Squashed 'src/deps/src/headers-more-nginx-module/' changes from bea1be3bbf..576cb81979

576cb81979 Merge commit 'c473aa40807f32438ffe34bdfe07f8f0485a6aa4' into dev
c473aa4080 Squashed 'src/deps/src/lua-resty-openssl/' changes from b23c072a4..89195843c
456e6a33db Update lua-resty-openssl to v1.0.1
11c4fde616 Merge commit '805e5c9cee2a72af6b6297b2993109511b42d485' into dev
805e5c9cee Squashed 'src/deps/src/libmaxminddb/' changes from ac4d0d248..93a7e0e56
afcf420ee4 Update libmaxminddb to v1.8.0
7aa6affe10 Merge commit 'e3f305a953ef5dbf6802090c7013f4c38d762449' into dev
e3f305a953 Squashed 'src/deps/src/ngx_devel_kit/' changes from b4642d6ca..91e30eb05
cba20187c9 Update Nginx devel kit to v0.3.3
10a58377b8 Fix multiple CVEs related to libpq * CVE-2023-5869 * CVE-2023-5868 * CVE-2023-5870
7c564e4cb0 Update pre-commit hooks to latest versions
bff775f006 Fix issues with the Linux integration and external databases
71db00281d Merge pull request #759 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.161.0
940eecd062 deps/gha: bump ruby/setup-ruby from 1.160.0 to 1.161.0
42f7ef4862 Update user interface demo image in README.md
b2a56a82a4 Update BunkerWeb UI demo to use thumbnail image
0d0bad79bc Update Python version in Dockerfiles
b539a97ad9 Fix CVE CVE-2023-5678 in Dockerfiles
05da26f010 Update dependencies to latest versions
e153c33aaa Update maxminddb and other dependencies versions
8d024a0996 Merge pull request #751 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.7.1
ca6271c60a Merge pull request #750 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.160.0
fbbec2f7f7 deps/gha: bump rickstaa/action-create-tag from 1.6.6 to 1.7.1
9c6f5289d1 deps/gha: bump ruby/setup-ruby from 1.159.0 to 1.160.0
bcded8f7ce Add refurb as a pre-commit-config hook and apply pre-commit-config
966a78da9e Update Git attributes to ignore text and end-of-line settings for vendored files
f111124b34 Update dependencies versions
d2b82b29d2 Fix CVEs CVE-2023-43787, CVE-2023-43785 and CVE-2023-43786
dc5a7b8b2a Update mmdb files
c32522ae29 Update Certbot module to version 2.7.4 + Update python deps hashes
54ead4e49c Merge pull request #744 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.6.6
d835369699 deps/gha: bump rickstaa/action-create-tag from 1.6.4 to 1.6.6
b79b6548b3 Merge pull request #741 from bunkerity/dependabot/github_actions/dev/hashicorp/setup-terraform-3.0.0
b05b981858 docs - update plugins to 1.2
e8803e346f cache linux test images, fix linux example of proxy protocol and add more logs to k8s tests
7565b2df58 Merge branch 'dev' into staging
c817f45abd add ready checks to limit and redis core tests and fix wrong http port for behind reverse proxy linux test
f9f616a66f Merge branch 'dev' into staging
4871185dc0 Update python deps and pin Flask-Login version
cd773b6e80 add ready checks to reversecan and sessions tests
898ef2eff0 deps/gha: bump hashicorp/setup-terraform from 2.0.3 to 3.0.0
fa628cb7d6 linux - add default API_LISTEN_IP
18d682b5a6 linux - add missing API_LISTEN_IP initial setting and perform only hot reload
4fbd974d2f tests - set trace verbosity for geckodriver logs
a7c343369d Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
7d69b91056 tests - fix missing geckodriver log file in ui tests
29d7d94b2c [#739] Fix potential issue when fetching docker instances in the web UI
84eb947206 tests - add geckodriver log file for ui tests
40e118a712 tests - add more logs to ui linux tests
0e3d8e59cc tests - retry UI access in case of network exception
86875f4863 tests - fix misc ready check when using https and add ready checks for linux ui
d4a2ba5fc8 tests - add ready checks to customcert and misc
3020c5c8e5 tests - add ready check for customcert core test
c1562bc896 Merge pull request #737 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.5
322cfd2179 deps/gha: bump github/codeql-action from 2.22.4 to 2.22.5
caf732be1d Merge pull request #736 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.159.0
667620b521 deps/gha: bump ruby/setup-ruby from 1.158.0 to 1.159.0
fb21786b8c linux - fixing nginx service not disabled and fix another missing error log path in UI
5887b894f0 ui - fix wrong error path when starting nginx
4e820f6de2 linux - remove sudo command when reloading nginx
35d16233cd ci/cd - ignore ready conf for db tests and fix linux path for ready conf
9775cd5bbd ci/cd - fix missing string in /ready endpoint and add /ready endpoint to linux tests
274a8cdfb9 ci/cd - trying to fix race condition for core tests
d73a5d0f45 Merge pull request #735 from bunkerity/dev
ed0e156bcb Update Werkzeug to version 3.0.1 in web UI
8ec9a7df40 Fix compatibility issue with Docker Compose v2 2.23.0 in examples and docs
72d856abe1 Update certbot to version 2.7.3 + regenerate hashes for db and scheduler
ab76c458ef Merge pull request #732 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.158.0
6edf97a0d7 deps/gha: bump ruby/setup-ruby from 1.157.0 to 1.158.0
58d6b81423 use cap in Linux and add openssf badge
a83a74cfad Merge pull request #729 from bunkerity/dev
0975de1238 [#717] Add a pool_recycle database engine arg to avoid losing connection with database
762092e5e9 Remove no longer necessary retrying module
8963cb4d18 Update python deps
c2252503d0 Merge pull request #721 from bunkerity/dependabot/github_actions/dev/ossf/scorecard-action-2.3.1
626f10b4c1 Merge pull request #722 from bunkerity/dependabot/github_actions/dev/actions/setup-node-4.0.0
f2b9fc0f8f Merge pull request #724 from bunkerity/dependabot/docker/src/autoconf/dev/python-a5d1738
c8eae49e5b deps/autoconf: bump python from `dc2e889` to `a5d1738` in /src/autoconf
ab320794ad Merge pull request #723 from bunkerity/dependabot/docker/src/ui/dev/python-a5d1738
572436f208 Merge pull request #720 from bunkerity/dependabot/docker/src/scheduler/dev/python-a5d1738
6f366450bc deps/ui: bump python from `dc2e889` to `a5d1738` in /src/ui
f6d2e205cf deps/scheduler: bump python in /src/scheduler
50a60382a1 Fix CVE CVE-2023-5363
989c14ae73 Fix CVE CVE-2023-5363
a847f77782 deps/gha: bump actions/setup-node from 3.8.1 to 4.0.0
8708ad70c3 deps/gha: bump ossf/scorecard-action from 2.3.0 to 2.3.1
eeda7a18c3 Update python deps + add retrying module to db
5193d6cd19 Update docker images
09ee050833 Merge pull request #719 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.157.0
0afed0621c Merge pull request #718 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.4
8919592f54 deps/gha: bump ruby/setup-ruby from 1.156.0 to 1.157.0
d253b4438f deps/gha: bump github/codeql-action from 2.22.3 to 2.22.4
f798a9ef9a Merge pull request #715 from bunkerity/dev
cd902eba30 prepare for 1.5.3 🚀
029217ff4a Fix update-version.sh script
10db67b871 Merge pull request #714 from bunkerity/dev
c7543df86a Add an handler when the ui test is reaching an error page due to a connectionFailure
