examples refactoring

examples/load-balancer/bw-data/configs/http/upstream.conf

@@ -1,5 +0,0 @@
-upstream app {
-	server app1:80;
-	server app2:80;
-	server app3:80;
-}

examples/load-balancer/docker-compose.yml

@@ -6,14 +6,6 @@ services:
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data # contains upstreams definition at http context
     environment:
       - SERVER_NAME=www.example.com # replace with your domain
       - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@@ -43,21 +35,21 @@ services:
     depends_on:
       - mybunker
     environment:
-      - DOCKER_HOST=tcp://docker-proxy:2375
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   app1:
     image: tutum/hello-world
@@ -84,4 +76,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/magento/autoconf.yml

@@ -8,7 +8,7 @@ services:
         aliases:
           - mymagento
     volumes:
-      - ./magento-data:/bitnami/magento
+      - magento-data:/bitnami/magento
     environment:
       - MAGENTO_USERNAME=admin # replace with admin username
       - MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@@ -41,9 +41,26 @@ services:
     # ⚠️ you need to create the directory and fix permissions ⚠️
     # see setup-autoconf.sh
     volumes:
-      - ./elasticsearch-data:/bitnami/elasticsearch/data
+      - elasticsearch-data:/bitnami/elasticsearch/data
 
-  # For the database, you can refer to the autoconf integration example including a database
+  mydb:
+    image: mariadb:10.2
+    networks:
+      bw-services:
+        aliases:
+          - mydb
+    volumes:
+      - db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=magentodb
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
+
+volumes:
+  magento-data:
+  elasticsearch-data:
+  db-data:
 
 networks:
   bw-services:

examples/magento/docker-compose.yml

@@ -1,35 +1,27 @@
 version: "3"
 
-x-bunkerweb-env: &bunkerweb-env
-  DATABASE_URI: "mariadb+pymysql://${MAGENTO_USER:-user}:${MAGENTO_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
-
 services:
   mybunker:
     image: bunkerity/bunkerweb:1.5.0
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
-      <<: *bunkerweb-env
+      - SERVER_NAME=www.example.com # replace with your domain
-      SERVER_NAME: "www.example.com" # replace with your domain
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
-      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
+      - SERVE_FILES=no
-      SERVE_FILES: "no"
+      - DISABLE_DEFAULT_SERVER=yes
-      DISABLE_DEFAULT_SERVER: "yes"
+      - AUTO_LETS_ENCRYPT=yes
-      AUTO_LETS_ENCRYPT: "yes"
+      - USE_CLIENT_CACHE=yes
-      USE_CLIENT_CACHE: "yes"
+      - USE_GZIP=yes
-      USE_GZIP: "yes"
+      - USE_REVERSE_PROXY=yes
-      USE_REVERSE_PROXY: "yes"
+      - REVERSE_PROXY_URL=/
-      REVERSE_PROXY_URL: "/"
+      - REVERSE_PROXY_HOST=http://mymagento:8080
-      REVERSE_PROXY_HOST: "http://mymagento:8080"
+      - |
-      CUSTOM_CONF_SERVER_HTTP_magento: "proxy_busy_buffers_size 512k;proxy_buffers 4 512k;proxy_buffer_size 256k;"
+        CUSTOM_CONF_SERVER_HTTP_magento=
+        proxy_busy_buffers_size 512k;
+        proxy_buffers 4 512k;
+        proxy_buffer_size 256k;
     labels:
       - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
     networks:
@@ -41,27 +33,26 @@ services:
     depends_on:
       - mybunker
     environment:
-      <<: *bunkerweb-env
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375"
-      DOCKER_HOST: "tcp://docker-proxy:2375"
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   mymagento:
     image: bitnami/magento:2
     volumes:
-      - ./magento-data:/bitnami/magento
+      - magento-data:/bitnami/magento
     environment:
       - MAGENTO_USERNAME=admin # replace with admin username
       - MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@@ -70,9 +61,9 @@ services:
       - MAGENTO_ENABLE_HTTPS=yes
       - MAGENTO_ENABLE_ADMIN_HTTPS=yes
       - MAGENTO_DATABASE_HOST=mydb
-      - MAGENTO_DATABASE_NAME=${MAGENTO_DATABASE:-magentodb}
+      - MAGENTO_DATABASE_NAME=mangentodb
-      - MAGENTO_DATABASE_USER=${MAGENTO_USER:-user}
+      - MAGENTO_DATABASE_USER=user
-      - MAGENTO_DATABASE_PASSWORD=${MAGENTO_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
+      - MAGENTO_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
       - ELASTICSEARCH_HOST=myelasticsearch
     networks:
       - bw-services
@@ -82,24 +73,27 @@ services:
     # ⚠️ you need to create the directory and fix permissions ⚠️
     # see setup-docker.sh
     volumes:
-      - ./elasticsearch-data:/bitnami/elasticsearch/data
+      - elasticsearch-data:/bitnami/elasticsearch/data
     networks:
       - bw-services
 
