From c2402b118f02130e9d227e0fd1cb2d399aed2288 Mon Sep 17 00:00:00 2001
From: florian
Date: Fri, 17 Feb 2023 15:09:55 +0100
Subject: [PATCH] fix duplicate root error when bw is starting, add modesec rule to core ui and init work on k8s/swarm integration files
---
 misc/integrations/docker.ui.yml | 1 -
 misc/integrations/k8s.mariadb.ui.yml | 318 +++++++++++++++
 misc/integrations/k8s.mariadb.yml | 256 ++++++++++++
 misc/integrations/k8s.mysql.ui.yml | 376 ++++++++++++++++++
 misc/integrations/k8s.mysql.yml | 256 ++++++++++++
 misc/integrations/k8s.postgres.ui.yml | 329 +++++++++++++++
 misc/integrations/k8s.postgres.yml | 254 ++++++++++++
 misc/integrations/swarm.mariadb.ui.yml | 127 ++++++
 misc/integrations/swarm.mariadb.yml | 7 +
 misc/integrations/swarm.mysql.ui.yml | 127 ++++++
 misc/integrations/swarm.mysql.yml | 7 +
 misc/integrations/swarm.postgres.ui.yml | 126 ++++++
 misc/integrations/swarm.postgres.yml | 7 +
 .../misc/confs/default-server-http/page.conf | 2 +-
 src/common/core/ui/confs/modsec/ui.conf | 2 +-
 15 files changed, 2192 insertions(+), 3 deletions(-)
 create mode 100644 misc/integrations/k8s.mariadb.ui.yml
 create mode 100644 misc/integrations/k8s.mariadb.yml
 create mode 100644 misc/integrations/k8s.mysql.ui.yml
 create mode 100644 misc/integrations/k8s.mysql.yml
 create mode 100644 misc/integrations/k8s.postgres.ui.yml
 create mode 100644 misc/integrations/k8s.postgres.yml
 create mode 100644 misc/integrations/swarm.mariadb.ui.yml
 create mode 100644 misc/integrations/swarm.mysql.ui.yml
 create mode 100644 misc/integrations/swarm.postgres.ui.yml
diff --git a/misc/integrations/docker.ui.yml b/misc/integrations/docker.ui.yml
index 7255945f6..521f7ca4e 100644
--- a/misc/integrations/docker.ui.yml
+++ b/misc/integrations/docker.ui.yml
@@ -18,7 +18,6 @@ services: - www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000 - www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin - www.example.com_INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504 - - www.example.com_CUSTOM_CONF_MODSEC_CRS_remove_ui_false_positives=SecRule REQUEST_FILENAME "@rx /global_config$$" "id:999,ctl:ruleRemoveByTag=platform-pgsql,nolog" networks: - bw-universe - bw-services diff --git a/misc/integrations/k8s.mariadb.ui.yml b/misc/integrations/k8s.mariadb.ui.yml new file mode 100644 index 000000000..514249bf5 --- /dev/null +++ b/misc/integrations/k8s.mariadb.ui.yml 
@@ -0,0 +1,318 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: mariadb:10.10 + imagePullPolicy: Always + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: "MYSQL_DATABASE" + value: "db" + - name: "MYSQL_USER" + value: "bunkerweb" + - name: "MYSQL_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/mysql" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-ui +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-ui + template: + metadata: + labels: + app: bunkerweb-ui + spec: + containers: + - name: bunkerweb-ui + image: bunkerity/bunkerweb-ui:1.5.0 + imagePullPolicy: Always + env: + - name: ADMIN_USERNAME + value: "admin" + - name: "ADMIN_PASSWORD" + value: "changeme" + - name: "ABSOLUTE_URI" + value: "http://www.example.com/admin" +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 3306 + targetPort: 3306 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-ui +spec: + type: ClusterIP + selector: + app: bunkerweb-ui + ports: + - name: http + protocol: TCP + port: 7000 + targetPort: 7000 +--- +apiVersion: v1 +kind: 
PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress + annotations: + bunkerweb.io/www.example.com_USE_UI: "yes" + bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS: "X-Script-Name /admin" +spec: + rules: + - host: www.example.com + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: svc-bunkerweb-ui + port: + number: 7000 \ No newline at end of file diff --git a/misc/integrations/k8s.mariadb.yml b/misc/integrations/k8s.mariadb.yml new file mode 100644 index 000000000..4b8ac0527 --- /dev/null +++ b/misc/integrations/k8s.mariadb.yml 
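Review bot: The database and admin UI credentials are committed as literal env values: `MYSQL_PASSWORD` and `ADMIN_PASSWORD` are `changeme`, and the same password is embedded in `DATABASE_URI` for the controller and scheduler, so it is readable by anyone who can view the Deployment specs. Move them into a Kubernetes Secret and reference it from each container, e.g. `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key>}}`, with a comment telling users to replace the default before applying. `ABSOLUTE_URI` also points the admin UI at `http://`, so the login would travel unencrypted unless TLS is terminated somewhere this manifest does not show. The same literals appear in k8s.mariadb.yml, k8s.mysql.ui.yml, k8s.mysql.yml and k8s.postgres.ui.yml.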
@@ -0,0 +1,256 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: mariadb:10.10 + imagePullPolicy: Always + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: "MYSQL_DATABASE" + value: "db" + - name: "MYSQL_USER" + value: "bunkerweb" + - name: "MYSQL_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/mysql" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 3306 + targetPort: 3306 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb \ No newline at end of file diff --git a/misc/integrations/k8s.mysql.ui.yml b/misc/integrations/k8s.mysql.ui.yml new file mode 100644 index 000000000..7fc2829bd --- /dev/null +++ b/misc/integrations/k8s.mysql.ui.yml 
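Review bot: The `bunkerweb-scheduler` Deployment looks copied from the controller: its container is named `bunkerweb-controller` and runs `bunkerity/bunkerweb-autoconf:1.4.6`, so as written it appears to start a second autoconf instance rather than a distinct scheduler. If a scheduler image is intended, the `name:` and `image:` lines should be changed to it; which image that is cannot be told from this patch. The pod also sets no `serviceAccountName`, so it would run under the namespace's default service account instead of `sa-bunkerweb`, which matters if it really has to read Ingresses and Services. The same block is repeated in k8s.mariadb.ui.yml, k8s.mysql.ui.yml, k8s.mysql.yml and k8s.postgres.ui.yml.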
@@ -0,0 +1,376 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: mysql:8.0 + imagePullPolicy: Always + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: "MYSQL_DATABASE" + value: "db" + - name: "MYSQL_USER" + value: "bunkerweb" + - name: "MYSQL_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/mysql" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: mariadb:10.10 + imagePullPolicy: Always + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: "MYSQL_DATABASE" + value: "db" + - name: "MYSQL_USER" + value: "bunkerweb" + - name: "MYSQL_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/mysql" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-ui +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-ui + template: + metadata: + labels: + app: bunkerweb-ui + spec: + containers: + - name: bunkerweb-ui + image: 
bunkerity/bunkerweb-ui:1.5.0 + imagePullPolicy: Always + env: + - name: ADMIN_USERNAME + value: "admin" + - name: "ADMIN_PASSWORD" + value: "changeme" + - name: "ABSOLUTE_URI" + value: "http://www.example.com/admin" +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 3306 + targetPort: 3306 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-ui +spec: + type: ClusterIP + selector: + app: bunkerweb-ui + ports: + - name: http + protocol: TCP + port: 7000 + targetPort: 7000 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress + annotations: + bunkerweb.io/www.example.com_USE_UI: "yes" + bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS: "X-Script-Name /admin" +spec: + rules: + - host: www.example.com + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: svc-bunkerweb-ui + port: + number: 7000 \ No newline at end of file diff --git a/misc/integrations/k8s.mysql.yml b/misc/integrations/k8s.mysql.yml new file mode 100644 index 000000000..82f6b7445 --- /dev/null +++ b/misc/integrations/k8s.mysql.yml 
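Review bot: `bunkerweb-redis` and `bunkerweb-db` are each defined twice in this manifest, and the second `bunkerweb-db` uses `image: mariadb:10.10` while the first uses `image: mysql:8.0`. When the documents are applied in file order the later definition replaces the earlier one, so the MySQL example would presumably end up running MariaDB against the `pvc-bunkerweb` volume. The second pair of Deployments looks like a leftover from the MariaDB file and should be removed.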
@@ -0,0 +1,256 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: mysql:8.0 + imagePullPolicy: Always + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "yes" + - name: "MYSQL_DATABASE" + value: "db" + - name: "MYSQL_USER" + value: "bunkerweb" + - name: "MYSQL_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/mysql" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 3306 + targetPort: 3306 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb \ No newline at end of file diff --git a/misc/integrations/k8s.postgres.ui.yml b/misc/integrations/k8s.postgres.ui.yml new file mode 100644 index 000000000..475ded24b --- /dev/null +++ b/misc/integrations/k8s.postgres.ui.yml 
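Review bot: `DATABASE_URI` for the controller and scheduler uses the `mariadb+pymysql://` scheme although the database container in this file is `mysql:8.0`. This looks carried over from the MariaDB manifest; if the URI is handed to SQLAlchemy, the `mariadb` dialect name is meant for MariaDB servers and `mysql+pymysql://` would be the expected scheme here. k8s.mysql.ui.yml has the same value. Worth confirming against the application's URI handling, which is not part of this patch.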
@@ -0,0 +1,329 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: postgres:15.1 + imagePullPolicy: Always + env: + - name: "POSTGRES_DB" + value: "db" + - name: "POSTGRES_USER" + value: "bunkerweb" + - name: "POSTGRES_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/postgresql/data" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-ui +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-ui + template: + metadata: + labels: + app: bunkerweb-ui + spec: + containers: + - name: bunkerweb-ui + image: bunkerity/bunkerweb-ui:1.5.0 + imagePullPolicy: Always + env: + - name: ADMIN_USERNAME + value: "admin" + - name: "ADMIN_PASSWORD" + value: "changeme" + - name: "ABSOLUTE_URI" + value: "http://www.example.com/admin" +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 5432 + targetPort: 5432 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-ui +spec: + type: ClusterIP + selector: + app: bunkerweb-ui + ports: + - name: http + protocol: TCP + port: 7000 + targetPort: 7000 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb 
+spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress + annotations: + bunkerweb.io/www.example.com_USE_UI: "yes" + bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS: "X-Script-Name /admin" +spec: + rules: + - host: www.example.com + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: svc-bunkerweb-ui + port: + number: 7000 \ No newline at end of file diff --git a/misc/integrations/k8s.postgres.yml b/misc/integrations/k8s.postgres.yml new file mode 100644 index 000000000..a2bda244a --- /dev/null +++ b/misc/integrations/k8s.postgres.yml 
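Review bot: `DATABASE_URI` in the controller and scheduler Deployments still reads `mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db`, but the database here is `postgres:15.1` and `svc-bunkerweb-db` only exposes port 5432, so the connection cannot succeed as written. The URI needs a PostgreSQL scheme and `:5432`; the exact driver name depends on what the images ship, which this patch does not show. The `pvc-bunkerweb` PersistentVolumeClaim is also declared twice at the end of the file and one copy can go. The visible part of k8s.postgres.yml carries the same `DATABASE_URI`.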
@@ -0,0 +1,254 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-bunkerweb +rules: +- apiGroups: [""] + resources: ["services", "pods", "configmaps"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-bunkerweb +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: crb-bunkerweb +subjects: +- kind: ServiceAccount + name: sa-bunkerweb + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: cr-bunkerweb + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bunkerweb +spec: + selector: + matchLabels: + app: bunkerweb + template: + metadata: + labels: + app: bunkerweb + # mandatory annotation + annotations: + bunkerweb.io/AUTOCONF: "yes" + spec: + containers: + - name: bunkerweb + image: bunkerity/bunkerweb:1.4.6 + imagePullPolicy: Always + securityContext: + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ports: + - containerPort: 8080 + hostPort: 80 + - containerPort: 8443 + hostPort: 443 + env: + - name: KUBERNETES_MODE + value: "yes" + # replace with your DNS resolvers + # e.g. 
: kube-dns.kube-system.svc.cluster.local + - name: DNS_RESOLVERS + value: "coredns.kube-system.svc.cluster.local" + - name: USE_API + value: "yes" + # 10.0.0.0/8 is the cluster internal subnet + - name: API_WHITELIST_IP + value: "127.0.0.0/8 10.0.0.0/8" + - name: SERVER_NAME + value: "" + - name: MULTISITE + value: "yes" + livenessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: + - /usr/share/bunkerweb/helpers/healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 1 + failureThreshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-controller + template: + metadata: + labels: + app: bunkerweb-controller + spec: + serviceAccountName: sa-bunkerweb + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-scheduler +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-scheduler + template: + metadata: + labels: + app: bunkerweb-scheduler + spec: + containers: + - name: bunkerweb-controller + image: bunkerity/bunkerweb-autoconf:1.4.6 + imagePullPolicy: Always + env: + - name: KUBERNETES_MODE + value: "yes" + - name: "DATABASE_URI" + value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-redis +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-redis + template: + metadata: + labels: + app: bunkerweb-redis + spec: + containers: + - 
name: bunkerweb-redis + image: redis:7-alpine + imagePullPolicy: Always +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bunkerweb-db +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: bunkerweb-db + template: + metadata: + labels: + app: bunkerweb-db + spec: + containers: + - name: bunkerweb-db + image: postgres:15.1 + imagePullPolicy: Always + env: + - name: "POSTGRES_DB" + value: "db" + - name: "POSTGRES_USER" + value: "bunkerweb" + - name: "POSTGRES_PASSWORD" + value: "changeme" + volumeMounts: + - mountPath: "/var/lib/postgresql/data" + name: vol-db + volumes: + - name: vol-db + persistentVolumeClaim: + claimName: pvc-bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb +spec: + clusterIP: None + selector: + app: bunkerweb +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-db +spec: + type: ClusterIP + selector: + app: bunkerweb-db + ports: + - name: sql + protocol: TCP + port: 5432 + targetPort: 5432 +--- +apiVersion: v1 +kind: Service +metadata: + name: svc-bunkerweb-redis +spec: + type: ClusterIP + selector: + app: bunkerweb-redis + ports: + - name: redis + protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-bunkerweb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" + volumeName: pv-bunkerweb \ No newline at end of file diff --git a/misc/integrations/swarm.mariadb.ui.yml b/misc/integrations/swarm.mariadb.ui.yml new file mode 100644 index 000000000..68f026756 --- /dev/null +++ b/misc/integrations/swarm.mariadb.ui.yml 
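Review bot: The `DATABASE_URI` in both the `bunkerweb-controller` and `bunkerweb-scheduler` Deployments is `mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db`, but this file deploys `postgres:15.1` and `svc-bunkerweb-db` exposes only port 5432. Neither the driver nor the port matches the database, so both pods will presumably fail to connect. Both entries should read `value: "postgresql://bunkerweb:changeme@svc-bunkerweb-db:5432/db"`. The `bunkerweb-scheduler` Deployment also reuses the container name `bunkerweb-controller` and the `bunkerity/bunkerweb-autoconf:1.4.6` image, which looks like the same copy-paste and is worth checking.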
@@ -0,0 +1,127 @@ +version: "3.5" + +services: + bunkerweb: + image: bunkerity/bunkerweb:1.5.0 + ports: + - published: 80 + target: 8080 + mode: host + protocol: tcp + - published: 443 + target: 8443 + mode: host + protocol: tcp + environment: + - SERVER_NAME= + - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db + - SWARM_MODE=yes + - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + networks: + - bw-universe + - bw-services + deploy: + mode: global + placement: + constraints: + - "node.role == worker" + labels: + - "bunkerweb.INSTANCE" + + bw-autoconf: + image: bunkerity/bunkerweb-autoconf:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db + networks: + - bw-universe + - bw-docker + + bw-docker: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONFIGS=1 + - CONTAINERS=1 + - SERVICES=1 + - SWARM=1 + - TASKS=1 + networks: + - bw-docker + deploy: + placement: + constraints: + - "node.role == manager" + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db + networks: + - bw-universe + - bw-docker + + bw-db: + image: mariadb:10.10 + environment: + - MYSQL_RANDOM_ROOT_PASSWORD=yes + - MYSQL_DATABASE=db + - MYSQL_USER=bunkerweb + - MYSQL_PASSWORD=changeme + volumes: + - bw-data:/var/lib/mysql + networks: + - bw-docker + + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + + bw-ui: + image: bunkerity/bunkerweb-ui:1.5.0 + environment: + - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database + - DOCKER_HOST=tcp://bw-docker:2375 + - ADMIN_USERNAME=admin + - ADMIN_PASSWORD=changeme # Remember to set a stronger password for 
the admin user + - ABSOLUTE_URI=http://www.example.com/admin + networks: + - bw-universe + - bw-docker + deploy: + labels: + - bunkerweb.SERVER_NAME=www.example.com + - bunkerweb.USE_UI=yes + - bunkerweb.USE_REVERSE_PROXY=yes + - bunkerweb.REVERSE_PROXY_URL=/admin + - bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000 + - bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /admin + - bunkerweb.INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504 + +volumes: + bw-data: + +networks: + bw-universe: + name: bw-universe + driver: overlay + attachable: true + ipam: + config: + - subnet: 10.20.30.0/24 + bw-services: + name: bw-services + driver: overlay + attachable: true + bw-docker: + name: bw-docker + driver: overlay + attachable: true diff --git a/misc/integrations/swarm.mariadb.yml b/misc/integrations/swarm.mariadb.yml index 8975a96af..95736ac58 100644 --- a/misc/integrations/swarm.mariadb.yml +++ b/misc/integrations/swarm.mariadb.yml @@ -17,6 +17,8 @@ services: - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db - SWARM_MODE=yes - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 networks: - bw-universe @@ -78,6 +80,11 @@ services: networks: - bw-docker + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + volumes: bw-data: diff --git a/misc/integrations/swarm.mysql.ui.yml b/misc/integrations/swarm.mysql.ui.yml new file mode 100644 index 000000000..00eb48b38 --- /dev/null +++ b/misc/integrations/swarm.mysql.ui.yml 
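Review bot: `bw-db` is attached only to `bw-docker`, the network that carries the Docker socket proxy, so the database container can reach `tcp://bw-docker:2375` with the read endpoints the proxy enables. The `bunkerweb` service is given a `DATABASE_URI` for `bw-db` but sits on `bw-universe` and `bw-services`, so it shares no network with the database. I would move database traffic to a dedicated overlay network joined only by the services that need it, as sketched below, and add `bunkerweb` to it only if it really opens that connection. swarm.mysql.ui.yml and swarm.postgres.ui.yml in this commit use the same layout.

```yaml
  bw-db:
    # … unchanged: image, environment, volumes …
    networks:
      - bw-db

  # … unchanged: other services; bw-autoconf, bw-scheduler and bw-ui each add "- bw-db" to their networks …

networks:
  # … unchanged: bw-universe, bw-services, bw-docker …
  bw-db:
    name: bw-db
    driver: overlay
```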
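Review bot: The `bw-redis` service added in the second hunk of swarm.mariadb.yml starts Redis with no authentication, so the only access control is membership of `bw-universe`. The network definition is outside this hunk, but swarm.mariadb.ui.yml in the same commit declares `bw-universe` with `attachable: true`, so any container attached to it could presumably read or change whatever BunkerWeb keeps in Redis. I would at least record that above the service: `# no auth on this Redis: keep bw-universe limited to BunkerWeb components`. The same applies to the `bw-redis` hunks in swarm.mysql.yml and swarm.postgres.yml.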
@@ -0,0 +1,127 @@ +version: "3.5" + +services: + bunkerweb: + image: bunkerity/bunkerweb:1.5.0 + ports: + - published: 80 + target: 8080 + mode: host + protocol: tcp + - published: 443 + target: 8443 + mode: host + protocol: tcp + environment: + - SERVER_NAME= + - DATABASE_URI=mysql+pymysql://bunkerweb:changeme@bw-db:3306/db + - SWARM_MODE=yes + - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + networks: + - bw-universe + - bw-services + deploy: + mode: global + placement: + constraints: + - "node.role == worker" + labels: + - "bunkerweb.INSTANCE" + + bw-autoconf: + image: bunkerity/bunkerweb-autoconf:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=mysql+pymysql://bunkerweb:changeme@bw-db:3306/db + networks: + - bw-universe + - bw-docker + + bw-docker: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONFIGS=1 + - CONTAINERS=1 + - SERVICES=1 + - SWARM=1 + - TASKS=1 + networks: + - bw-docker + deploy: + placement: + constraints: + - "node.role == manager" + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=mysql+pymysql://bunkerweb:changeme@bw-db:3306/db + networks: + - bw-universe + - bw-docker + + bw-db: + image: mysql:8.0 + environment: + - MYSQL_RANDOM_ROOT_PASSWORD=yes + - MYSQL_DATABASE=db + - MYSQL_USER=bunkerweb + - MYSQL_PASSWORD=changeme + volumes: + - bw-data:/var/lib/mysql + networks: + - bw-docker + + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + + bw-ui: + image: bunkerity/bunkerweb-ui:1.5.0 + environment: + - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database + - DOCKER_HOST=tcp://bw-docker:2375 + - ADMIN_USERNAME=admin + - ADMIN_PASSWORD=changeme # Remember to set a stronger password for the admin 
user + - ABSOLUTE_URI=http://www.example.com/admin + networks: + - bw-universe + - bw-docker + deploy: + labels: + - bunkerweb.SERVER_NAME=www.example.com + - bunkerweb.USE_UI=yes + - bunkerweb.USE_REVERSE_PROXY=yes + - bunkerweb.REVERSE_PROXY_URL=/admin + - bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000 + - bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /admin + - bunkerweb.INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504 + +volumes: + bw-data: + +networks: + bw-universe: + name: bw-universe + driver: overlay + attachable: true + ipam: + config: + - subnet: 10.20.30.0/24 + bw-services: + name: bw-services + driver: overlay + attachable: true + bw-docker: + name: bw-docker + driver: overlay + attachable: true diff --git a/misc/integrations/swarm.mysql.yml b/misc/integrations/swarm.mysql.yml index 6b70a98a1..e46142a7c 100644 --- a/misc/integrations/swarm.mysql.yml +++ b/misc/integrations/swarm.mysql.yml @@ -17,6 +17,8 @@ services: - DATABASE_URI=mysql+pymysql://bunkerweb:changeme@bw-db:3306/db - SWARM_MODE=yes - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 networks: - bw-universe @@ -78,6 +80,11 @@ services: networks: - bw-docker + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + volumes: bw-data: diff --git a/misc/integrations/swarm.postgres.ui.yml b/misc/integrations/swarm.postgres.ui.yml new file mode 100644 index 000000000..e2e0f0f2d --- /dev/null +++ b/misc/integrations/swarm.postgres.ui.yml 
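Review bot: The `bw-ui` service uses `DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`, while every other service in this file uses `mysql+pymysql://` and the database image is `mysql:8.0`. The UI would select a different dialect from the rest of the stack against the same server, which is likely to fail or behave differently. The line should read `- DATABASE_URI=mysql+pymysql://bunkerweb:changeme@bw-db:3306/db`, keeping the trailing reminder comment as it is.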
@@ -0,0 +1,126 @@ +version: "3.5" + +services: + bunkerweb: + image: bunkerity/bunkerweb:1.5.0 + ports: + - published: 80 + target: 8080 + mode: host + protocol: tcp + - published: 443 + target: 8443 + mode: host + protocol: tcp + environment: + - SERVER_NAME= + - DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db + - SWARM_MODE=yes + - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + networks: + - bw-universe + - bw-services + deploy: + mode: global + placement: + constraints: + - "node.role == worker" + labels: + - "bunkerweb.INSTANCE" + + bw-autoconf: + image: bunkerity/bunkerweb-autoconf:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db + networks: + - bw-universe + - bw-docker + + bw-docker: + image: tecnativa/docker-socket-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONFIGS=1 + - CONTAINERS=1 + - SERVICES=1 + - SWARM=1 + - TASKS=1 + networks: + - bw-docker + deploy: + placement: + constraints: + - "node.role == manager" + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.5.0 + environment: + - SWARM_MODE=yes + - DOCKER_HOST=tcp://bw-docker:2375 + - DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db + networks: + - bw-universe + - bw-docker + + bw-db: + image: postgres:15.1 + environment: + - POSTGRES_USER=bunkerweb + - POSTGRES_PASSWORD=changeme + - POSTGRES_DB=db + volumes: + - bw-data:/var/lib/postgresql/data + networks: + - bw-docker + + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + + bw-ui: + image: bunkerity/bunkerweb-ui:1.5.0 + environment: + - DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db + - DOCKER_HOST=tcp://bw-docker:2375 + - ADMIN_USERNAME=admin + - ADMIN_PASSWORD=changeme + - ABSOLUTE_URI=http://www.example.com/admin + networks: + - bw-universe + - bw-docker + deploy: + labels: + - 
bunkerweb.SERVER_NAME=www.example.com + - bunkerweb.USE_UI=yes + - bunkerweb.USE_REVERSE_PROXY=yes + - bunkerweb.REVERSE_PROXY_URL=/admin + - bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000 + - bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /admin + - bunkerweb.INTERCEPTED_ERROR_CODES=400 401 405 413 429 500 501 502 503 504 + +volumes: + bw-data: + +networks: + bw-universe: + name: bw-universe + driver: overlay + attachable: true + ipam: + config: + - subnet: 10.20.30.0/24 + bw-services: + name: bw-services + driver: overlay + attachable: true + bw-docker: + name: bw-docker + driver: overlay + attachable: true diff --git a/misc/integrations/swarm.postgres.yml b/misc/integrations/swarm.postgres.yml index 005bf41c6..908308bc7 100644 --- a/misc/integrations/swarm.postgres.yml +++ b/misc/integrations/swarm.postgres.yml @@ -17,6 +17,8 @@ services: - DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db - SWARM_MODE=yes - MULTISITE=yes + - USE_REDIS=yes + - REDIS_HOST=bw-redis - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 networks: - bw-universe @@ -77,6 +79,11 @@ services: networks: - bw-docker + bw-redis: + image: redis:7-alpine + networks: + - bw-universe + volumes: bw-data: diff --git a/src/common/core/misc/confs/default-server-http/page.conf b/src/common/core/misc/confs/default-server-http/page.conf index d1da5e533..f4764ef69 100644 --- a/src/common/core/misc/confs/default-server-http/page.conf +++ b/src/common/core/misc/confs/default-server-http/page.conf @@ -1,4 +1,4 @@ -{% if DISABLE_DEFAULT_SERVER == "no" +%} +{% if IS_LOADING != "yes" and DISABLE_DEFAULT_SERVER == "no" +%} root /usr/share/bunkerweb/core/misc/files; location / { try_files /default.html =404; diff --git a/src/common/core/ui/confs/modsec/ui.conf b/src/common/core/ui/confs/modsec/ui.conf index db9e5c0d3..66cc39de4 100644 --- a/src/common/core/ui/confs/modsec/ui.conf +++ b/src/common/core/ui/confs/modsec/ui.conf 
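Review bot: The `changeme` placeholders in swarm.postgres.ui.yml (`ADMIN_PASSWORD`, `POSTGRES_PASSWORD` and the password inside each `DATABASE_URI`) carry no reminder, unlike the mariadb and mysql variants added in this commit. Since these files are meant to be copied as a starting point, I would repeat the comments on the `bw-ui` entries: `# Remember to set a stronger password for the database` and `# Remember to set a stronger password for the admin user`. The password in `DATABASE_URI` must also be changed together with `POSTGRES_PASSWORD`, which a short comment on `bw-db` could note.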
@@ -1,5 +1,5 @@ {% if USE_UI == "yes" +%} SecRule REQUEST_FILENAME "@rx /services$" "id:1,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog" -SecRule REQUEST_FILENAME "@rx /global_config$" "id:2,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog" +SecRule REQUEST_FILENAME "@rx /global_config$" "id:2,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog" SecRule REQUEST_FILENAME "@rx /configs$" "id:3,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog" {% endif +%} \ No newline at end of file
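Review bot: In the new rule `id:2` the added `ctl:ruleRemoveByTag=platform-pgsql` runs straight into `nolog` with no comma, so the action list ends in `ctl:ruleRemoveByTag=platform-pgsqlnolog`. The tag is then read as `platform-pgsqlnolog`, which presumably matches no rule, and the rule loses its `nolog` action. The false positive on `/global_config` that this change targets would therefore remain. The tail of the action string should be `ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsql,nolog"`, matching how rules 1 and 3 end.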