1f5a1beac0 [#645] Fix web UI not keeping the data when changing the sub server names + Fix custom cert when the server name have multiple domains
ff1fc9280b [#712] Fix custom configuration changes not taking effect immediately
838dcb17c0 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
b18dbddcdf Merge pull request #713 from bunkerity/dependabot/pip/src/scheduler/dev/certbot-2.7.2
ca6938dfe4 Update ConfigFiles to use the correct name regex in web UI
643ea7c214 deps/scheduler: bump certbot from 2.7.1 to 2.7.2 in /src/scheduler
e41ce10e35 Merge pull request #711 from bunkerity/dev
b265cbad54 ci/cd - trying to fix azure/kubectl action
7e3aad9f09 [#645] Fix impossible to edit the server_name of an already existing service if the primary one was unchanged in web UI
60d43d0ce0 Handle service creation and editing more elegantly in web UI
2df85b2c93 Updated python:3.12.0-alpine image's sha256
3a3255e7b8 Merge pull request #709 from bunkerity/staging
4c273fe849 Merge pull request #708 from bunkerity/dev
9964f42e66 Fix magento k8s tests
b2cf8986f5 Tweak magento tests to use latest version back
7f219bea07 Fix CHANGELOG release date for v1.5.2
b9f05ad165 Downgrade magento versions to working ones
bd6065af86 Update python deps and pin urllib3 version to 1.26.18 + Update pre-commit-config to format requirements.in files as well + Apply pre-commit
619e5644f0 Remove pip caching when setting up python in workflows to avoid errors
3c36430212 Merge pull request #707 from bunkerity/dev
7598dbc54b Update python deps
f3982367a6 Update dependabot script to add reviewers and tweak the schedule
d4f65903e7 Update dependabot config file to include terraform and other python deps paths
38429efac9 Merge pull request #705 from bunkerity/dependabot/github_actions/dev/actions/checkout-4.1.1
d92e9a07a8 Fix k8s terraform script
6738b95524 deps/gha: bump actions/checkout from 4.1.0 to 4.1.1
0da22f44b0 Update k8s terraform file and update scaleway terraform version
d77f6a72c2 Fix README.md links and versions
7bf8be3246 Try to fix magento k8s tests with static versioning
b9c5d32778 Fix timeout in ui tests and access_page function
b1b1ab8680 Fix wrong values in helm chart values file for elasticsearch in k8s magento example
530b8a945d Fix allow empty values when saving a config in web UI
22552c5b85 [#694] Optimize certbot renew script to renew all domains in one command
db0dd5daee [#694] Fix rare bug where database is locked
f89456cd4f Merge pull request #699 from Crazy3lf/master
34d68e8b7c Update regex for email
476d867067 Fix magento k8s tests by removing elasticsearch
4a10ec8c30 Merge pull request #701 from bunkerity/dev
c4b873e3f2 Fix /etc/bunkerweb dir missing in linux core tests
bcaa8faa7b Replace deprecated `set-output` command with the new format
08944b901c Tweak test-core-linux to fix potential bugs
13be6a43c9 Add more logs when an url file is in cache and gets deleted
2737fe7ce2 Update python deps
2823fa2abb Update plugin.json
001246b38f Merge pull request #697 from bunkerity/ui
1a43380d2e Merge pull request #696 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.3
0b319d1aa1 Merge pull request #695 from bunkerity/dependabot/github_actions/dev/rickstaa/action-create-tag-1.6.4
7a15f8a654 deps/gha: bump github/codeql-action from 2.22.1 to 2.22.3
a4a413eece deps/gha: bump rickstaa/action-create-tag from 1.6.3 to 1.6.4
7e3dabc5fd Update patch commands in deps.json to skip Reversed warning
8093c61613 Merge commit '29737209b138a1485d55c53acf1a6783b6e60167' into dev
29737209b1 Squashed 'src/deps/src/luajit/' changes from e598aeb74..492cfdd0d
85913d6b26 Update luajit to v2.1-20231006
15d3180b64 move disabled inp msg
522527f0a8 Merge pull request #690 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.156.0
85ef4e4dea Merge pull request #691 from bunkerity/dev
46d8acf7b4 Update dummy-plugin to new standards
77bfe2697f Add StyLua and luacheck to precommit config file and apply it
da2a1eaa5a deps/gha: bump ruby/setup-ruby from 1.155.0 to 1.156.0
cd1f87b9a2 Update pre-commit config hooks version
e25fab28b8 fix disabled msg behavior
c125a9bdd2 Merge pull request #689 from bunkerity/dev
10fd431fbb Tweak update python deps script to make it more elegant
309689185e Update pythons deps
7997561766 Merge pull request #684 from bunkerity/dependabot/github_actions/dev/github/codeql-action-2.22.1
a12e5ca893 Merge pull request #683 from bunkerity/dependabot/github_actions/dev/stefanzweifel/git-auto-commit-action-5.0.0
15ad3a6250 Merge pull request #681 from bunkerity/dependabot/github_actions/dev/ossf/scorecard-action-2.3.0
c57d725f44 Merge pull request #680 from bunkerity/dependabot/github_actions/dev/ruby/setup-ruby-1.155.0
95389260a6 Merge pull request #688 from bunkerity/dev
6e5dd55573 Fix CVE CVE-2023-44487
565f4e3f7c Merge pull request #687 from bunkerity/dev
f39adcab5b Update CHANGELOG.md
a3ec85b576 Fix often occurring error with ace script in web ui
b063ac8a32 [#652] Fix error when deleting a service that have custom configs on web UI
ff85f1c2bb Update CHANGELOG.md
4a9fdba42d [#645] Fix errors when using a server name with multiple values in web UI
47a7e16800 Fix secure_scheme_headers shenanigans with web ui
453108da94 Update mmdb files
2cbb10b3a3 Revert "Test Aqua security vulnerabilities with BW"
d4d9f87451 Test Aqua security vulnerabilities with BW
899484c381 deps/gha: bump github/codeql-action from 2.21.9 to 2.22.1
d461f3745b deps/gha: bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0
cd0ceb48bb deps/gha: bump ossf/scorecard-action from 2.2.0 to 2.3.0
dc92ae825d deps/gha: bump ruby/setup-ruby from 1.154.0 to 1.155.0
f5fe685d42 Fix children classes of Test
f4ce2c68f2 Fix bw api not returning the reason of bans
d1a0f66c98 Merge pull request #677 from bunkerity/dev
6935d1cb84 Merge pull request #676 from bunkerity/dev
7ac66a6c65 Update python deps
2aa9f46ef4 Fix default values in whitelist job
8f456722e0 Augment delay in WebDriverWait in ui tests
8ae7b8f43b Fix redirect tests docker-compose file
9b4a9277da Add libpq as a dependency for the Database to be able to connect with postgres
172874d1c3 Fix redirect tests on docker
a518f47b92 Update CHANGELOG.md
0cee41867f [#656] Fix ACME renewal fails on redirection enabled Service
e956e03ba0 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
c08fd07a6b Update linguist-vendored to add modsecurity files and non patch deps files
466c8e584c Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
27d3ca1cdf autoconf - fix wrong types for dynamic settings
410557009a Add .gitattributes to override linguist-vendored paths
e7498279cd Revert Docker image update for tests
fe87486f97 Merge pull request #673 from bunkerity/dev
c2db157bb5 Update python docker image to 3.12.0
eb8088164b Tweak Dockerfiles to make the build nicer
202698f41f Fix python deps conflicts and update them
0eb18cb31e Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