   mydb:
-    image: mariadb:10.10
+    image: mariadb:10.2
     volumes:
       - db-data:/var/lib/mysql
     environment:
-      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
-    entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MAGENTO_USER:-user}\"; CREATE USER \"${MAGENTO_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MAGENTO_DATABASE:-magentodb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MAGENTO_DATABASE:-magentodb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MAGENTO_USER:-user}\"@\"%\" IDENTIFIED BY \"${MAGENTO_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
+      - MYSQL_DATABASE=magentodb
-    networks:
+      - MYSQL_USER=user
-      - bw-universe
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
+    network:
       - bw-services
 
 volumes:
   bw-data:
   db-data:
+  magento-data:
+  elasticsearch-data:
 
 networks:
   bw-universe:
@@ -108,4 +102,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/magento/setup-autoconf.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-if [ $(id -u) -ne 0 ] ; then
-	echo "❌ Run me as root"
-	exit 1
-fi
-
-mkdir elasticsearch-data
-chown 1001:1001 elasticsearch-data
-chmod 770 elasticsearch-data

examples/magento/setup-docker.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-if [ $(id -u) -ne 0 ] ; then
-	echo "❌ Run me as root"
-	exit 1
-fi
-
-mkdir elasticsearch-data
-chown 1001:1001 elasticsearch-data
-chmod 770 elasticsearch-data

examples/magento/swarm.yml

@@ -6,7 +6,7 @@ services:
     networks:
       - bw-services
     volumes:
-      - magento_data:/bitnami/magento
+      - magento-data:/bitnami/magento
     environment:
       - MAGENTO_USERNAME=admin # replace with admin username
       - MAGENTO_PASSWORD=changeme42 # replace with a stronger password
@@ -34,13 +34,27 @@ services:
     networks:
       - bw-services
     volumes:
-      - elasticsearch_data:/bitnami/elasticsearch/data
+      - elasticsearch-data:/bitnami/elasticsearch/data
     deploy:
       placement:
         constraints:
           - "node.role==worker"
 
-  # For the database, you can refer to the swarm integration example including a database
+  mydb:
+    image: mariadb:10.2
+    networks:
+      - bw-services
+    volumes:
+      - db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=magentodb
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MAGENTO_DATABASE_PASSWORD)
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
 
 networks:
   bw-services:
@@ -48,6 +62,6 @@ networks:
       name: bw-services
 
 volumes:
-  db_data:
+  db-data:
-  elasticsearch_data:
+  elasticsearch-data:
-  magento_data:
+  magento-data:

examples/mattermost/autoconf.yml

@@ -63,7 +63,29 @@ services:
       - bunkerweb.LIMIT_REQ_URL_3=^/static/
       - bunkerweb.LIMIT_REQ_RATE_3=10r/s
 
-  # For the postgres database, you can refer to the autoconf integration example including a postgres database
+  postgres:
+    image: postgres:${POSTGRES_IMAGE_TAG}
+    networks:
+      bw-services:
+        aliases:
+          - postgres
+    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 100
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
+    volumes:
+      - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
+    environment:
+      # timezone inside container
+      - TZ
+      # necessary Postgres options/variables
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
 
 networks:
   bw-services:

examples/mattermost/docker-compose.yml

@@ -1,54 +1,41 @@
 version: "3"
 
