n'est pas un TTY, il sort avec une erreur claire au lieu d'accepter silencieusement chaque valeur par défaut. Utilisez `--yes` avec les drapeaux `--*` / variables d'environnement `*_INPUT` appropriés pour les installations non interactives.
- Le flux interactif vous laisse choisir le profil d'installation (Full Stack, Manager, Worker, etc.) ; le mode Manager lie l'écouteur de l'API interne à `0.0.0.0`, désactive l'assistant et demande l'IP à autoriser (passez-la avec `--manager-ip` en mode non interactif), tandis que le mode Worker exige les IP du Manager pour sa liste blanche.
- Les installations Manager peuvent toujours décider si le service Web UI doit démarrer, même si l'assistant reste désactivé.
- Le récapitulatif indique si le service FastAPI sera lancé, ce qui vous permet de l'activer ou de le désactiver volontairement via `--api` / `--no-api`.
- Les options CrowdSec ne sont disponibles que pour les installations full stack ; les modes manager/worker les ignorent automatiquement pour se concentrer sur le pilotage distant.
- CrowdSec est proposé en mode interactif uniquement pour les installations Full Stack. En CLI, `--crowdsec` et `--crowdsec-appsec` sont valides pour Full Stack et Manager ; les modes Worker, Scheduler-only, UI-only et API-only les refusent.
Pour des méthodes d'installation avancées (gestionnaire de paquets, types d'installation, options non interactives, intégration CrowdSec, etc.), consultez l'[intégration Linux](integrations.md#linux).
@ -90,7 +93,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +106,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -120,7 +123,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-env
restart: "unless-stopped"
@ -148,7 +151,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -187,7 +190,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +206,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +224,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bw-docker
environment:
@ -244,7 +247,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -273,7 +276,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -339,7 +342,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -369,7 +372,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +390,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +419,7 @@ Consultez le [dossier examples](https://github.com/bunkerity/bunkerweb/tree/v1.6
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -638,7 +641,7 @@ Vous pouvez maintenant vous connecter avec le compte administrateur que vous ave
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Include any other existing environment variables for UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Votre conteneur d'application (`myapp`) et le conteneur `bunkerweb-aio` doivent être sur le même réseau Docker pour que BunkerWeb puisse y accéder en utilisant le nom d'hôte `myapp`.
@ -660,7 +663,7 @@ Vous pouvez maintenant vous connecter avec le compte administrateur que vous ave
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (all other relevant environment variables as shown in the main example above) ...
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Assurez-vous de remplacer `myapp` par le nom réel ou l'adresse IP de votre conteneur d'application et `http://myapp:8080` par son adresse et son port corrects.

41
docs/fr/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -82,6 +82,9 @@
Si la vérification de la somme échoue, **n'exécutez pas le script** — il pourrait être dangereux.
!!! tip "Interface de mise à niveau interactive"
Le flux de mise à niveau utilise la même TUI que les nouvelles installations : invites en ligne avec [gum](https://github.com/charmbracelet/gum), avec un repli sur les boîtes de dialogue `whiptail` puis sur les invites en texte brut si gum ne peut pas être obtenu. Le binaire `gum` est téléchargé depuis la [release GitHub](https://github.com/charmbracelet/gum/releases) officielle (SHA256 épinglé, signature cosign vérifiée si cosign est installé) et exécuté depuis un répertoire temporaire supprimé à la fin du script — aucun paquet système n'est installé et aucune source apt/dnf n'est ajoutée. Passez `--no-tui` (ou définissez `BW_INSTALL_TUI=no`) pour ignorer toutes les couches de TUI, ou `--tui` pour exiger une TUI fonctionnelle. Pour des mises à niveau entièrement automatisées, passez `-y` / `--yes` avec les drapeaux pertinents — les invocations en pipe (`curl … | bash`) s'arrêtent avec une erreur claire au lieu d'accepter silencieusement chaque valeur par défaut. **Mises à niveau hors réseau (air-gapped)** : combinez `--no-tui --yes` pour qu'aucun appel réseau ne soit fait pour la couche TUI.
* **Comment ça marche** :
Le même script d'installation polyvalent utilisé pour les nouvelles installations peut également effectuer une mise à niveau sur place. Lorsqu'il détecte une installation existante et une version cible différente, il passe en mode mise à niveau et applique le flux de travail suivant :
@ -132,6 +135,8 @@
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `-v, --version <X.Y.Z>` | Ciblez la version de BunkerWeb à mettre à niveau. |
| `-y, --yes` | Non interactif (suppose la confirmation de la mise à niveau et active la sauvegarde automatique, sauf si `--no-auto-backup`). |
| `--tui` | Force une TUI (gum ou whiptail). Abandonne si aucune des deux ne peut être installée. |
| `--no-tui` | Ignore toutes les couches de TUI et utilise les invites en texte brut. Équivaut à `BW_INSTALL_TUI=no`. |
| `--backup-dir <PATH>` | Destination de la sauvegarde automatique de pré-mise à niveau. Créé s'il est manquant. |
| `--no-auto-backup` | Ignorez la sauvegarde automatique (NON recommandé). Vous devez disposer d'une sauvegarde manuelle. |
| `-q, --quiet` | Suppression de la sortie (combinée avec l'enregistrement/la surveillance). |
@ -141,20 +146,20 @@
Exemples:
```bash
# Upgrade to 1.6.9 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.9
# Upgrade to 1.6.10 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.10
# Non-interactive upgrade with automatic backup to custom directory
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.10 --backup-dir /var/backups/bw-2025-01 -y
# Silent unattended upgrade (logs suppressed) relies on default auto-backup
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
sudo ./install-bunkerweb.sh -v 1.6.10 -y -q
# Perform a dry run (plan) without applying changes
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.10 --dry-run
# Upgrade skipping automatic backup (NOT recommended)
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.10 --no-auto-backup -y
```
!!! warning "Sauter les sauvegardes"
@ -234,7 +239,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -260,7 +265,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :
@ -657,16 +662,16 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -701,7 +706,7 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `apt upgrade`, vous pouvez utiliser la commande suivante :
@ -727,7 +732,7 @@ Nous avons ajouté une fonctionnalité d**'espace de noms** aux intégrations au
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
Pour empêcher le paquet BunkerWeb d'être mis à niveau lors de l'exécution de `dnf upgrade`, vous pouvez utiliser la commande suivante :

14
docs/fr/web-ui.md
View file

@ -35,7 +35,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
Utilisez les images publiées et le layout du [guide de démarrage rapide](quickstart-guide.md#__tabbed_1_3) pour monter la stack, puis terminez la configuration dans le navigateur.
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.10-rc1/misc/integrations/docker-compose.yml up -d
```
Ouvrez le nom dhôte du scheduler (par ex. `https://www.example.com/changeme`) et lancez lassistant `/setup` pour configurer lUI, le scheduler et linstance.
@ -52,7 +52,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -165,7 +165,7 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
```
Les codes de récupération sont affichés une seule fois dans lUI ; perdre les clés de chiffrement supprime les secrets TOTP stockés.
- Sessions: durée par défaut 12 h (`SESSION_LIFETIME_HOURS`). Sessions liées à lIP et au User-Agent ; `CHECK_PRIVATE_IP=no` relâche le contrôle dIP pour les plages privées uniquement. `ALWAYS_REMEMBER=yes` force les cookies persistants.
- Sessions: durée dinactivité par défaut 12 h (`SESSION_LIFETIME_HOURS`), rafraîchie à chaque requête. Un plafond absolu est imposé par `SESSION_ABSOLUTE_HOURS` (par défaut `168` = 7 jours) — au-delà, les utilisateurs sont déconnectés quelle que soit leur activité. Rotation optionnelle de lidentifiant de session (`SESSION_ROLLING_HOURS`, par défaut `0` = désactivée) régénère le SID à cet intervalle. Sessions liées à lIP et au User-Agent ; `CHECK_PRIVATE_IP=no` relâche le contrôle dIP pour les plages privées uniquement. `ALWAYS_REMEMBER=yes` force les cookies persistants.
- Pensez à régler `PROXY_NUMBERS` si plusieurs proxies ajoutent des `X-Forwarded-*`.
## Sources de configuration et priorité
@ -205,7 +205,9 @@ LUI attend que le scheduler/lAPI BunkerWeb/le redis/la base soient accessi
| `FLASK_SECRET` | Secret de signature de session (persisté dans `/var/lib/bunkerweb/.flask_secret`) | Chaîne hex/base64/opacité | généré automatiquement |
| `TOTP_ENCRYPTION_KEYS` (`TOTP_SECRETS`) | Clés de chiffrement TOTP (espaces ou map JSON) | Chaînes / JSON | générées si absent |
| `BISCUIT_PUBLIC_KEY`, `BISCUIT_PRIVATE_KEY` | Clés Biscuit (hex) pour générer des tokens UI | Chaînes hex | auto-générées et stockées |
| `SESSION_LIFETIME_HOURS` | Durée de session | Nombre (heures) | `12` |
| `SESSION_LIFETIME_HOURS` | Durée dinactivité de session (TTL glissante, rafraîchie à chaque requête) | Nombre (heures) | `12` |
| `SESSION_ABSOLUTE_HOURS` | Plafond absolu de session indépendant de lactivité | Nombre (heures) | `168` |
| `SESSION_ROLLING_HOURS` | Intervalle de rotation du SID (`0` désactive la rotation) | Nombre (heures) | `0` |
| `ALWAYS_REMEMBER` | Toujours activer le cookie “remember me” | `yes` ou `no` | `no` |
| `CHECK_PRIVATE_IP` | Lier la session à lIP (relâchement sur plages privées si `no`) | `yes` ou `no` | `yes` |
| `PROXY_NUMBERS` | Nombre de sauts proxy à faire confiance pour `X-Forwarded-*` | Entier | `1` |

169
docs/hooks/llmstxt.py Normal file
View file

@ -0,0 +1,169 @@
"""MkDocs hook to generate llms.txt and llms-full.txt for AI agent consumption."""
from logging import getLogger
from pathlib import Path
from re import DOTALL, MULTILINE, compile as re_compile, split
log = getLogger("mkdocs.hooks.llmstxt")
SITE_NAME = "BunkerWeb documentation"
DESCRIPTION = (
"BunkerWeb is a next-generation, open-source Web Application Firewall (WAF). "
"Based on NGINX under the hood, it protects web services to make them secure "
"by default. It integrates seamlessly into existing environments (Linux, Docker, "
"Swarm, Kubernetes) as a reverse proxy and is fully configurable via environment "
"variables or an awesome web UI. "
"Source: https://github.com/bunkerity/bunkerweb"
)
SECTIONS = {
"Getting Started": {
"index.md": "Introduction and overview of BunkerWeb",
"concepts.md": "Core concepts — multisite, settings contexts, security modes",
"quickstart-guide.md": "Quick start guide for first-time setup",
},
"Integration Guides": {
"integrations.md": "Docker, Kubernetes, Swarm, Linux, and Ansible setup",
},
"Configuration Reference": {
"features.md": "Complete settings reference — all plugins, all options",
},
"Advanced Usage": {
"advanced.md": "Custom configs, headers, ModSecurity, PHP, streaming, and more",
},
"Web UI & API": {
"web-ui.md": "Web UI usage guide",
"api.md": "REST API documentation",
},
"Plugin System": {
"plugins.md": "Writing and using external plugins",
},
"Operations": {
"upgrading.md": "Version migration and upgrade guides",
"troubleshooting.md": "Common issues and solutions",
},
}
# Patterns to strip from markdown content for LLM consumption.
# These operate OUTSIDE fenced code blocks only (see _clean_markdown).
_STRIP_PATTERNS = [
re_compile(r"<figure[^>]*>.*?</figure>", DOTALL),
re_compile(r"<iframe[^>]*>.*?</iframe>", DOTALL),
re_compile(r"<img[^>]*>"),
]
# Image markdown: preserve alt text as [Image: description]
_IMAGE_RE = re_compile(r"!\[([^\]]*)\]\([^)]*\)(\{[^}]*\})?")
_COLLAPSE_BLANK_LINES = re_compile(r"\n{3,}")
# Convert relative .md links to absolute URLs
_RELATIVE_LINK_RE = re_compile(r"\]\((?!http)([a-zA-Z][^)]*?)\.md(#[^)]*?)?\)")
def _clean_markdown(content, base_url):
"""Remove images, iframes, and HTML blocks from markdown content.
Processes only text outside fenced code blocks to avoid corrupting code examples.
"""
# Split on fenced code block boundaries (``` or ~~~)
parts = split(r"(^```.*?^```|^~~~.*?^~~~)", content, flags=MULTILINE | DOTALL)
cleaned_parts = []
for i, part in enumerate(parts):
if i % 2 == 1:
# Inside a fenced code block — keep as-is
cleaned_parts.append(part)
else:
# Outside code blocks — apply stripping
for pattern in _STRIP_PATTERNS:
part = pattern.sub("", part)
# Preserve image alt text
part = _IMAGE_RE.sub(lambda m: f"[Image: {m.group(1)}]" if m.group(1) else "", part)
# Convert relative .md links to absolute
if base_url:
part = _RELATIVE_LINK_RE.sub(
lambda m: f"]({base_url}/{m.group(1).replace('.md', '')}/{m.group(2) or ''})",
part,
)
cleaned_parts.append(part)
return _COLLAPSE_BLANK_LINES.sub("\n\n", "".join(cleaned_parts)).strip()
def _get_page_title(content):
"""Extract the first H1 title from markdown content."""
for line in content.split("\n"):
if line.startswith("# "):
return line[2:].strip()
return None
def on_post_build(config, **kwargs):
"""Generate llms.txt and llms-full.txt after the build completes."""
site_dir = Path(config["site_dir"])
base_url = (config.get("site_url") or "").rstrip("/")
# Always read from the project-root docs/ directory (English source),
# not config["docs_dir"] which the i18n plugin changes per locale.
config_file = config.get("config_file_path")
if config_file:
docs_dir = Path(config_file).parent / "docs"
else:
docs_dir = Path(config["docs_dir"])
# Build llms.txt index
lines = [f"# {SITE_NAME}\n"]
lines.append(f"> {DESCRIPTION}\n")
# Build llms-full.txt content
full_parts = [f"# {SITE_NAME}\n"]
full_parts.append(f"> {DESCRIPTION}\n")
for section_name, pages in SECTIONS.items():
lines.append(f"## {section_name}\n")
full_section_parts = []
for filename, description in pages.items():
src_path = docs_dir / filename
if not src_path.exists():
log.warning("llmstxt: Source file '%s' not found. Skipping.", filename)
continue
content = src_path.read_text(encoding="utf-8")
title = _get_page_title(content) or filename.replace(".md", "").replace("-", " ").title()
# Page URL: filename without .md extension becomes directory/
page_slug = filename.replace(".md", "")
if page_slug == "index":
md_url = f"{base_url}/index.md"
else:
md_url = f"{base_url}/{page_slug}/index.md"
lines.append(f"- [{title}]({md_url}): {description}")
# Clean content for full output
cleaned = _clean_markdown(content, base_url)
full_section_parts.append(cleaned)
# Write per-page .md companion file next to the HTML output
if page_slug == "index":
companion_path = site_dir / "index.md"
else:
companion_dir = site_dir / page_slug
companion_dir.mkdir(parents=True, exist_ok=True)
companion_path = companion_dir / "index.md"
companion_path.write_text(cleaned, encoding="utf-8")
lines.append("")
full_parts.append(f"# {section_name}\n")
full_parts.append("\n\n".join(full_section_parts))
full_parts.append("")
# Write llms.txt
llms_txt = site_dir / "llms.txt"
llms_txt.write_text("\n".join(lines), encoding="utf-8")
log.info("llmstxt: Generated %s", llms_txt)
# Write llms-full.txt
llms_full = site_dir / "llms-full.txt"
llms_full.write_text("\n".join(full_parts), encoding="utf-8")
log.info("llmstxt: Generated %s (%dKB)", llms_full, llms_full.stat().st_size // 1024)