f12a014104 autoconf - update settings from db
628068e9ae Lint files with prettier
f3694f0cc4 Add prettier as a precommit hook
b56cce63f7 Fix codespell typos in README.md
87ca176633 Fix typos raised by codespell
eea5dd9b75 Add codespell precommit hook
8fbe692618 Fix mkdocs.yml file duplicate copyright key
cf82e73e97 Fix swarm postgres ui integration example
6b2df35858 Tweak py file to respect flake8 rules
508c728b65 Tweak pre-commit config and pyproject.toml file + Add flake8 as linter in precommit config
75e8c83397 Update CHANGELOG.md
07676a3d0a Use hashes instead of versions in github workflows
f0761eed2c Revert "Add fuzzing tests in CI/CD"
4babce9749 Add fuzzing tests in CI/CD
a263f1f4f1 Update cron for dev-update-mmdb
31a8399688 Merge pull request #666 from bunkerity/dev
d8b2561675 Merge pull request #665 from bunkerity/dev
87d2f04eb8 Remove no longer necessary temp fix for Flask-login
c006e5088d Update python deps + Update Flask-Login to include the compatibility with Flask 3.0.0
df9bf1f561 Merge pull request #664 from bunkerity/dev
6b0e623e59 Update Dockerfiles to install pip and its deps before the project ones
85068bfeea Add temp fix to support Werkzeug>=3.0.0 with Flask-login
5a7f9147fa Update python deps and update script
3589057703 Fix bunkerweb-ui.sh script with variables not being exported correctly
5ed595be68 Fix shellcheck tests failing
e21e0c812b Add shellcheck and gitleaks to pre-commit-config + tweak excluded paths
1b7e1840cd Fix blacklist core tests' requirements.txt file
1f90d3668c Add a pre-commit-config file and passed all checks
f3fc69110e Fix typos in Dockerfile when installing python dependencies
073e8575e2 Updated Dockerfile, python deps and npm package to use pinned dependencies
cd4d529d7e Merge pull request #660 from bunkerity/dev
b4a320afaa Made ui tests better
8ed656068f Small fixes on linux paths creating unnecessary folders
8fa7adb615 Small refactor on how the autoconf updates the config
4ec754143a Handle changes more elegantly with the scheduler
0f7df13df3 Optimize save_config script
48096d711c Optimize the way the UI handles services creation and edition
c0816bb119 Fix potential cross-site scripting vulnerability in plugins.js in the UI
18e5f7bff6 Merge pull request #659 from bunkerity/dev
ece5ce1cdf Add HTML sanitization when injecting code in pages in the UI
4d50026744 Extract codeQL workflow to have a separate one + Add scorecards analysis workflow file + Add UI tests for the UI branch
1c71572f44 Update tsparticles in the UI + remove unused static files
685cb9809d Update README to fix a few links and add the security scorecard badge
65d0aa3a8a Merge pull request #658 from bunkerity/dev
6e2db59919 Add a sleep before changing from cache page to log page to avoid errors in ui tests
1db769c321 Remove bugged UI tests check in linux
db99d16874 Update the condition that checks the integration in core tests
579c80357f Update UI starting script and ui tests script on linux
b901d29710 Update python deps
e23f931bd6 Replace gevent with gthread in UI for security reasons
15eef6ef57 Try to fix python deps issues with linux and try to have more logs in linux ui tests
cc0167f427 Fix ui linux tests when waiting for the ui to be ready
fd4c147b89 Update how the scripts wait for the UI to get ready before starting the tests
95afba8792 Change how the ui tests waits for the ui to be ready
ea5cb0db2d Try to fix ui linux test by adding more sleeps
cb3250e4e7 Fix UI linux test (again)
153e9fecf1 Fix bunkerweb linux scripts
81b5e80da6 Try to fix deps permissions with linux ui tests (again)
6a162d7250 Fix linux permissions with ui tests
be5fe2830e Try to fix ui python deps in ui linux tests
380e609abd Change ui linux tests command into development mode
93006cf5ce Fix Firefox installation in core and ui linux tests
39f17bce60 Try to fix permission issues with Linux and ui python deps
94c7c832e6 Fix permissions with python deps in ui linux tests
42be334e40 Fix permissions with ui tests on linux
cad3012e6d Try to fix python dependencies error with test ui linux
a04282d3f8 Fix test core redis with linux
c757f5d49d Re generate requirements.txt file for the UI with python3.9
052e060222 Fix core and ui workflow file for staging tests
e71b711466 Merge pull request #655 from bunkerity/dev
b90da0f909 Add better health check in linux ui tests
5c1fafe518 Updated CHANGELOG.md
c964d68f99 Add more tries when the dnsbl server isn't found
78a29e65ea Tweak reversescan core test to avoid false negative
0e9f29cc52 Revert "Fix UI shenanigans with python deps"
70ab9740d9 Fix UI shenanigans with python deps
0303a8f7b9 Update staging workflow file to include core and ui linux tests
16d4c1133b Optimize the way errors are being checked in linux core tests
2ddc8cec72 Update dnsbl list regex to accept an empty one
6534a429af Fix looking for error in the wrong place in test code linux
25eb8de01e Try to fix a few shenanigans with linux core tests
2065d688f1 Fix ui tests with docker checking the wrong containers if healthy
87f84d438e Add a retry on nginx error in linux core tests
99b30af8ea Fix reverse scan python script
1ff2aed68c Fix UI docker tests docker compose file
48bcb11983 Rearrange imports for blacklist init core test
ae9450d0dc Add whitelist and greylist linux core tests
9a17e92d62 Fix typos in dnsbl core test
2244f734fa Add dnsbl linux test
a29ac80e4b Add country linux tests
cff5c77679 Fix sessions core test for linux
6ae6764f27 Fix blacklist core tests docker compose
27959e1aa9 Fix sessions permissions issues with python requirements
47e8f20f83 Fix CVE CVE-2023-38039
6283ce2dd7 Add linux tests for blacklist and bunkernet
f3d6f860e0 Remove old cached files if urls are empty
61c8ef73b0 Fix permission issues with sessions core test with linux
be25ae8e05 Fix failing linux core tests + add more logs when an error occur in ui tests
33e200f652 Fix UI using the wrong database when generating the new config
57374ecc2f Fix tests ui with linux
601f0fde62 Fix tests ui linux not starting the ui service
fdb9a7c294 Fix errors linux tests permission issues
df12058824 Fix tests ui linux executing the wrong file
db404a62c3 Fix ui tests misconfiguration
a0aced3e53 Fix tests ui linux workflow file
e378be9a92 Fix typo in tests ui linux file name + add more logs in ui docker tests
432d1587c7 Add linux ui tests
2ad8861788 Fix selfsigned job with cryptography not being found
da4390b488 Fix python modules version conflict with web ui
7bd48203aa Fix and update python deps
ce2fa3d360 Fix a few core tests for linux
bca36e2966 Update self-signed job to regenerate the cert if the subject or the date has changed
06da40bf13 Added more linux core tests
84a27a3fc3 Fix DB core test with docker
9e34251824 Fix path issues with db core test init
c90cd7399a Fix permission issues in tests core linux
91e5528a3f Fix already existing tests core linux