-x-bunkerweb-env: &bunkerweb-env
-  DATABASE_URI: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres/${BUNKERWEB_DATABASE:-bunkerweb}"
-
 services:
   mybunker:
     image: bunkerity/bunkerweb:1.5.0
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
-      <<: *bunkerweb-env
+      - SERVER_NAME=www.example.com # replace with your domain
-      SERVER_NAME: "${DOMAIN}" # set your domain name in the .env file, for additional domains, just add them separated by a space
+      - AUTO_LETS_ENCRYPT=yes
-      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
+      - DISABLE_DEFAULT_SERVER=yes
-      AUTO_LETS_ENCRYPT: "yes"
+      - USE_CLIENT_CACHE=yes
-      DISABLE_DEFAULT_SERVER: "yes"
+      - SERVE_FILES=no
-      USE_CLIENT_CACHE: "yes"
+      - MAX_CLIENT_SIZE=50m
-      SERVE_FILES: "no"
+      - USE_GZIP=yes
-      MAX_CLIENT_SIZE: "50m"
-      USE_GZIP: "yes"
       # Methods used to query the api
       # more info at https://api.mattermost.com/
-      ALLOWED_METHODS: "GET|POST|HEAD|DELETE|PUT"
+      - ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT
       # Reverse proxy to Mattermost
       # second endpoint needs websocket enabled
       # more info at https://docs.mattermost.com/install/config-proxy-nginx.html
-      USE_REVERSE_PROXY: "yes"
+      - USE_REVERSE_PROXY=yes
-      REVERSE_PROXY_INTERCEPT_ERRORS: "no"
+      - REVERSE_PROXY_INTERCEPT_ERRORS=no
-      REVERSE_PROXY_URL_1: "/"
+      - REVERSE_PROXY_URL_1=/
-      REVERSE_PROXY_HOST_1: "http://mattermost:8065"
+      - REVERSE_PROXY_HOST_1=http://mattermost:8065
-      REVERSE_PROXY_URL_2: "~ /api/v[0-9]+/(users/)?websocket$$"
+      - REVERSE_PROXY_URL_2=~ /api/v[0-9]+/(users/)?websocket$$
-      REVERSE_PROXY_HOST_2: "http://mattermost:8065"
+      - REVERSE_PROXY_HOST_2=http://mattermost:8065
-      REVERSE_PROXY_WS_2: "yes"
+      - REVERSE_PROXY_WS_2=yes
       # Default limit rate for URLs
-      LIMIT_REQ_URL_1: "/"
+      - LIMIT_REQ_URL_1=/
-      LIMIT_REQ_RATE_1: "3r/s"
+      - LIMIT_REQ_RATE_1=3r/s
       # Limit rate for api endpoints
-      LIMIT_REQ_URL_2: "^/api/"
+      - LIMIT_REQ_URL_2=^/api/
-      LIMIT_REQ_RATE_2: "10r/s"
+      - LIMIT_REQ_RATE_2=10r/s
       # Limit rate for static resources
-      LIMIT_REQ_URL_3: "^/static/"
+      - LIMIT_REQ_URL_3=^/static/
-      LIMIT_REQ_RATE_3: "10r/s"
+      - LIMIT_REQ_RATE_3=10r/s
     labels:
       - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
     networks:
@@ -60,22 +47,21 @@ services:
     depends_on:
       - mybunker
     environment:
-      <<: *bunkerweb-env
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
-      DOCKER_HOST: "tcp://docker-proxy:2375"
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   mattermost:
     depends_on:
@@ -124,16 +110,14 @@ services:
       - /var/run/postgresql
     volumes:
       - ${POSTGRES_DATA_PATH}:/var/lib/postgresql/data
-      - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
     environment:
       # timezone inside container
       - TZ
       # necessary Postgres options/variables
       - POSTGRES_USER
       - POSTGRES_PASSWORD
-      - POSTGRES_MULTIPLE_DATABASES=${POSTGRES_DB},${BUNKERWEB_DATABASE:-bunkerweb}
+      - POSTGRES_DB
     networks:
-      - bw-universe
       - bw-services
 
 volumes:
@@ -146,4 +130,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/mattermost/init-db.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-set -e
-set -u
-
-function create_user_and_database() {
-	local database=$1
-	echo "  Creating user and database '$database'"
-	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
-	    CREATE USER $database;
-	    CREATE DATABASE $database;
-	    GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
-EOSQL
-}
-
-if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
-	echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
-	for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
-		create_user_and_database $db
-	done
-	echo "Multiple databases created"
-fi

examples/mongo-express/autoconf.yml

@@ -8,7 +8,7 @@ services:
         aliases:
           - mongo
     volumes:
-      - ./db:/data/db
+      - db-data:/data/db
     environment:
       - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
       - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@@ -38,6 +38,9 @@ services:
         bunkerweb.CUSTOM_CONF_MODSEC_mongo-express=
         SecRule REQUEST_FILENAME "@rx ^/db" "id:1,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=attack-protocol,nolog"
 
