From cfe5c6063a262bb09eb12f9ce7633e616ff75b71 Mon Sep 17 00:00:00 2001 From: florian Date: Mon, 13 Mar 2023 09:42:22 +0100 Subject: [PATCH] examples refactoring --- .../bw-data/configs/http/upstream.conf | 5 - examples/load-balancer/docker-compose.yml | 18 +--- examples/magento/autoconf.yml | 23 +++- examples/magento/docker-compose.yml | 72 ++++++------- examples/magento/setup-autoconf.sh | 10 -- examples/magento/setup-docker.sh | 10 -- examples/magento/swarm.yml | 26 +++-- examples/mattermost/autoconf.yml | 24 ++++- examples/mattermost/docker-compose.yml | 70 +++++------- examples/mattermost/init-db.sh | 22 ---- examples/mongo-express/autoconf.yml | 5 +- examples/mongo-express/docker-compose.yml | 21 ++-- examples/mongo-express/swarm.yml | 4 +- examples/moodle/autoconf.yml | 43 +++++--- examples/moodle/docker-compose.yml | 75 ++++++------- examples/moodle/swarm.yml | 31 ++++-- examples/nextcloud/autoconf.yml | 22 +++- examples/nextcloud/docker-compose.yml | 101 +++++++++--------- examples/nextcloud/swarm.yml | 22 +++- examples/passbolt/autoconf.yml | 30 ++++-- examples/passbolt/docker-compose.yml | 69 +++++------- examples/passbolt/swarm.yml | 31 ++++-- .../server-http/modsecurity-rules.conf.modsec | 2 +- src/common/core/ui/confs/modsec/ui.conf | 8 +- 24 files changed, 392 insertions(+), 352 deletions(-) delete mode 100644 examples/load-balancer/bw-data/configs/http/upstream.conf delete mode 100755 examples/magento/setup-autoconf.sh delete mode 100755 examples/magento/setup-docker.sh delete mode 100644 examples/mattermost/init-db.sh diff --git a/examples/load-balancer/bw-data/configs/http/upstream.conf b/examples/load-balancer/bw-data/configs/http/upstream.conf deleted file mode 100644 index 6698913aa..000000000 --- a/examples/load-balancer/bw-data/configs/http/upstream.conf +++ /dev/null @@ -1,5 +0,0 @@ -upstream app { - server app1:80; - server app2:80; - server app3:80; -} 
diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml index f57581f9d..e1885aa8f 100644 --- a/examples/load-balancer/docker-compose.yml +++ b/examples/load-balancer/docker-compose.yml @@ -6,14 +6,6 @@ services: ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data # contains upstreams definition at http context environment: - SERVER_NAME=www.example.com # replace with your domain - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 @@ -43,21 +35,21 @@ services: depends_on: - mybunker environment: - - DOCKER_HOST=tcp://docker-proxy:2375 + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker app1: image: tutum/hello-world @@ -84,4 +76,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/magento/autoconf.yml b/examples/magento/autoconf.yml index 1698a0aac..f9d0c920e 100644 --- a/examples/magento/autoconf.yml +++ b/examples/magento/autoconf.yml @@ -8,7 +8,7 @@ services: aliases: - mymagento volumes: - - ./magento-data:/bitnami/magento + - magento-data:/bitnami/magento environment: - MAGENTO_USERNAME=admin # replace with admin username - MAGENTO_PASSWORD=changeme42 # replace with a stronger password 
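Review bot: With the `bw-data` mount removed from `mybunker` here and `upstream.conf` (the only definition of `upstream app`) deleted in the previous hunk, nothing left in this example defines the `app` upstream any more; the diffstat shows this file gaining only the three rename lines, so no replacement lands here. If the `REVERSE_PROXY_HOST` entries outside this hunk still point at `app`, nginx will refuse the generated config at start. Either keep the upstream snippet under the scheduler's `bw-data` volume (the scheduler still mounts it in the next hunk) or point the reverse proxy at the backends directly, and say which in a comment on the `environment:` block.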
@@ -41,9 +41,26 @@ services: # ⚠️ you need to create the directory and fix permissions ⚠️ # see setup-autoconf.sh volumes: - - ./elasticsearch-data:/bitnami/elasticsearch/data + - elasticsearch-data:/bitnami/elasticsearch/data - # For the database, you can refer to the autoconf integration example including a database + mydb: + image: mariadb:10.2 + networks: + bw-services: + aliases: + - mydb + volumes: + - db-data:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=magentodb + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD) + +volumes: + magento-data: + elasticsearch-data: + db-data: networks: bw-services: diff --git a/examples/magento/docker-compose.yml b/examples/magento/docker-compose.yml index f8c98097c..5ff390144 100644 --- a/examples/magento/docker-compose.yml +++ b/examples/magento/docker-compose.yml 
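Review bot: The context lines `# ⚠️ you need to create the directory and fix permissions ⚠️` / `# see setup-autoconf.sh` above the `elasticsearch-data` mount are now stale: the mount is a named volume and `setup-autoconf.sh` is deleted in this same commit, so both comment lines should go (the matching `# see setup-docker.sh` pair survives in `magento/docker-compose.yml`). The new `mydb` service pins `mariadb:10.2`, an end-of-life branch that no longer receives security fixes, while the file being refactored used `10.10`; `image: mariadb:10.10` is the safer pin here and in the `mydb` blocks added to `magento/docker-compose.yml` and `magento/swarm.yml`. Those same blocks replace `MARIADB_RANDOM_ROOT_PASSWORD` with a fixed `MYSQL_ROOT_PASSWORD=db-root-pwd`; since nothing in the example needs root access, `MARIADB_RANDOM_ROOT_PASSWORD=yes` avoids shipping a known root credential that users tend to leave in place.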
@@ -1,35 +1,27 @@ version: "3" -x-bunkerweb-env: &bunkerweb-env - DATABASE_URI: "mariadb+pymysql://${MAGENTO_USER:-user}:${MAGENTO_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" - services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - <<: *bunkerweb-env - SERVER_NAME: "www.example.com" # replace with your domain - API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" - SERVE_FILES: "no" - DISABLE_DEFAULT_SERVER: "yes" - AUTO_LETS_ENCRYPT: "yes" - USE_CLIENT_CACHE: "yes" - USE_GZIP: "yes" - USE_REVERSE_PROXY: "yes" - REVERSE_PROXY_URL: "/" - REVERSE_PROXY_HOST: "http://mymagento:8080" - CUSTOM_CONF_SERVER_HTTP_magento: "proxy_busy_buffers_size 512k;proxy_buffers 4 512k;proxy_buffer_size 256k;" + - SERVER_NAME=www.example.com # replace with your domain + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + - SERVE_FILES=no + - DISABLE_DEFAULT_SERVER=yes + - AUTO_LETS_ENCRYPT=yes + - USE_CLIENT_CACHE=yes + - USE_GZIP=yes + - USE_REVERSE_PROXY=yes + - REVERSE_PROXY_URL=/ + - REVERSE_PROXY_HOST=http://mymagento:8080 + - | + CUSTOM_CONF_SERVER_HTTP_magento= + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: 
@@ -41,27 +33,26 @@ services: depends_on: - mybunker environment: - <<: *bunkerweb-env - DOCKER_HOST: "tcp://docker-proxy:2375" + - DOCKER_HOST=tcp://bw-docker-proxy:2375" volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker mymagento: image: bitnami/magento:2 volumes: - - ./magento-data:/bitnami/magento + - magento-data:/bitnami/magento environment: - MAGENTO_USERNAME=admin # replace with admin username - MAGENTO_PASSWORD=changeme42 # replace with a stronger password @@ -70,9 +61,9 @@ services: - MAGENTO_ENABLE_HTTPS=yes - MAGENTO_ENABLE_ADMIN_HTTPS=yes - MAGENTO_DATABASE_HOST=mydb - - MAGENTO_DATABASE_NAME=${MAGENTO_DATABASE:-magentodb} - - MAGENTO_DATABASE_USER=${MAGENTO_USER:-user} - - MAGENTO_DATABASE_PASSWORD=${MAGENTO_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + - MAGENTO_DATABASE_NAME=mangentodb + - MAGENTO_DATABASE_USER=user + - MAGENTO_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) - ELASTICSEARCH_HOST=myelasticsearch networks: - bw-services 
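Review bot: The new scheduler line `- DOCKER_HOST=tcp://bw-docker-proxy:2375"` carries a stray trailing double quote, so the value handed to the Docker client is `tcp://bw-docker-proxy:2375"` and the scheduler cannot reach the socket proxy. It should read `- DOCKER_HOST=tcp://bw-docker-proxy:2375`, as the same line does in the other examples touched by this commit.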
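Review bot: `MAGENTO_DATABASE_NAME=mangentodb` is misspelled; the `mydb` service in the following hunk creates `MYSQL_DATABASE=magentodb`, so Magento will try to connect to a database that does not exist. Change the line to `- MAGENTO_DATABASE_NAME=magentodb`.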
@@ -82,24 +73,27 @@ services: # ⚠️ you need to create the directory and fix permissions ⚠️ # see setup-docker.sh volumes: - - ./elasticsearch-data:/bitnami/elasticsearch/data + - elasticsearch-data:/bitnami/elasticsearch/data networks: - bw-services mydb: - image: mariadb:10.10 + image: mariadb:10.2 volumes: - db-data:/var/lib/mysql environment: - MARIADB_RANDOM_ROOT_PASSWORD: "yes" - entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MAGENTO_USER:-user}\"; CREATE USER \"${MAGENTO_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MAGENTO_DATABASE:-magentodb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MAGENTO_DATABASE:-magentodb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" - networks: - - bw-universe + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=magentodb + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD) + network: - bw-services volumes: bw-data: db-data: + magento-data: + elasticsearch-data: networks: bw-universe: @@ -108,4 +102,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/magento/setup-autoconf.sh b/examples/magento/setup-autoconf.sh deleted file mode 100755 index 49d951315..000000000 --- a/examples/magento/setup-autoconf.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - -mkdir elasticsearch-data -chown 1001:1001 elasticsearch-data -chmod 770 elasticsearch-data 
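Review bot: The `mydb` service uses `network:` instead of `networks:`; Compose validates service keys, so the stack is refused with an unsupported-option error, and if it were accepted the database would not join `bw-services` and `mymagento` could not reach it. The line should be `networks:`. The context comment `# see setup-docker.sh` above the `elasticsearch-data` mount also refers to a script deleted in this commit and no longer applies to a named volume, so both warning lines can be dropped.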
diff --git a/examples/magento/setup-docker.sh b/examples/magento/setup-docker.sh deleted file mode 100755 index 504e538fe..000000000 --- a/examples/magento/setup-docker.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -if [ $(id -u) -ne 0 ] ; then - echo "❌ Run me as root" - exit 1 -fi - -mkdir elasticsearch-data -chown 1001:1001 elasticsearch-data -chmod 770 elasticsearch-data \ No newline at end of file diff --git a/examples/magento/swarm.yml b/examples/magento/swarm.yml index 71f8e5e93..691cb1a0c 100644 --- a/examples/magento/swarm.yml +++ b/examples/magento/swarm.yml @@ -6,7 +6,7 @@ services: networks: - bw-services volumes: - - magento_data:/bitnami/magento + - magento-data:/bitnami/magento environment: - MAGENTO_USERNAME=admin # replace with admin username - MAGENTO_PASSWORD=changeme42 # replace with a stronger password @@ -34,13 +34,27 @@ services: networks: - bw-services volumes: - - elasticsearch_data:/bitnami/elasticsearch/data + - elasticsearch-data:/bitnami/elasticsearch/data deploy: placement: constraints: - "node.role==worker" - # For the database, you can refer to the swarm integration example including a database + mydb: + image: mariadb:10.2 + networks: + - bw-services + volumes: + - db-data:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=magentodb + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD) + deploy: + placement: + constraints: + - "node.role==worker" networks: bw-services: @@ -48,6 +62,6 @@ networks: name: bw-services volumes: - db_data: - elasticsearch_data: - magento_data: + db-data: + elasticsearch-data: + magento-data: diff --git a/examples/mattermost/autoconf.yml b/examples/mattermost/autoconf.yml index 3048104f4..3ee6db7dd 100644 --- a/examples/mattermost/autoconf.yml +++ b/examples/mattermost/autoconf.yml 
@@ -63,7 +63,29 @@ services: - bunkerweb.LIMIT_REQ_URL_3=^/static/ - bunkerweb.LIMIT_REQ_RATE_3=10r/s - # For the postgres database, you can refer to the autoconf integration example including a postgres database + postgres: + image: postgres:${POSTGRES_IMAGE_TAG} + networks: + bw-services: + aliases: + - postgres + restart: ${RESTART_POLICY} + security_opt: + - no-new-privileges:true + pids_limit: 100 + read_only: true + tmpfs: + - /tmp + - /var/run/postgresql + volumes: + - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data + environment: + # timezone inside container + - TZ + # necessary Postgres options/variables + - POSTGRES_USER + - POSTGRES_PASSWORD + - POSTGRES_DB networks: bw-services: diff --git a/examples/mattermost/docker-compose.yml b/examples/mattermost/docker-compose.yml index 118538ced..0f0346842 100644 --- a/examples/mattermost/docker-compose.yml +++ b/examples/mattermost/docker-compose.yml 
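Review bot: The new `postgres` service reads `POSTGRES_IMAGE_TAG`, `RESTART_POLICY` and `POSTGRES_DATA_PATH` from the environment with no fallback, and `POSTGRES_USER`/`POSTGRES_PASSWORD`/`POSTGRES_DB` are bare pass-through entries, but nothing in this file says where they are expected to come from (presumably a `.env` next to it, as in the docker-compose variant). A comment above the service such as `# POSTGRES_* and RESTART_POLICY are read from the .env file in this directory` would save users a confusing pull error on an empty `postgres:` tag. For the required values the `${VAR:?message}` form fails fast and explicitly, e.g. `image: postgres:${POSTGRES_IMAGE_TAG:?set POSTGRES_IMAGE_TAG in .env}`.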
@@ -1,54 +1,41 @@ version: "3" -x-bunkerweb-env: &bunkerweb-env - DATABASE_URI: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${BUNKERWEB_DATABASE:-bunkerweb}" - services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - <<: *bunkerweb-env - SERVER_NAME: "${DOMAIN}" # set your domain name in the .env file, for additional domains, just add them separated by a space - API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" - AUTO_LETS_ENCRYPT: "yes" - DISABLE_DEFAULT_SERVER: "yes" - USE_CLIENT_CACHE: "yes" - SERVE_FILES: "no" - MAX_CLIENT_SIZE: "50m" - USE_GZIP: "yes" + - SERVER_NAME=www.example.com # replace with your domain + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - USE_CLIENT_CACHE=yes + - SERVE_FILES=no + - MAX_CLIENT_SIZE=50m + - USE_GZIP=yes # Methods used to query the api # more info at https://api.mattermost.com/ - ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT" + - ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT # Reverse proxy to Mattermost # second endpoint needs websocket enabled # more info at https://docs.mattermost.com/install/config-proxy-nginx.html - USE_REVERSE_PROXY: "yes" - REVERSE_PROXY_INTERCEPT_ERRORS: "no" - REVERSE_PROXY_URL_1: "/" - REVERSE_PROXY_HOST_1: "http://mattermost:8065" - REVERSE_PROXY_URL_2: "~ /api/v[0-9]+/(users/)?websocket$$" - REVERSE_PROXY_HOST_2: "http://mattermost:8065" - REVERSE_PROXY_WS_2: "yes" + - USE_REVERSE_PROXY=yes + - REVERSE_PROXY_INTERCEPT_ERRORS=no + - REVERSE_PROXY_URL_1=/ + - 
REVERSE_PROXY_HOST_1=http://mattermost:8065 + - REVERSE_PROXY_URL_2=~ /api/v[0-9]+/(users/)?websocket$$ + - REVERSE_PROXY_HOST_2=http://mattermost:8065 + - REVERSE_PROXY_WS_2=yes # Default limit rate for URLs - LIMIT_REQ_URL_1: "/" - LIMIT_REQ_RATE_1: "3r/s" + - LIMIT_REQ_URL_1=/ + - LIMIT_REQ_RATE_1=3r/s # Limit rate for api endpoints - LIMIT_REQ_URL_2: "^/api/" - LIMIT_REQ_RATE_2: "10r/s" + - LIMIT_REQ_URL_2=^/api/ + - LIMIT_REQ_RATE_2=10r/s # Limit rate for static resources - LIMIT_REQ_URL_3: "^/static/" - LIMIT_REQ_RATE_3: "10r/s" + - LIMIT_REQ_URL_3=^/static/ + - LIMIT_REQ_RATE_3=10r/s labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: @@ -60,22 +47,21 @@ services: depends_on: - mybunker environment: - <<: *bunkerweb-env - DOCKER_HOST: "tcp://docker-proxy:2375" + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker mattermost: depends_on: @@ -124,16 +110,14 @@ services: - /var/run/postgresql volumes: - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data - - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh environment: # timezone inside container - TZ # necessary Postgres options/variables - POSTGRES_USER - POSTGRES_PASSWORD - - POSTGRES_MULTIPLE_DATABASES=${POSTGRES_DB},${BUNKERWEB_DATABASE:-bunkerweb} + - POSTGRES_DB networks: - - bw-universe - bw-services volumes: @@ -146,4 +130,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/mattermost/init-db.sh b/examples/mattermost/init-db.sh deleted file mode 100644 index 18c0f96b9..000000000 --- a/examples/mattermost/init-db.sh +++ /dev/null 
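Review bot: `API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"` is removed from `mybunker` here without a replacement in the list-form environment, while the magento example in this same commit keeps `- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24`; unless the 1.5.0 default already admits the `bw-universe` subnet, the scheduler on 10.20.30.0/24 can no longer call the instance API. The same line is dropped in `moodle/docker-compose.yml` and `nextcloud/docker-compose.yml`. Keeping the explicit whitelist is also the least-privilege choice, since together with the `bw-universe` network it is what limits who can push configuration to the instance. `SERVER_NAME: "${DOMAIN}"` also becomes a hard-coded `www.example.com`; if the `mattermost` service outside this hunk still derives its site URL from `DOMAIN` in `.env`, the two can silently diverge.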
@@ -1,22 +0,0 @@ -#!/bin/bash - -set -e -set -u - -function create_user_and_database() { - local database=$1 - echo " Creating user and database '$database'" - psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL - CREATE USER $database; - CREATE DATABASE $database; - GRANT ALL PRIVILEGES ON DATABASE $database TO $database; -EOSQL -} - -if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then - echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES" - for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do - create_user_and_database $db - done - echo "Multiple databases created" -fi \ No newline at end of file diff --git a/examples/mongo-express/autoconf.yml b/examples/mongo-express/autoconf.yml index aaa88eb99..75652de5b 100644 --- a/examples/mongo-express/autoconf.yml +++ b/examples/mongo-express/autoconf.yml @@ -8,7 +8,7 @@ services: aliases: - mongo volumes: - - ./db:/data/db + - db-data:/data/db environment: - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password @@ -38,6 +38,9 @@ services: bunkerweb.CUSTOM_CONF_MODSEC_mongo-express= SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog" +volumes: + db-data: + networks: bw-services: external: diff --git a/examples/mongo-express/docker-compose.yml b/examples/mongo-express/docker-compose.yml index 99fcfec61..35ee63dfc 100644 --- a/examples/mongo-express/docker-compose.yml +++ b/examples/mongo-express/docker-compose.yml 
@@ -6,14 +6,6 @@ services: ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - SERVER_NAME=www.example.com # replace with your domain - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 @@ -39,26 +31,26 @@ services: depends_on: - mybunker environment: - - DOCKER_HOST=tcp://docker-proxy:2375 + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker mongo: image: mongo:5.0.14 volumes: - - ./db:/data/db + - db-data:/data/db environment: - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password @@ -82,6 +74,7 @@ services: volumes: bw-data: + db-data: networks: bw-universe: @@ -90,4 +83,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/mongo-express/swarm.yml b/examples/mongo-express/swarm.yml index 6713d01d8..0ae36065e 100644 --- a/examples/mongo-express/swarm.yml +++ b/examples/mongo-express/swarm.yml @@ -6,7 +6,7 @@ services: networks: - bw-services volumes: - - db:/data/db + - db-data:/data/db environment: - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password @@ -48,4 +48,4 @@ networks: name: bw-services volumes: - db: + db-data: 
diff --git a/examples/moodle/autoconf.yml b/examples/moodle/autoconf.yml index 541c3029c..fef833e33 100644 --- a/examples/moodle/autoconf.yml +++ b/examples/moodle/autoconf.yml 
@@ -10,27 +10,38 @@ services: depends_on: - mydb volumes: - - moodle_files:/bitnami/moodle - - moodle_data:/bitnami/moodledata + - moodle-files:/bitnami/moodle + - moodle-data:/bitnami/moodledata environment: - - MOODLE_USERNAME=admin # replace with your moodle admin username - - MOODLE_PASSWORD=password # replace with your moodle admin password - - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email - - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name + - MOODLE_USERNAME=admin # replace with your moodle admin username + - MOODLE_PASSWORD=password # replace with your moodle admin password + - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email + - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name - MOODLE_DATABASE_HOST=mydb - - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb} - - MOODLE_DATABASE_USER=${MOODLE_USER:-user} - - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # replace with a stronger password (must match MYSQL_PASSWORD) + - MOODLE_DATABASE_NAME=moodle + - MOODLE_DATABASE_USER=user + - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) labels: - bunkerweb.SERVER_NAME=www.example.com - bunkerweb.USE_REVERSE_PROXY=yes - bunkerweb.REVERSE_PROXY_URL=/ - bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443 - # For the database, you can refer to the autoconf integration example including a database - # In this example, you will need to add the following lines to the mydb service: - # - MARIADB_CHARACTER_SET=utf8mb4 - # - MARIADB_COLLATE=utf8mb4_unicode_ci + mydb: + image: mariadb:10.5 + volumes: + - db-data:/var/lib/mysql + networks: + bw-services: + aliases: + - mydb + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=moodle + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD) + - MARIADB_CHARACTER_SET=utf8mb4 + - 
MARIADB_COLLATE=utf8mb4_unicode_ci networks: bw-services: @@ -38,6 +49,6 @@ networks: name: bw-services volumes: - db_data: - moodle_files: - moodle_data: + db-data: + moodle-files: + moodle-data: diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml index fdfe6c213..6e5ee8777 100644 --- a/examples/moodle/docker-compose.yml +++ b/examples/moodle/docker-compose.yml @@ -1,35 +1,22 @@ version: "3" -x-bunkerweb-env: &bunkerweb-env - DATABASE_URI: "mariadb+pymysql://${MOODLE_USER:-user}:${MOODLE_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" - services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - <<: *bunkerweb-env - SERVER_NAME: "www.example.com" # replace with your domain - API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" - AUTO_LETS_ENCRYPT: "yes" - DISABLE_DEFAULT_SERVER: "yes" - MAX_CLIENT_SIZE: "50m" - SERVE_FILES: "no" - USE_CLIENT_CACHE: "yes" - USE_GZIP: "yes" - USE_REVERSE_PROXY: "yes" - REVERSE_PROXY_URL: "/" - REVERSE_PROXY_HOST: "https://mymoodle:8443" + - SERVER_NAME=www.example.com # replace with your domain + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - MAX_CLIENT_SIZE=50m + - SERVE_FILES=no + - USE_CLIENT_CACHE=yes + - USE_GZIP=yes + - USE_REVERSE_PROXY=yes + - REVERSE_PROXY_URL=/ + - REVERSE_PROXY_HOST=https://mymoodle:8443 labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: 
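Review bot: `MARIADB_CHARACTER_SET=utf8mb4` and `MARIADB_COLLATE=utf8mb4_unicode_ci` are not variables the official `mariadb` image documents, so on `mariadb:10.5` they are most likely ignored and the server keeps its default charset; what actually set it before was the `--character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci` flags in the entrypoint removed from `moodle/docker-compose.yml` in this commit. Replace the two env entries on `mydb` with `command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci`; the same two lines appear in the `mydb` blocks added to `moodle/docker-compose.yml` and `moodle/swarm.yml`. Moodle's environment check inspects the database charset, so this is likely to surface at install time rather than stay hidden.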
@@ -41,56 +28,60 @@ services: depends_on: - mybunker environment: - <<: *bunkerweb-env - DOCKER_HOST: "tcp://docker-proxy:2375" + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker mymoodle: image: bitnami/moodle:4.1.0 depends_on: - mydb volumes: - - ./moodle-files:/bitnami/moodle - - ./moodle-data:/bitnami/moodledata + - moodle-files:/bitnami/moodle + - moodle-data:/bitnami/moodledata environment: - - MOODLE_USERNAME=admin # replace with your moodle admin username - - MOODLE_PASSWORD=password # replace with your moodle admin password - - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email - - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name + - MOODLE_USERNAME=admin # replace with your moodle admin username + - MOODLE_PASSWORD=password # replace with your moodle admin password + - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email + - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name - MOODLE_DATABASE_HOST=mydb - - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb} - - MOODLE_DATABASE_USER=${MOODLE_USER:-user} - - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + - MOODLE_DATABASE_NAME=moodle + - MOODLE_DATABASE_USER=user + - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) networks: - bw-services mydb: - image: mariadb:10.10 + image: mariadb:10.5 volumes: - db-data:/var/lib/mysql environment: - MARIADB_RANDOM_ROOT_PASSWORD: "yes" - entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MOODLE_USER:-user}\"; CREATE USER \"${MOODLE_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MOODLE_DATABASE:-moodledb}; CREATE 
DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MOODLE_DATABASE:-moodledb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=moodle + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD) + - MARIADB_CHARACTER_SET=utf8mb4 + - MARIADB_COLLATE=utf8mb4_unicode_ci networks: - - bw-universe - bw-services volumes: bw-data: db-data: + moodle-files: + moodle-data: networks: bw-universe: @@ -99,4 +90,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/moodle/swarm.yml b/examples/moodle/swarm.yml index 9e62e4475..654404dd6 100644 --- a/examples/moodle/swarm.yml +++ b/examples/moodle/swarm.yml @@ -8,8 +8,8 @@ services: depends_on: - mydb volumes: - - moodle_files:/bitnami/moodle - - moodle_data:/bitnami/moodledata + - moodle-files:/bitnami/moodle + - moodle-data:/bitnami/moodledata environment: - MOODLE_USERNAME=admin # replace with your moodle admin username - MOODLE_PASSWORD=password # replace with your moodle admin password 
@@ -29,10 +29,23 @@ services: - bunkerweb.REVERSE_PROXY_URL=/ - bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443 - # For the database, you can refer to the swarm integration example including a database - # In this example, you will need to add the following lines to the mydb service: - # - MARIADB_CHARACTER_SET=utf8mb4 - # - MARIADB_COLLATE=utf8mb4_unicode_ci + mydb: + image: mariadb:10.5 + volumes: + - db_data:/var/lib/mysql + networks: + - bw-services + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=moodle + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD) + - MARIADB_CHARACTER_SET=utf8mb4 + - MARIADB_COLLATE=utf8mb4_unicode_ci + deploy: + placement: + constraints: + - "node.role==worker" networks: bw-services: @@ -40,6 +53,6 @@ networks: name: bw-services volumes: - db_data: - moodle_files: - moodle_data: + db-data: + moodle-files: + moodle-data: diff --git a/examples/nextcloud/autoconf.yml b/examples/nextcloud/autoconf.yml index 869a8205d..db7998c28 100644 --- a/examples/nextcloud/autoconf.yml +++ b/examples/nextcloud/autoconf.yml @@ -4,7 +4,7 @@ services: mync: image: nextcloud:stable-apache volumes: - - ./nc-files:/var/www/html + - nc-files:/var/www/html networks: bw-services: aliases: 
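Review bot: The new `mydb` service mounts `db_data:/var/lib/mysql`, but the top-level `volumes:` section in the next hunk is renamed to `db-data:`, so the stack references an undefined volume and `docker stack deploy` will reject it. The mount line should be `- db-data:/var/lib/mysql`, matching the autoconf and docker-compose variants.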
@@ -56,7 +56,25 @@ services: bunkerweb.CUSTOM_CONF_MODSEC_nextcloud= SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog" - # For the database, you can refer to the autoconf integration example including a database + + mydb: + image: mariadb + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + volumes: + - db-data:/var/lib/mysql + networks: + bw-services: + aliases: + - mydb + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=nc + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + +volumes: + nc-files: + db-data: networks: bw-services: diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml index 6519e18c2..8c3ae2cb5 100644 --- a/examples/nextcloud/docker-compose.yml +++ b/examples/nextcloud/docker-compose.yml 
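Review bot: `image: mariadb` with no tag floats on `latest`, so this example pulls whichever major version is current at deploy time and can break or change behaviour with no change in the file; the docker-compose and swarm variants in this commit pin `mariadb:10.9`, and a pinned tag (`image: mariadb:10.9`, or a longer-support branch) belongs here as well. The inline comment on `MYSQL_PASSWORD` reads `(must match MYSQL_PASSWORD)`, which is self-referential; it should name the consumer, e.g. `# replace with a stronger password (must match MYSQL_PASSWORD on the mync service)`, assuming `mync` takes its credentials through that variable. The same comment is repeated in the `mydb` blocks of `nextcloud/docker-compose.yml` and `nextcloud/swarm.yml`.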
@@ -1,49 +1,51 @@ version: "3" -x-bunkerweb-env: &bunkerweb-env - DATABASE_URI: "mariadb+pymysql://${NEXTCLOUD_USER:-user}:${NEXTCLOUD_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" - services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - <<: *bunkerweb-env - SERVER_NAME: "www.example.com" # replace with your domain - API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" - AUTO_LETS_ENCRYPT: "yes" - DISABLE_DEFAULT_SERVER: "yes" - MAX_CLIENT_SIZE: "10G" - USE_CLIENT_CACHE: "yes" - SERVE_FILES: "no" - ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS" - X_FRAME_OPTIONS: "SAMEORIGIN" - USE_GZIP: "yes" - BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444" - USE_REVERSE_PROXY: "yes" - REVERSE_PROXY_URL: "/" - REVERSE_PROXY_HOST: "http://mync" - LIMIT_REQ_URL_1: "/apps" - LIMIT_REQ_RATE_1: "5r/s" - LIMIT_REQ_URL_2: "/apps/text/session/sync" - LIMIT_REQ_RATE_2: "8r/s" - LIMIT_REQ_URL_3: "/core/preview" - LIMIT_REQ_RATE_3: "5r/s" - CUSTOM_CONF_MODSEC_CRS_nextcloud: - 'SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1" - - # WebDAV SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:''tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS''"' - CUSTOM_CONF_MODSEC_nextcloud: 'SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"' + - SERVER_NAME=www.example.com # 
replace with your domain + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - MAX_CLIENT_SIZE=10G + - USE_CLIENT_CACHE=yes + - SERVE_FILES=no + - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS + - X_FRAME_OPTIONS=SAMEORIGIN + - USE_GZIP=yes + - BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444 + - USE_REVERSE_PROXY=yes + - REVERSE_PROXY_URL=/ + - REVERSE_PROXY_HOST=http://mync + - LIMIT_REQ_URL_1=/apps + - LIMIT_REQ_RATE_1=5r/s + - LIMIT_REQ_URL_2=/apps/text/session/sync + - LIMIT_REQ_RATE_2=8r/s + - LIMIT_REQ_URL_3=/core/preview + - LIMIT_REQ_RATE_3=5r/s + - | + CUSTOM_CONF_MODSEC_CRS_nextcloud= + SecAction \ + "id:900130,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.crs_exclusions_nextcloud=1" + # WebDAV + SecAction \ + "id:900200,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'" + - | + CUSTOM_CONF_MODSEC_nextcloud= + SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog" labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: @@ -55,27 +57,26 @@ services: depends_on: - mybunker environment: - <<: *bunkerweb-env - DOCKER_HOST: "tcp://docker-proxy:2375" + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker mync: image: nextcloud:24-apache volumes: - - ./nc-files:/var/www/html + - nc-files:/var/www/html environment: - NEXTCLOUD_ADMIN_USER=admin # replace with the admin username - NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password 
@@ -90,12 +91,15 @@ services: - bw-services mydb: - image: mariadb:10.10 + image: mariadb:10.9 + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW volumes: - - db-data:/var/lib/mysql + - ./db-data:/var/lib/mysql environment: - MARIADB_RANDOM_ROOT_PASSWORD: "yes" - entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${NEXTCLOUD_USER:-user}\"; CREATE USER \"${NEXTCLOUD_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${NEXTCLOUD_DATABASE:-nextclouddb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${NEXTCLOUD_DATABASE:-nextclouddb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=nc + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) networks: - bw-universe - bw-services @@ -103,6 +107,7 @@ services: volumes: bw-data: db-data: + nc-files: networks: bw-universe: @@ -111,4 +116,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/nextcloud/swarm.yml b/examples/nextcloud/swarm.yml index 9505d1148..aeb013526 100644 --- a/examples/nextcloud/swarm.yml +++ b/examples/nextcloud/swarm.yml @@ -4,7 +4,7 @@ services: mync: image: nextcloud:24-apache volumes: - - nc_files:/var/www/html + - nc-files:/var/www/html networks: - bw-services environment: 
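Review bot: `- ./db-data:/var/lib/mysql` turns mydb's storage into a bind mount while the top-level `volumes:` stanza (extended in the next hunk to add `nc-files:`) still declares a named `db-data` volume that nothing uses any more; since `mync` moves the opposite way in this same file (`./nc-files` → `nc-files`) and the swarm variant mounts `db-data:/var/lib/mysql`, this looks like an inverted edit and `- db-data:/var/lib/mysql` is probably what was meant. Independently, the `MARIADB_RANDOM_ROOT_PASSWORD`/`${…:-…}`-driven credentials are replaced with literal `db-root-pwd`/`db-user-pwd` placeholders here and in the nextcloud swarm and passbolt autoconf/docker-compose/swarm hunks that follow; keeping the `.env` substitution (or, for the swarm files, Docker secrets via the image's `*_FILE` variables) would stop the examples being deployed verbatim with publicly known passwords. The `(must match MYSQL_PASSWORD)` comment sits on mydb's own `MYSQL_PASSWORD` line and so points at itself; it should name the consumer, e.g. `# replace with a stronger password (must match MYSQL_PASSWORD on the mync service)`.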
@@ -37,7 +37,22 @@ services: - bunkerweb.LIMIT_REQ_URL_3=/core/preview - bunkerweb.LIMIT_REQ_RATE_3=5r/s - # For the database, you can refer to the swarm integration example including a database + mydb: + image: mariadb:10.9 + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW + volumes: + - db-data:/var/lib/mysql + networks: + - bw-services + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=nc + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + deploy: + placement: + constraints: + - "node.role==worker" networks: bw-services: @@ -45,4 +60,5 @@ networks: name: bw-services volumes: - nc_files: + nc-files: + db-data: diff --git a/examples/passbolt/autoconf.yml b/examples/passbolt/autoconf.yml index 7ae791667..73d3f2cc5 100644 --- a/examples/passbolt/autoconf.yml +++ b/examples/passbolt/autoconf.yml @@ -12,14 +12,13 @@ services: - mypassbolt environment: - APP_FULL_BASE_URL=https://www.example.com # replace with your URL - - PASSBOLT_SSL_FORCE=false - DATASOURCES_DEFAULT_HOST=mydb - - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb} - - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user} - - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_USERNAME=user + - DATASOURCES_DEFAULT_DATABASE=passbolt volumes: - - gpg_volume:/etc/passbolt/gpg - - jwt_volume:/etc/passbolt/jwt + - gpg-data:/etc/passbolt/gpg + - jwt-data:/etc/passbolt/jwt command: [ "/usr/bin/wait-for.sh", 
@@ -37,11 +36,24 @@ services: - bunkerweb.REVERSE_PROXY_URL=/ - bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt - # For the database, you can refer to the autoconf integration example including a database + mydb: + image: mariadb + volumes: + - db-data:/var/lib/mysql + networks: + bw-services: + aliases: + - mydb + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=passbolt + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD) volumes: - gpg_volume: - jwt_volume: + gpg-data: + jwt-data: + db-data: networks: bw-services: diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml index 5da776479..9854e02ba 100644 --- a/examples/passbolt/docker-compose.yml +++ b/examples/passbolt/docker-compose.yml 
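Review bot: `image: mariadb` carries no tag, so this new mydb service (and the identical one added to the passbolt swarm file later in this diff) pulls whatever `latest` resolves to at deploy time, unlike the nextcloud examples in the same commit which pin `mariadb:10.9`; a major-version jump on the next pull can silently break the stack or change defaults. Pin it to match, e.g. `image: mariadb:10.9`. The passbolt docker-compose hunk in this diff starts at mydb's `volumes:`, so whether its image line is pinned is not visible here.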
@@ -1,36 +1,24 @@ version: "3" -x-bunkerweb-env: &bunkerweb-env - DATABASE_URI: "mariadb+pymysql://${PASSBOLT_USER:-user}:${PASSBOLT_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" - services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 - # ⚠️ read this if you use local folders for volumes ⚠️ - # bunkerweb runs as an unprivileged user with UID/GID 101 - # don't forget to edit the permissions of the files and folders accordingly - # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder - # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder - # more info at https://docs.bunkerweb.io - volumes: - - bw-data:/data environment: - <<: *bunkerweb-env - SERVER_NAME: "www.example.com" # replace with your domain - API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" - AUTO_LETS_ENCRYPT: "yes" - COOKIE_FLAGS: "* SameSite=Lax" - DISABLE_DEFAULT_SERVER: "yes" - ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE" - SERVE_FILES: "no" - USE_CLIENT_CACHE: "yes" - USE_GZIP: "yes" - USE_REVERSE_PROXY: "yes" - REVERSE_PROXY_URL: "/" - REVERSE_PROXY_HOST: "https://mypassbolt" + - SERVER_NAME=www.example.com # replace with your domain + - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 + - AUTO_LETS_ENCRYPT=yes + - DISABLE_DEFAULT_SERVER=yes + - COOKIE_FLAGS=* SameSite=Lax + - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE + - SERVE_FILES=no + - USE_CLIENT_CACHE=yes + - USE_GZIP=yes + - USE_REVERSE_PROXY=yes + - REVERSE_PROXY_URL=/ + - REVERSE_PROXY_HOST=https://mypassbolt labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: 
@@ -42,22 +30,21 @@ services: depends_on: - mybunker environment: - <<: *bunkerweb-env - DOCKER_HOST: "tcp://docker-proxy:2375" + - DOCKER_HOST=tcp://bw-docker-proxy:2375 volumes: - bw-data:/data networks: - bw-universe - - net-docker + - bw-docker - docker-proxy: + bw-docker-proxy: image: tecnativa/docker-socket-proxy:0.1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - - net-docker + - bw-docker # you will need to add a user by hand # example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u -f -l -r admin" -s /bin/sh www-data @@ -70,14 +57,13 @@ services: - mydb environment: - APP_FULL_BASE_URL=https://www.example.com # replace with your URL - - PASSBOLT_SSL_FORCE=false - DATASOURCES_DEFAULT_HOST=mydb - - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb} - - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user} - - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_USERNAME=user + - DATASOURCES_DEFAULT_DATABASE=passbolt volumes: - - gpg_volume:/etc/passbolt/gpg - - jwt_volume:/etc/passbolt/jwt + - gpg-data:/etc/passbolt/gpg + - jwt-data:/etc/passbolt/jwt command: [ "/usr/bin/wait-for.sh", 
@@ -95,15 +81,16 @@ services: volumes: - db-data:/var/lib/mysql environment: - MARIADB_RANDOM_ROOT_PASSWORD: "yes" - entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${PASSBOLT_USER:-user}\"; CREATE USER \"${PASSBOLT_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${PASSBOLT_DATABASE:-passboltdb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${PASSBOLT_DATABASE:-passboltdb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=passbolt + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD) networks: - - bw-universe - bw-services volumes: - gpg_volume: - jwt_volume: + gpg-data: + jwt-data: db-data: bw-data: @@ -114,4 +101,4 @@ networks: config: - subnet: 10.20.30.0/24 bw-services: - net-docker: + bw-docker: diff --git a/examples/passbolt/swarm.yml b/examples/passbolt/swarm.yml index 480e5c1da..d1cf81da0 100644 --- a/examples/passbolt/swarm.yml +++ b/examples/passbolt/swarm.yml 
@@ -10,14 +10,13 @@ services: - bw-services environment: - APP_FULL_BASE_URL=https://www.example.com # replace with your URL - - PASSBOLT_SSL_FORCE=false - DATASOURCES_DEFAULT_HOST=mydb - - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb} - - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user} - - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD) + - DATASOURCES_DEFAULT_USERNAME=user + - DATASOURCES_DEFAULT_DATABASE=passbolt volumes: - - gpg_volume:/etc/passbolt/gpg - - jwt_volume:/etc/passbolt/jwt + - gpg-data:/etc/passbolt/gpg + - jwt-data:/etc/passbolt/jwt command: [ "/usr/bin/wait-for.sh", @@ -39,7 +38,21 @@ services: - bunkerweb.REVERSE_PROXY_URL=/ - bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt - # For the database, you can refer to the swarm integration example including a database + mydb: + image: mariadb + volumes: + - db-data:/var/lib/mysql + networks: + - bw-services + environment: + - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password + - MYSQL_DATABASE=passbolt + - MYSQL_USER=user + - MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD) + deploy: + placement: + constraints: + - "node.role==worker" networks: bw-services: @@ -47,4 +60,6 @@ networks: name: bw-services volumes: - db_data: + db-data: + gpg-data: + jwt-data: diff --git a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec index 0ef289ca3..77aae37bf 100644 --- a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec +++ b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec 
@@ -123,4 +123,4 @@ include /etc/nginx/{{ SERVER_NAME.split(" ")[0] }}/modsec/*.conf
 {% if USE_MODSECURITY_CRS == "yes" %}
 SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
 SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/src/common/core/ui/confs/modsec/ui.conf b/src/common/core/ui/confs/modsec/ui.conf
index 66cc39de4..0e6a99704 100644
--- a/src/common/core/ui/confs/modsec/ui.conf
+++ b/src/common/core/ui/confs/modsec/ui.conf
@@ -1,5 +1,5 @@
 {% if USE_UI == "yes" +%}
-SecRule REQUEST_FILENAME "@rx /services$" "id:1,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
-SecRule REQUEST_FILENAME "@rx /global_config$" "id:2,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
-SecRule REQUEST_FILENAME "@rx /configs$" "id:3,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
-{% endif +%}
\ No newline at end of file
+SecRule REQUEST_FILENAME "@rx /services$" "id:1001,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
+SecRule REQUEST_FILENAME "@rx /global_config$" "id:1002,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
+SecRule REQUEST_FILENAME "@rx /configs$" "id:1003,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
+{% endif +%}
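Review bot: `ctl:ruleRemoveByTag=platform-pgsqlnolog` on the `id:1002` rule is missing a comma: as written the action names a tag `platform-pgsqlnolog` that nothing carries, and the `nolog` that its two sibling rules end with is swallowed into the tag, so the intended pgsql exclusion never applies to `/global_config` and that rule logs on every hit. The commit only renumbers the ids from 1–3 to 1001–1003 and carries the typo over; the tail of that line should read `ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsql,nolog"`. Separately, `@rx /services$`, `@rx /global_config$` and `@rx /configs$` are anchored only at the end, so any request path ending in those segments receives the rce/xss/generic exclusions; if the UI is served under a fixed prefix, anchoring the patterns to it would keep the exclusion scope to the UI routes.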