aeee38ad32 Fix misc problems related to linux
d97326656d Fix Database not clearing old services when not using multisite
8a6e14d8c8 Added linux tests to a few core plugins
0ece8fda00 Fix permission issues when starting BunkerWeb in antibot linux tests
e935132242 ci/cd Try to fix permission problems with Firefox in test core linux
761c01af6e ci/cd Fix test core linux shenanigans with Firefox
0d9349611e ci/cd Try to fix errors with firefox in test core linux
094d5d5dfe ci/cd Fix a few things with test core linux + finish antibot linux core tests
fdae4549ce ci/cd Fix permission issues (again) with test core linux
d59cf1835d ci/cd fix permissions issue in test core linux + fix shenanigans with antibot linux core tests
43b1a038f9 ci/cd clear out firefox before reinstalling it in test core linux
d192fbb829 ci/cd Install Firefox manually in test core linux
0239ca64b4 ci/cd test core linux remove dns resolvers override
1dd1caeea4 ci/cd Fix Firefox installation for test core linux
a0516f773f ci/cd Install firefox from apt instead of snap + fix antibot core tests for linux
480c680f19 ci/cd Fix timeout in geckodriver download for test core linux
a94dab2087 ci/cd fix retry job when downloading the geckodriver in test core linux
d0a1aab15c ci/cd Fix perms issues (again) and optimize some things in test core linux
dd0c4c93a6 ci/cd Install requirements and deps in test core linux
294402dbf2 ci/cd fix perms issues with test core linux
cd35d35c25 ci/cd Fix perms in variables.env for test core linux
4cce8385c5 ci/cd fix write in /etc/hosts file in test core linux
990b6336e2 ci/cd Fix test core linux with dpkg versioning
ccc5eb304a ci/cd Fix version error with ubuntu and test core linux
6a38390404 ci/cd Fix tee command not being ran as sudo in tests core linux
453cfc2dcc ci/cd Fix BunkerWeb installation job with linux core tests
0b14f8a5d0 ci/cd Fix install command in linux core tests
624f4b5bb5 ci/cd Fix path of the .deb file
61bc8a3b10 ci/cd fix .deb fetching in Linux core tests
fa91bf6c60 ci/cd change needs and logic in test core linux
b54c7eb61a ci/cd test secret inherit for ubuntu private test image
30cba0a77d ci/cd fix dev.yml
80d56fcca6 ci/cd start working on linux core tests
69307fba6f Fix issues with GitHub rejecting the requests
7c5177bf43 [#643] Fix UI clearing configs folder at startup
b5bd17d4da Merge pull request #641 from bunkerity/dev
ad65e01a87 Update CHANGELOG.md
1259fb67d9 Merge pull request #634 from bunkerity/dependabot/github_actions/dev/docker/setup-buildx-action-3
b9e752f12f Merge pull request #636 from bunkerity/dependabot/github_actions/dev/docker/login-action-3
278eb0c8a4 Merge pull request #635 from bunkerity/dependabot/github_actions/dev/docker/build-push-action-5
dec97c8c3b Merge pull request #637 from bunkerity/dependabot/github_actions/dev/docker/metadata-action-5
9222420b7a [#640] Fix shenanigans when executing docker compose restart
07fb7cf164 [#638] When renaming a service in the UI, migrate the custom configurations as well
f83b2278d0 Fix versions conflict between greenlet and gevent with UI
e51e178357 Update python deps
3c95971e3e Fix CVE CVE-2023-4863
bb7ef35aeb Merge commit '35d13d7a097dd094cdbe993f18f29de0b08f1f2b' into dev
35d13d7a09 Squashed 'src/deps/src/zlib/' changes from 04f42ceca..09155eaa2
d962538784 Merge commit '4430cf47ddc1f3647b3bc129f46fed2d7a145f8c' into dev
4430cf47dd Squashed 'src/deps/src/luasec/' changes from fddde111f..4c0628705
37a2343e24 Merge commit 'd8ee65aa70e9737330c8a83301fd66c7dc8a8d7a' into dev
d8ee65aa70 Squashed 'src/deps/src/lua-resty-session/' changes from 8b5f8752f..5f2aed616
6752b36471 Merge commit 'd7bde18da2a8a81f2d5f256bc975b1fb5b546107' into dev
d7bde18da2 Squashed 'src/deps/src/lua-ffi-zlib/' changes from 1fb69ca50..61e95cb43
af902fc4ec Merge commit 'e0a89a2fcd1d0dd4cc103fc054242e8e8b10b7bf' into dev
e0a89a2fcd Squashed 'src/deps/src/modsecurity/' changes from 205dac0e8..ccc2d9b53
5ec7eb53a1 Squashed 'src/deps/src/luajit/' changes from 04f33ff0..e598aeb7
26d3d6c6ce Merge commit '5ec7eb53a1fa30beb59d3358f16716483787b02e' into dev
0aaede4d61 Update core deps
955c7e0630 deps/gha: bump docker/metadata-action from 4 to 5
8ea823e061 deps/gha: bump docker/login-action from 2 to 3
a6efa52051 deps/gha: bump docker/build-push-action from 4 to 5
a6b30f6a6b deps/gha: bump docker/setup-buildx-action from 2 to 3
1144a73813 make logs optional in issues, change assignee for dependabot and edit sitemap URL of the doc
c364e46663 ci/cd - disable redirect when pushing doc
d4f38cc795 ci/cd - fix error when parsing ARM types
b6d49865b7 ci/cd - get ARM type availability
d0a8cc3818 ci/cd - use volume id instead of index for arm instance
30c952e9e4 ci/cd - set boot volume for arm instance
2382fdd377 ci/cd - start arm server after creation
05ecf558cb ci/cd - use latest scw cli version
2b7ce389b7 ci/cd - reflect changes on release tf from refactoring
d5d7364b1c Merge pull request #632 from bunkerity/dev
3adbd8757e [#628] Fix scheduler generating the wrong configuration with Linux
fd79508633 Merge pull request #631 from bunkerity/dev
3ae9636d5a Fix error with the CSP header override of the antibot
f993499007 Merge pull request #630 from bunkerity/dev
ea6ae52539 Update ANTIBOT_HCAPTCHA_SECRET setting's regex to support new format
5811dc549c Merge pull request #629 from bunkerity/dev
6404b701c0 Update changelog
2b5654ba3b Update coreruleset to version 3.3.5
c948e449a0 [#622] Handle configs dir more nicely in Linux
fb5a8dc4fb [#622] Fix permissions with folders in linux integrations
5f19b3fdab Merge pull request #627 from bunkerity/dev
2fce08b727 Upgrade issue templates
2ed6584dd7 Update python deps hashes
d6a14b6716 Merge pull request #626 from bunkerity/dev
b3c398cb56 Remove jinja2 from requirements.txt as it creates conflicts
6334a3d638 Merge pull request #623 from bunkerity/dev
8ab4ea2e26 Update id of ui.conf rules to avoid conflicts
11664cc1d8 Fix wrong variable name in limit core tests
9535c04142 Fix shinanigans with both multiple and global settings not being stored correctly in datastore
8cafded894 Fix variables that are both multiple and multisite not being stored properly in datastore
c6b2199dd3 prepare for 1.5.2 🚀
c418acdcfa Update CHANGELOG.md
9d0d72ba02 [#576] Add support for ModSecurity JSON LogFormat
cbc6259386 Update mmdb files
f57fc5d3f6 Fix menu.html dark_mode attribute in UI
c7e834a0dc Update python deps
673ee921f6 Lint files
9fb8dfca45 Fix Scheduler running two times for no reason
4787400d74 [#615] Fix BunkerWeb not being able to start after a restart because of the /var/run/bunkerweb directory missing in Linux
f59476c26d Merge pull request #621 from bunkerity/dev
4be53d0cbe Merge pull request #620 from bunkerity/ui
55ba29cd54 Fix UI error when values are empty
947690af8f Fix UI workflow
5cdf0ecf44 Merge pull request #619 from bunkerity/ui
d1dd1fbae7 Fix shinanigans with the /data volume in the doc