+volumes:
+  db-data:
+
 networks:
   bw-services:
     external:

examples/mongo-express/docker-compose.yml

@@ -6,14 +6,6 @@ services:
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
       - SERVER_NAME=www.example.com # replace with your domain
       - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@@ -39,26 +31,26 @@ services:
     depends_on:
       - mybunker
     environment:
-      - DOCKER_HOST=tcp://docker-proxy:2375
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   mongo:
     image: mongo:5.0.14
     volumes:
-      - ./db:/data/db
+      - db-data:/data/db
     environment:
       - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
       - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@@ -82,6 +74,7 @@ services:
 
 volumes:
   bw-data:
+  db-data:
 
 networks:
   bw-universe:
@@ -90,4 +83,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/mongo-express/swarm.yml

@@ -6,7 +6,7 @@ services:
     networks:
       - bw-services
     volumes:
-      - db:/data/db
+      - db-data:/data/db
     environment:
       - MONGO_INITDB_ROOT_USERNAME=root # replace with a less obvious username
       - MONGO_INITDB_ROOT_PASSWORD=toor # replace with a better password
@@ -48,4 +48,4 @@ networks:
       name: bw-services
 
 volumes:
-  db:
+  db-data:

examples/moodle/autoconf.yml

@@ -10,27 +10,38 @@ services:
     depends_on:
       - mydb
     volumes:
-      - moodle_files:/bitnami/moodle
+      - moodle-files:/bitnami/moodle
-      - moodle_data:/bitnami/moodledata
+      - moodle-data:/bitnami/moodledata
     environment:
-      - MOODLE_USERNAME=admin # replace with your moodle admin username
+      - MOODLE_USERNAME=admin                # replace with your moodle admin username
-      - MOODLE_PASSWORD=password # replace with your moodle admin password
+      - MOODLE_PASSWORD=password             # replace with your moodle admin password
-      - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
+      - MOODLE_EMAIL=moodle@example.com      # replace with your moodle admin email
-      - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
+      - MOODLE_SITE_NAME=My Moodle           # replace with your moodle site name
       - MOODLE_DATABASE_HOST=mydb
-      - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb}
+      - MOODLE_DATABASE_NAME=moodle
-      - MOODLE_DATABASE_USER=${MOODLE_USER:-user}
+      - MOODLE_DATABASE_USER=user
-      - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # replace with a stronger password (must match MYSQL_PASSWORD)
+      - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
     labels:
       - bunkerweb.SERVER_NAME=www.example.com
       - bunkerweb.USE_REVERSE_PROXY=yes
       - bunkerweb.REVERSE_PROXY_URL=/
       - bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
 
-  # For the database, you can refer to the autoconf integration example including a database
+  mydb:
-  # In this example, you will need to add the following lines to the mydb service:
+    image: mariadb:10.5
-  # - MARIADB_CHARACTER_SET=utf8mb4
+    volumes:
-  # - MARIADB_COLLATE=utf8mb4_unicode_ci
+      - db-data:/var/lib/mysql
+    networks:
+      bw-services:
+        aliases:
+          - mydb
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_DATABASE=moodle
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
+      - MARIADB_CHARACTER_SET=utf8mb4
+      - MARIADB_COLLATE=utf8mb4_unicode_ci
 
 networks:
   bw-services:
@@ -38,6 +49,6 @@ networks:
       name: bw-services
 
 volumes:
-  db_data:
+  db-data:
-  moodle_files:
+  moodle-files:
-  moodle_data:
+  moodle-data:

examples/moodle/docker-compose.yml

@@ -1,35 +1,22 @@
 version: "3"
 