356
docs/integrations.md
View file

@ -350,7 +350,7 @@ services:
- "traefik.http.routers.service1.entrypoints=websecure"
- "traefik.http.routers.service1.tls.certresolver=myresolver"
- "traefik.http.services.service1.loadbalancer.server.port=8080"
- "traefik.http.routers.service1.middlewares=security-headers"
- "traefik.http.routers.service1.middlewares=security-headers,compress"
api-service:
image: your-api:latest
@ -360,7 +360,7 @@ services:
- "traefik.http.routers.api.entrypoints=websecure"
- "traefik.http.routers.api.tls.certresolver=myresolver"
- "traefik.http.services.api.loadbalancer.server.port=3000"
- "traefik.http.routers.api.middlewares=security-headers,rate-limit"
- "traefik.http.routers.api.middlewares=security-headers,rate-limit,compress"
```
**Dynamic configuration (dynamic.yml):**
@ -385,6 +385,9 @@ http:
burst: 100
average: 50
compress:
compress: {}
routers:
service1:
rule: "Host(`example.com`)"
@ -393,6 +396,7 @@ http:
certResolver: "myresolver"
middlewares:
- "security-headers"
- "compress"
api:
rule: "Host(`api.example.com`)"
@ -402,6 +406,7 @@ http:
middlewares:
- "security-headers"
- "rate-limit"
- "compress"
services:
service1:
@ -421,6 +426,8 @@ http:
interval: "30s"
```
If you define the middleware in `dynamic.yml`, updating the file is generally enough because Traefik reloads file-provider changes automatically. If you define the middleware through Docker labels, you must recreate the affected container for Docker to expose the updated labels to Traefik.
</details>
##### Apache
@ -1268,7 +1275,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
By default, the container exposes:
@ -1283,18 +1290,19 @@ The All-In-One image comes with several built-in services, which can be controll
- `SERVICE_UI=yes` (default) - Enables the web UI service
- `SERVICE_SCHEDULER=yes` (default) - Enables the Scheduler service
- `SERVICE_API=no` (default) - Enables the API service (FastAPI control plane)
- `SERVICE_API=no` (default) - Disables the API service (FastAPI control plane)
- `AUTOCONF_MODE=no` (default) - Enables the autoconf service
- `USE_REDIS=yes` (default) - Enables the built-in [Redis](#redis-integration) instance
- `USE_CROWDSEC=no` (default) - [CrowdSec](#crowdsec-integration) integration is disabled by default
- `HIDE_SERVICE_LOGS=` (optional) - Comma-separated list of services to silence in container logs. Accepted values: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`. Logs still reach `/var/log/bunkerweb/<service>.log`.
- `HIDE_SERVICE_LOGS=` (optional) - Comma-separated list of services to silence in container logs. Accepted values: `api`, `autoconf`, `bunkerweb`, `crowdsec`, `redis`, `scheduler`, `ui`, `nginx.access`, `nginx.error`, `modsec`.
- **Logging**: The all-in-one image streams every service's stdout and stderr to the container output. Use `docker logs bunkerweb-aio` (or your preferred container logging driver) to view and rotate logs — the image does not write on-disk log files for its Python services.
A named volume (or bind mount) is required to persist the SQLite database, cache, and backups stored under `/data` inside the container:
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1366,7 +1374,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Recommended (behind BunkerWeb) — do not publish `8888`; reverseproxy it instead:
@ -1374,7 +1382,7 @@ Recommended (behind BunkerWeb) — do not publish `8888`; reverseproxy it ins
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1430,6 +1438,10 @@ The BunkerWeb **All-In-One** image includes Redis out-of-the-box for the [persis
- It listens on the container loopback interface, so it is available to processes inside the container but not from other containers or the host.
- Override `REDIS_HOST` only when you have an external Redis/Valkey endpoint to connect to—doing so prevents the embedded instance from launching.
- To disable Redis entirely, set `USE_REDIS=no`.
- **Config precedence (important):** the embedded Redis is launched from `/var/lib/bunkerweb/redis-runtime.conf`, built at boot by copying `/etc/redis.conf` and appending env-driven defaults **only for directives the conf file is silent about**. A mounted custom `/etc/redis.conf` therefore always wins; the env vars below only fill the gaps.
- **Memory tuning:** out-of-the-box defaults follow the [Redis Best Practices](features.md#redis-best-practices) — `maxmemory 256mb` and `maxmemory-policy volatile-lru`. Override via `REDIS_MAXMEMORY` and `REDIS_MAXMEMORY_POLICY` when the conf does not pin them.
- **Persistence overrides:** `REDIS_APPENDONLY=yes|no` toggles AOF (default `yes`); RDB snapshots are configured with `REDIS_SAVE` plus optional `REDIS_SAVE_0`, `REDIS_SAVE_1`, … each providing one `save <seconds> <changes>` pair (e.g. `REDIS_SAVE_0="900 1"`, `REDIS_SAVE_1="300 10"`). Setting any of these env vars replaces the built-in `900 1 / 300 10 / 60 10000` default set; an empty value emits `save ""`, disabling RDB. Ignored when the conf already declares `save` itself.
- **Authentication:** when `REDIS_PASSWORD` is set and the conf does not already define `requirepass`, the embedded Redis is launched with `requirepass` so the BunkerWeb client and server stay in sync. The embedded server only supports the default user — set `REDIS_USERNAME` only when pointing at an external Redis with ACLs.
- Redis logs appear with the `[REDIS]` prefix in Docker logs and in `/var/log/bunkerweb/redis.log`.
### CrowdSec Integration {#crowdsec-integration}
@ -1446,7 +1458,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* When `USE_CROWDSEC=yes`, the entrypoint will:
@ -1501,7 +1513,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
!!! info "How it works internally"
@ -1523,7 +1535,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Notes:
@ -1559,7 +1571,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* **Local registration** is skipped when `CROWDSEC_API` is not `127.0.0.1` or `localhost`.
@ -1593,13 +1605,13 @@ By accessing these prebuilt images from Docker Hub, you can quickly pull and run
Whether you're conducting tests, developing applications, or deploying BunkerWeb in production, the Docker containerization option provides flexibility and ease of use. Embracing this method empowers you to take full advantage of BunkerWeb's features while leveraging the benefits of Docker technology.
```shell
docker pull bunkerity/bunkerweb:1.6.9
docker pull bunkerity/bunkerweb:1.6.10
```
Docker images are also available on [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) and can be downloaded using the `ghcr.io` repository address:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
docker pull ghcr.io/bunkerity/bunkerweb:1.6.10
```
Key concepts for Docker integration include:
@ -1609,7 +1621,7 @@ Key concepts for Docker integration include:
- **Networks**: Docker networks play a vital role in the integration of BunkerWeb. These networks serve two main purposes: exposing ports to clients and connecting to upstream web services. By exposing ports, BunkerWeb can accept incoming requests from clients, allowing them to access the protected web services. Additionally, by connecting to upstream web services, BunkerWeb can efficiently route and manage traffic, providing enhanced security and performance.
!!! info "Database backend"
Please note that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, other database backends are also supported. See the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
Please note that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, other database backends are also supported. See the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) of the repository for more information.
### Environment variables
@ -1619,7 +1631,7 @@ Settings are passed to the Scheduler using Docker environment variables:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1663,7 +1675,7 @@ This ensures sensitive settings are kept out of the environment and logs.
The [scheduler](concepts.md#scheduler) runs in its own container, which is also available on Docker Hub:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.9
docker pull bunkerity/bunkerweb-scheduler:1.6.10
```
!!! info "BunkerWeb settings"
@ -1684,7 +1696,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
environment:
# This will set the API settings for the BunkerWeb container
<<: *bw-api-env
@ -1693,7 +1705,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
# This will set the API settings for the Scheduler container
<<: *bw-api-env
@ -1711,7 +1723,7 @@ A volume is needed to store the SQLite database and backups used by the schedule
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- bw-storage:/data
...
@ -1791,14 +1803,14 @@ The scheduler is the control-plane worker that reads settings, renders configs,
##### Logging
| Setting | Description | Accepted values | Default |
| ------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------- | ------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Base/override log level | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | Space-separated `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Enable file logging and default path | `yes` or `no` | `no` |
| `LOG_FILE_PATH` | Custom log file path (used when `LOG_TYPES` includes file) | File path | `/var/log/bunkerweb/scheduler.log` when `SCHEDULER_LOG_TO_FILE=yes`, else unset |
| `LOG_SYSLOG_ADDRESS` | Syslog target (`udp://host:514`, `tcp://host:514`, or socket path) | Host:port, proto-prefixed host, or socket path | unset |
| `LOG_SYSLOG_TAG` | Syslog ident/tag | String | `bw-scheduler` |
| Setting | Description | Accepted values | Default |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | Base/override log level | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | Destinations | Space-separated `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | Legacy convenience: when set, `LOG_FILE_PATH` defaults to `/var/log/bunkerweb/scheduler.log` if `LOG_TYPES` includes `file` and you didn't set `LOG_FILE_PATH` explicitly. | `yes`/`no` | `no` |
| `LOG_FILE_PATH` | Custom log file path (used when `LOG_TYPES` includes `file`) | File path | `/var/log/bunkerweb/scheduler.log` when `LOG_TYPES` contains `file`, else unset |
| `LOG_SYSLOG_ADDRESS` | Syslog target (`udp://host:514`, `tcp://host:514`, or socket path) | Host:port, proto-prefixed host, or socket path | unset |
| `LOG_SYSLOG_TAG` | Syslog ident/tag | String | `bw-scheduler` |
### UI container settings
@ -1857,7 +1869,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1870,7 +1882,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # This setting is mandatory to specify the BunkerWeb instance
@ -1903,7 +1915,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1916,7 +1928,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
depends_on:
- bunkerweb
environment:
@ -1969,7 +1981,7 @@ Supported Linux distributions for BunkerWeb (amd64/x86_64 and arm64/aarch64 arch
- Debian 13 "Trixie"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 42 and 43
- Fedora 42, 43 and 44
- Red Hat Enterprise Linux (RHEL) 8, 9 and 10
### Easy installation script
@ -1982,8 +1994,8 @@ To get started, download the installation script and its checksum, then verify t
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -2005,8 +2017,8 @@ sudo ./install-bunkerweb.sh
The easy install script is a powerful tool designed to streamline the setup of BunkerWeb on a fresh Linux system. It automates the following key steps:
1. **System Analysis**: Detects your operating system and verifies it against the list of supported distributions.
2. **Installation Customization**: In interactive mode, it prompts you to choose an installation type (All-In-One, Manager, Worker, etc.) and decide whether to enable the web-based setup wizard.
3. **Optional Integrations**: Offers to automatically install and configure the [CrowdSec Security Engine](#crowdsec-integration-with-the-script) and Redis/Valkey for shared cache/session data.
2. **Installation Customization**: In interactive mode, it prompts you to choose an installation type (Full Stack, Manager, Worker, etc.) and decide whether to enable the web-based setup wizard when the selected mode supports it.
3. **Optional Integrations**: Offers to automatically install and configure the [CrowdSec Security Engine](#crowdsec-integration-with-the-script) and Redis/Valkey when they are compatible with the selected installation type.
4. **Dependency Management**: Installs the correct version of NGINX required by BunkerWeb from official sources and locks the version to prevent unintended upgrades.
5. **BunkerWeb Installation**: Adds the BunkerWeb package repository, installs the necessary packages, and locks the version.
6. **Service Configuration**: Sets up and enables the `systemd` services corresponding to your chosen installation type.
@ -2014,7 +2026,26 @@ The easy install script is a powerful tool designed to streamline the setup of B
#### Interactive Installation
When run without any options, the script enters an interactive mode that guides you through the setup process. You will be asked to make the following choices:
When run without any options, the script enters an interactive mode that guides you through the setup process. The interactive flow uses an inline TUI — arrow-key menus with a `` cursor and masked password fields — provided by [gum](https://github.com/charmbracelet/gum) (Charmbracelet, MIT, ~5 MB static binary).
!!! info "gum is fetched ephemerally on first interactive run"
The installer fetches gum the first time it needs an interactive prompt and runs it from a tempdir for the duration of the script — **nothing is installed system-wide**:
- Downloads the official `gum_${VERSION}_${ARCH}.tar.gz` from the [GitHub release](https://github.com/charmbracelet/gum/releases) over HTTPS (TLS 1.2+, refuses HTTP redirects, connect-timeout 10 s / total-timeout 30 s).
- Verifies the tarball against a **SHA256 pinned in this script** (the local trust anchor — both the script's own checksum and the gum binary must match).
- If `cosign` is installed: also verifies the upstream `checksums.txt` against Charm's GitHub-Actions OIDC identity (`https://github.com/charmbracelet/gum/...`) as defense-in-depth, and cross-checks that the pinned hash is the value Charm published for this exact tarball.
- Extracts the binary into an exec-capable tempdir (`/var/tmp/bw-gum.XXXXXX` by default; `/tmp`, `$XDG_RUNTIME_DIR`, or `$HOME/.cache` when `/var/tmp` is mounted `noexec`).
- Adds the tempdir to `PATH` for the rest of the run and removes it on script exit (via an `EXIT` trap, even on `set -e` failures or signals).
**What stays on disk after the installer exits:** nothing. No `/etc/apt/sources.list.d/charm.list`, no GPG key in `apt`/`rpm`, no `gum` binary in `/usr/bin`/`/usr/local/bin`, no package-db entry. The installer never registers a third-party apt or dnf source.
If gum cannot be downloaded — air-gapped host, network failure, SHA256 mismatch — the installer uses any `whiptail` already present on the system (commonly preinstalled on Debian/Ubuntu cloud images via the `newt` package). If neither gum nor whiptail is available, it falls back to **plain text prompts**.
Pass `--no-tui` (or set `BW_INSTALL_TUI=no`) to skip every TUI tier, or `--tui` to abort if no TUI tier can render. **Air-gapped installs**: pass `--no-tui` together with `--yes` and the relevant `--*` flags / `*_INPUT` env vars; no network call is made for the TUI layer.
If the installer is piped (`curl … | bash`) or stdin is otherwise not a TTY, it exits with a clear error rather than falling through every default — use `--yes` together with the appropriate `--*` flags for non-interactive installs in that case.
You will be asked to make the following choices:
1. **Installation Type**: Select the components you want to install.
* **Full Stack (default)**: An all-in-one installation including BunkerWeb, the Scheduler, and the Web UI.
@ -2023,16 +2054,18 @@ When run without any options, the script enters an interactive mode that guides
* **Scheduler Only**: Installs only the Scheduler component.
* **Web UI Only**: Installs only the Web UI component.
* **API Only**: Installs only the API service for programmatic access.
2. **Setup Wizard**: Choose whether to enable the web-based configuration wizard. This is highly recommended for first-time users.
3. **CrowdSec Integration**: Opt-in to install the CrowdSec security engine for advanced, real-time threat protection. Available for Full Stack installations only.
2. **Setup Wizard**: Choose whether to enable the web-based configuration wizard when the selected mode includes the Web UI and supports the wizard. Manager mode always disables the wizard.
3. **CrowdSec Integration**: Opt-in to install the CrowdSec security engine for advanced, real-time threat protection. The interactive prompt is shown for Full Stack installations only; CLI flags can also enable CrowdSec for Manager installations.
4. **CrowdSec AppSec**: If you choose to install CrowdSec, you can also enable the Application Security (AppSec) component, which adds WAF capabilities.
5. **Redis/Valkey Integration**: Enable Redis/Valkey to share session data, metrics, and security data across nodes for seamless clustering and load balancing. You can install locally or point to an existing server. Available for Full Stack and Manager installations only.
5. **DNS Resolvers**: For Full Stack, Manager, and Worker installations, you can optionally specify custom DNS resolver IPs.
6. **Internal API HTTPS**: For Full Stack, Manager, and Worker installations, choose whether to enable HTTPS for internal API communication between the scheduler/manager and BunkerWeb/worker instances (default: HTTP only).
7. **API Service**: For Full Stack and Manager installations, choose whether to enable the optional external API service. It is disabled by default on Linux installations.
6. **Database**: For Full Stack and Manager installations, choose SQLite, a local MariaDB/PostgreSQL install, or an existing external database.
7. **Web UI Admin User**: For UI-bearing installations, choose whether to pre-create the first admin user. The installer defaults to creating one when the wizard is disabled.
8. **DNS Resolvers**: For Full Stack, Manager, and Worker installations, you can optionally specify custom DNS resolver IPs.
9. **Internal API HTTPS**: For Full Stack, Manager, and Worker installations, choose whether to enable HTTPS for internal API communication between the scheduler/manager and BunkerWeb/worker instances (default: HTTP only).
10. **API Service**: For Full Stack and Manager installations, choose whether to enable the optional external API service. It is disabled by default on Linux installations.
!!! info "Manager and Scheduler installations"
If you choose the **Manager** or **Scheduler Only** installation type, you will also be prompted to provide the IP addresses or hostnames of your BunkerWeb worker instances.
If you choose the **Manager** or **Scheduler Only** installation type, you will also be prompted for the IP addresses or hostnames of your BunkerWeb worker instances. This list is optional during install; if you leave it empty, the installer warns and you can add workers later.
#### Command-Line Options
@ -2042,14 +2075,20 @@ For non-interactive or automated setups, the script can be controlled with comma
| Option | Description |
| ----------------------- | --------------------------------------------------------------------- |
| `-v, --version VERSION` | Specifies the BunkerWeb version to install (e.g., `1.6.9`). |
| `-v, --version VERSION` | Specifies the BunkerWeb version to install (e.g., `1.6.10`). |
| `-w, --enable-wizard` | Enables the setup wizard. |
| `-n, --no-wizard` | Disables the setup wizard. |
| `-y, --yes` | Runs in non-interactive mode using default answers for all prompts. |
| `--tui` | Require a TUI (downloaded gum or existing whiptail) and abort if no TUI tier can render. |
| `--no-tui` | Disable all TUI tiers and use the legacy plain-text prompts. Equivalent to `BW_INSTALL_TUI=no`. |
| `-f, --force` | Forces the installation to proceed even on an unsupported OS version. |
| `-q, --quiet` | Silent installation (suppress output). |
| `--force-type-change` | Allow `--<type>` to differ from the detected install type on upgrade (intentional HA migrations only). |
| `-q, --quiet` | Silent installation (suppress output; implies `--yes`). |
| `--api`, `--enable-api` | Enables the API (FastAPI) systemd service (disabled by default). |
| `--no-api` | Explicitly disables the API service. |
| `--server-ip IP` | IP printed in post-install URLs. Overrides auto-detection and can also be set with `SERVER_IP_INPUT`. |
| `--epel` | Install `epel-release` on RHEL-family distributions if it is missing. |
| `--no-epel` | Do not install `epel-release` on RHEL-family distributions. |
| `-h, --help` | Displays the help message with all available options. |
| `--dry-run` | Show what would be installed without doing it. |
@ -2062,7 +2101,7 @@ For non-interactive or automated setups, the script can be controlled with comma
| `--worker` | Installs only the BunkerWeb instance. |
| `--scheduler-only` | Installs only the Scheduler component. |
| `--ui-only` | Installs only the Web UI component. |
| `--api-only` | Installs only the API service (port 8000). |
| `--api-only` | Installs only the API service (port 8888). |
**Security Integrations:**
@ -2073,12 +2112,13 @@ For non-interactive or automated setups, the script can be controlled with comma
| `--crowdsec-appsec` | Install CrowdSec with AppSec component (includes WAF capabilities). |
| `--redis` | Install and configure Redis locally. |
| `--no-redis` | Skip Redis integration. |
| `--redis-flavor FLAVOR` | Local install flavor: `redis` (default) or `valkey`. |
**Advanced Options:**
| Option | Description |
| --------------------------- | ----------------------------------------------------------------------------------- |
| `--instances "IP1 IP2"` | Space-separated list of BunkerWeb instances (required for manager/scheduler modes). |
| `--instances "IP1 IP2"` | Space-separated list of BunkerWeb instances (optional for manager/scheduler modes; you can add workers later). |
| `--manager-ip IPs` | Manager/Scheduler IPs to whitelist (required for worker in non-interactive mode). |
| `--dns-resolvers "IP1 IP2"` | Custom DNS resolver IPs (for full, manager, or worker installations). |
| `--api-https` | Enable HTTPS for internal API communication (default: HTTP only). |
@ -2089,11 +2129,51 @@ For non-interactive or automated setups, the script can be controlled with comma
| `--redis-database DB` | Redis database number. |
| `--redis-username USER` | Redis username (Redis 6+). |
| `--redis-password PASS` | Redis password. |
| `--redis-bind IP` | Redis/Valkey bind address for a local Manager install (default prompt: `0.0.0.0`). |
| `--redis-no-password` | Skip the auto-generated `requirepass` when binding Redis/Valkey beyond loopback. |
| `--redis-maxmemory MB` | Memory cap in MB; `0` or `unlimited` keeps the distribution default. |
| `--redis-maxmemory-policy POLICY` | Eviction policy for local Redis/Valkey (default: `volatile-lru`). |
| `--redis-ssl` | Enable SSL/TLS for Redis connection. |
| `--redis-no-ssl` | Disable SSL/TLS for Redis connection. |
| `--redis-ssl-verify` | Verify Redis SSL certificate. |
| `--redis-no-ssl-verify` | Do not verify Redis SSL certificate. |
**Database Options (`--full` / `--manager` only):**
| Option | Description |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------- |
| `--database ENGINE` | Strategy: `mariadb` or `postgresql` (auto-install locally), `external` (use an existing remote DB), `none` (SQLite). |
| `--db-engine ENGINE` | External-DB engine: `mariadb`, `mysql`, or `postgresql`. Implies `--database external` when set on its own. |
| `--db-host HOST` | External DB host (FQDN or IP). |
| `--db-port PORT` | External DB TCP port (defaults: 3306 for `mariadb`/`mysql`, 5432 for `postgresql`). |
| `--db-name NAME` | Database name (default: `bw_db`). |
| `--db-user USER` | Database user (default: `bunkerweb`). |
| `--db-password PASS` | Database password — required for `--database external`. Rules: 8+ chars, no quotes/backslash/backtick. |
| `--db-ssl` | Use SSL/TLS for the external DB connection. |
| `--db-no-ssl` | Do not use SSL/TLS for the external DB connection. |
| `--db-ssl-verify` | Verify the external DB server certificate. |
| `--db-no-ssl-verify` | Use SSL but skip certificate verification. |
| `--db-skip-probe` | Do not probe external DB connectivity from this host. Useful when the engine client is not installed locally, or when the DB is only reachable from the scheduler's network segment. |
**Web UI Admin User (`--full` / `--manager` / `--ui-only` only):**
When no UI admin flag is provided, the interactive installer offers a Web UI admin-user prompt for UI-bearing install types. The default answer flips based on wizard state: **Yes** when the wizard is disabled (manager mode always; other modes when `--no-wizard` is passed) because otherwise the UI has no initial login. **No** when the wizard is enabled because the wizard collects the admin user on first boot. Operators can still opt in to pre-create the admin even with the wizard enabled, which skips the wizard's admin step.
| Option | Description |
| --------------------------- | -------------------------------------------------------------------------------------------------------- |
| `--ui-admin-user NAME` | Pre-create the first Web UI admin user with this name (skips the setup wizard for the admin step). |
| `--ui-admin-password PASS` | Password for the admin user. Implies admin creation; the username defaults to `admin` if omitted. Auto-generated when omitted. Rules: 8+ chars, lower/upper/digit/special. |
| `--no-ui-admin` | Skip the admin-user creation prompt entirely. If the wizard is disabled, the UI remains without an initial login until credentials are configured another way. |
| `--ui-https-selfsigned` | (`--manager` only) Generate a self-signed cert and enable HTTPS on the Web UI listener. |
| `--no-ui-https-selfsigned` | (`--manager` only) Disable manager UI self-signed HTTPS. |
!!! warning "External database notes"
- `--database external` requires `--db-engine`, `--db-host`, and `--db-password` in non-interactive mode. `--db-name` and `--db-user` have defaults.
- For production, always pair `--db-ssl` with `--db-ssl-verify`. `--db-no-ssl-verify` accepts unauthenticated certificates and leaves the channel open to active MitM.
- The installer probes connectivity once the DSN is built. If the engine client (`mariadb` / `mysql` / `psql`) is not installed locally, it warns and skips the probe. If the probe runs and fails, interactive mode asks whether to write the DSN anyway; non-interactive mode aborts unless `--db-skip-probe` is set.
- Replace `YourStrongDbPassword` / `YourStrongUiPassw0rd!` in the examples below with values from a secrets manager before running the command.
**Example Usage:**
```bash
@ -2103,13 +2183,13 @@ sudo ./install-bunkerweb.sh
# Non-interactive installation with defaults (full stack, wizard enabled)
sudo ./install-bunkerweb.sh --yes
# Install a Worker node without the setup wizard
# Install a Worker node interactively without the setup wizard
sudo ./install-bunkerweb.sh --worker --no-wizard
# Install a specific version
sudo ./install-bunkerweb.sh --version 1.6.9
sudo ./install-bunkerweb.sh --version 1.6.10
# Manager setup with remote worker instances (instances required)
# Manager setup with remote worker instances (optional at install time)
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
# Manager with HTTPS internal API communication
@ -2121,9 +2201,30 @@ sudo ./install-bunkerweb.sh --worker --dns-resolvers "1.1.1.1 1.0.0.1" --api-htt
# Full installation with CrowdSec and AppSec
sudo ./install-bunkerweb.sh --crowdsec-appsec
# Manager installation with CrowdSec enabled from the CLI
sudo ./install-bunkerweb.sh --manager --crowdsec
# Full installation using an existing Redis server
sudo ./install-bunkerweb.sh --redis-host redis.example.com --redis-password "your-strong-password"
# Full installation against an existing external MariaDB
sudo ./install-bunkerweb.sh --yes --no-wizard \
--database external --db-engine mariadb \
--db-host mariadb.example.com --db-port 3306 \
--db-name bw_db --db-user bunkerweb --db-password 'YourStrongDbPassword' \
--db-ssl --db-ssl-verify \
--ui-admin-user admin --ui-admin-password 'YourStrongUiPassw0rd!'
# Full installation against an existing external PostgreSQL
sudo ./install-bunkerweb.sh --yes --no-wizard \
--database external --db-engine postgresql \
--db-host pg.example.com --db-port 5432 \
--db-name bw_db --db-user bunkerweb --db-password 'YourStrongDbPassword' \
--ui-admin-user admin --ui-admin-password 'YourStrongUiPassw0rd!'
# Pre-create the admin user on a full install (random password printed at the end)
sudo ./install-bunkerweb.sh --no-wizard --ui-admin-user admin
# Silent non-interactive installation
sudo ./install-bunkerweb.sh --quiet --yes
@ -2139,8 +2240,8 @@ sudo ./install-bunkerweb.sh --yes --api
# Error: API service not available for worker installations
# sudo ./install-bunkerweb.sh --worker --api # This will fail
# Error: Instances required for manager in non-interactive mode
# sudo ./install-bunkerweb.sh --manager --yes # This will fail without --instances
# Manager non-interactive install without initial workers (the installer warns; add workers later)
sudo ./install-bunkerweb.sh --manager --yes
# Install API-only mode
sudo ./install-bunkerweb.sh --api-only
@ -2153,8 +2254,9 @@ sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11" --
**CrowdSec Limitations:**
- CrowdSec options (`--crowdsec`, `--crowdsec-appsec`) are only compatible with `--full` (default) installation type
- They cannot be used with `--manager`, `--worker`, `--scheduler-only`, `--ui-only`, or `--api-only` installations
- CrowdSec options (`--crowdsec`, `--crowdsec-appsec`) are compatible with `--full` (default) and `--manager` installation types
- The interactive CrowdSec prompt is shown for Full Stack only; use CLI flags for Manager
- They cannot be used with `--worker`, `--scheduler-only`, `--ui-only`, or `--api-only` installations
**Redis Limitations:**
@ -2163,24 +2265,24 @@ sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11" --
**API Service Availability:**
- The external API service (port 8000) is available for `--full` and `--manager` installation types
- The external API service (port 8888) is available for `--full` and `--manager` installation types
- It is not available for `--worker`, `--scheduler-only`, or `--ui-only` installations
- Use `--api-only` for a dedicated API service installation
**Instances Requirements:**
- The `--instances` option is only valid with `--manager` and `--scheduler-only` installation types
- When using `--manager` or `--scheduler-only` with `--yes` (non-interactive mode), the `--instances` option is mandatory
- The list is optional during install; if it is empty, the installer warns and you can add workers later
- Format: `--instances "192.168.1.10 192.168.1.11 192.168.1.12"`
**Interactive vs Non-Interactive:**
- Interactive mode (default) will prompt for missing required values
- Non-interactive mode (`--yes`) requires all necessary options to be provided via command line
- Non-interactive mode (`--yes`) still requires values that cannot be safely defaulted, such as `--manager-ip` for Worker installs and the minimum external database fields (`--db-engine`, `--db-host`, and `--db-password`)
#### CrowdSec Integration with the Script {#crowdsec-integration-with-the-script}
If you opt to install CrowdSec during the interactive setup, the script fully automates its integration with BunkerWeb:
If you opt to install CrowdSec during the interactive setup or with the CLI flags, the script fully automates its integration with BunkerWeb:
- It adds the official CrowdSec repository and installs the agent.
- It creates a new acquisition file to make CrowdSec parse BunkerWeb's logs (`access.log`, `error.log`, and `modsec_audit.log`).
@ -2216,16 +2318,16 @@ Once installation is complete, the script provides mode-specific next steps to h
| Mode | Components | Ports | Configuration Files |
| -------------- | -------------------------- | ---------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Full Stack | BunkerWeb + Scheduler + UI | HTTP/HTTPS (80/443), UI (7000), Internal API (5000), Optional: External API (8000) | `/etc/bunkerweb/variables.env`, `/etc/bunkerweb/scheduler.env`, `/etc/bunkerweb/ui.env`, Optional: `/etc/bunkerweb/api.env` |
| Manager | Scheduler + UI | UI (7000), Internal API (5000), Optional: External API (8000) | `/etc/bunkerweb/scheduler.env`, `/etc/bunkerweb/ui.env`, `/etc/bunkerweb/variables.env`, Optional: `/etc/bunkerweb/api.env` |
| Full Stack | BunkerWeb + Scheduler + UI | HTTP/HTTPS (80/443), UI (7000), Internal API (5000), Optional: External API (8888) | `/etc/bunkerweb/variables.env`, `/etc/bunkerweb/scheduler.env`, `/etc/bunkerweb/ui.env`, Optional: `/etc/bunkerweb/api.env` |
| Manager | Scheduler + UI | UI (7000), Internal API (5000), Optional: External API (8888) | `/etc/bunkerweb/scheduler.env`, `/etc/bunkerweb/ui.env`, `/etc/bunkerweb/variables.env`, Optional: `/etc/bunkerweb/api.env` |
| Worker | BunkerWeb only | HTTP/HTTPS (80/443) | `/etc/bunkerweb/variables.env` |
| Scheduler Only | Scheduler | Internal API (5000) | `/etc/bunkerweb/scheduler.env`, `/etc/bunkerweb/variables.env` |
| UI Only | Web UI | UI (7000) | `/etc/bunkerweb/ui.env` |
| API Only | External API | API (8000) | `/etc/bunkerweb/api.env` |
| API Only | External API | API (8888) | `/etc/bunkerweb/api.env` |
**With setup wizard enabled (Full Stack or Manager):**
**With setup wizard enabled (Full Stack only):**
1. Access the setup wizard at: `https://your-server-ip/setup` (Full Stack) or `http://your-server-ip:7000/setup` (Manager)
1. Access the setup wizard at: `https://your-server-ip/setup`
2. Follow the guided configuration to set up your first protected service
3. Configure SSL/TLS certificates and other security settings
@ -2233,19 +2335,19 @@ Once installation is complete, the script provides mode-specific next steps to h
Depending on your installation type:
- **Full Stack**: Edit `/etc/bunkerweb/variables.env` for BunkerWeb settings, then restart: `sudo systemctl restart bunkerweb-scheduler`
- **Manager**: Configure the database connection (`DATABASE_URI`) in `/etc/bunkerweb/scheduler.env` and manage worker instances via the Web UI at `http://your-server-ip:7000`
- **Full Stack**: Edit `/etc/bunkerweb/variables.env` for BunkerWeb settings, then restart: `sudo systemctl restart bunkerweb bunkerweb-scheduler`
- **Manager**: If you did not configure a database during install, configure the shared database connection (`DATABASE_URI`) for the Scheduler and Web UI. The Web UI listens on `127.0.0.1:7000` by default; expose it intentionally through a reverse proxy, SSH tunnel, or by changing `LISTEN_ADDR`.
- **Worker**: Edit `/etc/bunkerweb/variables.env` for BunkerWeb settings, then restart: `sudo systemctl restart bunkerweb`
- **Scheduler Only**: Configure `DATABASE_URI` in `/etc/bunkerweb/scheduler.env`, then restart: `sudo systemctl restart bunkerweb-scheduler`
- **UI Only**: Configure `DATABASE_URI` in `/etc/bunkerweb/ui.env`, then restart: `sudo systemctl restart bunkerweb-ui`
- **API Only**: Configure `DATABASE_URI` in `/etc/bunkerweb/api.env`, then restart: `sudo systemctl restart bunkerweb-api`
!!! info "Database Configuration"
For Manager, Scheduler, UI, and API installations, you must configure a shared database using the `DATABASE_URI` setting. The format is: `mariadb+pymysql://user:password@host:port/database` (or `postgresql://`, `mysql+pymysql://`, `sqlite:////path/to/db.sqlite`).
Standalone Manager, Scheduler, UI, and API deployments need a shared database using the `DATABASE_URI` setting. When the easy install script installs or wires a database for Full Stack or Manager mode, it writes `DATABASE_URI` to `/etc/bunkerweb/variables.env`; otherwise set it manually in the service environment files. The format is: `mariadb+pymysql://user:password@host:port/database` (or `postgresql://`, `mysql+pymysql://`, `sqlite:////path/to/db.sqlite`).
### Installation using package manager
Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb**. For all distributions, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
Please ensure that you have **NGINX 1.30.1 installed before installing BunkerWeb**. For all distributions, it is mandatory to use prebuilt packages from the [official NGINX repository](https://nginx.org/en/linux_packages.html). Compiling NGINX from source or using packages from different repositories will not work with the official prebuilt packages of BunkerWeb. However, you have the option to build BunkerWeb from source.
=== "Debian Bookworm/Trixie"
@ -2260,11 +2362,11 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
| sudo tee /etc/apt/sources.list.d/nginx.list
```
You should now be able to install NGINX 1.28.2:
You should now be able to install NGINX 1.30.1:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Testing/dev version"
@ -2281,12 +2383,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.9:
And finally install BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@ -2308,11 +2410,11 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
| sudo tee /etc/apt/sources.list.d/nginx.list
```
You should now be able to install NGINX 1.28.2:
You should now be able to install NGINX 1.30.1:
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "Testing/dev version"
@ -2329,12 +2431,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.9:
And finally install BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@ -2352,10 +2454,10 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora already provides NGINX 1.28.2 that we support
Fedora already provides NGINX 1.30.1 that we support
```shell
sudo dnf install -y --allowerasing nginx-1.28.2
sudo dnf install -y --allowerasing nginx-1.30.1
```
!!! example "Disable the setup wizard"
@ -2365,12 +2467,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.9:
And finally install BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
@ -2402,10 +2504,10 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
module_hotfixes=true
```
You should now be able to install NGINX 1.28.2:
You should now be able to install NGINX 1.30.1:
```shell
sudo dnf install --allowerasing nginx-1.28.2
sudo dnf install --allowerasing nginx-1.30.1
```
!!! example "Disable the setup wizard"
@ -2415,12 +2517,12 @@ Please ensure that you have **NGINX 1.28.2 installed before installing BunkerWeb
export UI_WIZARD=no
```
And finally install BunkerWeb 1.6.9:
And finally install BunkerWeb 1.6.10:
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
@ -2513,7 +2615,7 @@ By adopting this approach, you can enjoy real-time reconfiguration of BunkerWeb
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) of the repository for more information.
To enable automated configuration updates, include an additional container called `bw-autoconf` in the stack. This container hosts the autoconf service, which manages dynamic configuration changes for BunkerWeb.
@ -2527,7 +2629,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2542,7 +2644,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -2557,7 +2659,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bunkerweb
- bw-docker
@ -2636,16 +2738,17 @@ The `bw-autoconf` controller watches your orchestrator and writes changes to the
##### Mode & runtime
| Setting | Description | Accepted values | Default |
| ------------------------- | ------------------------------------------------- | --------------------------------------- | -------------------------------------- |
| `AUTOCONF_MODE` | Enable the autoconf controller | `yes` or `no` | `no` |
| `SWARM_MODE` | Watch Swarm services instead of Docker containers | `yes` or `no` | `no` |
| `KUBERNETES_MODE` | Watch Kubernetes ingresses/pods instead of Docker | `yes` or `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Use the Gateway API controller for Kubernetes | `yes` or `no` | `no` |
| `DOCKER_HOST` | Docker socket / remote API URL | e.g., `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Seconds between readiness checks for instances | Integer seconds | `5` |
| `LOG_SYSLOG_TAG` | Syslog tag for autoconf logs | String | `bw-autoconf` |
| `TZ` | Time zone used for autoconf logs and timestamps | TZ database name (e.g., `Europe/Paris`) | unset (container default, usually UTC) |
| Setting | Description | Accepted values | Default |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------- |
| `AUTOCONF_MODE` | Enable the autoconf controller | `yes` or `no` | `no` |
| `SWARM_MODE` | Watch Swarm services instead of Docker containers | `yes` or `no` | `no` |
| `KUBERNETES_MODE` | Watch Kubernetes ingresses/pods instead of Docker | `yes` or `no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | Use the Gateway API controller for Kubernetes | `yes` or `no` | `no` |
| `DOCKER_HOST` | Docker socket / remote API URL | e.g., `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | Seconds between readiness checks for instances | Integer seconds | `5` |
| `AUTOCONF_DISABLE_CLEANUP` | When `yes`, services and custom configs removed from the orchestrator are converted to draft instead of being hard-deleted, so they survive transient removals and can be deleted from the Web UI. | `yes` or `no` | `no` |
| `LOG_SYSLOG_TAG` | Syslog tag for autoconf logs | String | `bw-autoconf` |
| `TZ` | Time zone used for autoconf logs and timestamps | TZ database name (e.g., `Europe/Paris`) | unset (container default, usually UTC) |
##### Database & validation
@ -2710,6 +2813,27 @@ networks:
name: bw-services
```
#### Preserving services as drafts on removal {#autoconf-disable-cleanup}
By default, when a container, Swarm service, or Ingress managed by autoconf disappears from the orchestrator, its BunkerWeb service row (and any associated custom configs) is immediately deleted from the shared database. This is destructive: an operator cannot distinguish a genuine teardown from a transient glitch, and recovering requires recreating the service definition from scratch.
Setting `AUTOCONF_DISABLE_CLEANUP=yes` on the `bw-autoconf` container changes this behavior:
- Services removed from the orchestrator are flipped to `is_draft = true` instead of being deleted. Their `services_settings` rows, custom configs, and job caches are preserved.
- Draft services are excluded from the rendered NGINX configuration (they are not served), so removing the orchestration object still takes the site offline — it just keeps the state around.
- If the same service is later re-registered by autoconf (same server name / Ingress host), it is automatically flipped back to online and republished; existing custom configs are reused.
- While a service is in this "drafted by autoconf" state, it can be deleted from the Web UI Services page — normally autoconf-owned services are undeletable from the UI, but the Delete button becomes enabled for draft autoconf services so operators can prune stale entries. Online autoconf services remain undeletable from the UI.
```yaml
services:
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
AUTOCONF_MODE: "yes"
AUTOCONF_DISABLE_CLEANUP: "yes" # keep removed services as drafts
DATABASE_URI: "mariadb+pymysql://bunkerweb:secret@bw-db:3306/db"
```
### Namespaces {#namespaces}
Starting from version `1.6.0`, BunkerWeb's Autoconf stacks now support namespaces. This feature enables you to manage multiple "*clusters*" of BunkerWeb instances and services on the same Docker host. To take advantage of namespaces, simply set the `NAMESPACE` label on your services. Here's an example:
@ -2739,13 +2863,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance so the autoconf service can detect it
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
@ -2805,7 +2929,7 @@ Further information about the Redis/Valkey settings can be found [here](features
as configured by the `DATABASE_URI` setting.
However, we understand that you may prefer to utilize alternative backends for your Docker integration.
If that is the case, rest assured that other database backends are still possible.
See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)
See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)
of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
@ -2922,7 +3046,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.9"
tag: "1.6.10"
```
2. For each sidecar, add:
@ -3015,7 +3139,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.9"
tag: "1.6.10"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3059,7 +3183,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3330,7 +3454,7 @@ To add a new application protected by BunkerWeb:
#### Full YAML files
Instead of using the helm chart, you can also use the YAML boilerplates inside the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the GitHub repository. Please note that we highly recommend to use the helm chart instead.
Instead of using the helm chart, you can also use the YAML boilerplates inside the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) of the GitHub repository. Please note that we highly recommend to use the helm chart instead.
### Ingress resources
@ -3478,7 +3602,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3652,11 +3776,11 @@ service:
# BunkerWeb settings
bunkerweb:
tag: 1.6.9
tag: 1.6.10
# Scheduler settings
scheduler:
tag: 1.6.9
tag: 1.6.10
extraEnvs:
# Enable real IP module to get real IP of clients
- name: USE_REAL_IP
@ -3664,11 +3788,11 @@ scheduler:
# Controller settings
controller:
tag: 1.6.9
tag: 1.6.10
# UI settings
ui:
tag: 1.6.9
tag: 1.6.10
```
Install BunkerWeb with custom values:
@ -4289,7 +4413,7 @@ Since multiple instances of BunkerWeb are running, a shared data store implement
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
!!! info "Database backend"
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations) of the repository for more information.
Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations) of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
@ -4303,7 +4427,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -4332,7 +4456,7 @@ services:
- "bunkerweb.INSTANCE=yes" # Mandatory label for the autoconf service to identify the BunkerWeb instance
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # We don't need to specify the BunkerWeb instance here as they are automatically detected by the autoconf service
@ -4353,7 +4477,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database
@ -4505,7 +4629,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
deploy:
mode: global
@ -4517,7 +4641,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # Set the namespace for the BunkerWeb instance
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
NAMESPACES: "my-namespace my-other-namespace" # Only listen to these namespaces
...