1b84c62024 [#613] Fix logs with web-ui and Linux
a2e0f1fe66 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
639eed8d05 Deactivate BunkerNet on first start with linux
500c3564a2 ci/cd - perform staging tests again
448efc0ef0 Merge branch 'staging' into dev
1b660691d5 ci/cd - fix typos for docker/packages pushes
e62b7c9d19 Remove unused js files in web-ui
b87316d7c4 Merge pull request #617 from bunkerity/ui
4cff39f490 Merge pull request #616 from bunkerity/dev
bceb286026 Lint files
d9d6ed9bb0 Fix settings regex with web-ui
01be5baea5 Merge pull request #611 from bunkerity/dev
059afec430 Update rhel docker image
e564d84079 Merge pull request #610 from bunkerity/dev
2c15b37461 Fix rhel typos "el" instead of "rhel"
6f26c42c89 Merge pull request #609 from bunkerity/dev
c5059ab220 Update doc to include TLS as well as HTTPS in some sections
a7a317b5bf Merge pull request #487 from bunkerity/dependabot/github_actions/dev/scaleway/action-scw-c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
0681cf2c9b Update actions/checkout to v4
3a02c0ca5c Add more delays in badbehavior core test
040d447145 Change SQLite config to avoid locking
07725356b6 Merge branch 'staging' into dev
6a995723c0 autoconf - fix changes check bug with same variable name
47bf7299a1 Lint py files
656c5008de scheduler - ignore changes on first loop
c206daf9dd add basic config lock between autoconf and scheduler + remove reverse-proxy tests for linux
cf55ade15d ci/cd - various fixes for k8s tests
d28432e5f2 Fix API_SERVER_NAME regex
b5638aae19 ci/cd - move k8s login in staging-tests job
4450762b8c ci/cd - fix image name in k8s tests
6e1660cd00 autoconf - fix wrong config update
cb4c99f456 ci/cd - fix docker tag command for linux tests
64d2ed91ec ci/cd - fix secret key
0e2420cfff ci/cd - add timeout for cleanup jobs
fa165522e5 ci/cd - use same md for openssl commands
b036803884 ci/cd - remove double untar for k8s tests
bae27806b2 ci/cd - fix tf state upload/download again
11794da8c4 ci/cd - fix tf artefact command
c52e54b812 ci/cd - fix tf files again
e5c37a00ac ci/cd - fix k8s tf
9a3c26bf65 Merge branch 'dev' into staging
56422bca46 Update python deps regex for UI
ee47407dfe Merge pull request #606 from bunkerity/dev
936b1e88f0 Remove old CVE fixes for nginx image
f9f5b6570d Remove old CVE fixes for python images
8e8e042c25 Testing CVE on bw
1676ebeb7e Test CVE on autoconf
637573e591 Update docker images and python deps
c3a4847de5 Update startup and temp env in bash files
3db7904d41 ci/cd - fix wrong image tag for Linux test images
037e1ba566 docs - add ghcr.io
d6aa6a9b09 ci/cd - staging improvements
9aba006738 Fix oddities with the scheduler and the Database
f7d9af9d69 Fix potential infinite loop when waiting for a configuration from the autoconf
95c796c1ee ci/cd - delete temp compose downgrade
423e3b4a39 ci/cd - log to ghcr before getting tests containers
511597b7e0 ci/cd - fix tests image names
bb77dcedf5 ci/cd - edit username for ghcr auth
3d0f17808c ci/cd - add dummy username for ghcr auth
5a9836fec5 ci/cd - fix nested permissions
e1edfe4a7f ci/cd - fix missing permissions in wf
e81ab4ff9b Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
87b4053402 ci/cd - use gh cache for docker cache and pushes to ghcr.io
45a81203ed Update python deps
9feb66710b autoconf - force updating first configuration
3d13cf345e autoconf - only update data when needed and atomic changed metadata update
00cb6c1a8b tests - fix regex for geckodriver version
898ee7ec87 tests - tweak dpkg before installing BW
643b30f993 tests - ignore wrong testing version in deb packages
69e944d56a Revert "Fix LinuxTest package installation commands"
2b7f627d86 Merge pull request #602 from bunkerity/dev
82fb7b277d Fix LinuxTest package installation commands
1042e546b6 Merge pull request #601 from bunkerity/dev
6d1d464e16 Remove tries limit in wget commands (defaulting to 20 tries)
b5de52ead9 Add more retries when testing the newly created service in ui tests
2675227499 Merge pull request #599 from bunkerity/dev
4f82856b48 Update staging-create-infra to use a static version for monolithprojects.github_actions_runner == 1.18.1
d670b409bf Merge pull request #486 from bunkerity/dependabot/github_actions/dev/docker/build-push-action-4
0b93916a37 Merge branch 'dev' into dependabot/github_actions/dev/docker/build-push-action-4
76408cf04d Merge pull request #598 from bunkerity/dev
f7cd7d9daf Add dependency on tests-ui to not fail to push the testing image
8632dd3244 Fix exit code for ui tests
fbf0232d52 Update python deps
5b6f00dfc6 Revert "Remove unused imports in ui tests"
681def5f02 Remove unused imports in ui tests
a844b235b9 Remove geckodriver.log
73e31ca625 Add wget to fix error with tests
d82136f040 Fix UI tests not exiting if container fails to start
55fd177901 Fix wget command when downloading the geckodriver sometimes fails
d8c95869e8 Fix database with multisite variables
f24802b211 ci/cd - perform staging tests again
758fc13c3d ci/cd - replace version string for testing release
cd825cd341 ci/cd - fix wrong VERSION path for testing release
c03b1bb20b ci/cd - update VERSION file for testing release
a5e50d0f74 ci/cd - fix linux package name for staging
1a57e0a202 ci/cd - remove linux arm64 packages pushes
de568f335f ci/cd - temp disable staging tests
244b912476 ci/cd - fix syntax error in push-github wf
08ce31bb0f ci/cd - prepare for testing releases
7f47ac18c0 Fix plugins errors when reloading with a select and upgrade check
b6b87fcb03 Update python deps
8bada2a02d Update update-version script and bw version in after-remove scripts
b8778de08b use nightly tag for docker-socket-proxy
b42b732d74 Merge branch 'staging' into dev
fc1c81ce20 linux - add python3 dev dependency when building packages
76d36f3b91 v1.5.1 release
63355bb887 tests - increase radarr delay (again)
0ecf478761 Merge pull request #592 from bunkerity/staging
59dfb728ff Fix DNS_RESOLVERS regex to be more open
47c560dd30 Merge pull request #591 from bunkerity/dev
ff1e6cc28c k8s - use same namespace as ingress for services
81c2c3187c Fix config synchronization in scheduler + Remove MULTISITE variables being fetched when MULTISITE is set to no
7f3f3ac7e3 Add delay to radarr automatic tests
58d69ec20c Merge pull request #590 from bunkerity/dev
012bc3b43d Merge pull request #589 from bunkerity/staging
600ea7e168 Update python deps
18ee159711 lint python files
eee26b5d72 tests - add delay for reverse-proxy-singlesite
c00157ef32 fix wrong instances when using docker mode and add delay to docker-configs tests
6047a43358 set default value for ports in bw entrypoint, fix core db tests and fix missing PYTHONPATH for certbot job
ee2aeda13a tests - add static delay for linux tests and fix core db tests
bb6fd30739 linux - force kill nginx if graceful one doesn't work
6e6c08a716 ui - various edits