-x-bunkerweb-env: &bunkerweb-env
-  DATABASE_URI: "mariadb+pymysql://${MOODLE_USER:-user}:${MOODLE_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
-
 services:
   mybunker:
     image: bunkerity/bunkerweb:1.5.0
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
-      <<: *bunkerweb-env
+      - SERVER_NAME=www.example.com # replace with your domain
-      SERVER_NAME: "www.example.com" # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
-      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
+      - DISABLE_DEFAULT_SERVER=yes
-      AUTO_LETS_ENCRYPT: "yes"
+      - MAX_CLIENT_SIZE=50m
-      DISABLE_DEFAULT_SERVER: "yes"
+      - SERVE_FILES=no
-      MAX_CLIENT_SIZE: "50m"
+      - USE_CLIENT_CACHE=yes
-      SERVE_FILES: "no"
+      - USE_GZIP=yes
-      USE_CLIENT_CACHE: "yes"
+      - USE_REVERSE_PROXY=yes
-      USE_GZIP: "yes"
+      - REVERSE_PROXY_URL=/
-      USE_REVERSE_PROXY: "yes"
+      - REVERSE_PROXY_HOST=https://mymoodle:8443
-      REVERSE_PROXY_URL: "/"
-      REVERSE_PROXY_HOST: "https://mymoodle:8443"
     labels:
       - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
     networks:
@@ -41,56 +28,60 @@ services:
     depends_on:
       - mybunker
     environment:
-      <<: *bunkerweb-env
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
-      DOCKER_HOST: "tcp://docker-proxy:2375"
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   mymoodle:
     image: bitnami/moodle:4.1.0
     depends_on:
       - mydb
     volumes:
-      - ./moodle-files:/bitnami/moodle
+      - moodle-files:/bitnami/moodle
-      - ./moodle-data:/bitnami/moodledata
+      - moodle-data:/bitnami/moodledata
     environment:
-      - MOODLE_USERNAME=admin # replace with your moodle admin username
+      - MOODLE_USERNAME=admin                # replace with your moodle admin username
-      - MOODLE_PASSWORD=password # replace with your moodle admin password
+      - MOODLE_PASSWORD=password             # replace with your moodle admin password
-      - MOODLE_EMAIL=moodle@example.com # replace with your moodle admin email
+      - MOODLE_EMAIL=moodle@example.com      # replace with your moodle admin email
-      - MOODLE_SITE_NAME=My Moodle # replace with your moodle site name
+      - MOODLE_SITE_NAME=My Moodle           # replace with your moodle site name
       - MOODLE_DATABASE_HOST=mydb
-      - MOODLE_DATABASE_NAME=${MOODLE_DATABASE:-moodledb}
+      - MOODLE_DATABASE_NAME=moodle
-      - MOODLE_DATABASE_USER=${MOODLE_USER:-user}
+      - MOODLE_DATABASE_USER=user
-      - MOODLE_DATABASE_PASSWORD=${MOODLE_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
+      - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
     networks:
       - bw-services
 
   mydb:
-    image: mariadb:10.10
+    image: mariadb:10.5
     volumes:
       - db-data:/var/lib/mysql
     environment:
-      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
-    entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${MOODLE_USER:-user}\"; CREATE USER \"${MOODLE_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${MOODLE_DATABASE:-moodledb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${MOODLE_DATABASE:-moodledb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${MOODLE_USER:-user}\"@\"%\" IDENTIFIED BY \"${MOODLE_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
+      - MYSQL_DATABASE=moodle
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
+      - MARIADB_CHARACTER_SET=utf8mb4
+      - MARIADB_COLLATE=utf8mb4_unicode_ci
     networks:
-      - bw-universe
       - bw-services
 
 volumes:
   bw-data:
   db-data:
+  moodle-files:
+  moodle-data:
 
 networks:
   bw-universe:
@@ -99,4 +90,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/moodle/swarm.yml

@@ -8,8 +8,8 @@ services:
     depends_on:
       - mydb
     volumes:
-      - moodle_files:/bitnami/moodle
+      - moodle-files:/bitnami/moodle
-      - moodle_data:/bitnami/moodledata
+      - moodle-data:/bitnami/moodledata
     environment:
       - MOODLE_USERNAME=admin # replace with your moodle admin username
       - MOODLE_PASSWORD=password # replace with your moodle admin password
@@ -29,10 +29,23 @@ services:
         - bunkerweb.REVERSE_PROXY_URL=/
         - bunkerweb.REVERSE_PROXY_HOST=https://mymoodle:8443
 
-  # For the database, you can refer to the swarm integration example including a database
+  mydb:
-  # In this example, you will need to add the following lines to the mydb service:
+    image: mariadb:10.5
-  # - MARIADB_CHARACTER_SET=utf8mb4
+    volumes:
-  # - MARIADB_COLLATE=utf8mb4_unicode_ci
+      - db_data:/var/lib/mysql
+    networks:
+      - bw-services
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_DATABASE=moodle
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)
+      - MARIADB_CHARACTER_SET=utf8mb4
+      - MARIADB_COLLATE=utf8mb4_unicode_ci
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
 
 networks:
   bw-services:
@@ -40,6 +53,6 @@ networks:
       name: bw-services
 
 volumes:
-  db_data:
+  db-data:
-  moodle_files:
+  moodle-files:
-  moodle_data:
+  moodle-data:

examples/nextcloud/autoconf.yml

@@ -4,7 +4,7 @@ services:
   mync:
     image: nextcloud:stable-apache
     volumes:
-      - ./nc-files:/var/www/html
+      - nc-files:/var/www/html
     networks:
       bw-services:
         aliases:
@@ -56,7 +56,25 @@ services:
         bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
         SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
 