150
docs/json2md.py
View file

@ -4,6 +4,7 @@ from io import StringIO
from json import loads
from glob import glob
from pathlib import Path
import re
from pytablewriter import MarkdownTableWriter
import requests
import zipfile
@ -14,6 +15,59 @@ from os import getenv, path
DOCS_LANG = getenv("DOCS_LANG", "en")
LANG = DOCS_LANG.split("-")[0].lower()
# PRO plugins to exclude from the generated features documentation.
# Match is done on the plugin "id" field from plugin.json.
# Keep "alerting" here while it is in alpha testing.
PRO_PLUGINS_IGNORE = ("alerting",)
PRO_PLUGIN_DOCS = {
"migration": {"advanced_anchor": "migration-pro"},
"anti-ddos": {"advanced_anchor": "anti-ddos-pro"},
"user-manager": {
"advanced_anchor": "user-manager-pro",
"youtube": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "User Manager",
},
},
"ui-single-sign-on": {"advanced_anchor": "ui-single-sign-on-pro"},
"easy-resolve": {
"advanced_anchor": "easy-resolve-pro",
"youtube": {
"url": "https://www.youtube-nocookie.com/embed/45vX0WJqjxo",
"title": "Easy Resolve",
},
},
"load-balancer": {
"advanced_anchor": "load-balancer-pro",
"youtube": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw?si=iVhDio8o8S4F_uag",
"title": "Load Balancer",
},
},
"custom-pages": {"advanced_anchor": "custom-pages-pro"},
"openid-connect": {
"advanced_anchor": "openid-connect-pro",
"youtube": {
"url": "https://www.youtube-nocookie.com/embed/0e4lcXTIIfs",
"title": "OpenID Connect",
},
},
"ldap-sso": {"advanced_anchor": "ldap-sso-pro"},
"openapi-validator": {
"advanced_anchor": "openapi-validator-pro",
"youtube": {
"url": "https://www.youtube-nocookie.com/embed/3oZOO1XdSlc",
"title": "OpenAPI Validator",
},
},
"cache": {"advanced_anchor": "cache-pro"},
"acme": {"advanced_anchor": "acme"},
"wildcard": {"advanced_anchor": "wildcard-pro"},
}
PRO_PLUGIN_DOCS["loadbalancer"] = PRO_PLUGIN_DOCS["load-balancer"]
I18N = {
"en": {
"features_title": "# Features",
@ -31,17 +85,7 @@ I18N = {
"no": "no",
# Badge
"pro_badge": " (PRO)",
# PRO plugins links
"pro_yt_links": {
"user_manager": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "User Manager",
},
"loadbalancer": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw",
"title": "Load Balancer",
},
},
"pro_advanced_link": "For a more detailed guide, see the [advanced usages]({href}) documentation.",
},
"fr": {
"features_title": "# Fonctionnalités",
@ -59,17 +103,7 @@ I18N = {
"no": "non",
# Badge
"pro_badge": " (PRO)",
# PRO plugins links
"pro_yt_links": {
"user_manager": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "Gestionnaire d'utilisateurs",
},
"loadbalancer": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw",
"title": "Équilibreur de charge",
},
},
"pro_advanced_link": "Pour un guide plus détaillé, consultez la documentation des [utilisations avancées]({href}).",
},
"de": {
"features_title": "# Funktionen",
@ -84,17 +118,7 @@ I18N = {
"yes": "ja",
"no": "nein",
"pro_badge": " (PRO)",
# PRO plugins links
"pro_yt_links": {
"user_manager": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "Benutzer-Manager",
},
"loadbalancer": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw",
"title": "Load Balancer",
},
},
"pro_advanced_link": "Eine ausführlichere Anleitung finden Sie in der Dokumentation zur [erweiterten Nutzung]({href}).",
},
"es": {
"features_title": "# Características",
@ -109,17 +133,7 @@ I18N = {
"yes": "",
"no": "no",
"pro_badge": " (PRO)",
# PRO plugins links
"pro_yt_links": {
"user_manager": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "Página del Administrador de usuarios",
},
"loadbalancer": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw",
"title": "Balanceador de carga",
},
},
"pro_advanced_link": "Para una guía más detallada, consulta la documentación de [usos avanzados]({href}).",
},
"zh": {
"features_title": "# 功能",
@ -134,17 +148,7 @@ I18N = {
"yes": "",
"no": "",
"pro_badge": " (PRO)",
# PRO plugins links
"pro_yt_links": {
"user_manager": {
"url": "https://www.youtube-nocookie.com/embed/EIohiUf9Fg4",
"title": "用户管理器页面",
},
"loadbalancer": {
"url": "https://www.youtube-nocookie.com/embed/cOVp0rAt5nw",
"title": "负载均衡器",
},
},
"pro_advanced_link": "如需更详细的指南,请参阅[高级用法]({href})文档。",
},
}
@ -154,6 +158,20 @@ def tr(key: str):
return I18N.get(LANG, base).get(key, base.get(key, key))
def normalize_doc_key(value):
return re.sub(r"[^a-z0-9]+", "-", value.casefold()).strip("-")
def get_pro_plugin_docs(data):
for value in (data.get("id", ""), data.get("name", "")):
if not value:
continue
plugin_docs = PRO_PLUGIN_DOCS.get(normalize_doc_key(value))
if plugin_docs:
return plugin_docs
return {}
def generate_docs_for_lang(lang: str):
"""Generate documentation for a specific language."""
global LANG
@ -217,6 +235,9 @@ def generate_docs_for_lang(lang: str):
with open(pro, "r") as f:
with suppress(Exception):
pro_plugin = loads(f.read())
if pro_plugin.get("id") in PRO_PLUGINS_IGNORE:
print(f"Skipping PRO plugin '{pro_plugin.get('id')}' (in PRO_PLUGINS_IGNORE)")
continue
pro_plugin["dir"] = plugin_dir
core_settings[pro_plugin["name"]] = pro_plugin
core_settings[pro_plugin["name"]]["is_pro"] = True
@ -232,13 +253,18 @@ def generate_docs_for_lang(lang: str):
)
print(f"## {data['name']}{pro_crown}\n", file=doc)
if "is_pro" in data and data["id"] in tr_lang("pro_yt_links"):
yt_info = tr_lang("pro_yt_links")[data["id"]]
pro_docs = get_pro_plugin_docs(data) if "is_pro" in data else {}
yt_info = pro_docs.get("youtube")
if yt_info:
print(
f"<p align='center'><iframe style='display: block;' width='560' height='315' data-src='{yt_info['url']}' title='{yt_info['title']}' frameborder='0' allow='accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture' allowfullscreen></iframe></p>\n",
file=doc,
)
advanced_anchor = pro_docs.get("advanced_anchor")
if advanced_anchor:
print(tr_lang("pro_advanced_link").format(href=f"advanced.md#{advanced_anchor}") + "\n", file=doc)
print(f"{stream_support(data['stream'])}\n", file=doc)
# Check if README.md exists and use its content instead
@ -251,15 +277,17 @@ def generate_docs_for_lang(lang: str):
print(print_md_table(data["settings"], tr_lang), file=doc)
# Finalize content
# Note: do NOT unescape "\|" here. pytablewriter auto-escapes pipes in cell
# values as "\|" so that defaults like "GET|POST|HEAD" render as a literal
# pipe inside a Markdown table cell instead of splitting it into columns.
# README files included via get_readme_content() also rely on that escaping.
doc.seek(0)
content = doc.read()
doc = StringIO(content.replace("\\|", "|"))
doc.seek(0)
content = doc.read().rstrip() + "\n"
# Ensure output directory per language
out_dir = Path("docs") if lang == "en" else Path("docs", lang)
out_dir.mkdir(parents=True, exist_ok=True)
Path(out_dir, "features.md").write_text(doc.read(), encoding="utf-8")
Path(out_dir, "features.md").write_text(content, encoding="utf-8")
print(f"Generated features.md for language: {lang}")

12
docs/plugins.md
View file

@ -89,7 +89,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ The first step is to install the plugin by placing its files inside the correspo
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ The first step is to install the plugin by placing its files inside the correspo
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ The first step is to install the plugin by placing its files inside the correspo
!!! tip "Existing plugins"
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
What a plugin structure looks like:
```
@ -563,7 +563,7 @@ end
!!! tip "More examples"
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb) of the repository.
If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/bw/lua/bunkerweb) of the repository.
### Jobs

45
docs/quickstart-guide.md
View file

@ -18,7 +18,7 @@ This quickstart guide will help you to quickly install BunkerWeb and secure a we
Protecting existing web applications already accessible with the HTTP(S) protocol is the main goal of BunkerWeb: it will act as a classical [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) with extra security features.
See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) of the repository to get real-world examples.
See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) of the repository to get real-world examples.
## Basic setup
@ -33,7 +33,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
By default, the container exposes:
@ -51,8 +51,8 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
```bash
# Download the script and its checksum
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# Verify the checksum
sha256sum -c install-bunkerweb.sh.sha256
@ -68,10 +68,13 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
#### Easy Install Highlights
- Detects your Linux distribution and CPU architecture up front and warns if you are outside the supported matrix before making any change.
- The interactive flow lets you pick the installation profile (full stack, manager, worker, etc.); manager mode always exposes the API on `0.0.0.0`, disables the setup wizard, and asks for the whitelist IP (pass it with `--manager-ip` for non-interactive runs), while worker mode requires the manager IPs for its whitelist.
- Interactive prompts use an inline TUI via [gum](https://github.com/charmbracelet/gum) — arrow-key menus with a `` cursor, masked password fields. On first interactive run the installer downloads the official `gum` binary from the [GitHub release](https://github.com/charmbracelet/gum/releases) (SHA256-pinned, with optional cosign signature verification when cosign is installed), runs it from a tempdir, and removes the tempdir on exit — **no system package is installed, no apt/dnf source is added, no binary is left behind**. If gum cannot be obtained, the installer uses any pre-installed `whiptail` for boxed dialogs; if neither is available it falls back to plain text prompts.
- TUI behavior is controlled by two flags: `--no-tui` (or `BW_INSTALL_TUI=no`) skips every TUI tier and uses plain text prompts; `--tui` requires a working TUI and aborts if gum cannot be fetched and no existing whiptail is available.
- When the installer is piped (`curl … | bash`) or stdin is not a TTY, it exits with a clear error instead of falling through every default. Use `--yes` together with the appropriate `--*` flags / `*_INPUT` env vars for non-interactive installs.
- The interactive flow lets you pick the installation profile (Full Stack, Manager, Worker, etc.); Manager mode binds the internal API listener to `0.0.0.0`, disables the setup wizard, and asks for the whitelist IP (pass it with `--manager-ip` for non-interactive runs), while Worker mode requires the Manager IPs for its whitelist.
- Manager installations can still decide whether the Web UI service should start even though the wizard remains disabled.
- The summary now shows whether the FastAPI service will run so you can intentionally enable or disable it with `--api` / `--no-api`.
- CrowdSec options are only available for full-stack installs; manager/worker modes skip them automatically so the workflow stays focused on remote control.
- CrowdSec is prompted interactively for Full Stack installs. On the CLI, `--crowdsec` and `--crowdsec-appsec` are valid for Full Stack and Manager installs; Worker, Scheduler-only, UI-only, and API-only modes reject them.
For advanced installation methods (package manager, installation types, non-interactive flags, CrowdSec integration, etc.), see the [Linux Integration](integrations.md#linux).
@ -90,7 +93,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
services:
bunkerweb:
# This is the name that will be used to identify the instance in the Scheduler
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +106,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -120,7 +123,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-env
restart: "unless-stopped"
@ -148,7 +151,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -187,7 +190,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +206,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +224,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bw-docker
environment:
@ -244,7 +247,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -273,7 +276,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -339,7 +342,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -369,7 +372,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +390,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +419,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/exa
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
@ -638,7 +641,7 @@ You can now log in with the administrator account you created during the setup w
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- Include any other existing environment variables for UI, Redis, CrowdSec, etc. ---
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Your application container (`myapp`) and the `bunkerweb-aio` container must be on the same Docker network for BunkerWeb to reach it using the hostname `myapp`.
@ -660,7 +663,7 @@ You can now log in with the administrator account you created during the setup w
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (all other relevant environment variables as shown in the main example above) ...
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
Make sure to replace `myapp` with the actual name or IP of your application container and `http://myapp:8080` with its correct address and port.

6
docs/requirements.in
View file

@ -1,5 +1,5 @@
mike==2.1.3
mkdocs-material[imaging]==9.6.21
mike==2.2.0
mkdocs-material[imaging]==9.7.6
mkdocs-print-site-plugin==2.8
mkdocs-static-i18n==1.3.0
mkdocs-static-i18n==1.3.1
pytablewriter==1.2.1