5df2a74caf improved LE certificates checks and fix missing full SERVER_NAME when MULTISITE=no
843c023707 tests - fix wrong command in linux tests
8f7833413b linux - fix letsencryt not working and fix permissions on /etc/bunkerweb/configs for tests
0ccd757817 linux - add missing pip to rhel
adbed77f74 linux - install pip the official way
ef7a6ac421 linux - fix fedora dockerfile
31ca183b1e Merge branch 'dev' into staging
a763879c1d doc - update settings
03ba91e968 autoconf - fix deadlock with k8s
38ab5ea21a redirect - custom status code
ee5397df55 bw - add HTTP and HTTPS port to temp config
9efd7a5a5f sessions - fix infinite loop when session checks fail
784ce643f0 db - disable connection pooling for one shot tasks
f3081e3c34 scheduler - fix parent setter call
26a1ef6898 Update mmdb files
e2fe947cb4 ci/cd - fix tests UI not showing logs
bf9cd367d0 fix missing Strict-Transport-Policy header, fix X-Forwarded-Prefix with regex URLs and print logs when UI tests failed
26f2852e54 scheduler - fix typo in fstring
e93b2f65ff cache dev container images, fix CVE-2023-35945 and force scheduler to reload when instances change
f3ba16be9d add instances changes check to scheduler and auto push dev container images
d9394567ef add missing ctx arg in core plugins, always add X-Forwarded-Prefix header and add doc about timezone in containers
d59b305f1e fix concepts image in doc, revert clientcache update and refactor headers
ad45bbb4d7 Update python deps and fix error with PyYAML compilation
db03aa9c79 Merge pull request #565 from bunkerity/dev
bb14be8202 Update python deps updater
bedcf0c17c Fix bug with newer version of PyYAML by downgrading
68e9b057d4 Merge pull request #564 from bunkerity/dev
810340a493 [#559] Fix typos for custom-cert's settings in docs and examples
a4db7c2942 Fix CVE CVE-2023-2975
758901dfc3 Fix CVE CVE-2023-2975
9216becb56 Update python deps
db413cc032 Merge pull request #555 from bunkerity/dev
a4f4dfe4e6 remove unused imports in save_config.py
0d554a5f5d Update SERVER_NAME regex to be more open
c11b44285b Merge pull request #554 from bunkerity/dev
25af02e4a4 FIx prevent the `DATABASE_URI` setting from being saved inside the database
9eec9e26c9 [#552] Fix scheduler not changing databases on linux
845364b2b6 Update log paths for linux based integrations
3dac0aef0e tests - temp fix for compose network errors
08f9e5f20a Fix bad behavior core tests by adding a custom subnet to the bw-docker network
fccb25bee6 Add automatic bw-docker network removal between each try
d6407b8186 Fix db core tests by making the network bw-docker entirely external
1cf281ef83 Update core tests to be even more verbose
3a714b9a3f Update core tests to be more verbose
864619542c Fix core db tests (again)
be46f7a8d8 Optimize db core tests
559039dfd1 Lint .conf files that contains lua code + remove useless comments
aa0769dde7 Merge pull request #549 from bunkerity/dev
ae6ccfcffc Apply patch to luajit-geoip
ed234fd63f Apply post_install script to lua-resty-openssl
09ae6da557 Apply patch to lua-resty-ipmatcher
b516ca2ea2 Apply patch to lua-ffi-zlib
1e7f92af80 Apply patches to Modsecurity-nginx
008dc09a60 Stop checking return code of post_install scripts in init_deps.sh
fcd230192f Fix init_deps.sh
f3809bc698 Add -R to pull commands in init_deps.sh
96586d4a68 Apply post_install script to Modsecurity
a75b90f525 Squashed 'src/deps/src/modsecurity/' changes from bbccedbdd..205dac0e8
948182ffd4 Merge commit 'a75b90f525b90bd74c090702034e02fdd6250e0e' into dev
544b4040e0 Add post_install scripts to init_deps.sh and update install.sh
6e146e2a54 Squashed 'src/deps/src/modsecurity/' changes from 205dac0e8..bbccedbdd
847ff5a3da Merge commit '6e146e2a54cb29eb0ac1bc9d65766fe90d30fa4f' into dev
bbccedbdd5 Change tags into hashes in deps.json
14d69fa594 Update mmdb files
d5e358b72c Merge pull request #548 from bunkerity/dev
e0055328af Fix add missing deps for core db tests
c93d5a2fcd Fix CVE CVE-2023-3316
5631e27378 Merge pull request #547 from bunkerity/subtrees
3505c0d18f Remove clone.sh file
7b566b885e Squashed 'src/deps/src/zlib/' content from commit 04f42ceca
ffd3100317 Merge commit '7b566b885e99301b243c5f61360e65238035e048' as 'src/deps/src/zlib'
45dca7b445 Merge commit '2ab324a69f219b4051b2e77d211ee1a7fb1462b5' as 'src/deps/src/stream-lua-nginx-module'
2ab324a69f Squashed 'src/deps/src/stream-lua-nginx-module/' content from commit 309198abf
f85f86e46c Merge commit 'c1073460677ba8aa2e325a1c57c3db1458f9fde5' as 'src/deps/src/luasocket'
c107346067 Squashed 'src/deps/src/luasocket/' content from commit 95b7efa9d
a7d4cc5bba Squashed 'src/deps/src/luasec/' content from commit fddde111f
bd600e0d0c Merge commit 'a7d4cc5bbaabf8683b3b5cc1f42f9bd145cf1aa8' as 'src/deps/src/luasec'
d156626938 Merge commit '2d86912af87048b94c2921a60b3a8a5a0953e132' as 'src/deps/src/lualogging'
2d86912af8 Squashed 'src/deps/src/lualogging/' content from commit 465c99478
1fb404757d Merge commit 'f3ceeb73a958e774b1e2fa55d2607cdd3eb419ca' as 'src/deps/src/luajit-geoip'
f3ceeb73a9 Squashed 'src/deps/src/luajit-geoip/' content from commit fde33e045
f81788c00c Merge commit '2678b91586e9183b47327fbb0f11ad23020f195f' as 'src/deps/src/lua-resty-upload'
2678b91586 Squashed 'src/deps/src/lua-resty-upload/' content from commit 03704aee4
2d06f2d7ab Merge commit 'bc06cd71b8896c6e7a1aac4610c9c3f878956238' as 'src/deps/src/lua-resty-template'
bc06cd71b8 Squashed 'src/deps/src/lua-resty-template/' content from commit c08c6bc9e
a6379356ea Merge commit '3038a0b027f09090e1cd8f101d2ee8c52c383070' as 'src/deps/src/lua-resty-string'
3038a0b027 Squashed 'src/deps/src/lua-resty-string/' content from commit b192878f6
fdf0050a91 Merge commit 'ee5198ba2810e33e08ff987ede5abe10fc74f6e3' as 'src/deps/src/lua-resty-signal'
ee5198ba28 Squashed 'src/deps/src/lua-resty-signal/' content from commit d07163e8c
a3cd342f3e Squashed 'src/deps/src/lua-resty-session/' content from commit 8b5f8752f
6f8ff3f12e Merge commit 'a3cd342f3e1fffd7b16b83a24e03bb9ed501b319' as 'src/deps/src/lua-resty-session'
2f1cde0978 Merge commit 'eca8662cfe981f66ab92b53bbf83af65da02b2b7' as 'src/deps/src/lua-resty-redis'
eca8662cfe Squashed 'src/deps/src/lua-resty-redis/' content from commit d7c25f1b3
0b94df0879 Merge commit 'e59161ec204c7a95e4751b1c0e9a6bead7fcab39' as 'src/deps/src/lua-resty-random'
e59161ec20 Squashed 'src/deps/src/lua-resty-random/' content from commit 17b604f7f
a280059882 Squashed 'src/deps/src/lua-resty-openssl/' content from commit b23c072a4
38fdd39d00 Merge commit 'a2800598825bb5a03b577cca2874ff1cfae863f4' as 'src/deps/src/lua-resty-openssl'
c2fa53ca17 Merge commit '31bf774f63b8b46a3c7b53028853036fff6fa0b8' as 'src/deps/src/lua-resty-mlcache'
31bf774f63 Squashed 'src/deps/src/lua-resty-mlcache/' content from commit f140f5666
7b2273aeb8 Merge commit 'c82b0bdd27762d2d4a9901a187506d2e5abd74f5' as 'src/deps/src/lua-resty-lrucache'
c82b0bdd27 Squashed 'src/deps/src/lua-resty-lrucache/' content from commit a79615ec9