-  # For the database, you can refer to the autoconf integration example including a database
+
+  mydb:
+    image: mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      bw-services:
+        aliases:
+          - mydb
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MYSQL_PASSWORD)
+
+volumes:
+  nc-files:
+  db-data:
 
 networks:
   bw-services:

examples/nextcloud/docker-compose.yml

@@ -1,49 +1,51 @@
 version: "3"
 
-x-bunkerweb-env: &bunkerweb-env
-  DATABASE_URI: "mariadb+pymysql://${NEXTCLOUD_USER:-user}:${NEXTCLOUD_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
-
 services:
   mybunker:
     image: bunkerity/bunkerweb:1.5.0
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
-      <<: *bunkerweb-env
+      - SERVER_NAME=www.example.com # replace with your domain
-      SERVER_NAME: "www.example.com" # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
-      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
+      - DISABLE_DEFAULT_SERVER=yes
-      AUTO_LETS_ENCRYPT: "yes"
+      - MAX_CLIENT_SIZE=10G
-      DISABLE_DEFAULT_SERVER: "yes"
+      - USE_CLIENT_CACHE=yes
-      MAX_CLIENT_SIZE: "10G"
+      - SERVE_FILES=no
-      USE_CLIENT_CACHE: "yes"
+      - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
-      SERVE_FILES: "no"
+      - X_FRAME_OPTIONS=SAMEORIGIN
-      ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS"
+      - USE_GZIP=yes
-      X_FRAME_OPTIONS: "SAMEORIGIN"
+      - BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
-      USE_GZIP: "yes"
+      - USE_REVERSE_PROXY=yes
-      BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444"
+      - REVERSE_PROXY_URL=/
-      USE_REVERSE_PROXY: "yes"
+      - REVERSE_PROXY_HOST=http://mync
-      REVERSE_PROXY_URL: "/"
+      - LIMIT_REQ_URL_1=/apps
-      REVERSE_PROXY_HOST: "http://mync"
+      - LIMIT_REQ_RATE_1=5r/s
-      LIMIT_REQ_URL_1: "/apps"
+      - LIMIT_REQ_URL_2=/apps/text/session/sync
-      LIMIT_REQ_RATE_1: "5r/s"
+      - LIMIT_REQ_RATE_2=8r/s
-      LIMIT_REQ_URL_2: "/apps/text/session/sync"
+      - LIMIT_REQ_URL_3=/core/preview
-      LIMIT_REQ_RATE_2: "8r/s"
+      - LIMIT_REQ_RATE_3=5r/s
-      LIMIT_REQ_URL_3: "/core/preview"
+      - |
-      LIMIT_REQ_RATE_3: "5r/s"
+        CUSTOM_CONF_MODSEC_CRS_nextcloud=
-      CUSTOM_CONF_MODSEC_CRS_nextcloud:
+        SecAction \
-        'SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"
+         "id:900130,\
-
+          phase:1,\
-        # WebDAV SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:''tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS''"'
+          nolog,\
-      CUSTOM_CONF_MODSEC_nextcloud: 'SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"'
+          pass,\
+          t:none,\
+          setvar:tx.crs_exclusions_nextcloud=1"
+        # WebDAV
+        SecAction \
+         "id:900200,\
+          phase:1,\
+          nolog,\
+          pass,\
+          t:none,\
+          setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
+      - |
+        CUSTOM_CONF_MODSEC_nextcloud=
+        SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
     labels:
       - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
     networks:
@@ -55,27 +57,26 @@ services:
     depends_on:
       - mybunker
     environment:
-      <<: *bunkerweb-env
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
-      DOCKER_HOST: "tcp://docker-proxy:2375"
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   mync:
     image: nextcloud:24-apache
     volumes:
-      - ./nc-files:/var/www/html
+      - nc-files:/var/www/html
     environment:
       - NEXTCLOUD_ADMIN_USER=admin # replace with the admin username
       - NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password
@@ -90,12 +91,15 @@ services:
       - bw-services
 
   mydb:
-    image: mariadb:10.10
+    image: mariadb:10.9
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
     volumes:
-      - db-data:/var/lib/mysql
+      - ./db-data:/var/lib/mysql
     environment:
-      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
-    entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${NEXTCLOUD_USER:-user}\"; CREATE USER \"${NEXTCLOUD_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${NEXTCLOUD_DATABASE:-nextclouddb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${NEXTCLOUD_DATABASE:-nextclouddb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MYSQL_PASSWORD)
     networks:
       - bw-universe
       - bw-services
@@ -103,6 +107,7 @@ services:
 volumes:
   bw-data:
   db-data:
+  nc-files:
 
 networks:
   bw-universe:
@@ -111,4 +116,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/nextcloud/swarm.yml