612
docs/requirements.txt
View file

@ -1,33 +1,32 @@
#
# This file is autogenerated by pip-compile with Python 3.10
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --allow-unsafe --generate-hashes --strip-extras requirements.in
#
babel==2.17.0 \
--hash=sha256:0c54cffb19f690cdcc52a3b50bcbf71e07a808d1c80d549f2459b9d2cf0afb9d \
--hash=sha256:4d0b53093fdfb4b21c92b5213dba5a1b23885afa8383709427046b21c366e5f2
babel==2.18.0 \
--hash=sha256:b80b99a14bd085fcacfa15c9165f651fbb3406e66cc603abf11c5750937c992d \
--hash=sha256:e2b422b277c2b9a9630c1d7903c2a00d0830c409c59ac8cae9081c92f1aeba35
# via mkdocs-material
backrefs==5.9 \
--hash=sha256:6907635edebbe9b2dc3de3a2befff44d74f30a4562adbb8b36f21252ea19c5cf \
--hash=sha256:7fdf9771f63e6028d7fee7e0c497c81abda597ea45d6b8f89e8ad76994f5befa \
--hash=sha256:808548cb708d66b82ee231f962cb36faaf4f2baab032f2fbb783e9c2fdddaa59 \
--hash=sha256:cc37b19fa219e93ff825ed1fed8879e47b4d89aa7a1884860e2db64ccd7c676b \
--hash=sha256:db8e8ba0e9de81fcd635f440deab5ae5f2591b54ac1ebe0550a2ca063488cd9f \
--hash=sha256:df5e169836cc8acb5e440ebae9aad4bf9d15e226d3bad049cf3f6a5c20cc8dc9 \
--hash=sha256:f48ee18f6252b8f5777a22a00a09a85de0ca931658f1dd96d4406a34f3748c60
backrefs==7.0 \
--hash=sha256:4989bb9e1e99eb23647c7160ed51fb21d0b41b5d200f2d3017da41e023097e82 \
--hash=sha256:a0fa7360c63509e9e077e174ef4e6d3c21c8db94189b9d957289ae6d794b9475 \
--hash=sha256:a6448b28180e3ca01134c9cf09dcebafad8531072e09903c5451748a05f24bc9 \
--hash=sha256:b57cd227ea556b0aed3dc9b8da4628db4eabc0402c6d7fcfc69283a93955f7e9 \
--hash=sha256:ca42ce6a49ace3d75684dfa9937f3373902a63284ecb385ce36d15e5dcb41c12 \
--hash=sha256:f2c52955d631b9e1ac4cd56209f0a3a946d592b98e7790e77699339ae01c102a
# via mkdocs-material
cairocffi==1.7.1 \
--hash=sha256:2e48ee864884ec4a3a34bfa8c9ab9999f688286eb714a15a43ec9d068c36557b \
--hash=sha256:9803a0e11f6c962f3b0ae2ec8ba6ae45e957a146a004697a1ac1bbf16b073b3f
# via cairosvg
cairosvg==2.8.2 \
--hash=sha256:07cbf4e86317b27a92318a4cac2a4bb37a5e9c1b8a27355d06874b22f85bef9f \
--hash=sha256:eab46dad4674f33267a671dce39b64be245911c901c70d65d2b7b0821e852bf5
cairosvg==2.9.0 \
--hash=sha256:1debb00cd2da11350d8b6f5ceb739f1b539196d71d5cf5eb7363dbd1bfbc8dc5 \
--hash=sha256:4b82d07d145377dffdfc19d9791bd5fb65539bb4da0adecf0bdbd9cd4ffd7c68
# via mkdocs-material
certifi==2025.8.3 \
--hash=sha256:e564105f78ded564e3ae7c923924435e1daa7463faeab5bb932bc53ffae63407 \
--hash=sha256:f6c12493cfb1b06ba2ff328595af9350c65d6644968e5d3a2ffd78699af217a5
certifi==2026.4.22 \
--hash=sha256:3cb2210c8f88ba2318d29b0388d1023c8492ff72ecdde4ebdaddbb13a31b1c4a \
--hash=sha256:8d455352a37b71bf76a79caa83a3d6c25afee4a385d632127b6afb3963f1c580
# via requests
cffi==2.0.0 \
--hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \
@ -115,106 +114,156 @@ cffi==2.0.0 \
--hash=sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453 \
--hash=sha256:fe562eb1a64e67dd297ccc4f5addea2501664954f2692b69a76449ec7913ecbf
# via cairocffi
chardet==5.2.0 \
--hash=sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7 \
--hash=sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970
chardet==6.0.0.post1 \
--hash=sha256:6b78048c3c97c7b2ed1fbad7a18f76f5a6547f7d34dbab536cc13887c9a92fa4 \
--hash=sha256:c894a36800549adf7bb5f2af47033281b75fdfcd2aa0f0243be0ad22a52e2dcb
# via mbstrdecoder
charset-normalizer==3.4.3 \
--hash=sha256:00237675befef519d9af72169d8604a067d92755e84fe76492fef5441db05b91 \
--hash=sha256:02425242e96bcf29a49711b0ca9f37e451da7c70562bc10e8ed992a5a7a25cc0 \
--hash=sha256:027b776c26d38b7f15b26a5da1044f376455fb3766df8fc38563b4efbc515154 \
--hash=sha256:07a0eae9e2787b586e129fdcbe1af6997f8d0e5abaa0bc98c0e20e124d67e601 \
--hash=sha256:0cacf8f7297b0c4fcb74227692ca46b4a5852f8f4f24b3c766dd94a1075c4884 \
--hash=sha256:0e78314bdc32fa80696f72fa16dc61168fda4d6a0c014e0380f9d02f0e5d8a07 \
--hash=sha256:0f2be7e0cf7754b9a30eb01f4295cc3d4358a479843b31f328afd210e2c7598c \
--hash=sha256:13faeacfe61784e2559e690fc53fa4c5ae97c6fcedb8eb6fb8d0a15b475d2c64 \
--hash=sha256:14c2a87c65b351109f6abfc424cab3927b3bdece6f706e4d12faaf3d52ee5efe \
--hash=sha256:1606f4a55c0fd363d754049cdf400175ee96c992b1f8018b993941f221221c5f \
--hash=sha256:16a8770207946ac75703458e2c743631c79c59c5890c80011d536248f8eaa432 \
--hash=sha256:18343b2d246dc6761a249ba1fb13f9ee9a2bcd95decc767319506056ea4ad4dc \
--hash=sha256:18b97b8404387b96cdbd30ad660f6407799126d26a39ca65729162fd810a99aa \
--hash=sha256:1bb60174149316da1c35fa5233681f7c0f9f514509b8e399ab70fea5f17e45c9 \
--hash=sha256:1e8ac75d72fa3775e0b7cb7e4629cec13b7514d928d15ef8ea06bca03ef01cae \
--hash=sha256:1ef99f0456d3d46a50945c98de1774da86f8e992ab5c77865ea8b8195341fc19 \
--hash=sha256:2001a39612b241dae17b4687898843f254f8748b796a2e16f1051a17078d991d \
--hash=sha256:23b6b24d74478dc833444cbd927c338349d6ae852ba53a0d02a2de1fce45b96e \
--hash=sha256:252098c8c7a873e17dd696ed98bbe91dbacd571da4b87df3736768efa7a792e4 \
--hash=sha256:257f26fed7d7ff59921b78244f3cd93ed2af1800ff048c33f624c87475819dd7 \
--hash=sha256:2c322db9c8c89009a990ef07c3bcc9f011a3269bc06782f916cd3d9eed7c9312 \
--hash=sha256:30a96e1e1f865f78b030d65241c1ee850cdf422d869e9028e2fc1d5e4db73b92 \
--hash=sha256:30d006f98569de3459c2fc1f2acde170b7b2bd265dc1943e87e1a4efe1b67c31 \
--hash=sha256:31a9a6f775f9bcd865d88ee350f0ffb0e25936a7f930ca98995c05abf1faf21c \
--hash=sha256:320e8e66157cc4e247d9ddca8e21f427efc7a04bbd0ac8a9faf56583fa543f9f \
--hash=sha256:34a7f768e3f985abdb42841e20e17b330ad3aaf4bb7e7aeeb73db2e70f077b99 \
--hash=sha256:3653fad4fe3ed447a596ae8638b437f827234f01a8cd801842e43f3d0a6b281b \
--hash=sha256:3cd35b7e8aedeb9e34c41385fda4f73ba609e561faedfae0a9e75e44ac558a15 \
--hash=sha256:3cfb2aad70f2c6debfbcb717f23b7eb55febc0bb23dcffc0f076009da10c6392 \
--hash=sha256:416175faf02e4b0810f1f38bcb54682878a4af94059a1cd63b8747244420801f \
--hash=sha256:41d1fc408ff5fdfb910200ec0e74abc40387bccb3252f3f27c0676731df2b2c8 \
--hash=sha256:42e5088973e56e31e4fa58eb6bd709e42fc03799c11c42929592889a2e54c491 \
--hash=sha256:4ca4c094de7771a98d7fbd67d9e5dbf1eb73efa4f744a730437d8a3a5cf994f0 \
--hash=sha256:511729f456829ef86ac41ca78c63a5cb55240ed23b4b737faca0eb1abb1c41bc \
--hash=sha256:53cd68b185d98dde4ad8990e56a58dea83a4162161b1ea9272e5c9182ce415e0 \
--hash=sha256:585f3b2a80fbd26b048a0be90c5aae8f06605d3c92615911c3a2b03a8a3b796f \
--hash=sha256:5b413b0b1bfd94dbf4023ad6945889f374cd24e3f62de58d6bb102c4d9ae534a \
--hash=sha256:5d8d01eac18c423815ed4f4a2ec3b439d654e55ee4ad610e153cf02faf67ea40 \
--hash=sha256:6aab0f181c486f973bc7262a97f5aca3ee7e1437011ef0c2ec04b5a11d16c927 \
--hash=sha256:6cf8fd4c04756b6b60146d98cd8a77d0cdae0e1ca20329da2ac85eed779b6849 \
--hash=sha256:6fb70de56f1859a3f71261cbe41005f56a7842cc348d3aeb26237560bfa5e0ce \
--hash=sha256:6fce4b8500244f6fcb71465d4a4930d132ba9ab8e71a7859e6a5d59851068d14 \
--hash=sha256:70bfc5f2c318afece2f5838ea5e4c3febada0be750fcf4775641052bbba14d05 \
--hash=sha256:73dc19b562516fc9bcf6e5d6e596df0b4eb98d87e4f79f3ae71840e6ed21361c \
--hash=sha256:74d77e25adda8581ffc1c720f1c81ca082921329452eba58b16233ab1842141c \
--hash=sha256:78deba4d8f9590fe4dae384aeff04082510a709957e968753ff3c48399f6f92a \
--hash=sha256:86df271bf921c2ee3818f0522e9a5b8092ca2ad8b065ece5d7d9d0e9f4849bcc \
--hash=sha256:88ab34806dea0671532d3f82d82b85e8fc23d7b2dd12fa837978dad9bb392a34 \
--hash=sha256:8999f965f922ae054125286faf9f11bc6932184b93011d138925a1773830bbe9 \
--hash=sha256:8dcfc373f888e4fb39a7bc57e93e3b845e7f462dacc008d9749568b1c4ece096 \
--hash=sha256:939578d9d8fd4299220161fdd76e86c6a251987476f5243e8864a7844476ba14 \
--hash=sha256:96b2b3d1a83ad55310de8c7b4a2d04d9277d5591f40761274856635acc5fcb30 \
--hash=sha256:a2d08ac246bb48479170408d6c19f6385fa743e7157d716e144cad849b2dd94b \
--hash=sha256:b256ee2e749283ef3ddcff51a675ff43798d92d746d1a6e4631bf8c707d22d0b \
--hash=sha256:b5e3b2d152e74e100a9e9573837aba24aab611d39428ded46f4e4022ea7d1942 \
--hash=sha256:b89bc04de1d83006373429975f8ef9e7932534b8cc9ca582e4db7d20d91816db \
--hash=sha256:bd28b817ea8c70215401f657edef3a8aa83c29d447fb0b622c35403780ba11d5 \
--hash=sha256:c60e092517a73c632ec38e290eba714e9627abe9d301c8c8a12ec32c314a2a4b \
--hash=sha256:c6dbd0ccdda3a2ba7c2ecd9d77b37f3b5831687d8dc1b6ca5f56a4880cc7b7ce \
--hash=sha256:c6e490913a46fa054e03699c70019ab869e990270597018cef1d8562132c2669 \
--hash=sha256:c6f162aabe9a91a309510d74eeb6507fab5fff92337a15acbe77753d88d9dcf0 \
--hash=sha256:c6fd51128a41297f5409deab284fecbe5305ebd7e5a1f959bee1c054622b7018 \
--hash=sha256:cc34f233c9e71701040d772aa7490318673aa7164a0efe3172b2981218c26d93 \
--hash=sha256:cc9370a2da1ac13f0153780040f465839e6cccb4a1e44810124b4e22483c93fe \
--hash=sha256:ccf600859c183d70eb47e05a44cd80a4ce77394d1ac0f79dbd2dd90a69a3a049 \
--hash=sha256:ce571ab16d890d23b5c278547ba694193a45011ff86a9162a71307ed9f86759a \
--hash=sha256:cf1ebb7d78e1ad8ec2a8c4732c7be2e736f6e5123a4146c5b89c9d1f585f8cef \
--hash=sha256:d0e909868420b7049dafd3a31d45125b31143eec59235311fc4c57ea26a4acd2 \
--hash=sha256:d22dbedd33326a4a5190dd4fe9e9e693ef12160c77382d9e87919bce54f3d4ca \
--hash=sha256:d716a916938e03231e86e43782ca7878fb602a125a91e7acb8b5112e2e96ac16 \
--hash=sha256:d79c198e27580c8e958906f803e63cddb77653731be08851c7df0b1a14a8fc0f \
--hash=sha256:d95bfb53c211b57198bb91c46dd5a2d8018b3af446583aab40074bf7988401cb \
--hash=sha256:e28e334d3ff134e88989d90ba04b47d84382a828c061d0d1027b1b12a62b39b1 \
--hash=sha256:ec557499516fc90fd374bf2e32349a2887a876fbf162c160e3c01b6849eaf557 \
--hash=sha256:fb6fecfd65564f208cbf0fba07f107fb661bcd1a7c389edbced3f7a493f70e37 \
--hash=sha256:fb731e5deb0c7ef82d698b0f4c5bb724633ee2a489401594c5c88b02e6cb15f7 \
--hash=sha256:fb7f67a1bfa6e40b438170ebdc8158b78dc465a5a67b6dde178a46987b244a72 \
--hash=sha256:fd10de089bcdcd1be95a2f73dbe6254798ec1bda9f450d5828c96f93e2536b9c \
--hash=sha256:fdabf8315679312cfa71302f9bd509ded4f2f263fb5b765cf1433b39106c3cc9
charset-normalizer==3.4.7 \
--hash=sha256:007d05ec7321d12a40227aae9e2bc6dca73f3cb21058999a1df9e193555a9dcc \
--hash=sha256:03853ed82eeebbce3c2abfdbc98c96dc205f32a79627688ac9a27370ea61a49c \
--hash=sha256:07d9e39b01743c3717745f4c530a6349eadbfa043c7577eef86c502c15df2c67 \
--hash=sha256:08e721811161356f97b4059a9ba7bafb23ea5ee2255402c42881c214e173c6b4 \
--hash=sha256:0c96c3b819b5c3e9e165495db84d41914d6894d55181d2d108cc1a69bfc9cce0 \
--hash=sha256:0ea948db76d31190bf08bd371623927ee1339d5f2a0b4b1b4a4439a65298703c \
--hash=sha256:0f7eb884681e3938906ed0434f20c63046eacd0111c4ba96f27b76084cd679f5 \
--hash=sha256:12a6fff75f6bc66711b73a2f0addfc4c8c15a20e805146a02d147a318962c444 \
--hash=sha256:12d8baf840cc7889b37c7c770f478adea7adce3dcb3944d02ec87508e2dcf153 \
--hash=sha256:14265bfe1f09498b9d8ec91e9ec9fa52775edf90fcbde092b25f4a33d444fea9 \
--hash=sha256:16d971e29578a5e97d7117866d15889a4a07befe0e87e703ed63cd90cb348c01 \
--hash=sha256:177a0ba5f0211d488e295aaf82707237e331c24788d8d76c96c5a41594723217 \
--hash=sha256:1a87ca9d5df6fe460483d9a5bbf2b18f620cbed41b432e2bddb686228282d10b \
--hash=sha256:1c2a768fdd44ee4a9339a9b0b130049139b8ce3c01d2ce09f67f5a68048d477c \
--hash=sha256:1c2aed2e5e41f24ea8ef1590b8e848a79b56f3a5564a65ceec43c9d692dc7d8a \
--hash=sha256:1dc8b0ea451d6e69735094606991f32867807881400f808a106ee1d963c46a83 \
--hash=sha256:1efde3cae86c8c273f1eb3b287be7d8499420cf2fe7585c41d370d3e790054a5 \
--hash=sha256:202389074300232baeb53ae2569a60901f7efadd4245cf3a3bf0617d60b439d7 \
--hash=sha256:203104ed3e428044fd943bc4bf45fa73c0730391f9621e37fe39ecf477b128cb \
--hash=sha256:2257141f39fe65a3fdf38aeccae4b953e5f3b3324f4ff0daf9f15b8518666a2c \
--hash=sha256:298930cec56029e05497a76988377cbd7457ba864beeea92ad7e844fe74cd1f1 \
--hash=sha256:2cd4a60d0e2fb04537162c62bbbb4182f53541fe0ede35cdf270a1c1e723cc42 \
--hash=sha256:2d6eb928e13016cea4f1f21d1e10c1cebd5a421bc57ddf5b1142ae3f86824fab \
--hash=sha256:2fe249cb4651fd12605b7288b24751d8bfd46d35f12a20b1ba33dea122e690df \
--hash=sha256:30b8d1d8c52a48c2c5690e152c169b673487a2a58de1ec7393196753063fcd5e \
--hash=sha256:320ade88cfb846b8cd6b4ddf5ee9e80ee0c1f52401f2456b84ae1ae6a1a5f207 \
--hash=sha256:3534e7dcbdcf757da6b85a0bbf5b6868786d5982dd959b065e65481644817a18 \
--hash=sha256:36836d6ff945a00b88ba1e4572d721e60b5b8c98c155d465f56ad19d68f23734 \
--hash=sha256:38c0109396c4cfc574d502df99742a45c72c08eff0a36158b6f04000043dbf38 \
--hash=sha256:3946fa46a0cf3e4c8cb1cc52f56bb536310d34f25f01ca9b6c16afa767dab110 \
--hash=sha256:3bec022aec2c514d9cf199522a802bd007cd588ab17ab2525f20f9c34d067c18 \
--hash=sha256:3c9a494bc5ec77d43cea229c4f6db1e4d8fe7e1bbffa8b6f0f0032430ff8ab44 \
--hash=sha256:3dce51d0f5e7951f8bb4900c257dad282f49190fdbebecd4ba99bcc41fef404d \
--hash=sha256:3dedcc22d73ec993f42055eff4fcfed9318d1eeb9a6606c55892a26964964e48 \
--hash=sha256:4042d5c8f957e15221d423ba781e85d553722fc4113f523f2feb7b188cc34c5e \
--hash=sha256:481551899c856c704d58119b5025793fa6730adda3571971af568f66d2424bb5 \
--hash=sha256:4dc1e73c36828f982bfe79fadf5919923f8a6f4df2860804db9a98c48824ce8d \
--hash=sha256:4e5163c14bffd570ef2affbfdd77bba66383890797df43dc8b4cc7d6f500bf53 \
--hash=sha256:511ef87c8aec0783e08ac18565a16d435372bc1ac25a91e6ac7f5ef2b0bff790 \
--hash=sha256:532bc9bf33a68613fd7d65e4b1c71a6a38d7d42604ecf239c77392e9b4e8998c \
--hash=sha256:54523e136b8948060c0fa0bc7b1b50c32c186f2fceee897a495406bb6e311d2b \
--hash=sha256:5649fd1c7bade02f320a462fdefd0b4bd3ce036065836d4f42e0de958038e116 \
--hash=sha256:56be790f86bfb2c98fb742ce566dfb4816e5a83384616ab59c49e0604d49c51d \
--hash=sha256:5b77459df20e08151cd6f8b9ef8ef1f961ef73d85c21a555c7eed5b79410ec10 \
--hash=sha256:5ed6ab538499c8644b8a3e18debabcd7ce684f3fa91cf867521a7a0279cab2d6 \
--hash=sha256:6178f72c5508bfc5fd446a5905e698c6212932f25bcdd4b47a757a50605a90e2 \
--hash=sha256:6370e8686f662e6a3941ee48ed4742317cafbe5707e36406e9df792cdb535776 \
--hash=sha256:64f02c6841d7d83f832cd97ccf8eb8a906d06eb95d5276069175c696b024b60a \
--hash=sha256:65bcd23054beab4d166035cabbc868a09c1a49d1efe458fe8e4361215df40265 \
--hash=sha256:66671f93accb62ed07da56613636f3641f1a12c13046ce91ffc923721f23c008 \
--hash=sha256:6696b7688f54f5af4462118f0bfa7c1621eeb87154f77fa04b9295ce7a8f2943 \
--hash=sha256:6785f414ae0f3c733c437e0f3929197934f526d19dfaa75e18fdb4f94c6fb374 \
--hash=sha256:67f6279d125ca0046a7fd386d01b311c6363844deac3e5b069b514ba3e63c246 \
--hash=sha256:6c114670c45346afedc0d947faf3c7f701051d2518b943679c8ff88befe14f8e \
--hash=sha256:6e0d51f618228538a3e8f46bd246f87a6cd030565e015803691603f55e12afb5 \
--hash=sha256:6ed74185b2db44f41ef35fd1617c5888e59792da9bbc9190d6c7300617182616 \
--hash=sha256:708838739abf24b2ceb208d0e22403dd018faeef86ddac04319a62ae884c4f15 \
--hash=sha256:715479b9a2802ecac752a3b0efa2b0b60285cf962ee38414211abdfccc233b41 \
--hash=sha256:733784b6d6def852c814bce5f318d25da2ee65dd4839a0718641c696e09a2960 \
--hash=sha256:750e02e074872a3fad7f233b47734166440af3cdea0add3e95163110816d6752 \
--hash=sha256:752a45dc4a6934060b3b0dab47e04edc3326575f82be64bc4fc293914566503e \
--hash=sha256:7579e913a5339fb8fa133f6bbcfd8e6749696206cf05acdbdca71a1b436d8e72 \
--hash=sha256:7641bb8895e77f921102f72833904dcd9901df5d6d72a2ab8f31d04b7e51e4e7 \
--hash=sha256:7804338df6fcc08105c7745f1502ba68d900f45fd770d5bdd5288ddccb8a42d8 \
--hash=sha256:80d04837f55fc81da168b98de4f4b797ef007fc8a79ab71c6ec9bc4dd662b15b \
--hash=sha256:813c0e0132266c08eb87469a642cb30aaff57c5f426255419572aaeceeaa7bf4 \
--hash=sha256:82b271f5137d07749f7bf32f70b17ab6eaabedd297e75dce75081a24f76eb545 \
--hash=sha256:84c018e49c3bf790f9c2771c45e9313a08c2c2a6342b162cd650258b57817706 \
--hash=sha256:8751d2787c9131302398b11e6c8068053dcb55d5a8964e114b6e196cf16cb366 \
--hash=sha256:8778f0c7a52e56f75d12dae53ae320fae900a8b9b4164b981b9c5ce059cd1fcb \
--hash=sha256:87fad7d9ba98c86bcb41b2dc8dbb326619be2562af1f8ff50776a39e55721c5a \
--hash=sha256:8d828b6667a32a728a1ad1d93957cdf37489c57b97ae6c4de2860fa749b8fc1e \
--hash=sha256:8e385e4267ab76874ae30db04c627faaaf0b509e1ccc11a95b3fc3e83f855c00 \
--hash=sha256:92a0a01ead5e668468e952e4238cccd7c537364eb7d851ab144ab6627dbbe12f \
--hash=sha256:94e1885b270625a9a828c9793b4d52a64445299baa1fea5a173bf1d3dd9a1a5a \
--hash=sha256:a180c5e59792af262bf263b21a3c49353f25945d8d9f70628e73de370d55e1e1 \
--hash=sha256:a277ab8928b9f299723bc1a2dabb1265911b1a76341f90a510368ca44ad9ab66 \
--hash=sha256:a5fe03b42827c13cdccd08e6c0247b6a6d4b5e3cdc53fd1749f5896adcdc2356 \
--hash=sha256:a6c5863edfbe888d9eff9c8b8087354e27618d9da76425c119293f11712a6319 \
--hash=sha256:a89c23ef8d2c6b27fd200a42aa4ac72786e7c60d40efdc76e6011260b6e949c4 \
--hash=sha256:adb2597b428735679446b46c8badf467b4ca5f5056aae4d51a19f9570301b1ad \
--hash=sha256:ae196f021b5e7c78e918242d217db021ed2a6ace2bc6ae94c0fc596221c7f58d \
--hash=sha256:ae89db9e5f98a11a4bf50407d4363e7b09b31e55bc117b4f7d80aab97ba009e5 \
--hash=sha256:aed52fea0513bac0ccde438c188c8a471c4e0f457c2dd20cdbf6ea7a450046c7 \
--hash=sha256:aef65cd602a6d0e0ff6f9930fcb1c8fec60dd2cfcb6facaf4bdb0e5873042db0 \
--hash=sha256:af21eb4409a119e365397b2adbaca4c9ccab56543a65d5dbd9f920d6ac29f686 \
--hash=sha256:b14b2d9dac08e28bb8046a1a0434b1750eb221c8f5b87a68f4fa11a6f97b5e34 \
--hash=sha256:bb6d88045545b26da47aa879dd4a89a71d1dce0f0e549b1abcb31dfe4a8eac49 \
--hash=sha256:bb8cc7534f51d9a017b93e3e85b260924f909601c3df002bcdb58ddb4dc41a5c \
--hash=sha256:bc17a677b21b3502a21f66a8cc64f5bfad4df8a0b8434d661666f8ce90ac3af1 \
--hash=sha256:bd6c2a1c7573c64738d716488d2cdd3c00e340e4835707d8fdb8dc1a66ef164e \
--hash=sha256:bd9b23791fe793e4968dba0c447e12f78e425c59fc0e3b97f6450f4781f3ee60 \
--hash=sha256:c03a41a8784091e67a39648f70c5f97b5b6a37f216896d44d2cdcb82615339a0 \
--hash=sha256:c0f081d69a6e58272819b70288d3221a6ee64b98df852631c80f293514d3b274 \
--hash=sha256:c35abb8bfff0185efac5878da64c45dafd2b37fb0383add1be155a763c1f083d \
--hash=sha256:c36c333c39be2dbca264d7803333c896ab8fa7d4d6f0ab7edb7dfd7aea6e98c0 \
--hash=sha256:c45e9440fb78f8ddabcf714b68f936737a121355bf59f3907f4e17721b9d1aae \
--hash=sha256:c593052c465475e64bbfe5dbd81680f64a67fdc752c56d7a0ae205dc8aeefe0f \
--hash=sha256:cdd68a1fb318e290a2077696b7eb7a21a49163c455979c639bf5a5dcdc46617d \
--hash=sha256:ce3412fbe1e31eb81ea42f4169ed94861c56e643189e1e75f0041f3fe7020abe \
--hash=sha256:cf1493cd8607bec4d8a7b9b004e699fcf8f9103a9284cc94962cb73d20f9d4a3 \
--hash=sha256:cf29836da5119f3c8a8a70667b0ef5fdca3bb12f80fd06487cfa575b3909b393 \
--hash=sha256:d4a48e5b3c2a489fae013b7589308a40146ee081f6f509e047e0e096084ceca1 \
--hash=sha256:d560742f3c0d62afaccf9f41fe485ed69bd7661a241f86a3ef0f0fb8b1a397af \
--hash=sha256:d6038d37043bced98a66e68d3aa2b6a35505dc01328cd65217cefe82f25def44 \
--hash=sha256:d61f00a0869d77422d9b2aba989e2d24afa6ffd552af442e0e58de4f35ea6d00 \
--hash=sha256:d635aab80466bc95771bb78d5370e74d36d1fe31467b6b29b8b57b2a3cd7d22c \
--hash=sha256:dca4bbc466a95ba9c0234ef56d7dd9509f63da22274589ebd4ed7f1f4d4c54e3 \
--hash=sha256:dd915403e231e6b1809fe9b6d9fc55cf8fb5e02765ac625d9cd623342a7905d7 \
--hash=sha256:e044c39e41b92c845bc815e5ae4230804e8e7bc29e399b0437d64222d92809dd \
--hash=sha256:e060d01aec0a910bdccb8be71faf34e7799ce36950f8294c8bf612cba65a2c9e \
--hash=sha256:e1421b502d83040e6d7fb2fb18dff63957f720da3d77b2fbd3187ceb63755d7b \
--hash=sha256:e17b8d5d6a8c47c85e68ca8379def1303fd360c3e22093a807cd34a71cd082b8 \
--hash=sha256:e5f4d355f0a2b1a31bc3edec6795b46324349c9cb25eed068049e4f472fb4259 \
--hash=sha256:e712b419df8ba5e42b226c510472b37bd57b38e897d3eca5e8cfd410a29fa859 \
--hash=sha256:e74327fb75de8986940def6e8dee4f127cc9752bee7355bb323cc5b2659b6d46 \
--hash=sha256:e80c8378d8f3d83cd3164da1ad2df9e37a666cdde7b1cb2298ed0b558064be30 \
--hash=sha256:e8ac484bf18ce6975760921bb6148041faa8fef0547200386ea0b52b5d27bf7b \
--hash=sha256:eca9705049ad3c7345d574e3510665cb2cf844c2f2dcfe675332677f081cbd46 \
--hash=sha256:ed065083d0898c9d5b4bbec7b026fd755ff7454e6e8b73a67f8c744b13986e24 \
--hash=sha256:edac0f1ab77644605be2cbba52e6b7f630731fc42b34cb0f634be1a6eface56a \
--hash=sha256:effc3f449787117233702311a1b7d8f59cba9ced946ba727bdc329ec69028e24 \
--hash=sha256:f22dec1690b584cea26fade98b2435c132c1b5f68e39f5a0b7627cd7ae31f1dc \
--hash=sha256:f495a1652cf3fbab2eb0639776dad966c2fb874d79d87ca07f9d5f059b8bd215 \
--hash=sha256:f496c9c3cc02230093d8330875c4c3cdfc3b73612a5fd921c65d39cbcef08063 \
--hash=sha256:f59099f9b66f0d7145115e6f80dd8b1d847176df89b234a5a6b3f00437aa0832 \
--hash=sha256:f59ad4c0e8f6bba240a9bb85504faa1ab438237199d4cce5f622761507b8f6a6 \
--hash=sha256:fbccdc05410c9ee21bbf16a35f4c1d16123dcdeb8a1d38f33654fa21d0234f79 \
--hash=sha256:fea24543955a6a729c45a73fe90e08c743f0b3334bbf3201e6c4bc1b0c7fa464
# via requests
click==8.3.0 \
--hash=sha256:9b9f285302c6e3064f4330c05f05b81945b2a39544279343e6e7c5f27a9baddc \
--hash=sha256:e7b8232224eba16f4ebe410c25ced9f7875cb5f3263ffc93cc3e8da705e229c4
click==8.4.0 \
--hash=sha256:40c50b7c6c6adac2823d411041ec84f3f103f1b280d5e9ce0d7f998995832f81 \
--hash=sha256:638f1338fe1235c8f4e008e4a8a254fb5c5fbdcbb40ece3c9142ebb78e792973
# via mkdocs
colorama==0.4.6 \
--hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
--hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
# via mkdocs-material
cssselect2==0.8.0 \
--hash=sha256:46fc70ebc41ced7a32cd42d58b1884d72ade23d21e5a4eaaf022401c13f0e76e \
--hash=sha256:7674ffb954a3b46162392aee2a3a0aedb2e14ecf99fcc28644900f4e6e3e9d3a
cssselect2==0.9.0 \
--hash=sha256:6a99e5f91f9a016a304dd929b0966ca464bcfda15177b6fb4a118fc0fb5d9563 \
--hash=sha256:759aa22c216326356f65e62e791d66160a0f9c91d1424e8d8adc5e74dddfc6fb
# via cairosvg
dataproperty==1.1.0 \
--hash=sha256:b038437a4097d1a1c497695c3586ea34bea67fdd35372b9a50f30bf044d77d04 \
--hash=sha256:c61fcb2e2deca35e6d1eb1f251a7f22f0dcde63e80e61f0cc18c19f42abfd25b
dataproperty==1.1.1 \
--hash=sha256:a83af82a234edda5378a36fb092bc90dd554646c5e58202a310acf468ae81bc8 \
--hash=sha256:cf026aa002dbd6c57c619ec6741ffd61ae7bf2f20481951d8af2dff44480340e
# via
# pytablewriter
# tabledata
@ -226,18 +275,10 @@ ghp-import==2.1.0 \
--hash=sha256:8337dd7b50877f163d4c0289bc1f1c7f127550241988d568c1db512c4324a619 \
--hash=sha256:9c535c4c61193c2df8871222567d7fd7e5014d835f97dc7b7439069e2413d343
# via mkdocs
idna==3.10 \
--hash=sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9 \
--hash=sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3
idna==3.15 \
--hash=sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8 \
--hash=sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc
# via requests
importlib-metadata==8.7.0 \
--hash=sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000 \
--hash=sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd
# via mike
importlib-resources==6.5.2 \
--hash=sha256:185f87adef5bcc288449d98fb4fba07cea78bc036455dd44c5fc4a2fe78fed2c \
--hash=sha256:789cfdc3ed28c78b67a06acb8126751ced69a3d5f79c095a98298cd8a760ccec
# via mike
jinja2==3.1.6 \
--hash=sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d \
--hash=sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67
@ -245,9 +286,9 @@ jinja2==3.1.6 \
# mike
# mkdocs
# mkdocs-material
markdown==3.9 \
--hash=sha256:9f4d91ed810864ea88a6f32c07ba8bee1346c0cc1f6b1f9f6c822f2a9667d280 \
--hash=sha256:d2900fe1782bd33bdbbd56859defef70c2e78fc46668f8eb9df3128138f2cb6a
markdown==3.10.2 \
--hash=sha256:994d51325d25ad8aa7ce4ebaec003febcce822c3f8c911e3b17c52f7f589f950 \
--hash=sha256:e91464b71ae3ee7afd3017d9f358ef0baf158fd9a298db92f1d4761133824c36
# via
# mkdocs
# mkdocs-material
@ -345,9 +386,9 @@ markupsafe==3.0.3 \
# via
# jinja2
# mkdocs
mbstrdecoder==1.1.4 \
--hash=sha256:03dae4ec50ec0d2ff4743e63fdbd5e0022815857494d35224b60775d3d934a8c \
--hash=sha256:8105ef9cf6b7d7d69fe7fd6b68a2d8f281ca9b365d7a9b670be376b2e6c81b21
mbstrdecoder==1.1.5 \
--hash=sha256:4a50fe113d4abecfd86e8f716b2e413cce03d63af83ec3c7cdbe81dec0e519ed \
--hash=sha256:8cbfba26938befd8a35e3cc06ca0632f61320b7b2be7df32550b895e1725b1ce
# via
# dataproperty
# pytablewriter
@ -358,9 +399,9 @@ mergedeep==1.3.4 \
# via
# mkdocs
# mkdocs-get-deps
mike==2.1.3 \
--hash=sha256:abd79b8ea483fb0275b7972825d3082e5ae67a41820f8d8a0dc7a3f49944e810 \
--hash=sha256:d90c64077e84f06272437b464735130d380703a76a5738b152932884c60c062a
mike==2.2.0 \
--hash=sha256:1e3858e32c0f125aac14432fc7848434358f9ae0962c5c5cde387ad47f6ad25e \
--hash=sha256:e1f4981c1152eec7c2490a3401142292cc47d686194188416db2648fdfe1d040
# via -r requirements.in
mkdocs==1.6.1 \
--hash=sha256:7b432f01d928c084353ab39c57282f29f92136665bdd6abf7c1ec8d822ef86f2 \
@ -369,13 +410,13 @@ mkdocs==1.6.1 \
# mike
# mkdocs-material
# mkdocs-static-i18n
mkdocs-get-deps==0.2.0 \