3dc8cc87ca Merge commit '746a6e16d027ab3bddfc610c987e5d61ab9b69d0' as 'src/deps/src/lua-resty-lock'
746a6e16d0 Squashed 'src/deps/src/lua-resty-lock/' content from commit 9dc550e56
62e740a0bb Merge commit '19515d9b26f2f4886ca117b91384509087f0ff3a' as 'src/deps/src/lua-resty-ipmatcher'
19515d9b26 Squashed 'src/deps/src/lua-resty-ipmatcher/' content from commit 7fbb618f7
e566b98afc Merge commit '7160fd94e3dc22299ee3c9f8b0e71a5e2c1bb501' as 'src/deps/src/lua-resty-http'
7160fd94e3 Squashed 'src/deps/src/lua-resty-http/' content from commit 4ab4269cf
cdd42bf250 Merge commit '1a7d4e58be28238599df3f5c15c56380c3e99732' as 'src/deps/src/lua-resty-env'
1a7d4e58be Squashed 'src/deps/src/lua-resty-env/' content from commit adb294def
49db9c24d6 Merge commit '0f4a0cb0ef514bee6b810f6d6cf982c5ef0abfca' as 'src/deps/src/lua-resty-dns'
0f4a0cb0ef Squashed 'src/deps/src/lua-resty-dns/' content from commit 869d2fbb0
fe76b6830a Merge commit 'fd02afef8ec1ceb8a816dc202d05c6ece9887d31' as 'src/deps/src/lua-resty-core'
fd02afef8e Squashed 'src/deps/src/lua-resty-core/' content from commit 31fae862a
29d135bdbc Merge commit '36023392a6e3c8fb6aebb46140db759e61da220e' as 'src/deps/src/lua-nginx-module'
36023392a6 Squashed 'src/deps/src/lua-nginx-module/' content from commit c47084b5d
b01aa0b15f Merge commit '32485e2860c2ea31fcef5b575f446c7a3036a550' as 'src/deps/src/lua-gd'
32485e2860 Squashed 'src/deps/src/lua-gd/' content from commit 2ce8e478a
c46cd666ab Squashed 'src/deps/src/lua-ffi-zlib/' content from commit 1fb69ca50
909841ea63 Merge commit 'c46cd666ab76bad7bd05c6261d692cda5b380f32' as 'src/deps/src/lua-ffi-zlib'
47ee3884fb Merge commit '4f9b885a2e8b7a10653653fee3bb91cf5102b0ef' as 'src/deps/src/lua-cjson'
4f9b885a2e Squashed 'src/deps/src/lua-cjson/' content from commit 881accc8f
bb450ac965 Squashed 'src/deps/src/libmaxminddb/' content from commit ac4d0d248
e13868c63b Merge commit 'bb450ac96595432625ac34de8f7f42b3d06a5b30' as 'src/deps/src/libmaxminddb'
772e05d372 Merge commit '4a7228d2dcb7fe62526016b90a7c497fb6531e76' as 'src/deps/src/libinjection'
4a7228d2dc Squashed 'src/deps/src/libinjection/' content from commit 49904c42a
209d4a461b Merge commit 'ae8d8b233d52cbfdee68bd3ba21713149f5659c8' as 'src/deps/src/lbase64'
ae8d8b233d Squashed 'src/deps/src/lbase64/' content from commit c261320ed
9927106501 Merge commit '1d1739b4eaa274c25c52b8ceb79ebdc717633ec0' as 'src/deps/src/headers-more-nginx-module'
1d1739b4ea Squashed 'src/deps/src/headers-more-nginx-module/' content from commit bea1be3bb
e43880b083 Squashed 'src/deps/src/ngx_devel_kit/' content from commit b4642d6ca
a09d5eb2cb Merge commit 'e43880b08395df25663560da3d8154226a167a77' as 'src/deps/src/ngx_devel_kit'
8973eb0290 Merge commit '26773844e7bd57df1216bd74360a62ec2dc976e3' as 'src/deps/src/nginx_cookie_flag_module'
26773844e7 Squashed 'src/deps/src/nginx_cookie_flag_module/' content from commit 4e48acf13
79d1b44594 Merge commit '22e69251d9b5cd2611abf77ef7352abfa4d409d7' as 'src/deps/src/ngx_brotli'
22e69251d9 Squashed 'src/deps/src/ngx_brotli/' content from commit 6e975bcb0
4cd57ab8f2 Merge commit 'b99663928782619ef854b4bf10a2bf7450d75266' as 'src/deps/src/nginx'
b996639287 Squashed 'src/deps/src/nginx/' content from commit 84cd72177
d7f25398aa Merge commit 'a676d333fda890838d8fc4766720cc3f1d4c5389' as 'src/deps/src/modsecurity-nginx'
a676d333fd Squashed 'src/deps/src/modsecurity-nginx/' content from commit d59e4ad12
7e8f4adc3b Squashed 'src/deps/src/modsecurity/' content from commit 205dac0e8
999fb6b8ed Merge commit '7e8f4adc3b2b2a655640c73198fb920a5e8441d5' as 'src/deps/src/modsecurity'
6c0468f62b Squashed 'src/deps/src/luajit/' content from commit 04f33ff0
6d05b14eb5 Merge commit '6c0468f62b1120497a6fd0d21101dc41f29e7397' as 'src/deps/src/luajit'
1141afd203 Fix install.sh for nginx dynamic modules
97406bff4d Add libinjection deps back
a58ad9b506 Remove duplicate lua-ffi-zlib in deps
831ae129c4 Make init_deps.sh executable
451648fa71 Remove old deps temporarily except lua
185d75076b Update how the deps are initialized
6a048e68fc Update how the deps are managed
129e8f7e01 Merge pull request #546 from bunkerity/dev
265123835f Update python deps
b0bc9a1bf4 Update the documentation
2f7ed064fc docs - Fix typo in webhook link in plugins.md
7d6116163c Merge pull request #544 from bunkerity/dev
deed39a1fb Update lua-resty-openssl to version 0.8.23
dd295729bb Add deps project submodules
b27f38349b Update lua-resty-session to version 4.0.4 and remove lua-pack deps as it's no longer needed
aeca252d9d Bump lua-resty-core version to 0.1.27 and lua-nginx-module version to 0.10.25
1ec21261c4 Revert "Init work with submodules"
718a9305d8 Revert "Fix .gitmodules file"
a253f4a59c Revert "Remove old folders that are now submodules"
2e1e9a08cb Revert "Initialize submodules"
e2f1aba3cc Revert "Add other projects to submodules"
d9a98c6fa9 Revert "Update commit SHA for submodule libinjection"
5ed3ba1d50 Revert "Fix path resolution for modules and remove nginx submodule"
b529d85255 Revert "Update checkout part of workflow to include submodules"
43783edb9d Revert "Add nginx as a submodule"
8417ed1324 Add nginx as a submodule
ded0ec66de Merge pull request #542 from bunkerity/dev
6cbbd0d562 Update timeout for wordpress tests to 120 seconds
d687b228e2 Fix PERMISSIONS_POLICY authorizing self and links to be aside without spaces
bcc9fdef90 [#533] Fix SERVER_NAME regex to limit domains' size individually instead of the whole setting's value
524a140d24 [#534] [#504] Update ALLOWED_METHODS regex to accept more methods
a197e20d26 [#531] Fix typo in documentation about SSL
252a5831bf Merge pull request #541 from bunkerity/dev
07ed136afa Update setup-kubernetes of wordpress example
2eb73d15a1 Merge pull request #537 from bunkerity/dev
30fec8a142 Remove python submodule, will add it back in the next major
4b4e0f8b3b Update checkout part of workflow to include submodules
c2cfd4dd9f Remove checkout from dev.yml
642da402bc Fix dev workflow
4bb6d40a53 Update dev workflow to checkout the code and submodules first
3bcdd9ca24 Merge pull request #536 from bunkerity/submodules
28d59221b4 Fix path resolution for modules and remove nginx submodule
c8e25bcde0 Update commit SHA for submodule libinjection
e1a5782a3e Update how the dependencies are being cleaned up
68bea47edd Add other projects to submodules
2cd5c7f451 Initialize submodules
d7d3e24297 Remove old folders that are now submodules
a747278910 Fix .gitmodules file
b5fffc1f38 Init work with submodules
8c4c99e65d Merge pull request #530 from bunkerity/dev
ddc337394d Update log location for nginx and letsencrypt
1c362d0783 Remove the deletion of let's encrypt lib and log folders after the job is finished
95c9bad8e3 Remove unused enums in database model
7a972274f1 Add database schema to concepts.md in the docs