@@ -4,7 +4,7 @@ services:
   mync:
     image: nextcloud:24-apache
     volumes:
-      - nc_files:/var/www/html
+      - nc-files:/var/www/html
     networks:
       - bw-services
     environment:
@@ -37,7 +37,22 @@ services:
         - bunkerweb.LIMIT_REQ_URL_3=/core/preview
         - bunkerweb.LIMIT_REQ_RATE_3=5r/s
 
-  # For the database, you can refer to the swarm integration example including a database
+  mydb:
+    image: mariadb:10.9
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      - bw-services
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
+      - MYSQL_DATABASE=nc
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd      # replace with a stronger password (must match MYSQL_PASSWORD)
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
 
 networks:
   bw-services:
@@ -45,4 +60,5 @@ networks:
       name: bw-services
 
 volumes:
-  nc_files:
+  nc-files:
+  db-data:

examples/passbolt/autoconf.yml

@@ -12,14 +12,13 @@ services:
           - mypassbolt
     environment:
       - APP_FULL_BASE_URL=https://www.example.com # replace with your URL
-      - PASSBOLT_SSL_FORCE=false
       - DATASOURCES_DEFAULT_HOST=mydb
-      - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
-      - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
+      - DATASOURCES_DEFAULT_USERNAME=user
-      - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_DATABASE=passbolt
     volumes:
-      - gpg_volume:/etc/passbolt/gpg
+      - gpg-data:/etc/passbolt/gpg
-      - jwt_volume:/etc/passbolt/jwt
+      - jwt-data:/etc/passbolt/jwt
     command:
       [
         "/usr/bin/wait-for.sh",
@@ -37,11 +36,24 @@ services:
       - bunkerweb.REVERSE_PROXY_URL=/
       - bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
 
-  # For the database, you can refer to the autoconf integration example including a database
+  mydb:
+    image: mariadb
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      bw-services:
+        aliases:
+          - mydb
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
+      - MYSQL_DATABASE=passbolt
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
 
 volumes:
-  gpg_volume:
+  gpg-data:
-  jwt_volume:
+  jwt-data:
+  db-data:
 
 networks:
   bw-services:

examples/passbolt/docker-compose.yml

@@ -1,36 +1,24 @@
 version: "3"
 
-x-bunkerweb-env: &bunkerweb-env
-  DATABASE_URI: "mariadb+pymysql://${PASSBOLT_USER:-user}:${PASSBOLT_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}"
-
 services:
   mybunker:
     image: bunkerity/bunkerweb:1.5.0
     ports:
       - 80:8080
       - 443:8443
-    # ⚠️ read this if you use local folders for volumes ⚠️
-    # bunkerweb runs as an unprivileged user with UID/GID 101
-    # don't forget to edit the permissions of the files and folders accordingly
-    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
-    # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
-    # more info at https://docs.bunkerweb.io
-    volumes:
-      - bw-data:/data
     environment:
-      <<: *bunkerweb-env
+      - SERVER_NAME=www.example.com                  # replace with your domain
-      SERVER_NAME: "www.example.com" # replace with your domain
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
-      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
+      - AUTO_LETS_ENCRYPT=yes
-      AUTO_LETS_ENCRYPT: "yes"
+      - DISABLE_DEFAULT_SERVER=yes
-      COOKIE_FLAGS: "* SameSite=Lax"
+      - COOKIE_FLAGS=* SameSite=Lax
-      DISABLE_DEFAULT_SERVER: "yes"
+      - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
-      ALLOWED_METHODS: "GET|POST|HEAD|PUT|DELETE"
+      - SERVE_FILES=no
-      SERVE_FILES: "no"
+      - USE_CLIENT_CACHE=yes
-      USE_CLIENT_CACHE: "yes"
+      - USE_GZIP=yes
-      USE_GZIP: "yes"
+      - USE_REVERSE_PROXY=yes
-      USE_REVERSE_PROXY: "yes"
+      - REVERSE_PROXY_URL=/
-      REVERSE_PROXY_URL: "/"
+      - REVERSE_PROXY_HOST=https://mypassbolt
-      REVERSE_PROXY_HOST: "https://mypassbolt"
     labels:
       - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container
     networks:
@@ -42,22 +30,21 @@ services:
     depends_on:
       - mybunker
     environment:
-      <<: *bunkerweb-env
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
-      DOCKER_HOST: "tcp://docker-proxy:2375"
     volumes:
       - bw-data:/data
     networks:
       - bw-universe
-      - net-docker
+      - bw-docker
 