--hash=sha256:162b3d129c7fad9b19abfdcb9c1458a651628e4b1dea628ac68790fb3061c60c \
--hash=sha256:2bf11d0b133e77a0dd036abeeb06dec8775e46efa526dc70667d8863eefc6134
mkdocs-get-deps==0.2.2 \
--hash=sha256:8ee8d5f316cdbbb2834bc1df6e69c08fe769a83e040060de26d3c19fad3599a1 \
--hash=sha256:e7878cbeac04860b8b5e0ca31d3abad3df9411a75a32cde82f8e44b6c16ff650
# via mkdocs
mkdocs-material==9.6.21 \
--hash=sha256:aa6a5ab6fb4f6d381588ac51da8782a4d3757cb3d1b174f81a2ec126e1f22c92 \
--hash=sha256:b01aa6d2731322438056f360f0e623d3faae981f8f2d8c68b1b973f4f2657870
mkdocs-material==9.7.6 \
--hash=sha256:00bdde50574f776d328b1862fe65daeaf581ec309bd150f7bff345a098c64a69 \
--hash=sha256:71b84353921b8ea1ba84fe11c50912cc512da8fe0881038fcc9a0761c0e635ba
# via
# -r requirements.in
# mkdocs-print-site-plugin
@ -387,13 +428,13 @@ mkdocs-print-site-plugin==2.8 \
--hash=sha256:838bd0a9b7141c11c0f1fdaa51ffe70c35740bec1f07c0806f8018e92f93f9da \
--hash=sha256:ab1c89cdb468352975e3bb3bb0ef25dcc2bb88931b03f173206dc95ab02f843f
# via -r requirements.in
mkdocs-static-i18n==1.3.0 \
--hash=sha256:65731e1e4ec6d719693e24fee9340f5516460b2b7244d2a89bed4ce3cfa6a173 \
--hash=sha256:7905d52fff71d2c108b6c344fd223e848ca7e39ddf319b70864dfa47dba85d6b
mkdocs-static-i18n==1.3.1 \
--hash=sha256:4036e24795a150c9c4d4b001ed24a43aec01335f76188dbe5a5d8fb4a27eba65 \
--hash=sha256:a6125ea7db6cc1a900d76a967f262535af09831160a93c56d7f0d522a79b5faf
# via -r requirements.in
packaging==25.0 \
--hash=sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 \
--hash=sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f
packaging==26.2 \
--hash=sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e \
--hash=sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661
# via
# mkdocs
# typepy
@ -401,143 +442,128 @@ paginate==0.5.7 \
--hash=sha256:22bd083ab41e1a8b4f3690544afb2c60c25e5c9a63a30fa2f483f6c60c8e5945 \
--hash=sha256:b885e2af73abcf01d9559fd5216b57ef722f8c42affbb63942377668e35c7591
# via mkdocs-material
pathspec==0.12.1 \
--hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \
--hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712
pathspec==1.1.1 \
--hash=sha256:17db5ecd524104a120e173814c90367a96a98d07c45b2e10c2f3919fff91bf5a \
--hash=sha256:a00ce642f577bf7f473932318056212bc4f8bfdf53128c78bbd5af0b9b20b189
# via mkdocs
pathvalidate==3.3.1 \
--hash=sha256:5263baab691f8e1af96092fa5137ee17df5bdfbd6cff1fcac4d6ef4bc2e1735f \
--hash=sha256:b18c07212bfead624345bb8e1d6141cdcf15a39736994ea0b94035ad2b1ba177
# via pytablewriter
pillow==11.3.0 \
--hash=sha256:023f6d2d11784a465f09fd09a34b150ea4672e85fb3d05931d89f373ab14abb2 \
--hash=sha256:02a723e6bf909e7cea0dac1b0e0310be9d7650cd66222a5f1c571455c0a45214 \
--hash=sha256:040a5b691b0713e1f6cbe222e0f4f74cd233421e105850ae3b3c0ceda520f42e \
--hash=sha256:05f6ecbeff5005399bb48d198f098a9b4b6bdf27b8487c7f38ca16eeb070cd59 \
--hash=sha256:068d9c39a2d1b358eb9f245ce7ab1b5c3246c7c8c7d9ba58cfa5b43146c06e50 \
--hash=sha256:0743841cabd3dba6a83f38a92672cccbd69af56e3e91777b0ee7f4dba4385632 \
--hash=sha256:092c80c76635f5ecb10f3f83d76716165c96f5229addbd1ec2bdbbda7d496e06 \
--hash=sha256:0b275ff9b04df7b640c59ec5a3cb113eefd3795a8df80bac69646ef699c6981a \
--hash=sha256:0bce5c4fd0921f99d2e858dc4d4d64193407e1b99478bc5cacecba2311abde51 \
--hash=sha256:1019b04af07fc0163e2810167918cb5add8d74674b6267616021ab558dc98ced \
--hash=sha256:106064daa23a745510dabce1d84f29137a37224831d88eb4ce94bb187b1d7e5f \
--hash=sha256:118ca10c0d60b06d006be10a501fd6bbdfef559251ed31b794668ed569c87e12 \
--hash=sha256:13f87d581e71d9189ab21fe0efb5a23e9f28552d5be6979e84001d3b8505abe8 \
--hash=sha256:155658efb5e044669c08896c0c44231c5e9abcaadbc5cd3648df2f7c0b96b9a6 \
--hash=sha256:1904e1264881f682f02b7f8167935cce37bc97db457f8e7849dc3a6a52b99580 \
--hash=sha256:19d2ff547c75b8e3ff46f4d9ef969a06c30ab2d4263a9e287733aa8b2429ce8f \
--hash=sha256:1a992e86b0dd7aeb1f053cd506508c0999d710a8f07b4c791c63843fc6a807ac \
--hash=sha256:1b9c17fd4ace828b3003dfd1e30bff24863e0eb59b535e8f80194d9cc7ecf860 \
--hash=sha256:1c627742b539bba4309df89171356fcb3cc5a9178355b2727d1b74a6cf155fbd \
--hash=sha256:1cd110edf822773368b396281a2293aeb91c90a2db00d78ea43e7e861631b722 \
--hash=sha256:1f85acb69adf2aaee8b7da124efebbdb959a104db34d3a2cb0f3793dbae422a8 \
--hash=sha256:23cff760a9049c502721bdb743a7cb3e03365fafcdfc2ef9784610714166e5a4 \
--hash=sha256:2465a69cf967b8b49ee1b96d76718cd98c4e925414ead59fdf75cf0fd07df673 \
--hash=sha256:2a3117c06b8fb646639dce83694f2f9eac405472713fcb1ae887469c0d4f6788 \
--hash=sha256:2aceea54f957dd4448264f9bf40875da0415c83eb85f55069d89c0ed436e3542 \
--hash=sha256:2d6fcc902a24ac74495df63faad1884282239265c6839a0a6416d33faedfae7e \
--hash=sha256:30807c931ff7c095620fe04448e2c2fc673fcbb1ffe2a7da3fb39613489b1ddd \
--hash=sha256:30b7c02f3899d10f13d7a48163c8969e4e653f8b43416d23d13d1bbfdc93b9f8 \
--hash=sha256:3828ee7586cd0b2091b6209e5ad53e20d0649bbe87164a459d0676e035e8f523 \
--hash=sha256:3cee80663f29e3843b68199b9d6f4f54bd1d4a6b59bdd91bceefc51238bcb967 \
--hash=sha256:3e184b2f26ff146363dd07bde8b711833d7b0202e27d13540bfe2e35a323a809 \
--hash=sha256:41342b64afeba938edb034d122b2dda5db2139b9a4af999729ba8818e0056477 \
--hash=sha256:41742638139424703b4d01665b807c6468e23e699e8e90cffefe291c5832b027 \
--hash=sha256:4445fa62e15936a028672fd48c4c11a66d641d2c05726c7ec1f8ba6a572036ae \
--hash=sha256:45dfc51ac5975b938e9809451c51734124e73b04d0f0ac621649821a63852e7b \
--hash=sha256:465b9e8844e3c3519a983d58b80be3f668e2a7a5db97f2784e7079fbc9f9822c \
--hash=sha256:48d254f8a4c776de343051023eb61ffe818299eeac478da55227d96e241de53f \
--hash=sha256:4c834a3921375c48ee6b9624061076bc0a32a60b5532b322cc0ea64e639dd50e \
--hash=sha256:4c96f993ab8c98460cd0c001447bff6194403e8b1d7e149ade5f00594918128b \
--hash=sha256:504b6f59505f08ae014f724b6207ff6222662aab5cc9542577fb084ed0676ac7 \
--hash=sha256:527b37216b6ac3a12d7838dc3bd75208ec57c1c6d11ef01902266a5a0c14fc27 \
--hash=sha256:5418b53c0d59b3824d05e029669efa023bbef0f3e92e75ec8428f3799487f361 \
--hash=sha256:59a03cdf019efbfeeed910bf79c7c93255c3d54bc45898ac2a4140071b02b4ae \
--hash=sha256:5e05688ccef30ea69b9317a9ead994b93975104a677a36a8ed8106be9260aa6d \
--hash=sha256:6359a3bc43f57d5b375d1ad54a0074318a0844d11b76abccf478c37c986d3cfc \
--hash=sha256:643f189248837533073c405ec2f0bb250ba54598cf80e8c1e043381a60632f58 \
--hash=sha256:65dc69160114cdd0ca0f35cb434633c75e8e7fad4cf855177a05bf38678f73ad \
--hash=sha256:67172f2944ebba3d4a7b54f2e95c786a3a50c21b88456329314caaa28cda70f6 \
--hash=sha256:676b2815362456b5b3216b4fd5bd89d362100dc6f4945154ff172e206a22c024 \
--hash=sha256:6a418691000f2a418c9135a7cf0d797c1bb7d9a485e61fe8e7722845b95ef978 \
--hash=sha256:6abdbfd3aea42be05702a8dd98832329c167ee84400a1d1f61ab11437f1717eb \
--hash=sha256:6be31e3fc9a621e071bc17bb7de63b85cbe0bfae91bb0363c893cbe67247780d \
--hash=sha256:7107195ddc914f656c7fc8e4a5e1c25f32e9236ea3ea860f257b0436011fddd0 \
--hash=sha256:71f511f6b3b91dd543282477be45a033e4845a40278fa8dcdbfdb07109bf18f9 \
--hash=sha256:7859a4cc7c9295f5838015d8cc0a9c215b77e43d07a25e460f35cf516df8626f \
--hash=sha256:7966e38dcd0fa11ca390aed7c6f20454443581d758242023cf36fcb319b1a874 \
--hash=sha256:79ea0d14d3ebad43ec77ad5272e6ff9bba5b679ef73375ea760261207fa8e0aa \
--hash=sha256:7aee118e30a4cf54fdd873bd3a29de51e29105ab11f9aad8c32123f58c8f8081 \
--hash=sha256:7b161756381f0918e05e7cb8a371fff367e807770f8fe92ecb20d905d0e1c149 \
--hash=sha256:7c8ec7a017ad1bd562f93dbd8505763e688d388cde6e4a010ae1486916e713e6 \
--hash=sha256:7d1aa4de119a0ecac0a34a9c8bde33f34022e2e8f99104e47a3ca392fd60e37d \
--hash=sha256:7db51d222548ccfd274e4572fdbf3e810a5e66b00608862f947b163e613b67dd \
--hash=sha256:819931d25e57b513242859ce1876c58c59dc31587847bf74cfe06b2e0cb22d2f \
--hash=sha256:83e1b0161c9d148125083a35c1c5a89db5b7054834fd4387499e06552035236c \
--hash=sha256:857844335c95bea93fb39e0fa2726b4d9d758850b34075a7e3ff4f4fa3aa3b31 \
--hash=sha256:8797edc41f3e8536ae4b10897ee2f637235c94f27404cac7297f7b607dd0716e \
--hash=sha256:8924748b688aa210d79883357d102cd64690e56b923a186f35a82cbc10f997db \
--hash=sha256:89bd777bc6624fe4115e9fac3352c79ed60f3bb18651420635f26e643e3dd1f6 \
--hash=sha256:8dc70ca24c110503e16918a658b869019126ecfe03109b754c402daff12b3d9f \
--hash=sha256:91da1d88226663594e3f6b4b8c3c8d85bd504117d043740a8e0ec449087cc494 \
--hash=sha256:921bd305b10e82b4d1f5e802b6850677f965d8394203d182f078873851dada69 \
--hash=sha256:932c754c2d51ad2b2271fd01c3d121daaa35e27efae2a616f77bf164bc0b3e94 \
--hash=sha256:93efb0b4de7e340d99057415c749175e24c8864302369e05914682ba642e5d77 \
--hash=sha256:97afb3a00b65cc0804d1c7abddbf090a81eaac02768af58cbdcaaa0a931e0b6d \
--hash=sha256:97f07ed9f56a3b9b5f49d3661dc9607484e85c67e27f3e8be2c7d28ca032fec7 \
--hash=sha256:98a9afa7b9007c67ed84c57c9e0ad86a6000da96eaa638e4f8abe5b65ff83f0a \
--hash=sha256:9ab6ae226de48019caa8074894544af5b53a117ccb9d3b3dcb2871464c829438 \
--hash=sha256:9c412fddd1b77a75aa904615ebaa6001f169b26fd467b4be93aded278266b288 \
--hash=sha256:a1bc6ba083b145187f648b667e05a2534ecc4b9f2784c2cbe3089e44868f2b9b \
--hash=sha256:a418486160228f64dd9e9efcd132679b7a02a5f22c982c78b6fc7dab3fefb635 \
--hash=sha256:a4d336baed65d50d37b88ca5b60c0fa9d81e3a87d4a7930d3880d1624d5b31f3 \
--hash=sha256:a6444696fce635783440b7f7a9fc24b3ad10a9ea3f0ab66c5905be1c19ccf17d \
--hash=sha256:a7bc6e6fd0395bc052f16b1a8670859964dbd7003bd0af2ff08342eb6e442cfe \
--hash=sha256:b4b8f3efc8d530a1544e5962bd6b403d5f7fe8b9e08227c6b255f98ad82b4ba0 \
--hash=sha256:b5f56c3f344f2ccaf0dd875d3e180f631dc60a51b314295a3e681fe8cf851fbe \
--hash=sha256:be5463ac478b623b9dd3937afd7fb7ab3d79dd290a28e2b6df292dc75063eb8a \
--hash=sha256:c37d8ba9411d6003bba9e518db0db0c58a680ab9fe5179f040b0463644bc9805 \
--hash=sha256:c84d689db21a1c397d001aa08241044aa2069e7587b398c8cc63020390b1c1b8 \
--hash=sha256:c96d333dcf42d01f47b37e0979b6bd73ec91eae18614864622d9b87bbd5bbf36 \
--hash=sha256:cadc9e0ea0a2431124cde7e1697106471fc4c1da01530e679b2391c37d3fbb3a \
--hash=sha256:cc3e831b563b3114baac7ec2ee86819eb03caa1a2cef0b481a5675b59c4fe23b \
--hash=sha256:cd8ff254faf15591e724dc7c4ddb6bf4793efcbe13802a4ae3e863cd300b493e \
--hash=sha256:d000f46e2917c705e9fb93a3606ee4a819d1e3aa7a9b442f6444f07e77cf5e25 \
--hash=sha256:d9da3df5f9ea2a89b81bb6087177fb1f4d1c7146d583a3fe5c672c0d94e55e12 \
--hash=sha256:e5c5858ad8ec655450a7c7df532e9842cf8df7cc349df7225c60d5d348c8aada \
--hash=sha256:e67d793d180c9df62f1f40aee3accca4829d3794c95098887edc18af4b8b780c \
--hash=sha256:ea944117a7974ae78059fcc1800e5d3295172bb97035c0c1d9345fca1419da71 \
--hash=sha256:eb76541cba2f958032d79d143b98a3a6b3ea87f0959bbe256c0b5e416599fd5d \
--hash=sha256:ec1ee50470b0d050984394423d96325b744d55c701a439d2bd66089bff963d3c \
--hash=sha256:ee92f2fd10f4adc4b43d07ec5e779932b4eb3dbfbc34790ada5a6669bc095aa6 \
--hash=sha256:f0f5d8f4a08090c6d6d578351a2b91acf519a54986c055af27e7a93feae6d3f1 \
--hash=sha256:f1f182ebd2303acf8c380a54f615ec883322593320a9b00438eb842c1f37ae50 \
--hash=sha256:f8a5827f84d973d8636e9dc5764af4f0cf2318d26744b3d902931701b0d46653 \
--hash=sha256:f944255db153ebb2b19c51fe85dd99ef0ce494123f21b9db4877ffdfc5590c7c \
--hash=sha256:fdae223722da47b024b867c1ea0be64e0df702c5e0a60e27daad39bf960dd1e4 \
--hash=sha256:fe27fb049cdcca11f11a7bfda64043c37b30e6b91f10cb5bab275806c32f6ab3
pillow==12.2.0 \
--hash=sha256:00a2865911330191c0b818c59103b58a5e697cae67042366970a6b6f1b20b7f9 \
--hash=sha256:01afa7cf67f74f09523699b4e88c73fb55c13346d212a59a2db1f86b0a63e8c5 \
--hash=sha256:03e7e372d5240cc23e9f07deca4d775c0817bffc641b01e9c3af208dbd300987 \
--hash=sha256:03f6fab9219220f041c74aeaa2939ff0062bd5c364ba9ce037197f4c6d498cd9 \
--hash=sha256:042db20a421b9bafecc4b84a8b6e444686bd9d836c7fd24542db3e7df7baad9b \
--hash=sha256:0538bd5e05efec03ae613fd89c4ce0368ecd2ba239cc25b9f9be7ed426b0af1f \
--hash=sha256:0a34329707af4f73cf1782a36cd2289c0368880654a2c11f027bcee9052d35dd \
--hash=sha256:0c838a5125cee37e68edec915651521191cef1e6aa336b855f495766e77a366e \
--hash=sha256:144748b3af2d1b358d41286056d0003f47cb339b8c43a9ea42f5fea4d8c66b6e \
--hash=sha256:1610dd6c61621ae1cf811bef44d77e149ce3f7b95afe66a4512f8c59f25d9ebe \
--hash=sha256:1e1757442ed87f4912397c6d35a0db6a7b52592156014706f17658ff58bbf795 \
--hash=sha256:22db17c68434de69d8ecfc2fe821569195c0c373b25cccb9cbdacf2c6e53c601 \
--hash=sha256:25373b66e0dd5905ed63fa3cae13c82fbddf3079f2c8bf15c6fb6a35586324c1 \
--hash=sha256:2bb4a8d594eacdfc59d9e5ad972aa8afdd48d584ffd5f13a937a664c3e7db0ed \
--hash=sha256:2c727a6d53cb0018aadd8018c2b938376af27914a68a492f59dfcaca650d5eea \
--hash=sha256:2d192a155bbcec180f8564f693e6fd9bccff5a7af9b32e2e4bf8c9c69dbad6b5 \
--hash=sha256:2e589959f10d9824d39b350472b92f0ce3b443c0a3442ebf41c40cb8361c5b97 \
--hash=sha256:2e5a76d03a6c6dcef67edabda7a52494afa4035021a79c8558e14af25313d453 \
--hash=sha256:325ca0528c6788d2a6c3d40e3568639398137346c3d6e66bb61db96b96511c98 \
--hash=sha256:34c0d99ecccea270c04882cb3b86e7b57296079c9a4aff88cb3b33563d95afaa \
--hash=sha256:390ede346628ccc626e5730107cde16c42d3836b89662a115a921f28440e6a3b \
--hash=sha256:394167b21da716608eac917c60aa9b969421b5dcbbe02ae7f013e7b85811c69d \
--hash=sha256:3997232e10d2920a68d25191392e3a4487d8183039e1c74c2297f00ed1c50705 \
--hash=sha256:3adc9215e8be0448ed6e814966ecf3d9952f0ea40eb14e89a102b87f450660d8 \
--hash=sha256:3e080565d8d7c671db5802eedfb438e5565ffa40115216eabb8cd52d0ecce024 \
--hash=sha256:4a6c9fa44005fa37a91ebfc95d081e8079757d2e904b27103f4f5fa6f0bf78c0 \
--hash=sha256:4bfd07bc812fbd20395212969e41931001fd59eb55a60658b0e5710872e95286 \
--hash=sha256:4e6c62e9d237e9b65fac06857d511e90d8461a32adcc1b9065ea0c0fa3a28150 \
--hash=sha256:50d8520da2a6ce0af445fa6d648c4273c3eeefbc32d7ce049f22e8b5c3daecc2 \
--hash=sha256:51c4167c34b0d8ba05b547a3bb23578d0ba17b80a5593f93bd8ecb123dd336a3 \
--hash=sha256:56a3f9c60a13133a98ecff6197af34d7824de9b7b38c3654861a725c970c197b \
--hash=sha256:56b25336f502b6ed02e889f4ece894a72612fe885889a6e8c4c80239ff6e5f5f \
--hash=sha256:57850958fe9c751670e49b2cecf6294acc99e562531f4bd317fa5ddee2068463 \
--hash=sha256:58f62cc0f00fd29e64b29f4fd923ffdb3859c9f9e6105bfc37ba1d08994e8940 \
--hash=sha256:5c0a9f29ca8e79f09de89293f82fc9b0270bb4af1d58bc98f540cc4aedf03166 \
--hash=sha256:5cdfebd752ec52bf5bb4e35d9c64b40826bc5b40a13df7c3cda20a2c03a0f5ed \
--hash=sha256:5d04bfa02cc2d23b497d1e90a0f927070043f6cbf303e738300532379a4b4e0f \
--hash=sha256:5d2fd0fa6b5d9d1de415060363433f28da8b1526c1c129020435e186794b3795 \
--hash=sha256:62f5409336adb0663b7caa0da5c7d9e7bdbaae9ce761d34669420c2a801b2780 \
--hash=sha256:632ff19b2778e43162304d50da0181ce24ac5bb8180122cbe1bf4673428328c7 \
--hash=sha256:6562ace0d3fb5f20ed7290f1f929cae41b25ae29528f2af1722966a0a02e2aa1 \
--hash=sha256:673aa32138f3e7531ccdbca7b3901dba9b70940a19ccecc6a37c77d5fdeb05b5 \
--hash=sha256:6a6e67ea2e6feda684ed370f9a1c52e7a243631c025ba42149a2cc5934dec295 \
--hash=sha256:6a9adfc6d24b10f89588096364cc726174118c62130c817c2837c60cf08a392b \
--hash=sha256:6bb77b2dcb06b20f9f4b4a8454caa581cd4dd0643a08bacf821216a16d9c8354 \
--hash=sha256:6e6b2a0c538fc200b38ff9eb6628228b77908c319a005815f2dde585a0664b60 \
--hash=sha256:71cde9a1e1551df7d34a25462fc60325e8a11a82cc2e2f54578e5e9a1e153d65 \
--hash=sha256:7371b48c4fa448d20d2714c9a1f775a81155050d383333e0a6c15b1123dda005 \
--hash=sha256:766cef22385fa1091258ad7e6216792b156dc16d8d3fa607e7545b2b72061f1c \
--hash=sha256:7b14cc0106cd9aecda615dd6903840a058b4700fcb817687d0ee4fc8b6e389be \
--hash=sha256:7f84204dee22a783350679a0333981df803dac21a0190d706a50475e361c93f5 \
--hash=sha256:8023abc91fba39036dbce14a7d6535632f99c0b857807cbbbf21ecc9f4717f06 \
--hash=sha256:80b2da48193b2f33ed0c32c38140f9d3186583ce7d516526d462645fd98660ae \
--hash=sha256:8297651f5b5679c19968abefd6bb84d95fe30ef712eb1b2d9b2d31ca61267f4c \
--hash=sha256:88d387ff40b3ff7c274947ed3125dedf5262ec6919d83946753b5f3d7c67ea4c \
--hash=sha256:88ddbc66737e277852913bd1e07c150cc7bb124539f94c4e2df5344494e0a612 \
--hash=sha256:8bd7903a5f2a4545f6fd5935c90058b89d30045568985a71c79f5fd6edf9b91e \
--hash=sha256:8be29e59487a79f173507c30ddf57e733a357f67881430449bb32614075a40ab \
--hash=sha256:8c984051042858021a54926eb597d6ee3012393ce9c181814115df4c60b9a808 \
--hash=sha256:8cbeb542b2ebc6fcdacabf8aca8c1a97c9b3ad3927d46b8723f9d4f033288a0f \
--hash=sha256:8e9c4f5b3c546fa3458a29ab22646c1c6c787ea8f5ef51300e5a60300736905e \
--hash=sha256:90e6f81de50ad6b534cab6e5aef77ff6e37722b2f5d908686f4a5c9eba17a909 \
--hash=sha256:975385f4776fafde056abb318f612ef6285b10a1f12b8570f3647ad0d74b48ec \
--hash=sha256:9a8a34cc89c67a65ea7437ce257cea81a9dad65b29805f3ecee8c8fe8ff25ffe \
--hash=sha256:9aba9a17b623ef750a4d11b742cbafffeb48a869821252b30ee21b5e91392c50 \
--hash=sha256:9f08483a632889536b8139663db60f6724bfcb443c96f1b18855860d7d5c0fd4 \
--hash=sha256:a4e8f36e677d3336f35089648c8955c51c6d386a13cf6ee9c189c5f5bd713a9f \
--hash=sha256:a52edc8bfff4429aaabdf4d9ee0daadbbf8562364f940937b941f87a4290f5ff \
--hash=sha256:a830b1a40919539d07806aa58e1b114df53ddd43213d9c8b75847eee6c0182b5 \
--hash=sha256:aa88ccfe4e32d362816319ed727a004423aab09c5cea43c01a4b435643fa34eb \
--hash=sha256:af73337013e0b3b46f175e79492d96845b16126ddf79c438d7ea7ff27783a414 \
--hash=sha256:b1c1fbd8a5a1af3412a0810d060a78b5136ec0836c8a4ef9aa11807f2a22f4e1 \
--hash=sha256:b85f66ae9eb53e860a873b858b789217ba505e5e405a24b85c0464822fe88032 \
--hash=sha256:b86024e52a1b269467a802258c25521e6d742349d760728092e1bc2d135b4d76 \
--hash=sha256:bd9c0c7a0c681a347b3194c500cb1e6ca9cab053ea4d82a5cf45b6b754560136 \
--hash=sha256:bfa9c230d2fe991bed5318a5f119bd6780cda2915cca595393649fc118ab895e \
--hash=sha256:d362d1878f00c142b7e1a16e6e5e780f02be8195123f164edf7eddd911eefe7c \
--hash=sha256:d5d38f1411c0ed9f97bcb49b7bd59b6b7c314e0e27420e34d99d844b9ce3b6f3 \
--hash=sha256:dac8d77255a37e81a2efcbd1fc05f1c15ee82200e6c240d7e127e25e365c39ea \
--hash=sha256:dd025009355c926a84a612fecf58bb315a3f6814b17ead51a8e48d3823d9087f \
--hash=sha256:deede7c263feb25dba4e82ea23058a235dcc2fe1f6021025dc71f2b618e26104 \
--hash=sha256:e74473c875d78b8e9d5da2a70f7099549f9eb37ded4e2f6a463e60125bccd176 \
--hash=sha256:ee3120ae9dff32f121610bb08e4313be87e03efeadfc6c0d18f89127e24d0c24 \
--hash=sha256:eedf4b74eda2b5a4b2b2fb4c006d6295df3bf29e459e198c90ea48e130dc75c3 \
--hash=sha256:efd8c21c98c5cc60653bcb311bef2ce0401642b7ce9d09e03a7da87c878289d4 \
--hash=sha256:f1c943e96e85df3d3478f7b691f229887e143f81fedab9b20205349ab04d73ed \
--hash=sha256:f278f034eb75b4e8a13a54a876cc4a5ab39173d2cdd93a638e1b467fc545ac43 \
--hash=sha256:f3f40b3c5a968281fd507d519e444c35f0ff171237f4fdde090dd60699458421 \
--hash=sha256:f490f9368b6fc026f021db16d7ec2fbf7d89e2edb42e8ec09d2c60505f5729c7 \
--hash=sha256:fb043ee2f06b41473269765c2feae53fc2e2fbf96e5e22ca94fb5ad677856f06 \
--hash=sha256:fc3d34d4a8fbec3e88a79b92e5465e0f9b842b628675850d860b8bd300b159f5
# via
# cairosvg
# mkdocs-material
platformdirs==4.4.0 \
--hash=sha256:abd01743f24e5287cd7a5db3752faf1a2d65353f38ec26d98e25a6db65958c85 \
--hash=sha256:ca753cf4d81dc309bc67b0ea38fd15dc97bc30ce419a7f58d13eb3bf14c4febf
platformdirs==4.9.6 \
--hash=sha256:3bfa75b0ad0db84096ae777218481852c0ebc6c727b3168c1b9e0118e458cf0a \
--hash=sha256:e61adb1d5e5cb3441b4b7710bea7e4c12250ca49439228cc1021c00dcfac0917
# via mkdocs-get-deps
pycparser==2.23 \
--hash=sha256:78816d4f24add8f10a06d6f05b4d424ad9e96cfebf68a4ddc99c65c0720d00c2 \
--hash=sha256:e5c6e8d3fbad53479cab09ac03729e0a9faf2bee3db8208a550daf5af81a5934
pycparser==3.0 \
--hash=sha256:600f49d217304a5902ac3c37e1281c9fe94e4d0489de643a9504c5cdfdfc6b29 \
--hash=sha256:b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992
# via cffi
pygments==2.19.2 \
--hash=sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887 \
--hash=sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b
pygments==2.20.0 \
--hash=sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f \
--hash=sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176
# via mkdocs-material
pymdown-extensions==10.16.1 \
--hash=sha256:aace82bcccba3efc03e25d584e6a22d27a8e17caa3f4dd9f207e49b787aa9a91 \
--hash=sha256:d6ba157a6c03146a7fb122b2b9a121300056384eafeec9c9f9e584adfdb2a32d
pymdown-extensions==10.21.3 \
--hash=sha256:72cfcf55f07aea0d4af2c4f11dd4e52466ddfb1bb819673146398e0bd3a77354 \
--hash=sha256:d7a5d08014fc571e80ca21dd6f854e31f94c489800350564d55d15b3c41e76b6
# via mkdocs-material
pyparsing==3.2.5 \
--hash=sha256:2df8d5b7b2802ef88e8d016a2eb9c7aeaa923529cd251ed0fe4608275d4105b6 \
--hash=sha256:e38a4f02064cf41fe6593d328d0512495ad1f3d8a91c4f73fc401b3079a59a5e
pyparsing==3.3.2 \
--hash=sha256:850ba148bd908d7e2411587e247a1e4f0327839c40e2e5e6d05a007ecc69911d \
--hash=sha256:c777f4d763f140633dcb6d8a3eda953bf7a214dc4eff598413c070bcdc117cbc
# via mike
pytablewriter==1.2.1 \
--hash=sha256:7bd0f4f397e070e3b8a34edcf1b9257ccbb18305493d8350a5dbc9957fced959 \
@ -549,9 +575,9 @@ python-dateutil==2.9.0.post0 \
# via
# ghp-import
# typepy
pytz==2025.2 \
--hash=sha256:360b9e3dbb49a209c21ad61809c7fb453643e048b38924c765813546746e81c3 \
--hash=sha256:5ddf76296dd8c44c26eb8f4b6f35488f3ccbf6fbbd7adee0b7262d43f0ec2f00
pytz==2026.2 \
--hash=sha256:04156e608bee23d3792fd45c94ae47fae1036688e75032eea2e3bf0323d1f126 \
--hash=sha256:0e60b47b29f21574376f218fe21abc009894a2321ea16c6754f3cad6eb7cdd6a
# via typepy
pyyaml==6.0.3 \
--hash=sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c \
@ -639,44 +665,46 @@ pyyaml-env-tag==1.1 \
# via
# mike
# mkdocs
requests==2.32.5 \
--hash=sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6 \
--hash=sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf
# via importlib-metadata
requests==2.34.2 \
--hash=sha256:2a0d60c172f83ac6ab31e4554906c0f3b3588d37b5cb939b1c061f4907e278e0 \
--hash=sha256:f288924cae4e29463698d6d60bc6a4da69c89185ad1e0bcc4104f584e960b9ed
# via
# cssselect2
# tinycss2
# The following packages are considered to be unsafe in a requirements file:
setuptools==80.9.0 \
--hash=sha256:062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922 \
--hash=sha256:f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c
setuptools==82.0.1 \
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
# via mkdocs-material
six==1.17.0 \
--hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
--hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
# via python-dateutil
tabledata==1.3.4 \
--hash=sha256:1f56e433bfdeb89f4487abfa48c4603a3b07c5d3a3c7e05ff73dd018c24bd0d4 \
--hash=sha256:e9649cab129d718f3bff4150083b77f8a78c30f6634a30caf692b10fdc60cb97
tabledata==1.3.5 \
--hash=sha256:98c64d0ad6b520846b41000fb3f5b2f42fa7ca2675c2c669e5ccab6b93082a36 \
--hash=sha256:a1e57afc4767b51bef551114c0df31f205d712dbb75e3caf9be7834a79f23136
# via pytablewriter
tcolorpy==0.1.7 \
--hash=sha256:0fbf6bf238890bbc2e32662aa25736769a29bf6d880328f310c910a327632614 \
--hash=sha256:26a59d52027e175a37e0aba72efc99dda43f074db71f55b316d3de37d3251378
# via pytablewriter
tinycss2==1.4.0 \
--hash=sha256:10c0972f6fc0fbee87c3edb76549357415e94548c1ae10ebccdea16fb404a9b7 \
--hash=sha256:3a49cf47b7675da0b15d0c6e1df8df4ebd96e9394bb905a5775adb0d884c5289
tinycss2==1.5.1 \
--hash=sha256:3415ba0f5839c062696996998176c4a3751d18b7edaaeeb658c9ce21ec150661 \
--hash=sha256:d339d2b616ba90ccce58da8495a78f46e55d4d25f9fd71dfd526f07e7d53f957
# via
# cairosvg
# cssselect2
typepy==1.3.4 \
--hash=sha256:89c1f66de6c6133209c43a94d23431d320ba03ef5db18f241091ea594035d9de \
--hash=sha256:d5ed3e0c7f49521bff0603dd08cf8d453371cf68d65a29d3d0038552ccc46e2e
typepy==1.3.5 \
--hash=sha256:a1c5f54c41860f89bab175f512b11e8c9a57cfe7b8b3d5ae5d52d828b756b6dd \
--hash=sha256:de361b59609c7503efc2edbe9d7a4e053ae71307bf90ae1678ec4d6bcd807922
# via
# dataproperty
# pytablewriter
# tabledata
urllib3==2.5.0 \
--hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \
--hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc
urllib3==2.7.0 \
--hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c \
--hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897
# via requests
verspec==0.1.0 \
--hash=sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31 \
@ -717,10 +745,4 @@ watchdog==6.0.0 \
webencodings==0.5.1 \
--hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
--hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
# via
# cssselect2
# tinycss2
zipp==3.23.0 \
--hash=sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e \
--hash=sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166
# via pytablewriter

