From 5f79aea4bb13975fed057fc374a9d0867e0e01d0 Mon Sep 17 00:00:00 2001 From: AxyFr Date: Wed, 13 Jul 2022 17:31:01 +0200 Subject: [PATCH] fpm single/multiple docker&autoconf --- docs/quickstart-guide.md | 591 +++++++++++++++++++++++++++++++++++++++ docs/web-ui.md | 15 +- 2 files changed, 598 insertions(+), 8 deletions(-) diff --git a/docs/quickstart-guide.md b/docs/quickstart-guide.md index cca9aac99..a0e2595b1 100644 --- a/docs/quickstart-guide.md +++ b/docs/quickstart-guide.md @@ -1553,6 +1553,597 @@ Some integrations offer a more convenient way of applying configurations for exa Don't forget to reload the bunkerweb service once it's done. +=== "Ansible" + + When the variable `custom_configs` is set to "true" , you could use the + `custom_configs_path[]` variable to write the configs to the /opt/bunkerweb/configs folder. + + Here is an example for server-http/hello-world.conf : + ```conf + location /hello { + default_type 'text/plain'; + content_by_lua_block { + ngx.say('world') + } + } + ``` + + In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb : + ```yaml + all: + children: + Groups: + hosts: + "Your_IP_Address": + vars: + custom_configs: true + custom_configs_path: { + server-http: ../hello-world.conf, + #http: ../http.conf, + #default-server-http: ../default-server-http.conf, + #modsec-crs: ../modsec-crs, + #modsec: ../modsec + } + ``` + + Or in INI format : + ```ini + [all] + host + + [all:vars] + custom_configs=true + custom_configs_path={'server-http': '../hello-world.conf', 'http': '../http.conf', 'default-server-http': '../default-server-http.conf', 'modsec-crs': '../modsec-crs', 'modsec': '../modsec'} + ``` + + Run the playbook : + ```shell + ansible-playbook -i inventory.yml playbook.yml + ``` + +## FPM + +Using PHP with Nginx is a bit tricky. + +The following settings can be used : + +- `REMOTE_PHP` : Hostname of the remote PHP-FPM instance. +- `REMOTE_PHP_PATH` : Root folder containing files in the remote PHP-FPM instance. +- `DISABLE_DEFAULT_SERVER` : Close connection if the request vhost is unknown. + +### Single application + +=== "Docker" + + When using the [Docker integration](/1.4/integrations/#docker), you have two steps for adding custom configurations : + + - Using specific settings `REMOTE_PHP` and `REMOTE_PHP_PATH` as environment variables + - Writing yours files in yours folder and mounte the volume on /data + + Create the Docker network if it's not already created : + ```shell + docker network create bw-net + ``` + + Then instance the PHP-FPM container : + ```shell + docker run -d \ + --name myphp \ + --network bw-net \ + -v AbsolutePath/bw-data/www:/app \ + php:fpm + ``` + + You can now run BunkerWeb and configure it for your app : + ```shell + docker run -d \ + --name mybunker \ + --network bw-net \ + -p 80:8080 \ + -p 443:8443 \ + -v AbsolutePath/bw-data:/data \ + -e SERVER_NAME=www.example.com \ + -e AUTO_LETS_ENCRYPT=yes \ + -e DISABLE_DEFAULT_SERVER=yes \ + -e USE_CLIENT_CACHE=yes \ + -e USE_GZIP=yes \ + -e REMOTE_PHP=myphp \ + -e REMOTE_PHP_PATH=/app \ + bunkerity/bunkerweb:1.4.2 + ``` + + Here is the docker-compose equivalent : + ```yaml + version: '3' + + services: + + mybunker: + image: bunkerity/bunkerweb:1.4.2 + ports: + - 80:8080 + - 443:8443 + volumes: + - ./bw-data:/data + environment: + - SERVER_NAME=www.example.com # replace with your domain + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - USE_CLIENT_CACHE=yes + - USE_GZIP=yes + - REMOTE_PHP=myphp + - REMOTE_PHP_PATH=/app + networks: + - bw-net + + myphp: + image: php:fpm + volumes: + - ./bw-data:/data + networks: + - bw-net + + networks: + bw-net: + ``` + +=== "Docker autoconf" + + We will assume that you already have the Docker autoconf integration stack running on your machine and connected to a network called bw-services. + + You can instantiate your container and pass the settings as labels : + ```shell + docker run -d \ + --name mybunker \ + --network bw-autoconf \ + -v ./www:/www \ + -p 80:8080 \ + -p 443:8443 \ + -e AUTOCONF_MODE=yes \ + -e MULTISITE=yes \ + -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \ + -e SERVER_NAME= \ + -l bunkerweb.AUTOCONF \ + bunkerity/bunkerweb:1.4.2 + ``` + + === "App #1" + ```shell + docker run -d \ + --name myphp1 \ + --network bw-services \ + -v ./www/app1.example.com:/app \ + -l bunkerweb.DISABLE_DEFAULT_SERVER=yes \ + -l bunkerweb.SERVER_NAME=app1.example.com \ + -l bunkerweb.USE_CLIENT_CACHE=yes \ + -l bunkerweb.USE_GZIP=yes \ + -l bunkerweb.REMOTE_PHP=myphp1 \ + -l bunkerweb.REMOTE_PHP_PATH=/app \ + -l bunkerweb.ROOT_FOLDER=/www/app1.example.com \ + php:fpm + ``` + + === "App #2" + ```shell + docker run -d \ + --name myphp2 \ + --network bw-services \ + -v ./www/app2.example.com:/app \ + -l bunkerweb.DISABLE_DEFAULT_SERVER=yes \ + -l bunkerweb.SERVER_NAME=app2.example.com \ + -l bunkerweb.USE_CLIENT_CACHE=yes \ + -l bunkerweb.USE_GZIP=yes \ + -l bunkerweb.REMOTE_PHP=myphp2 \ + -l bunkerweb.REMOTE_PHP_PATH=/app \ + -l bunkerweb.ROOT_FOLDER=/www/app2.example.com \ + php:fpm + ``` + + Here is the docker-compose equivalent : + ```yaml + version: '3' + + services: + + mybunker: + image: bunkerity/bunkerweb:1.4.2 + volumes: + - ./www:/www + ports: + - 80:8080 + - 443:8443 + environment: + - AUTOCONF_MODE=yes + - MULTISITE=yes + - SERVER_NAME= + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + labels: + - "bunkerweb.AUTOCONF" + networks: + - bw-autoconf + - bw-services + + myautoconf: + image: bunkerity/bunkerweb-autoconf:1.4.2 + volumes: + - bw-data:/data + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - bw-autoconf + + myphp1: + image: php:fpm + volumes: + - ./www/app1.example.com:/app + networks: + bw-services: + aliases: + - myphp1 + labels: + - "bunkerweb.DISABLE_DEFAULT_SERVER=yes" + - "bunkerweb.SERVER_NAME=app1.example.com" + - "bunkerweb.USE_CLIENT_CACHE=yes" + - "bunkerweb.USE_GZIP=yes" + - "bunkerweb.REMOTE_PHP=myphp1" + - "bunkerweb.REMOTE_PHP_PATH=/app" + - "bunkerweb.ROOT_FOLDER=/www/app1.example.com" + + myphp2: + image: php:fpm + volumes: + - ./www/app2.example.com:/app + networks: + bw-services: + aliases: + - myphp2 + labels: + - "bunkerweb.DISABLE_DEFAULT_SERVER=yes" + - "bunkerweb.SERVER_NAME=app2.example.com" + - "bunkerweb.USE_CLIENT_CACHE=yes" + - "bunkerweb.USE_GZIP=yes" + - "bunkerweb.REMOTE_PHP=myphp2" + - "bunkerweb.REMOTE_PHP_PATH=/app" + - "bunkerweb.ROOT_FOLDER=/www/app2.example.com" + + volumes: + bw-data: + + networks: + bw-autoconf: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + name: bw-services + ``` + +=== "Linux" + + We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine. + + You have to install php-fpm + ```shell + apt install php-fpm + ``` + + Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file : + ```conf + SERVER_NAME=www.example.com + HTTP_PORT=80 + HTTPS_PORT=443 + DNS_RESOLVERS=8.8.8.8 8.8.4.4 + USE_REVERSE_PROXY=yes + REVERSE_PROXY_URL=/ + REVERSE_PROXY_HOST=http://127.0.0.1:8000 + ``` + + Let's check the status of BunkerWeb : + ```shell + systemctl status bunkerweb + ``` + + If it's already running we can just reload it : + ```shell + systemctl reload bunkerweb + ``` + + Otherwise, we will need to start it : + ```shell + systemctl start bunkerweb + ``` + +=== "Ansible" + + When the variable `custom_configs` is set to "true" , you could use the + `custom_configs_path[]` variable to write the configs to the /opt/bunkerweb/configs folder. + + Here is an example for server-http/hello-world.conf : + ```conf + location /hello { + default_type 'text/plain'; + content_by_lua_block { + ngx.say('world') + } + } + ``` + + In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb : + ```yaml + all: + children: + Groups: + hosts: + "Your_IP_Address": + vars: + custom_configs: true + custom_configs_path: { + server-http: ../hello-world.conf, + #http: ../http.conf, + #default-server-http: ../default-server-http.conf, + #modsec-crs: ../modsec-crs, + #modsec: ../modsec + } + ``` + + Or in INI format : + ```ini + [all] + host + + [all:vars] + custom_configs=true + custom_configs_path={'server-http': '../hello-world.conf', 'http': '../http.conf', 'default-server-http': '../default-server-http.conf', 'modsec-crs': '../modsec-crs', 'modsec': '../modsec'} + ``` + + Run the playbook : + ```shell + ansible-playbook -i inventory.yml playbook.yml + ``` + +### Multiple applications + +=== "Docker" + + When using the [Docker integration](/1.4/integrations/#docker), you have two steps for adding custom configurations : + + - Using specific settings `REMOTE_PHP` and `REMOTE_PHP_PATH` as environment variables + - Writing yours files in yours folder and mounte the volume on /data + + Create the Docker networks if it's not already created : + ```shell + docker network create net_app1 + docker network create net_app2 + ``` + + Then instantiate your apps : + === "App #1" + ```shell + docker run -d \ + --name myphp1 \ + --network net_app1 \ + -v bw-data/www/app1.example.com:/app + php:fpm + ``` + === "App #2" + ```shell + docker run -d \ + --name myphp2 \ + --network net_app2 \ + -v bw-data/www/app2.example.com:/app + php:fpm + ``` + + You can now run BunkerWeb and configure it for your app : + ```shell + docker run -d \ + --name mybunker \ + --network net_app1 \ + --network net_app2 \ + -p 80:8080 \ + -p 443:8443 \ + -v ./bw-data:/data \ + -e SERVER_NAME=app1.example.com app2.exemple.com \ + -e MULTISITE=yes \ + -e AUTO_LETS_ENCRYPT=yes \ + -e DISABLE_DEFAULT_SERVER=yes \ + -e USE_CLIENT_CACHE=yes \ + -e USE_GZIP=yes \ + -e app1.exemple.com_REMOTE_PHP=myphp1 \ + -e app1.exemple.com_REMOTE_PHP_PATH=/app \ + -e app2.exemple.com_REMOTE_PHP=myphp2 \ + -e app2.exemple.com_REMOTE_PHP_PATH=/app \ + bunkerity/bunkerweb:1.4.2 + ``` + + Here is the docker-compose equivalent : + ```yaml + version: '3' + + services: + + mybunker: + image: bunkerity/bunkerweb:1.4.2 + ports: + - 80:8080 + - 443:8443 + volumes: + - ./bw-data:/data + environment: + - SERVER_NAME=www.example.com # replace with your domain + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - USE_CLIENT_CACHE=yes + - USE_GZIP=yes + - REMOTE_PHP=myphp + - REMOTE_PHP_PATH=/app + networks: + - bw-net + + myphp: + image: php:fpm + volumes: + - ./bw-data:/data + networks: + - bw-net + + networks: + bw-net: + ``` + +=== "Docker autoconf" + + We will assume that you already have the Docker autoconf integration stack running on your machine and connected to a network called bw-services. + + You can instantiate your container and pass the settings as labels : + ```shell + docker run -d \ + --name mybunker \ + --network bw-autoconf \ + -v ./www:/www \ + -p 80:8080 \ + -p 443:8443 \ + -e AUTOCONF_MODE=yes \ + -e MULTISITE=yes \ + -e "API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24" \ + -e SERVER_NAME= \ + -l bunkerweb.AUTOCONF \ + bunkerity/bunkerweb:1.4.2 + ``` + + === "App #1" + ```shell + docker run -d \ + --name myphp1 \ + --network bw-services \ + -v ./www/app1.example.com:/app \ + -l bunkerweb.DISABLE_DEFAULT_SERVER=yes \ + -l bunkerweb.SERVER_NAME=app1.example.com \ + -l bunkerweb.USE_CLIENT_CACHE=yes \ + -l bunkerweb.USE_GZIP=yes \ + -l bunkerweb.REMOTE_PHP=myphp1 \ + -l bunkerweb.REMOTE_PHP_PATH=/app \ + -l bunkerweb.ROOT_FOLDER=/www/app1.example.com \ + php:fpm + ``` + + === "App #2" + ```shell + docker run -d \ + --name myphp2 \ + --network bw-services \ + -v ./www/app2.example.com:/app \ + -l bunkerweb.DISABLE_DEFAULT_SERVER=yes \ + -l bunkerweb.SERVER_NAME=app2.example.com \ + -l bunkerweb.USE_CLIENT_CACHE=yes \ + -l bunkerweb.USE_GZIP=yes \ + -l bunkerweb.REMOTE_PHP=myphp2 \ + -l bunkerweb.REMOTE_PHP_PATH=/app \ + -l bunkerweb.ROOT_FOLDER=/www/app2.example.com \ + php:fpm + ``` + + Here is the docker-compose equivalent : + ```yaml + version: '3' + + services: + + mybunker: + image: bunkerity/bunkerweb:1.4.2 + volumes: + - ./www:/www + ports: + - 80:8080 + - 443:8443 + environment: + - AUTOCONF_MODE=yes + - MULTISITE=yes + - SERVER_NAME= + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + labels: + - "bunkerweb.AUTOCONF" + networks: + - bw-autoconf + - bw-services + + myautoconf: + image: bunkerity/bunkerweb-autoconf:1.4.2 + volumes: + - bw-data:/data + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - bw-autoconf + + myphp1: + image: php:fpm + volumes: + - ./www/app1.example.com:/app + networks: + bw-services: + aliases: + - myphp1 + labels: + - "bunkerweb.DISABLE_DEFAULT_SERVER=yes" + - "bunkerweb.SERVER_NAME=app1.example.com" + - "bunkerweb.USE_CLIENT_CACHE=yes" + - "bunkerweb.USE_GZIP=yes" + - "bunkerweb.REMOTE_PHP=myphp1" + - "bunkerweb.REMOTE_PHP_PATH=/app" + - "bunkerweb.ROOT_FOLDER=/www/app1.example.com" + + myphp2: + image: php:fpm + volumes: + - ./www/app2.example.com:/app + networks: + bw-services: + aliases: + - myphp2 + labels: + - "bunkerweb.DISABLE_DEFAULT_SERVER=yes" + - "bunkerweb.SERVER_NAME=app2.example.com" + - "bunkerweb.USE_CLIENT_CACHE=yes" + - "bunkerweb.USE_GZIP=yes" + - "bunkerweb.REMOTE_PHP=myphp2" + - "bunkerweb.REMOTE_PHP_PATH=/app" + - "bunkerweb.ROOT_FOLDER=/www/app2.example.com" + + volumes: + bw-data: + + networks: + bw-autoconf: + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 + bw-services: + name: bw-services + ``` + +=== "Linux" + + When using the [Linux integration](/1.4/integrations/#linux), custom configurations must be written to the /opt/bunkerweb/configs folder. + + Here is an example for server-http/hello-world.conf : + ```conf + location /hello { + default_type 'text/plain'; + content_by_lua_block { + ngx.say('world') + } + } + ``` + + Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions : + ```shell + chown -R root:nginx /opt/bunkerweb/configs && \ + chmod -R 770 /opt/bunkerweb/configs + ``` + + Don't forget to reload the bunkerweb service once it's done. + === "Ansible" When the variable `custom_configs` is set to "true" , you could use the diff --git a/docs/web-ui.md b/docs/web-ui.md index 6ab03393b..780af9f29 100644 --- a/docs/web-ui.md +++ b/docs/web-ui.md @@ -280,16 +280,15 @@ Because the web UI is a web application, the recommended installation procedure In YAML format: ```yaml - all: - children: - Groups: - hosts: - "Your_IP_Address": - vars: + all: + children: + Groups: + hosts: + "Your_IP_Address": + vars: enable_ui: true # Activate the UI custom_ui: "PathToYourFile" # Path to your UI file - } - ``` + ``` Or in INI format : ```ini