-  docker-proxy:
+  bw-docker-proxy:
     image: tecnativa/docker-socket-proxy:0.1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - CONTAINERS=1
     networks:
-      - net-docker
+      - bw-docker
 
   # you will need to add a user by hand
   # example : docker-compose exec mypassbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u <your@email.com> -f <yourname> -l <surname> -r admin" -s /bin/sh www-data
@@ -70,14 +57,13 @@ services:
       - mydb
     environment:
       - APP_FULL_BASE_URL=https://www.example.com # replace with your URL
-      - PASSBOLT_SSL_FORCE=false
       - DATASOURCES_DEFAULT_HOST=mydb
-      - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
-      - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
+      - DATASOURCES_DEFAULT_USERNAME=user
-      - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_DATABASE=passbolt
     volumes:
-      - gpg_volume:/etc/passbolt/gpg
+      - gpg-data:/etc/passbolt/gpg
-      - jwt_volume:/etc/passbolt/jwt
+      - jwt-data:/etc/passbolt/jwt
     command:
       [
         "/usr/bin/wait-for.sh",
@@ -95,15 +81,16 @@ services:
     volumes:
       - db-data:/var/lib/mysql
     environment:
-      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
+      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
-    entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${PASSBOLT_USER:-user}\"; CREATE USER \"${PASSBOLT_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${PASSBOLT_DATABASE:-passboltdb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${PASSBOLT_DATABASE:-passboltdb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${PASSBOLT_USER:-user}\"@\"%\" IDENTIFIED BY \"${PASSBOLT_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci"
+      - MYSQL_DATABASE=passbolt
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
     networks:
-      - bw-universe
       - bw-services
 
 volumes:
-  gpg_volume:
+  gpg-data:
-  jwt_volume:
+  jwt-data:
   db-data:
   bw-data:
 
@@ -114,4 +101,4 @@ networks:
       config:
         - subnet: 10.20.30.0/24
   bw-services:
-  net-docker:
+  bw-docker:

examples/passbolt/swarm.yml

@@ -10,14 +10,13 @@ services:
       - bw-services
     environment:
       - APP_FULL_BASE_URL=https://www.example.com # replace with your URL
-      - PASSBOLT_SSL_FORCE=false
       - DATASOURCES_DEFAULT_HOST=mydb
-      - DATASOURCES_DEFAULT_DATABASE=${PASSBOLT_DATABASE:-passboltdb}
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
-      - DATASOURCES_DEFAULT_USERNAME=${PASSBOLT_USER:-user}
+      - DATASOURCES_DEFAULT_USERNAME=user
-      - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_DATABASE=passbolt
     volumes:
-      - gpg_volume:/etc/passbolt/gpg
+      - gpg-data:/etc/passbolt/gpg
-      - jwt_volume:/etc/passbolt/jwt
+      - jwt-data:/etc/passbolt/jwt
     command:
       [
         "/usr/bin/wait-for.sh",
@@ -39,7 +38,21 @@ services:
         - bunkerweb.REVERSE_PROXY_URL=/
         - bunkerweb.REVERSE_PROXY_HOST=https://mypassbolt
 
-  # For the database, you can refer to the swarm integration example including a database
+  mydb:
+    image: mariadb
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      - bw-services
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
+      - MYSQL_DATABASE=passbolt
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
 
 networks:
   bw-services:
@@ -47,4 +60,6 @@ networks:
       name: bw-services
 
 volumes:
-  db_data:
+  db-data:
+  gpg-data:
+  jwt-data:

src/common/core/ui/confs/modsec/ui.conf

@@ -1,5 +1,5 @@
 {% if USE_UI == "yes" +%}
-SecRule REQUEST_FILENAME "@rx /services$" "id:1,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
+SecRule REQUEST_FILENAME "@rx /services$" "id:1001,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
-SecRule REQUEST_FILENAME "@rx /global_config$" "id:2,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
+SecRule REQUEST_FILENAME "@rx /global_config$" "id:1002,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,ctl:ruleRemoveByTag=platform-pgsqlnolog"
-SecRule REQUEST_FILENAME "@rx /configs$" "id:3,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
+SecRule REQUEST_FILENAME "@rx /configs$" "id:1003,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-generic,nolog"
 {% endif +%}