4
docs/robots.txt
View file

@ -1,4 +1,8 @@
User-agent: *
Allow: /latest/
# LLM-friendly documentation
# llms.txt: /latest/llms.txt
# llms-full.txt: /latest/llms-full.txt
Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml

45
docs/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -82,6 +82,9 @@
If the checksum verification fails, **do not execute the script**—it may be unsafe.
!!! tip "Interactive upgrade UI"
The upgrade flow uses the same TUI as fresh installs: arrow-key inline prompts via [gum](https://github.com/charmbracelet/gum), with `whiptail` boxed-dialog and plain-text fallbacks if gum cannot be obtained. The `gum` binary is fetched from the official [GitHub release](https://github.com/charmbracelet/gum/releases) (SHA256-pinned, cosign-verified when cosign is installed) and runs from a tempdir that is removed on exit — no system package is installed and no apt/dnf source is added. Pass `--no-tui` (or set `BW_INSTALL_TUI=no`) to skip every TUI tier, or `--tui` to require a working TUI. For fully unattended upgrades pass `-y` / `--yes` with the relevant flags — piped invocations (`curl … | bash`) exit with a clear error instead of silently accepting every default. **Air-gapped upgrades**: combine `--no-tui --yes` so no network call is made for the TUI layer.
* **How it works**:
The same multipurpose install script used for fresh installs can also perform an inplace upgrade. When it detects an existing installation and a different target version, it switches to upgrade mode and applies the following workflow:
@ -116,9 +119,9 @@
* **Mode-aware behavior**:
- The installer reuses the same installation-type logic during upgrades: manager mode keeps the setup wizard disabled, binds the API to `0.0.0.0`, and requires a whitelist IP (pass `--manager-ip` for unattended runs), while worker mode still enforces the manager IP list.
- The installer reuses the same installation-type logic during upgrades: manager mode keeps the setup wizard disabled, binds the internal API listener to `0.0.0.0`, and requires a whitelist IP (pass `--manager-ip` for unattended runs), while worker mode still enforces the manager IP list.
- Manager upgrades can opt to start or skip the Web UI service, and the summary explicitly reports the API service state so you can decide whether to enable it via `--api` / `--no-api`.
- CrowdSec options remain limited to full-stack upgrades, and the script continues to validate both the operating system and CPU architecture before touching packages, gating unsupported combinations behind `--force`.
- CrowdSec is prompted interactively for Full Stack upgrades. The CLI flags remain valid for Full Stack and Manager upgrades, and the script continues to reject CrowdSec for Worker, Scheduler-only, UI-only, and API-only modes.
Rollback summary:
@ -132,6 +135,8 @@
| ----------------------- | ------------------------------------------------------------------------------------------------- |
| `-v, --version <X.Y.Z>` | Target BunkerWeb version to upgrade to. |
| `-y, --yes` | Noninteractive (assumes upgrade confirmation and enables auto backup unless `--no-auto-backup`). |
| `--tui` | Force a TUI (downloaded gum or existing whiptail). Aborts if no TUI tier can render. |
| `--no-tui` | Skip every TUI tier and use plain text prompts. Equivalent to `BW_INSTALL_TUI=no`. |
| `--backup-dir <PATH>` | Destination for the automatic preupgrade backup. Created if missing. |
| `--no-auto-backup` | Skip automatic backup (NOT recommended). You must have a manual backup. |
| `-q, --quiet` | Suppress output (combine with logging / monitoring). |
@ -141,20 +146,20 @@
Examples:
```bash
# Upgrade to 1.6.9 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.9
# Upgrade to 1.6.10 interactively (will prompt for backup)
sudo ./install-bunkerweb.sh --version 1.6.10
# Non-interactive upgrade with automatic backup to custom directory
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.10 --backup-dir /var/backups/bw-2025-01 -y
# Silent unattended upgrade (logs suppressed) relies on default auto-backup
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
sudo ./install-bunkerweb.sh -v 1.6.10 -y -q
# Perform a dry run (plan) without applying changes
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.10 --dry-run
# Upgrade skipping automatic backup (NOT recommended)
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.10 --no-auto-backup -y
```
!!! warning "Skipping backups"
@ -234,7 +239,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@ -260,7 +265,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :
@ -657,16 +662,16 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -701,7 +706,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@ -727,7 +732,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :

12
docs/web-ui.md
View file

@ -47,7 +47,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -62,7 +62,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name
@ -86,7 +86,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -186,7 +186,7 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
```
Recovery codes are shown once in the UI; losing the encryption keys wipes stored TOTP secrets.
- Sessions: default lifetime is 12h (`SESSION_LIFETIME_HOURS`). Sessions are pinned to IP and User-Agent; `CHECK_PRIVATE_IP=no` relaxes the IP check for private ranges only. `ALWAYS_REMEMBER=yes` always sets persistent cookies.
- Sessions: default idling lifetime is 12h (`SESSION_LIFETIME_HOURS`), refreshed on every request. A hard absolute cap is enforced by `SESSION_ABSOLUTE_HOURS` (default `168` = 7 days) — past it, users are logged out regardless of activity. Optional session ID rotation (`SESSION_ROLLING_HOURS`, default `0` = disabled) regenerates the session ID at that interval. Sessions are pinned to IP and User-Agent; `CHECK_PRIVATE_IP=no` relaxes the IP check for private ranges only. `ALWAYS_REMEMBER=yes` always sets persistent cookies.
- Remember to set `PROXY_NUMBERS` if multiple proxies append `X-Forwarded-*` headers.
## Configuration sources and precedence
@ -226,7 +226,9 @@ The UI expects the scheduler/(BunkerWeb) API/redis/database stack to be reachabl
| `FLASK_SECRET` | Session signing secret (persisted to `/var/lib/bunkerweb/.flask_secret`) | Hex/base64/opaque string | auto-generated |
| `TOTP_ENCRYPTION_KEYS` (`TOTP_SECRETS`) | Encryption keys for TOTP secrets (space-separated or JSON map) | Strings / JSON | auto-generated if missing |
| `BISCUIT_PUBLIC_KEY`, `BISCUIT_PRIVATE_KEY` | Optional Biscuit keys (hex) used to mint UI tokens | Hex strings | auto-generated & stored |
| `SESSION_LIFETIME_HOURS` | Session lifetime | Number (hours) | `12` |
| `SESSION_LIFETIME_HOURS` | Idling session lifetime (sliding TTL, refreshed on every request) | Number (hours) | `12` |
| `SESSION_ABSOLUTE_HOURS` | Absolute session cap regardless of activity (logout after this many hours since login) | Number (hours) | `168` |
| `SESSION_ROLLING_HOURS` | Session ID rotation interval (`0` disables rotation) | Number (hours) | `0` |
| `ALWAYS_REMEMBER` | Always enable "remember me" cookies | `yes` or `no` | `no` |
| `CHECK_PRIVATE_IP` | Enforce IP pinning (skips change inside private ranges when `no`) | `yes` or `no` | `yes` |
| `PROXY_NUMBERS` | Number of proxy hops to trust for `X-Forwarded-*` | Integer | `1` |

955
docs/zh/advanced.md
View file

File diff suppressed because it is too large Load diff

10
docs/zh/api.md
View file

@ -41,7 +41,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
services:
bunkerweb:
# 调度器识别实例的名称
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -54,7 +54,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # 确保填写正确的实例名
@ -76,7 +76,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
- bw-db
bw-api:
image: bunkerity/bunkerweb-api:1.6.9
image: bunkerity/bunkerweb-api:1.6.10
environment:
<<: *bw-env
API_USERNAME: "admin"
@ -108,7 +108,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -143,7 +143,7 @@ BunkerWeb API 是用于管理实例、服务、封禁、插件、任务和自定
-e SERVICE_API=yes \
-e API_WHITELIST_IPS="127.0.0.0/8" \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
=== "Linux"

4
docs/zh/concepts.md
View file

@ -105,7 +105,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "更进一步"
您将在文档的[高级用法](advanced.md)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) 目录中找到多站点模式的具体示例。
您将在文档的[高级用法](advanced.md)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) 目录中找到多站点模式的具体示例。
## 自定义配置 {#custom-configurations}
@ -126,7 +126,7 @@ BunkerWeb 的另一个不可或缺的组件是 ModSecurity Web 应用程序防
!!! info "更进一步"
您将在文档的[高级用法](advanced.md#custom-configurations)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples) 目录中找到自定义配置的具体示例。
您将在文档的[高级用法](advanced.md#custom-configurations)和仓库的 [examples](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples) 目录中找到自定义配置的具体示例。
## 数据库

708
docs/zh/features.md
View file

File diff suppressed because it is too large Load diff

240
docs/zh/integrations.md
View file

@ -1268,7 +1268,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
默认情况下,容器暴露:
@ -1284,7 +1284,7 @@ docker run -d \
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
volumes:
- bw-storage:/data
...
@ -1340,7 +1340,8 @@ volumes:
- `AUTOCONF_MODE=no` (默认) - 启用自动配置服务
- `USE_REDIS=yes` (默认) - 启用内置的 [Redis](#redis-integration) 实例
- `USE_CROWDSEC=no` (默认) - [CrowdSec](#crowdsec-integration) 集成默认禁用
- `HIDE_SERVICE_LOGS=`(可选)- 以逗号分隔的服务列表,用于在容器日志中静音这些服务。支持的值:`api`、`autoconf`、`bunkerweb`、`crowdsec`、`redis`、`scheduler`、`ui`、`nginx.access`、`nginx.error`、`modsec`。日志仍会写入 `/var/log/bunkerweb/<service>.log`
- `HIDE_SERVICE_LOGS=`(可选)- 以逗号分隔的服务列表,用于在容器日志中静音这些服务。支持的值:`api`、`autoconf`、`bunkerweb`、`crowdsec`、`redis`、`scheduler`、`ui`、`nginx.access`、`nginx.error`、`modsec`。
- **日志**:一体化镜像会将每个服务的 stdout 和 stderr 输出到容器日志。请使用 `docker logs bunkerweb-aio`(或您偏好的容器日志驱动)来查看和轮转日志;该镜像不会为其 Python 服务写入磁盘日志文件。
### API 集成
@ -1361,7 +1362,7 @@ docker run -d \
-e API_PASSWORD=StrongP@ssw0rd \
-p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp \
-p 8888:8888/tcp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
推荐(在 BunkerWeb 之后)— 不要发布 `8888`;而是反向代理它:
@ -1369,7 +1370,7 @@ docker run -d \
```yaml
services:
bunkerweb-aio:
image: bunkerity/bunkerweb-all-in-one:1.6.9
image: bunkerity/bunkerweb-all-in-one:1.6.10
container_name: bunkerweb-aio
ports:
- "80:8080/tcp"
@ -1425,6 +1426,10 @@ BunkerWeb **一体化**镜像开箱即用地包含了 Redis用于[持久化
- 它仅监听容器的回环接口,因此只能被容器内部的进程访问,其他容器或宿主机无法直接访问。
- 仅当你已经准备好外部 Redis/Valkey 终端时才覆盖 `REDIS_HOST`,否则内置实例将不会启动。
- 若要完全禁用 Redis请设置 `USE_REDIS=no`
- **配置优先级(重要):** 内置 Redis 从 `/var/lib/bunkerweb/redis-runtime.conf` 启动,该文件在启动时通过复制 `/etc/redis.conf` 并**仅为配置文件未指定的指令**追加环境变量驱动的默认值生成。因此挂载的自定义 `/etc/redis.conf` 始终优先;下列环境变量仅用于填补缺失。
- **内存调优:** 默认值遵循 [Redis 最佳实践](features.md#redis-best-practices)——`maxmemory 256mb` 与 `maxmemory-policy volatile-lru`。当配置文件未固定这些值时,可通过 `REDIS_MAXMEMORY``REDIS_MAXMEMORY_POLICY` 覆盖。
- **持久化覆盖:** `REDIS_APPENDONLY=yes|no` 切换 AOF默认 `yes`RDB 快照通过 `REDIS_SAVE` 以及可选的 `REDIS_SAVE_0`、`REDIS_SAVE_1`、…… 配置,每个变量提供一对 `save <秒> <变更>`(例如 `REDIS_SAVE_0="900 1"`、`REDIS_SAVE_1="300 10"`)。一旦设置其中任意一个,就会替换内置的 `900 1 / 300 10 / 60 10000` 默认集;空值会写出 `save ""`,禁用 RDB。当配置文件自身已声明 `save` 时忽略。
- **认证:**`REDIS_PASSWORD` 被设置且配置文件尚未定义 `requirepass` 时,内置 Redis 将以 `requirepass` 启动,使 BunkerWeb 客户端和服务端保持一致。内置服务端仅支持默认用户——仅当连接启用 ACL 的外部 Redis 时才设置 `REDIS_USERNAME`
- Redis 日志在 Docker 日志和 `/var/log/bunkerweb/redis.log` 中以 `[REDIS]` 前缀出现。
### CrowdSec 集成 {#crowdsec-integration}
@ -1441,7 +1446,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* 当 `USE_CROWDSEC=yes` 时,入口点将:
@ -1496,7 +1501,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
!!! info "内部工作原理"
@ -1518,7 +1523,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
注意:
@ -1554,7 +1559,7 @@ docker run -d \
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
* 当 `CROWDSEC_API` 不是 `127.0.0.1``localhost` 时,将跳过**本地注册**。
@ -1588,13 +1593,13 @@ docker run -d \
无论您是进行测试、开发应用程序还是在生产中部署 BunkerWebDocker 容器化选项都提供了灵活性和易用性。采用这种方法使您能够充分利用 BunkerWeb 的功能,同时利用 Docker 技术的优势。
```shell
docker pull bunkerity/bunkerweb:1.6.9
docker pull bunkerity/bunkerweb:1.6.10
```
Docker 镜像也可在 [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) 上找到,可以使用 `ghcr.io` 仓库地址下载:
```shell
docker pull ghcr.io/bunkerity/bunkerweb:1.6.9
docker pull ghcr.io/bunkerity/bunkerweb:1.6.10
```
Docker 集成的关键概念包括:
@ -1604,7 +1609,7 @@ Docker 集成的关键概念包括:
- **网络**Docker 网络在 BunkerWeb 的集成中扮演着至关重要的角色。这些网络有两个主要目的:向客户端公开端口以及连接到上游 Web 服务。通过公开端口BunkerWeb 可以接受来自客户端的传入请求,允许他们访问受保护的 Web 服务。此外,通过连接到上游 Web 服务BunkerWeb 可以高效地路由和管理流量,提供增强的安全性和性能。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 SQLite 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,也支持其他数据库后端。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 SQLite 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,也支持其他数据库后端。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)中的 docker-compose 文件。
### 环境变量
@ -1614,7 +1619,7 @@ Docker 集成的关键概念包括:
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
- MY_SETTING=value
- ANOTHER_SETTING=another value
@ -1655,7 +1660,7 @@ secrets:
[调度器](concepts.md#scheduler) 在其自己的容器中运行,该容器也可在 Docker Hub 上找到:
```shell
docker pull bunkerity/bunkerweb-scheduler:1.6.9
docker pull bunkerity/bunkerweb-scheduler:1.6.10
```
!!! info "BunkerWeb 设置"
@ -1676,7 +1681,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
environment:
# 这将为 BunkerWeb 容器设置 API
<<: *bw-api-env
@ -1685,7 +1690,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
- bw-universe
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
# 这将为调度器容器设置 API
<<: *bw-api-env
@ -1703,7 +1708,7 @@ docker pull bunkerity/bunkerweb-scheduler:1.6.9
...
services:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- bw-storage:/data
...
@ -1783,14 +1788,14 @@ volumes:
##### 日志
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------- | ---------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------- |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | 基础/覆盖日志级别 | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | 目标 | 空格分隔 `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | 启用文件日志并设置默认路径 | `yes``no` | `no` |
| `LOG_FILE_PATH` | 自定义日志路径(当 `LOG_TYPES` 包含 `file` 时使用) | 文件路径 | `SCHEDULER_LOG_TO_FILE=yes` 时为 `/var/log/bunkerweb/scheduler.log`,否则 unset |
| `LOG_SYSLOG_ADDRESS` | Syslog 目标(`udp://host:514`、`tcp://host:514` 或 socket 路径) | Host:port、带协议前缀的主机或 socket | unset |
| `LOG_SYSLOG_TAG` | Syslog 标识/tag | 字符串 | `bw-scheduler` |
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------ |
| `LOG_LEVEL`, `CUSTOM_LOG_LEVEL` | 基础/覆盖日志级别 | `debug`, `info`, `warning`, `error`, `critical` | `info` |
| `LOG_TYPES` | 目标 | 空格分隔 `stderr`/`file`/`syslog` | `stderr` |
| `SCHEDULER_LOG_TO_FILE` | 兼容旧配置的便捷选项:设置后,如果 `LOG_TYPES` 包含 `file` 且您没有显式设置 `LOG_FILE_PATH`,则 `LOG_FILE_PATH` 默认使用 `/var/log/bunkerweb/scheduler.log` | `yes``no` | `no` |
| `LOG_FILE_PATH` | 自定义日志路径(当 `LOG_TYPES` 包含 `file` 时使用) | 文件路径 | `LOG_TYPES` 包含 `file` 时为 `/var/log/bunkerweb/scheduler.log`,否则 unset |
| `LOG_SYSLOG_ADDRESS` | Syslog 目标(`udp://host:514`、`tcp://host:514` 或 socket 路径) | Host:port、带协议前缀的主机或 socket | unset |
| `LOG_SYSLOG_TAG` | Syslog 标识/tag | 字符串 | `bw-scheduler` |
### UI 容器设置
@ -1849,7 +1854,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1862,7 +1867,7 @@ services:
- bw-universe
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-api-env
BUNKERWEB_INSTANCES: "bunkerweb" # 这个设置是强制性的,用来指定 BunkerWeb 实例
@ -1895,7 +1900,7 @@ x-bw-api-env: &bw-api-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -1908,7 +1913,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
depends_on:
- bunkerweb
environment:
@ -1961,7 +1966,7 @@ docker build -t bw-ui -f src/ui/Dockerfile .
- Debian 13 "Trixie"
- Ubuntu 22.04 "Jammy"
- Ubuntu 24.04 "Noble"
- Fedora 42 和 43
- Fedora 42、43 和 44
- Red Hat Enterprise Linux (RHEL) 8, 9 和 10
### 简易安装脚本
@ -1974,8 +1979,8 @@ docker build -t bw-ui -f src/ui/Dockerfile .
```bash
# 下载脚本及其校验和
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# 验证校验和
sha256sum -c install-bunkerweb.sh.sha256
@ -2006,7 +2011,24 @@ sudo ./install-bunkerweb.sh
#### 交互式安装
当不带任何选项运行时,脚本会进入一个交互模式,引导您完成设置过程。您将被要求做出以下选择:
当不带任何选项运行时,脚本会进入一个交互模式,引导您完成设置过程。交互流程采用由 [gum](https://github.com/charmbracelet/gum) 提供的内联 TUI —— 方向键菜单(带 `` 光标)、掩码密码字段。
!!! info "首次交互运行时以临时方式获取 gum"
在首次需要交互提示时,安装器会下载 gum并在脚本运行期间从临时目录执行 —— **不会进行任何系统级安装**
- 通过 HTTPSTLS 1.2+,拒绝 HTTP 重定向,连接超时 10 秒 / 总超时 30 秒)从 [GitHub 发布页](https://github.com/charmbracelet/gum/releases) 下载官方 `gum_${VERSION}_${ARCH}.tar.gz`
- 使用**脚本中固定的 SHA256**(本地信任锚 —— 脚本本身的校验和与 gum 二进制必须同时匹配)校验该归档。
- 若已安装 `cosign`:还会针对 Charm 的 GitHub-Actions OIDC 身份(`https://github.com/charmbracelet/gum/...`)校验上游 `checksums.txt` 作为纵深防御,并交叉确认所固定的哈希与 Charm 为此归档发布的值一致。
- 将二进制解压到可执行的临时目录(默认 `/var/tmp/bw-gum.XXXXXX`;当 `/var/tmp` 被挂载为 `noexec` 时则使用 `/tmp`、`$XDG_RUNTIME_DIR` 或 `$HOME/.cache`)。
- 在脚本运行期间将该临时目录加入 `PATH`,并在脚本退出时通过 `EXIT` trap 删除(在 `set -e` 失败或信号中断时同样有效)。
**安装器退出后磁盘上保留的内容:** 没有。无 `/etc/apt/sources.list.d/charm.list`、`apt`/`rpm` 中没有 GPG 密钥、`/usr/bin`/`/usr/local/bin` 中没有 `gum` 二进制、没有包数据库记录。安装器从不注册任何第三方 apt 或 dnf 源。
若无法下载 gum —— 离线主机、网络故障、SHA256 不匹配 —— 安装器会使用系统中已经存在的 `whiptail`(在 Debian/Ubuntu 云镜像上通常通过 `newt` 包预装)。若 gum 与 whiptail 均不可用,则回退到**纯文本提示**。
使用 `--no-tui`(或设置 `BW_INSTALL_TUI=no`)跳过所有 TUI 层级;使用 `--tui` 在无可用 TUI 时中止。**离线air-gapped安装**:组合 `--no-tui``--yes` 以及相应的 `--*` 标志 / `*_INPUT` 环境变量TUI 层不会发起任何网络调用。
您将被要求做出以下选择:
1. **安装类型**:选择您想要安装的组件。
* **完整堆栈(默认)**:一个一体化的安装,包括 BunkerWeb、调度器和 Web UI。
@ -2032,18 +2054,20 @@ sudo ./install-bunkerweb.sh
**通用选项:**
| 选项 | 描述 |
| ----------------------- | ------------------------------------------------ |
| `-v, --version VERSION` | 指定要安装的 BunkerWeb 版本(例如 `1.6.9`)。 |
| `-w, --enable-wizard` | 启用设置向导。 |
| `-n, --no-wizard` | 禁用设置向导。 |
| `-y, --yes` | 以非交互模式运行,对所有提示使用默认答案。 |
| `-f, --force` | 即使在不受支持的操作系统版本上,也强制继续安装。 |
| `-q, --quiet` | 静默安装(抑制输出)。 |
| `--api`, `--enable-api` | 启用 API (FastAPI) systemd 服务(默认禁用)。 |
| `--no-api` | 明确禁用 API 服务。 |
| `-h, --help` | 显示包含所有可用选项的帮助信息。 |
| `--dry-run` | 显示将要安装的内容,但不实际执行。 |
| 选项 | 描述 |
| ----------------------- | -------------------------------------------------- |
| `-v, --version VERSION` | 指定要安装的 BunkerWeb 版本(例如 `1.6.10`)。 |
| `-w, --enable-wizard` | 启用设置向导。 |
| `-n, --no-wizard` | 禁用设置向导。 |
| `-y, --yes` | 以非交互模式运行,对所有提示使用默认答案。 |
| `--tui` | 强制使用 TUIgum 或 whiptail。若两者都无法安装则中止。 |
| `--no-tui` | 禁用所有 TUI 层级并使用纯文本提示。等同于 `BW_INSTALL_TUI=no`。 |
| `-f, --force` | 即使在不受支持的操作系统版本上,也强制继续安装。 |
| `-q, --quiet` | 静默安装(抑制输出)。 |
| `--api`, `--enable-api` | 启用 API (FastAPI) systemd 服务(默认禁用)。 |
| `--no-api` | 明确禁用 API 服务。 |
| `-h, --help` | 显示包含所有可用选项的帮助信息。 |
| `--dry-run` | 显示将要安装的内容,但不实际执行。 |
**安装类型:**
@ -2054,7 +2078,7 @@ sudo ./install-bunkerweb.sh
| `--worker` | 仅安装 BunkerWeb 实例。 |
| `--scheduler-only` | 仅安装调度器组件。 |
| `--ui-only` | 仅安装 Web UI 组件。 |
| `--api-only` | 仅安装 API 服务(端口 8000)。 |
| `--api-only` | 仅安装 API 服务(端口 8888)。 |
**安全集成:**
@ -2099,7 +2123,7 @@ sudo ./install-bunkerweb.sh --yes
sudo ./install-bunkerweb.sh --worker --no-wizard
# 安装一个特定版本
sudo ./install-bunkerweb.sh --version 1.6.9
sudo ./install-bunkerweb.sh --version 1.6.10
# 带有远程工作实例的管理器设置(需要 instances
sudo ./install-bunkerweb.sh --manager --instances "192.168.1.10 192.168.1.11"
@ -2146,7 +2170,7 @@ sudo ./install-bunkerweb.sh --yes --api
**API 服务可用性:**
- 外部 API 服务(端口 8000)适用于 `--full``--manager` 安装类型
- 外部 API 服务(端口 8888)适用于 `--full``--manager` 安装类型
- 它不适用于 `--worker`, `--scheduler-only``--ui-only` 安装
- 使用 `--api-only` 进行专用的 API 服务安装
@ -2207,7 +2231,7 @@ sudo ./install-bunkerweb.sh --yes --api
### 使用软件包管理器安装
请确保在安装 BunkerWeb 之前**已经安装了 NGINX 1.28.2**。对于所有发行版,强制要求使用来自[官方 NGINX 仓库](https://nginx.org/en/linux_packages.html)的预构建包。从源代码编译 NGINX 或使用来自不同仓库的包将无法与 BunkerWeb 的官方预构建包一起工作。但是,您可以选择从源代码构建 BunkerWeb。
请确保在安装 BunkerWeb 之前**已经安装了 NGINX 1.30.1**。对于所有发行版,强制要求使用来自[官方 NGINX 仓库](https://nginx.org/en/linux_packages.html)的预构建包。从源代码编译 NGINX 或使用来自不同仓库的包将无法与 BunkerWeb 的官方预构建包一起工作。但是,您可以选择从源代码构建 BunkerWeb。
=== "Debian Bookworm/Trixie"
@ -2222,11 +2246,11 @@ sudo ./install-bunkerweb.sh --yes --api
| sudo tee /etc/apt/sources.list.d/nginx.list
```
您现在应该能够安装 NGINX 1.28.2
您现在应该能够安装 NGINX 1.30.1
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "测试/开发版本"
@ -2243,12 +2267,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.9
最后安装 BunkerWeb 1.6.10
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
要防止在执行 `apt upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2270,11 +2294,11 @@ sudo ./install-bunkerweb.sh --yes --api
| sudo tee /etc/apt/sources.list.d/nginx.list
```
您现在应该能够安装 NGINX 1.28.2
您现在应该能够安装 NGINX 1.30.1
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades nginx=1.28.2-1~$(lsb_release -cs)
sudo apt install -y --allow-downgrades nginx=1.30.1-1~$(lsb_release -cs)
```
!!! warning "测试/开发版本"
@ -2291,12 +2315,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.9
最后安装 BunkerWeb 1.6.10
```shell
curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
sudo apt update && \
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.9
sudo -E apt install -y --allow-downgrades bunkerweb=1.6.10
```
要防止在执行 `apt upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2314,10 +2338,10 @@ sudo ./install-bunkerweb.sh --yes --api
sudo dnf config-manager setopt updates-testing.enabled=1
```
Fedora 已经提供了我们支持的 NGINX 1.28.2
Fedora 已经提供了我们支持的 NGINX 1.30.1
```shell
sudo dnf install -y --allowerasing nginx-1.28.2
sudo dnf install -y --allowerasing nginx-1.30.1
```
!!! example "禁用设置向导"
@ -2327,12 +2351,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.9
最后安装 BunkerWeb 1.6.10
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf makecache && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
要防止在执行 `dnf upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2364,10 +2388,10 @@ sudo ./install-bunkerweb.sh --yes --api
module_hotfixes=true
```
您现在应该能够安装 NGINX 1.28.2
您现在应该能够安装 NGINX 1.30.1
```shell
sudo dnf install --allowerasing nginx-1.28.2
sudo dnf install --allowerasing nginx-1.30.1
```
!!! example "禁用设置向导"
@ -2377,12 +2401,12 @@ sudo ./install-bunkerweb.sh --yes --api
export UI_WIZARD=no
```
最后安装 BunkerWeb 1.6.9
最后安装 BunkerWeb 1.6.10
```shell
curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
sudo -E dnf install -y --allowerasing bunkerweb-1.6.9
sudo -E dnf install -y --allowerasing bunkerweb-1.6.10
```
要防止在执行 `dnf upgrade` 时升级 NGINX 和/或 BunkerWeb 包,您可以使用以下命令:
@ -2475,7 +2499,7 @@ export SERVICE_UI=yes
Docker 自动配置集成意味着使用**多站点模式**。有关更多信息,请参阅文档的[多站点部分](concepts.md#multisite-mode)。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)中的 docker-compose 文件。
要启用自动配置更新,请在堆栈中包含一个名为 `bw-autoconf` 的额外容器。此容器承载自动配置服务,该服务管理 BunkerWeb 的动态配置更改。
@ -2489,7 +2513,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -2504,7 +2528,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # 我们不需要在这里指定 BunkerWeb 实例,因为它们由自动配置服务自动检测
@ -2519,7 +2543,7 @@ services:
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bunkerweb
- bw-docker
@ -2598,16 +2622,17 @@ networks:
##### 模式与运行时
| Setting | 描述 | 接受的值 | 默认值 |
| ------------------------- | --------------------------------------- | ---------------------------------- | ----------------------------- |
| `AUTOCONF_MODE` | 启用 autoconf 控制器 | `yes``no` | `no` |
| `SWARM_MODE` | 监控 Swarm 服务而非 Docker 容器 | `yes``no` | `no` |
| `KUBERNETES_MODE` | 监控 Kubernetes ingress/pod 而非 Docker | `yes``no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | 启用 Kubernetes Gateway API 控制器 | `yes``no` | `no` |
| `DOCKER_HOST` | Docker 套接字 / 远程 API URL | 例如 `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | 实例就绪检查之间的秒数 | 整秒 | `5` |
| `LOG_SYSLOG_TAG` | Autoconf 日志的 syslog tag | 字符串 | `bw-autoconf` |
| `TZ` | Autoconf 日志和时间戳使用的时区 | TZ 数据库名(如 `Europe/Paris` | unset容器默认通常为 UTC |
| Setting | 描述 | 接受的值 | 默认值 |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | ----------------------------- |
| `AUTOCONF_MODE` | 启用 autoconf 控制器 | `yes``no` | `no` |
| `SWARM_MODE` | 监控 Swarm 服务而非 Docker 容器 | `yes``no` | `no` |
| `KUBERNETES_MODE` | 监控 Kubernetes ingress/pod 而非 Docker | `yes``no` | `no` |
| `KUBERNETES_GATEWAY_MODE` | 启用 Kubernetes Gateway API 控制器 | `yes``no` | `no` |
| `DOCKER_HOST` | Docker 套接字 / 远程 API URL | 例如 `unix:///var/run/docker.sock` | `unix:///var/run/docker.sock` |
| `WAIT_RETRY_INTERVAL` | 实例就绪检查之间的秒数 | 整秒 | `5` |
| `AUTOCONF_DISABLE_CLEANUP` | 设为 `yes`从编排器中移除的服务及自定义配置将被转换为草稿draft而不是硬删除因而可以在瞬时移除后保留并可通过 Web UI 删除。 | `yes``no` | `no` |
| `LOG_SYSLOG_TAG` | Autoconf 日志的 syslog tag | 字符串 | `bw-autoconf` |
| `TZ` | Autoconf 日志和时间戳使用的时区 | TZ 数据库名(如 `Europe/Paris` | unset容器默认通常为 UTC |
##### 数据库与校验
@ -2673,6 +2698,27 @@ networks:
name: bw-services
```
#### 在移除时将服务保留为草稿 {#autoconf-disable-cleanup}
默认情况下,当 autoconf 管理的容器、Swarm 服务或 Ingress 从编排器中消失时,其在 BunkerWeb 共享数据库中的服务条目(以及任何关联的自定义配置)会被立即删除。这种行为具有破坏性:操作者无法区分临时性移除和有意下线,恢复服务需要从零重新定义。
`bw-autoconf` 容器上设置 `AUTOCONF_DISABLE_CLEANUP=yes` 后:
- 从编排器中移除的服务不再被删除,而是被翻转为 `is_draft = true`。其 `services_settings` 记录、自定义配置和任务缓存都会被保留。
- 草稿状态的服务会从生成的 NGINX 配置中排除(不会对外提供服务),因此移除编排对象仍然会让站点下线,只是状态被保留下来。
- 若该服务之后被 autoconf 再次登记(相同的 server name / Ingress host它会自动被重新置为在线并重新发布已有的自定义配置会被复用。
- 当服务处于此"由 autoconf 转为草稿"状态时,可以通过 Web UI 的 **Services** 页面将其删除——通常 autoconf 所属的服务在 UI 中不可删除,但对 autoconf 草稿服务的 **Delete** 按钮会启用,方便操作者清理失效条目。在线状态的 autoconf 服务仍然无法从 UI 中删除。
```yaml
services:
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
AUTOCONF_MODE: "yes"
AUTOCONF_DISABLE_CLEANUP: "yes" # 将被移除的服务保留为草稿
DATABASE_URI: "mariadb+pymysql://bunkerweb:secret@bw-db:3306/db"
```
### 命名空间 {#namespaces}
`1.6.0` 版本开始BunkerWeb 的自动配置堆栈现在支持命名空间。此功能使您能够在同一个 Docker 主机上管理多个 BunkerWeb 实例和服务的“*集群*”。要利用命名空间,只需在您的服务上设置 `NAMESPACE` 标签。这是一个示例:
@ -2702,13 +2748,13 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
labels:
- "bunkerweb.INSTANCE=yes"
- "bunkerweb.NAMESPACE=my-namespace" # 为 BunkerWeb 实例设置命名空间,以便自动配置服务可以检测到它
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
...
NAMESPACES: "my-namespace my-other-namespace" # 只监听这些命名空间
@ -2759,7 +2805,7 @@ autoconf 服务充当一个 [Ingress 控制器](https://kubernetes.io/docs/conce
鉴于存在多个 BunkerWeb 实例,有必要建立一个共享数据存储,实现为一个 [Redis](https://redis.io/) 或 [Valkey](https://valkey.io/) 服务。这些实例将利用该服务来缓存和共享彼此之间的数据。有关 Redis/Valkey 设置的更多信息,请参见[此处](features.md#redis)。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)中的 docker-compose 文件。
集群数据库后端的设置超出了本文档的范围。
@ -2874,7 +2920,7 @@ The **BunkerWeb controller** automatically discovers pods with BunkerWeb sidecar
```yaml
controller:
enabled: true
tag: "1.6.9"
tag: "1.6.10"
```
2. For each sidecar, add:
@ -2967,7 +3013,7 @@ In your BunkerWeb chart `values.yaml`, configure the `BUNKERWEB_INSTANCES` envir
```yaml
scheduler:
tag: "1.6.9"
tag: "1.6.10"
extraEnvs:
- name: BUNKERWEB_INSTANCES
value: "http://app1-bunkerweb-workers.namespace.svc.cluster.local:5000 http://app2-bunkerweb-workers.namespace.svc.cluster.local:5000"
@ -3011,7 +3057,7 @@ spec:
# BunkerWeb Sidecar
- name: bunkerweb
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- containerPort: 8080 # Exposed HTTP port
- containerPort: 5000 # Internal API (mandatory)
@ -3282,7 +3328,7 @@ To add a new application protected by BunkerWeb:
#### 完整的 YAML 文件
除了使用 helm chart您还可以使用 GitHub 仓库中 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)内的 YAML 样板文件。请注意,我们强烈建议您改用 helm chart。
除了使用 helm chart您还可以使用 GitHub 仓库中 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)内的 YAML 样板文件。请注意,我们强烈建议您改用 helm chart。
### Ingress 资源
@ -3430,7 +3476,7 @@ metadata:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
imagePullPolicy: Always
env:
- name: NAMESPACES
@ -3604,11 +3650,11 @@ service:
# BunkerWeb 设置
bunkerweb:
tag: 1.6.9
tag: 1.6.10
# 调度器设置
scheduler:
tag: 1.6.9
tag: 1.6.10
extraEnvs:
# 启用 real IP 模块以获取客户端的真实 IP
- name: USE_REAL_IP
@ -3616,11 +3662,11 @@ scheduler:
# 控制器设置
controller:
tag: 1.6.9
tag: 1.6.10
# UI 设置
ui:
tag: 1.6.9
tag: 1.6.10
```
使用自定义值安装 BunkerWeb
@ -4242,7 +4288,7 @@ kubectl delete ingress <old-ingress> -n <namespace>
至于数据库卷,文档并未指定具体的方法。为数据库卷选择共享文件夹或特定驱动程序取决于您的独特用例,留给读者自行决定。
!!! info "数据库后端"
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/misc/integrations)中的 docker-compose 文件。
请注意,我们的说明假设您正在使用 MariaDB 作为默认的数据库后端,这是由 `DATABASE_URI` 设置配置的。但是,我们理解您可能更喜欢为您的 Docker 集成使用其他后端。如果是这样,请放心,其他数据库后端仍然是可行的。有关更多信息,请参阅仓库的 [misc/integrations 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/misc/integrations)中的 docker-compose 文件。
集群数据库后端的设置超出了本文档的范围。
@ -4256,7 +4302,7 @@ x-bw-env: &bw-env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -4285,7 +4331,7 @@ services:
- "bunkerweb.INSTANCE=yes" # autoconf 服务识别 BunkerWeb 实例的强制性标签
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "" # 我们不需要在这里指定 BunkerWeb 实例,因为它们由 autoconf 服务自动检测
@ -4306,7 +4352,7 @@ services:
- "node.role == worker"
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
SWARM_MODE: "yes"
DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # 记得为数据库设置一个更强的密码
@ -4455,7 +4501,7 @@ networks:
...
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
deploy:
mode: global
@ -4467,7 +4513,7 @@ networks:
- "bunkerweb.NAMESPACE=my-namespace" # 为 BunkerWeb 实例设置命名空间
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
NAMESPACES: "my-namespace my-other-namespace" # 只监听这些命名空间
...

12
docs/zh/plugins.md
View file

@ -89,7 +89,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -125,7 +125,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- ./bw-data:/data
...
@ -168,7 +168,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
services:
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
volumes:
- /shared/bw-plugins:/data/plugins
...
@ -215,7 +215,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@ -255,7 +255,7 @@ BunkerWeb 附带一个插件系统,可以轻松添加新功能。安装插件
!!! tip "现有插件"
如果文档不够,您可以查看[官方插件](https://github.com/bunkerity/bunkerweb-plugins)和[核心插件](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/common/core)的现有源代码(已包含在 BunkerWeb 中,但从技术上讲它们是插件)。
如果文档不够,您可以查看[官方插件](https://github.com/bunkerity/bunkerweb-plugins)和[核心插件](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/common/core)的现有源代码(已包含在 BunkerWeb 中,但从技术上讲它们是插件)。
插件结构如下所示:
```
@ -560,7 +560,7 @@ end
!!! tip "更多示例"
如果您想查看可用函数的完整列表,可以查看仓库的 [lua 目录](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/src/bw/lua/bunkerweb)中存在的文件。
如果您想查看可用函数的完整列表,可以查看仓库的 [lua 目录](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/src/bw/lua/bunkerweb)中存在的文件。
### 作业

45
docs/zh/quickstart-guide.md
View file

@ -18,7 +18,7 @@
保护已经可以通过 HTTP(S) 协议访问的现有 Web 应用程序是 BunkerWeb 的主要目标:它将充当一个带有额外安全功能的经典[反向代理](https://en.wikipedia.org/wiki/Reverse_proxy)。
有关真实世界的示例,请参阅仓库的 [examples 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.9/examples)。
有关真实世界的示例,请参阅仓库的 [examples 文件夹](https://github.com/bunkerity/bunkerweb/tree/v1.6.10/examples)。
## 基本设置
@ -33,7 +33,7 @@
-p 80:8080/tcp \
-p 443:8443/tcp \
-p 443:8443/udp \
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
默认情况下,容器暴露:
@ -51,8 +51,8 @@
```bash
# 下载脚本及其校验和
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.9/install-bunkerweb.sh.sha256
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh
curl -fsSL -O https://github.com/bunkerity/bunkerweb/releases/download/v1.6.10/install-bunkerweb.sh.sha256
# 验证校验和
sha256sum -c install-bunkerweb.sh.sha256
@ -68,10 +68,13 @@
#### Easy Install 亮点
- 在更改系统之前,会预先检测您的 Linux 发行版和 CPU 架构,并在超出支持矩阵时发出警告。
- 交互式流程允许选择安装配置全栈、manager、worker 等manager 模式始终将 API 绑定到 `0.0.0.0`、禁用设置向导并要求提供白名单 IP非交互式运行可通过 `--manager-ip` 传入),而 worker 模式会强制收集 manager IP 以填充其白名单。
- 交互提示采用由 [gum](https://github.com/charmbracelet/gum) 提供的内联 TUI —— 支持方向键菜单(带 `` 光标)、掩码密码字段。首次进入交互模式时,脚本会从 [GitHub 发布页](https://github.com/charmbracelet/gum/releases)下载官方 `gum` 二进制SHA256 已固定校验;若已安装 cosign则额外校验 cosign 签名),从临时目录运行,并在脚本退出时删除该临时目录 —— **不会安装任何系统包,不会添加 apt/dnf 源,不会在系统上残留任何二进制**。若无法获取 gum安装器会使用系统中已存在的 `whiptail`;二者都不可用时退化到纯文本提示。
- 两个标志控制 TUI`--no-tui`(或 `BW_INSTALL_TUI=no`)跳过所有 TUI 层级,使用纯文本提示;`--tui` 要求必须有可用的 TUI并会在无法获取 gum 且系统中没有现成 whiptail 时中止。
- 当安装器通过管道运行(`curl … | bash`)或 stdin 不是 TTY 时,会以清晰的错误退出,而不会静默接受每个默认值。对于非交互式安装,请使用 `--yes` 配合相应的 `--*` 标志 / `*_INPUT` 环境变量。
- 交互式流程允许选择安装配置Full Stack、Manager、Worker 等Manager 模式会将内部 API 监听器绑定到 `0.0.0.0`、禁用设置向导并要求提供白名单 IP非交互式运行可通过 `--manager-ip` 传入),而 Worker 模式会强制收集 Manager IP 以填充其白名单。
- 即使向导被禁用Manager 安装仍可决定是否启动 Web UI 服务。
- 汇总信息会显示 FastAPI 服务是否会启动,便于使用 `--api` / `--no-api` 明确启用或禁用它。
- CrowdSec 选项仅适用于全栈安装manager / worker 模式会自动跳过它们,以专注于远程控制。
- 交互式安装只会在 Full Stack 模式下询问 CrowdSec。通过 CLI 使用时,`--crowdsec` 和 `--crowdsec-appsec` 适用于 Full Stack 和 ManagerWorker、Scheduler-only、UI-only 和 API-only 模式会拒绝这些选项
有关高级安装方法包管理器、安装类型、非交互式标志、CrowdSec 集成等),请参阅[Linux 集成](integrations.md#linux)。
@ -90,7 +93,7 @@
services:
bunkerweb:
# 这是将用于在调度器中识别实例的名称
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -103,7 +106,7 @@
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-env
BUNKERWEB_INSTANCES: "bunkerweb" # 确保设置正确的实例名称
@ -120,7 +123,7 @@
- bw-db
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-env
restart: "unless-stopped"
@ -148,7 +151,7 @@
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -187,7 +190,7 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -203,7 +206,7 @@
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -221,7 +224,7 @@
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
depends_on:
- bw-docker
environment:
@ -244,7 +247,7 @@
- bw-docker
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # 记得设置一个更强的密钥(请参阅先决条件部分)
@ -273,7 +276,7 @@
command: >
redis-server
--maxmemory 256mb
--maxmemory-policy allkeys-lru
--maxmemory-policy volatile-lru
--save 60 1000
--appendonly yes
volumes:
@ -339,7 +342,7 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- published: 80
target: 8080
@ -369,7 +372,7 @@
- "bunkerweb.INSTANCE=yes"
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *bw-ui-env
BUNKERWEB_INSTANCES: ""
@ -387,7 +390,7 @@
- bw-db
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
environment:
<<: *bw-ui-env
DOCKER_HOST: "tcp://bw-docker:2375"
@ -416,7 +419,7 @@
- "node.role == manager"
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *bw-ui-env
TOTP_ENCRYPTION_KEYS: "mysecret" # 记得设置一个更强的密钥(请参阅先决条件部分)
@ -638,7 +641,7 @@
-e "www.example.com_REVERSE_PROXY_HOST=http://myapp:8080" \
-e "www.example.com_REVERSE_PROXY_URL=/" \
# --- 包括任何其他现有的用于 UI、Redis、CrowdSec 等的环境变量 ---
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
您的应用程序容器 (`myapp`) 和 `bunkerweb-aio` 容器必须在同一个 Docker 网络上,以便 BunkerWeb 能够使用主机名 `myapp` 访问它。
@ -660,7 +663,7 @@
-p 443:8443/tcp \
-p 443:8443/udp \
# ... (如上主示例所示的所有其他相关环境变量)...
bunkerity/bunkerweb-all-in-one:1.6.9
bunkerity/bunkerweb-all-in-one:1.6.10
```
请确保将 `myapp` 替换为您的应用程序容器的实际名称或 IP并将 `http://myapp:8080` 替换为其正确的地址和端口。

41
docs/zh/upgrading.md
View file

@ -25,16 +25,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -82,6 +82,9 @@
如果校验和验证失败,**请不要执行该脚本**——它可能不安全。
!!! tip "交互式升级界面"
升级流程使用与全新安装相同的 TUI通过 [gum](https://github.com/charmbracelet/gum) 提供的内联提示;若无法获取 gum则回退到 `whiptail` 对话框,最终退化为纯文本提示。`gum` 二进制从官方 [GitHub 发布页](https://github.com/charmbracelet/gum/releases) 下载SHA256 已固定,若已安装 cosign 则进行 cosign 校验),从临时目录运行,并在脚本退出时删除该目录 —— 不会安装任何系统包,也不会添加 apt/dnf 源。使用 `--no-tui`(或设置 `BW_INSTALL_TUI=no`)跳过所有 TUI 层级;使用 `--tui` 在无可用 TUI 时中止。对于完全无人值守的升级,请使用 `-y` / `--yes` 配合相应标志 —— 通过管道调用(`curl … | bash`)会以清晰的错误退出,而不会静默接受每个默认值。**离线air-gapped升级**:组合 `--no-tui --yes`TUI 层不会发起任何网络调用。
* **工作原理**
用于全新安装的多功能安装脚本也可以执行原地升级。当它检测到现有安装和不同的目标版本时,它会切换到升级模式并应用以下工作流程:
@ -132,6 +135,8 @@
| ----------------------- | --------------------------------------------------------------------- |
| `-v, --version <X.Y.Z>` | 要升级到的目标 BunkerWeb 版本。 |
| `-y, --yes` | 非交互式(假定升级确认并启用自动备份,除非使用 `--no-auto-backup`)。 |
| `--tui` | 强制使用 TUIgum 或 whiptail。若两者都无法安装则中止。 |
| `--no-tui` | 跳过所有 TUI 层级并使用纯文本提示。等同于 `BW_INSTALL_TUI=no`。 |
| `--backup-dir <PATH>` | 自动升级前备份的目的地。如果不存在则创建。 |
| `--no-auto-backup` | 跳过自动备份(不推荐)。您必须有手动备份。 |
| `-q, --quiet` | 抑制输出(与日志记录/监控结合使用)。 |
@ -141,20 +146,20 @@
示例:
```bash
# 交互式升级到 1.6.9(会提示备份)
sudo ./install-bunkerweb.sh --version 1.6.9
# 交互式升级到 1.6.10(会提示备份)
sudo ./install-bunkerweb.sh --version 1.6.10
# 使用自动备份到自定义目录的非交互式升级
sudo ./install-bunkerweb.sh -v 1.6.9 --backup-dir /var/backups/bw-2025-01 -y
sudo ./install-bunkerweb.sh -v 1.6.10 --backup-dir /var/backups/bw-2025-01 -y
# 静默无人值守升级(抑制日志)– 依赖默认的自动备份
sudo ./install-bunkerweb.sh -v 1.6.9 -y -q
sudo ./install-bunkerweb.sh -v 1.6.10 -y -q
# 执行一次空运行(计划)而不应用更改
sudo ./install-bunkerweb.sh -v 1.6.9 --dry-run
sudo ./install-bunkerweb.sh -v 1.6.10 --dry-run
# 跳过自动备份进行升级(不推荐)
sudo ./install-bunkerweb.sh -v 1.6.9 --no-auto-backup -y
sudo ./install-bunkerweb.sh -v 1.6.10 --no-auto-backup -y
```
!!! warning "跳过备份"
@ -234,7 +239,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
为了防止在执行 `apt upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -260,7 +265,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
为了防止在执行 `dnf upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -657,16 +662,16 @@
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.6.9
image: bunkerity/bunkerweb-autoconf:1.6.10
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
...
```
@ -701,7 +706,7 @@
```shell
sudo apt update && \
sudo apt install -y --allow-downgrades bunkerweb=1.6.9
sudo apt install -y --allow-downgrades bunkerweb=1.6.10
```
为了防止在执行 `apt upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:
@ -727,7 +732,7 @@
```shell
sudo dnf makecache && \
sudo dnf install -y --allowerasing bunkerweb-1.6.9
sudo dnf install -y --allowerasing bunkerweb-1.6.10
```
为了防止在执行 `dnf upgrade` 时升级 BunkerWeb 软件包,您可以使用以下命令:

14
docs/zh/web-ui.md
View file

@ -35,7 +35,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
使用已发布镜像与[快速入门](quickstart-guide.md#__tabbed_1_3)的布局启动栈,然后在浏览器完成向导。
```bash
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.9-rc1/misc/integrations/docker-compose.yml up -d
docker compose -f https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.10-rc1/misc/integrations/docker-compose.yml up -d
```
访问 scheduler 主机名(如 `https://www.example.com/changeme`),运行 `/setup` 向导以配置 UI、scheduler 与实例。
@ -52,7 +52,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
ports:
- "80:8080/tcp"
- "443:8443/tcp"
@ -63,7 +63,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
networks: [bw-universe, bw-services]
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
environment:
<<: *service-env
BUNKERWEB_INSTANCES: "bunkerweb"
@ -83,7 +83,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
networks: [bw-universe, bw-db]
bw-ui:
image: bunkerity/bunkerweb-ui:1.6.9
image: bunkerity/bunkerweb-ui:1.6.10
environment:
<<: *service-env
ADMIN_USERNAME: "admin"
@ -165,7 +165,7 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
```
恢复码在 UI 中仅显示一次;若丢失加密密钥,将清除已存的 TOTP 秘钥。
- 会话:默认 12 小时(`SESSION_LIFETIME_HOURS`)。绑定 IP 与 User-Agent`CHECK_PRIVATE_IP=no` 仅对私网放宽 IP 检查。`ALWAYS_REMEMBER=yes` 始终启用持久 Cookie。
- 会话:默认空闲时长 12 小时(`SESSION_LIFETIME_HOURS`),每次请求刷新。`SESSION_ABSOLUTE_HOURS`(默认 `168` = 7 天)设定绝对上限——无论是否活跃,超过即强制登出。可选的会话 ID 轮换(`SESSION_ROLLING_HOURS`,默认 `0` = 关闭)按该间隔重新生成会话 ID。会话绑定 IP 与 User-Agent`CHECK_PRIVATE_IP=no` 仅对私网放宽 IP 检查。`ALWAYS_REMEMBER=yes` 始终启用持久 Cookie。
- 若多级代理附加 `X-Forwarded-*`,请设置 `PROXY_NUMBERS`
## 配置来源与优先级
@ -205,7 +205,9 @@ UI 需要可访问的 scheduler /BunkerWebAPI / redis / 数据库。
| `FLASK_SECRET` | 会话签名密钥(存于 `/var/lib/bunkerweb/.flask_secret` | 十六进制/Base64/不透明字符串 | 自动生成 |
| `TOTP_ENCRYPTION_KEYS` (`TOTP_SECRETS`) | TOTP 秘钥加密键(空格或 JSON | 字符串 / JSON | 缺失时自动生成 |
| `BISCUIT_PUBLIC_KEY`, `BISCUIT_PRIVATE_KEY` | Biscuit 密钥hex用于 UI token | Hex 字符串 | 自动生成并存储 |
| `SESSION_LIFETIME_HOURS` | 会话时长 | 数值(小时) | `12` |
| `SESSION_LIFETIME_HOURS` | 会话空闲时长(滑动 TTL每次请求刷新 | 数值(小时) | `12` |
| `SESSION_ABSOLUTE_HOURS` | 与活动无关的绝对会话上限 | 数值(小时) | `168` |
| `SESSION_ROLLING_HOURS` | 会话 ID 轮换间隔(`0` 关闭轮换) | 数值(小时) | `0` |
| `ALWAYS_REMEMBER` | 总是启用 “remember me” | `yes``no` | `no` |
| `CHECK_PRIVATE_IP` | 绑定会话到 IP`no` 时放宽私网变更) | `yes``no` | `yes` |
| `PROXY_NUMBERS` | 信任的 `X-Forwarded-*` 代理层数 | 整数 | `1` |

4
examples/authelia/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

10
examples/authentik/README.md
View file

@ -1,3 +1,9 @@
We assume that you are already familiar with [Authentik](https://goauthentik.io/).
# BunkerWeb + Authentik (Forward Auth, Domain Level)
This example has been tested with a Proxy in Forward auth (domain level) mode (see [here](https://goauthentik.io/docs/providers/proxy/forward_auth) for more information).
This example protects two demo applications (`app1` and `app2`) behind a single [Authentik](https://goauthentik.io/) instance using the [Forward auth (domain level)](https://goauthentik.io/docs/providers/proxy/forward_auth) mode. [BunkerWeb](https://www.bunkerweb.io) sits in front of everything as the reverse proxy and Web Application Firewall, calls the Authentik outpost on each request via `auth_request`, and redirects unauthenticated users to the Authentik sign-in flow.
The Authentik stack (`server`, `worker`, `postgresql`) tracks the [upstream docker-compose reference](https://docs.goauthentik.io/install-config/install/docker-compose) for `2026.2+` and no longer needs Redis. An Authentik [blueprint](blueprints/bunkerweb.yaml) auto-provisions the forward-auth providers, applications and the embedded outpost binding, so both apps work out of the box without any manual click-through in the Authentik admin UI.
Supported integrations: [`docker-compose.yml`](docker-compose.yml), [`autoconf.yml`](autoconf.yml) and [`kubernetes.yml`](kubernetes.yml).
See the [BunkerWeb documentation](https://docs.bunkerweb.io) for the full configuration reference.

52
examples/authentik/authentik-chart-values.yml Normal file
View file

@ -0,0 +1,52 @@
# Authentik Helm chart values for the BunkerWeb forward-auth demo.
# Chart: https://github.com/goauthentik/helm
#
# Replace the secrets below before using this outside of a local demo.
authentik:
log_level: info
# Generate with: openssl rand -base64 60 | tr -d '\n'
secret_key: "changeme-authentik-secret-key"
error_reporting:
enabled: false
postgresql:
password: "changeme-pg-pass"
# Bootstrap the built-in admin user + token so the blueprint and the
# Authentik API can be used out of the box. These env vars are read by both
# the server and the worker containers (see AUTHENTIK_BOOTSTRAP_* docs).
server:
env:
- name: AUTHENTIK_BOOTSTRAP_PASSWORD
value: "changeme-bootstrap-password"
- name: AUTHENTIK_BOOTSTRAP_TOKEN
value: "changeme-bootstrap-token"
- name: AUTHENTIK_COOKIE_DOMAIN
value: "example.com"
worker:
env:
- name: AUTHENTIK_BOOTSTRAP_PASSWORD
value: "changeme-bootstrap-password"
- name: AUTHENTIK_BOOTSTRAP_TOKEN
value: "changeme-bootstrap-token"
- name: AUTHENTIK_COOKIE_DOMAIN
value: "example.com"
# Auto-provision the forward-auth providers, applications, and the embedded
# outpost binding from the blueprint shipped in ./blueprints/bunkerweb.yaml.
# The ConfigMap itself is created by setup-kubernetes.sh before `helm install`
# so the worker can mount and discover it at pod creation time.
blueprints:
configMaps:
- authentik-blueprint-bunkerweb
# Bundled PostgreSQL subchart (Bitnami) — Authentik 2026.2+ uses PostgreSQL for
# cache and channel layers, so no Redis is needed.
postgresql:
enabled: true
auth:
password: "changeme-pg-pass"
# Redis subchart is no longer required and is disabled.
redis:
enabled: false

148
examples/authentik/autoconf.yml Normal file
View file

@ -0,0 +1,148 @@
services:
# APPLICATIONS
app1:
image: nginxdemos/nginx-hello
networks:
bw-services:
aliases:
- app1
labels:
- bunkerweb.SERVER_NAME=app1.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://app1:8080
# Drop 401 from intercepted codes so Authentik's 401 bubbles up to the
# parent location where REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL rewrites
# it to a 302 redirect to the sign-in flow.
- bunkerweb.INTERCEPTED_ERROR_CODES=400 403 404 405 413 429 500 501 502 503 504
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://app1.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_entitlements $$upstream_http_x_authentik_entitlements;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- bunkerweb.REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- bunkerweb.REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-entitlements $$authentik_entitlements;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
- bunkerweb.REVERSE_PROXY_URL_999=/outpost.goauthentik.io
- bunkerweb.REVERSE_PROXY_HOST_999=http://server:9000
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
- bunkerweb.REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
- bunkerweb.REVERSE_PROXY_PASS_REQUEST_BODY_999=no
app2:
image: nginxdemos/nginx-hello
networks:
bw-services:
aliases:
- app2
labels:
- bunkerweb.SERVER_NAME=app2.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://app2:8080
- bunkerweb.INTERCEPTED_ERROR_CODES=400 403 404 405 413 429 500 501 502 503 504
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://app2.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_entitlements $$upstream_http_x_authentik_entitlements;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
- bunkerweb.REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
- bunkerweb.REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-entitlements $$authentik_entitlements;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
- bunkerweb.REVERSE_PROXY_URL_999=/outpost.goauthentik.io
- bunkerweb.REVERSE_PROXY_HOST_999=http://server:9000
- bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
- bunkerweb.REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
- bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
- bunkerweb.REVERSE_PROXY_PASS_REQUEST_BODY_999=no
# AUTHENTIK SERVICES
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
PGDATA: /var/lib/postgresql/data/pgdata
env_file:
- .env
networks:
- authentik-net
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
restart: unless-stopped
command: server
shm_size: 512mb
environment:
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
volumes:
- ak-data:/data
- custom-templates:/templates
- ./blueprints:/blueprints/custom:ro
env_file:
- .env
depends_on:
postgresql:
condition: service_healthy
networks:
- authentik-net
- bw-services
labels:
- bunkerweb.SERVER_NAME=auth.example.com
- bunkerweb.USE_REVERSE_PROXY=yes
- bunkerweb.REVERSE_PROXY_URL=/
- bunkerweb.REVERSE_PROXY_HOST=http://server:9000
- bunkerweb.REVERSE_PROXY_WS=yes
- bunkerweb.LIMIT_REQ_URL_1=^/api/
- bunkerweb.LIMIT_REQ_RATE_1=5r/s
- bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
- bunkerweb.ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
- bunkerweb.COOKIE_FLAGS=* SameSite=Lax
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
restart: unless-stopped
command: worker
shm_size: 512mb
environment:
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ak-data:/data
- certs:/certs
- custom-templates:/templates
- ./blueprints:/blueprints/custom:ro
env_file:
- .env
depends_on:
postgresql:
condition: service_healthy
networks:
- authentik-net
networks:
bw-services:
external: true
name: bw-services
authentik-net:
name: authentik-net
volumes:
database:
ak-data:
certs:
custom-templates:

58
examples/authentik/blueprints/bunkerweb.yaml Normal file
View file

@ -0,0 +1,58 @@
version: 1
metadata:
name: BunkerWeb forward-auth demo
entries:
- model: authentik_providers_proxy.proxyprovider
id: app1-provider
identifiers:
name: app1-provider
attrs:
name: app1-provider
mode: forward_domain
external_host: https://app1.example.com
cookie_domain: example.com
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- model: authentik_core.application
identifiers:
slug: app1
attrs:
name: App1
slug: app1
provider: !KeyOf app1-provider
- model: authentik_providers_proxy.proxyprovider
id: app2-provider
identifiers:
name: app2-provider
attrs:
name: app2-provider
mode: forward_domain
external_host: https://app2.example.com
cookie_domain: example.com
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- model: authentik_core.application
identifiers:
slug: app2
attrs:
name: App2
slug: app2
provider: !KeyOf app2-provider
- model: authentik_outposts.outpost
identifiers:
managed: goauthentik.io/outposts/embedded
attrs:
providers:
- !KeyOf app1-provider
- !KeyOf app2-provider
config:
authentik_host: https://auth.example.com/
authentik_host_insecure: true
authentik_host_browser: https://auth.example.com/
log_level: info
error_reporting: false
object_naming_template: "ak-outpost-%(name)s"
kubernetes_replicas: 1
kubernetes_namespace: default

5
examples/authentik/cleanup-kubernetes.sh Executable file
View file

@ -0,0 +1,5 @@
#!/bin/bash
set -euo pipefail
helm uninstall authentik 2>/dev/null || true
kubectl delete configmap authentik-blueprint-bunkerweb --ignore-not-found=true

92
examples/authentik/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb
@ -35,7 +35,7 @@ services:
# Proxy to outpost
REVERSE_PROXY_URL_999: "/outpost.goauthentik.io"
REVERSE_PROXY_HOST_999: "http://server:9000"
REVERSE_PROXY_HEADERS_999: "X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\";Connection $$connection_upgrade_keepalive"
REVERSE_PROXY_HEADERS_999: 'X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""'
REVERSE_PROXY_HEADERS_CLIENT_999: "Set-Cookie $$auth_cookie"
REVERSE_PROXY_AUTH_REQUEST_SET_999: "$$auth_cookie $$upstream_http_set_cookie"
REVERSE_PROXY_PASS_REQUEST_BODY_999: "no"
@ -51,37 +51,20 @@ services:
# Applications
app1.example.com_REVERSE_PROXY_URL: "/"
app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"
app1.example.com_INTERCEPTED_ERROR_CODES: "400 403 404 405 413 429 500 501 502 503 504"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/outpost.goauthentik.io/auth/nginx"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://app1.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_entitlements $$upstream_http_x_authentik_entitlements;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app1.example.com_REVERSE_PROXY_HEADERS_CLIENT: "Set-Cookie $$auth_cookie"
app1.example.com_REVERSE_PROXY_HEADERS: "Connection $$connection_upgrade_keepalive;X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
app1.example.com_ERRORS: "401=@goauthentik_proxy_signin"
app1.example.com_REVERSE_PROXY_HEADERS: "X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-entitlements $$authentik_entitlements;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
app2.example.com_REVERSE_PROXY_URL: "/"
app2.example.com_REVERSE_PROXY_HOST: "http://app2:8080"
app2.example.com_INTERCEPTED_ERROR_CODES: "400 403 404 405 413 429 500 501 502 503 504"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/outpost.goauthentik.io/auth/nginx"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://app2.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri"
app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_entitlements $$upstream_http_x_authentik_entitlements;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid"
app2.example.com_REVERSE_PROXY_HEADERS_CLIENT: "Set-Cookie $$auth_cookie"
app2.example.com_REVERSE_PROXY_HEADERS: "Connection $$connection_upgrade_keepalive;X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
app2.example.com_ERRORS: "401=@goauthentik_proxy_signin"
# Custom configuration
CUSTOM_CONF_HTTP_connection_upgrade_keepalive: |
map $$http_upgrade $$connection_upgrade_keepalive {
default upgrade;
'' '';
}
CUSTOM_CONF_SERVER_HTTP_goauthentik_proxy_signin: |
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $$auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$$scheme://$$http_host$$request_uri;
}
app2.example.com_REVERSE_PROXY_HEADERS: "X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-entitlements $$authentik_entitlements;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid"
restart: "unless-stopped"
networks:
- bw-universe
@ -97,11 +80,15 @@ services:
- bw-services
# AUTHENTIK SERVICES
# Stack aligned with the upstream Authentik docker-compose reference for 2026.2+
# (see https://docs.goauthentik.io/install-config/install/docker-compose).
# Authentik 2026.2 no longer requires a separate Redis service: cache and
# channel layers run on PostgreSQL via django_postgres_cache / django_channels_postgres.
postgresql:
image: docker.io/library/postgres:17-alpine
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
@ -112,58 +99,50 @@ services:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
PGDATA: /var/lib/postgresql/data/pgdata
env_file:
- .env
networks:
- authentik-net
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
networks:
- authentik-net
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
restart: unless-stopped
command: server
shm_size: 512mb
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
volumes:
- media:/media
- ak-data:/data
- custom-templates:/templates
# Blueprint that auto-provisions the forward-auth providers, applications
# and binds them to the embedded outpost so the apps work out of the box.
- ./blueprints:/blueprints/custom:ro
env_file:
- .env
# ports:
# - "${COMPOSE_PORT_HTTP:-9000}:9000"
# - "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
postgresql:
condition: service_healthy
networks:
- authentik-net
- bw-services
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
restart: unless-stopped
command: worker
shm_size: 512mb
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
@ -173,26 +152,25 @@ services:
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- media:/media
- ak-data:/data
- certs:/certs
- custom-templates:/templates
- ./blueprints:/blueprints/custom:ro
env_file:
- .env
depends_on:
- postgresql
- redis
postgresql:
condition: service_healthy
networks:
- authentik-net
volumes:
bw-storage:
database:
redis:
media:
ak-data:
certs:
custom-templates:
networks:
bw-universe:
name: bw-universe

165
examples/authentik/kubernetes.yml Normal file
View file

@ -0,0 +1,165 @@
# Shared Authentik outpost reverse-proxy slot (`_999`) applied globally so
# every site inherits `/outpost.goauthentik.io`. Per-site Ingresses below
# only carry their own forward-auth settings.
apiVersion: v1
kind: ConfigMap
metadata:
name: bw-authentik-outpost
annotations:
bunkerweb.io/CONFIG_TYPE: "settings"
data:
AUTO_LETS_ENCRYPT: "yes"
REVERSE_PROXY_URL_999: "/outpost.goauthentik.io"
REVERSE_PROXY_HOST_999: "http://authentik-server.default.svc.cluster.local"
REVERSE_PROXY_HEADERS_999: 'X-Original-URL $scheme://$http_host$request_uri;Content-Length ""'
REVERSE_PROXY_HEADERS_CLIENT_999: "Set-Cookie $auth_cookie"
REVERSE_PROXY_AUTH_REQUEST_SET_999: "$auth_cookie $upstream_http_set_cookie"
REVERSE_PROXY_PASS_REQUEST_BODY_999: "no"
---
# One Ingress per host so the BW controller auto-scopes each unprefixed
# annotation to its single server_name (IngressController.py:120-126),
# keeping annotation name parts under Kubernetes' 63-byte limit.
#
# Authentik server — login, admin, flows.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-auth
annotations:
bunkerweb.io/REVERSE_PROXY_WS_1: "yes"
bunkerweb.io/LIMIT_REQ_URL_1: "^/api/"
bunkerweb.io/LIMIT_REQ_RATE_1: "5r/s"
bunkerweb.io/REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE|PATCH"
bunkerweb.io/COOKIE_FLAGS: "* SameSite=Lax"
spec:
rules:
- host: auth.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authentik-server
port:
number: 80
---
# app1 — protected by Authentik forward-auth. `_1` targets `location /`.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-app1
annotations:
# Drop 401 from intercepted codes so Authentik's 401 reaches the signin redirect.
bunkerweb.io/INTERCEPTED_ERROR_CODES: "400 403 404 405 413 429 500 501 502 503 504"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_1: "/outpost.goauthentik.io/auth/nginx"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL_1: "https://app1.example.com/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$request_uri"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_SET_1: "$auth_cookie $upstream_http_set_cookie;$authentik_username $upstream_http_x_authentik_username;$authentik_groups $upstream_http_x_authentik_groups;$authentik_entitlements $upstream_http_x_authentik_entitlements;$authentik_email $upstream_http_x_authentik_email;$authentik_name $upstream_http_x_authentik_name;$authentik_uid $upstream_http_x_authentik_uid"
bunkerweb.io/REVERSE_PROXY_HEADERS_CLIENT_1: "Set-Cookie $auth_cookie"
bunkerweb.io/REVERSE_PROXY_HEADERS_1: "X-authentik-username $authentik_username;X-authentik-groups $authentik_groups;X-authentik-entitlements $authentik_entitlements;X-authentik-email $authentik_email;X-authentik-name $authentik_name;X-authentik-uid $authentik_uid"
spec:
rules:
- host: app1.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app1
port:
number: 80
---
# app2 — same forward-auth pattern as app1.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-app2
annotations:
bunkerweb.io/INTERCEPTED_ERROR_CODES: "400 403 404 405 413 429 500 501 502 503 504"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_1: "/outpost.goauthentik.io/auth/nginx"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL_1: "https://app2.example.com/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$request_uri"
bunkerweb.io/REVERSE_PROXY_AUTH_REQUEST_SET_1: "$auth_cookie $upstream_http_set_cookie;$authentik_username $upstream_http_x_authentik_username;$authentik_groups $upstream_http_x_authentik_groups;$authentik_entitlements $upstream_http_x_authentik_entitlements;$authentik_email $upstream_http_x_authentik_email;$authentik_name $upstream_http_x_authentik_name;$authentik_uid $upstream_http_x_authentik_uid"
bunkerweb.io/REVERSE_PROXY_HEADERS_CLIENT_1: "Set-Cookie $auth_cookie"
bunkerweb.io/REVERSE_PROXY_HEADERS_1: "X-authentik-username $authentik_username;X-authentik-groups $authentik_groups;X-authentik-entitlements $authentik_entitlements;X-authentik-email $authentik_email;X-authentik-name $authentik_name;X-authentik-uid $authentik_uid"
spec:
rules:
- host: app2.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: svc-app2
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app1
labels:
app: app1
spec:
replicas: 1
selector:
matchLabels:
app: app1
template:
metadata:
labels:
app: app1
spec:
containers:
- name: app1
image: nginxdemos/nginx-hello
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: svc-app1
spec:
selector:
app: app1
ports:
- protocol: TCP
port: 80
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app2
labels:
app: app2
spec:
replicas: 1
selector:
matchLabels:
app: app2
template:
metadata:
labels:
app: app2
spec:
containers:
- name: app2
image: nginxdemos/nginx-hello
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: svc-app2
spec:
selector:
app: app2
ports:
- protocol: TCP
port: 80
targetPort: 8080

16
examples/authentik/setup-kubernetes.sh Executable file
View file

@ -0,0 +1,16 @@
#!/bin/bash
set -euo pipefail
# Create the Authentik blueprint ConfigMap first so the Helm chart can mount it
# into the worker pod at creation time (the chart reads the ConfigMap list from
# blueprints.configMaps in authentik-chart-values.yml).
kubectl create configmap authentik-blueprint-bunkerweb \
--from-file=bunkerweb.yaml=blueprints/bunkerweb.yaml \
--dry-run=client -o yaml | kubectl apply -f -
# Install Authentik from the official Helm chart. Authentik 2026.2+ uses
# PostgreSQL for cache and channel layers, so Redis is disabled in the values
# file and no separate Redis subchart is pulled in.
helm repo add authentik https://charts.goauthentik.io >/dev/null 2>&1 || true
helm repo update authentik
helm upgrade --install -f authentik-chart-values.yml authentik authentik/authentik

27
examples/authentik/tests.json.backup Normal file
View file

@ -0,0 +1,27 @@
{
"name": "authentik",
"kinds": ["docker", "autoconf", "kubernetes"],
"timeout": 300,
"delay": 180,
"no_copy_container": true,
"tests": [
{
"type": "string",
"url": "https://auth.example.com",
"string": "authentik",
"tls": "auth.example.com"
},
{
"type": "string",
"url": "https://app1.example.com",
"string": "authentik",
"tls": "app1.example.com"
},
{
"type": "string",
"url": "https://app2.example.com",
"string": "authentik",
"tls": "app2.example.com"
}
]
}

4
examples/behind-reverse-proxy/docker-compose.yml
View file

@ -6,7 +6,7 @@ x-env: &env
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
environment:
<<: *env
@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/bigbluebutton/docker-compose.yml
View file

@ -25,7 +25,7 @@ services:
...
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -40,7 +40,7 @@ services:
bw-universe:
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/cors/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -22,7 +22,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-cloudflare/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-desec/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-digitalocean/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

4
examples/dns-dnsimple/docker-compose.yml
View file

@ -1,6 +1,6 @@
services:
bunkerweb:
image: bunkerity/bunkerweb:1.6.9
image: bunkerity/bunkerweb:1.6.10
container_name: bunkerweb
ports:
- "80:8080/tcp"
@ -14,7 +14,7 @@ services:
- bw-services
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.6.9
image: bunkerity/bunkerweb-scheduler:1.6.10
container_name: bw-scheduler
depends_on:
- bunkerweb

Some files were not shown because too many files have changed in this diff Show more