5614995364 Revert "Update README.md links to use local branch files"
4536e328e1 Update README.md links to use local branch files
89070cfb7d Merge pull request #529 from bunkerity/ui
d6942a46e7 Update where the scheduler copies its config
8a98da898b Merge pull request #528 from bunkerity/ui
26f831cb4d Merge branch 'dev' into ui
81f3914fc8 Merge pull request #527 from bunkerity/dev
162198bb93 Update db core tests to ignore the added value for env custom configs
7a524b43e6 Revert back to 30 seconds of sleep in tests ui after creating a custom config
b007916d6f Optimize the scheduler and gen even more (we love threads)
0661916ffc Update ui tests to wait more after creating a custom config
2105dc0f32 Update core db tests to use the right hash for plugins_page files
8231198219 Fix rare error when hashing dictionaries in the scheduler
1e62626ac0 Fix KeyError in scheduler
57eaedd8e9 Merge pull request #526 from bunkerity/dev
4d984f6237 Update CHANGELOG
d0fd6884ce Fix shinanigans with the custom configs and plugins jobs
8e6de2bdf2 Augment authelia timeout
3565dd7b37 Update CHANGELOG.md
145df1df4f Merge pull request #525 from bunkerity/dev
df1359e877 Add possibility to download lists and plugins from a file path + Update python deps + Plugins now support tar and tar.gz as well
b756b2d7d0 Lint py files
f57b6dad13 fix cursor gap on ace editor
91c33f1d43 Merge branch 'dev' into ui
ed2a54d166 Merge pull request #524 from bunkerity/dev
3e871efed8 Update python deps
d27edab351 Merge pull request #523 from bunkerity/dev
9982ec36d4 Remove useless import
80033642ce Add reverse proxy headers back
0836d4ee9f Merge pull request #522 from bunkerity/dev
2a2b7b6f5e Merge pull request #521 from bunkerity/staging
78236abe83 Check Aqua Security
c5ff63a40c Fix CVE CVE-2023-3138
78ef5c4827 Fix problems when creating custom configs or plugins and removing them completely
2c190ee969 add writeable /var/run/bunkerweb directory to hardened example
94867d0d63 letsencrypt - use same job name when retrieving data from db
9e00b9dd13 letsencrypt - use same job_name for both new and renew jobs
9adb209a81 lua - fix missing multisite variables in LRU
fdd3367a65 Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
dcf1561358 prepare for 1.5.1 🚀
4023e6dc69 road to v1.5.1
af9e125c86 linux - merge change for debian packager
ab6025ec91 linux - fix missing zope modules
7e221eb890 debian working
f1435f2312 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
b14dba7752 bw - fix multiple variables not loaded in LUA
81bb9ede14 Removing python 3.11 from linux
7e66c577f8 Removing python 3.11 in linux
236572f581 ui - remove python 3.11 import for Linux integrations
73060e42a1 Fix limit core tests
df0c03cef1 Fix UI wrong import
5d7ef69c9d Update limit core tests to avoid false negative
855ae89363 Update limit core tests to avoid false positive
16a1916dbb Remove useless imports in lua code + lint
605e237fd5 Remove 404 from Bad behavior status codes
fc8d76f33d Rollback on hcaptcha passive feature
c08e8d151a Update settings.md
44097cad09 Move the COEP, COOP and CORP headers to Cors plugin and change default values
3446e5f9b1 Upgrade antibot to add a custom CSP on each pages + update plugins order
70f227feb3 Fix error with multisite variables when requesting default server
f81b0bb4da Fix multisite variables not being added in helpers
9786975004 Fix has_variable method of utils
5b0b183a4d Remove no longer needed decode for plugin order from datastore
a2759e3771 Add small tweaks on the datastore
b6d8792575 Fix how we fetch plugins_order in the default server
94964a910a Update how we handle custom configs
6a1ff499c1 Fix Lets'encrypt plugin api and internal API
179a7aa34a Fix lua sessions with antibot
a1385fe9b3 fix ctx usage in reverse proxy + remove useless log in limit
23f9f14a46 Remove old CVEs fixes from Dockerfile
f77150bc26 Test Aqua Security CVEs
ec48e66011 Fix return value when no plugins have been found in api.lua
6ab48d9dd2 Update python image to tag 3.11.4-alpine
ce24a0482a apply changes to current core
02d9403937 perf - ctx caching and per worker LRU for readonly variables
a7069bd605 Update UI to stop using env variables but werkzeug middleware + Send X-Forwarded-Prefix headers to UI service
c39dd78aec Update cors plugin tests
3b459b0e20 Fix shinanigans with API (again)
718310312a Fix shinanigans with the API
5deeacc3d4 Fix letsencrypt jobs
c18f743d44 Fix PosixPath in jobs
85a53278e1 Add a charset to cors Content-Type header
e01c14f11f Add Cross-Origin-*-Policy headers management and default values
0b3c1a8a04 Update KEEP_UPSTREAM_HEADERS setting's default value
95f673c1d4 Update doc about headers
cee7672b55 Update settings.md in the doc
d5ea95da92 Increase load-balancer example test timeout
39e6821a4c Lint lua code
64aa12b70b Update python deps
c392a0b5f0 Update mmdb files
f93dd34f67 Extend KEEP_UPSTREAM_HEADERS setting to clientcache and reverseproxy core plugins
a23d189d3d Merge pull request #516 from bunkerity/dev
df47ba0e98 Merge pull request #515 from bunkerity/dev
0ca7de1de1 Add CVEs fixes back
84fcfb726d Test Aqua Security 2
c20bd05d35 Test Aqua Security
c85a4183d8 Fix Strict-Transport-Security not being sent
654172f436 Update headers core plugin lua code
afe6da4cf5 Automatically add Content-Security-Policy header to response headers in the UI
5c7cd38b51 Edit headers core plugins to use lua Code + Add new setting KEEP_UPSTREAM_HEADERS
299a0b5c25 Remove apk update at beginning of each Dockerfile
6cc20efe72 Update bad behavior test BAD_BEHAVIOR_COUNT_TIME to 30 seconds
e2a3bfb106 Bad behavior core tests change the ban time to 60 seconds
4bbddf7975 Merge pull request #509 from bunkerity/dev
1eeefead95 Core tests sleep between each request
9829ef7525 Update UI to automatically set SCRIPT_NAME and ABSOLUTE_URI
b27958a19c Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
410a64810b core - patch modsec to use access phase instead of preaccess
f7d986d6a5 Change the way linux starts and the scheduler
95d4f0f87c Small tweaks on core jobs
4f324231d2 Fix tmp variables path (again)
dc18f98846 Edit start.sh
3b36965f4a Fix tmp_variables_path in scheduler
ccc051e783 Fix /var/run/bunkerweb in fpm args
8b2517cdf0 Remove ui cache download test - to much unstable
d1138855ee Fix gunicorn config for Docker and Linux
0c8bc97fae Fix UI on Linux not using the right user
a68fb0c06a Refactor to make more sens and avoid specific errors
fff21746a9 Correcting: Dockerfile-ubuntu End of statement block Jinja
3ab4a59b6e Update debian Dockerfiles to avoid updating apt packages only once
760ec3b3b6 Add /var/run/bunkerweb removal script when uninstalling BunkerWeb
be459d240e Update pid files paths to /var/run/bunkerweb
8b697d87d1 Fix Scheduler errors with the internal apis
89a3c8b0b6 Update bunkerweb-ui file according to the new gunicorn usage
5e237d0d03 Update gunicorn to use a config file as well + Fix headers error + Small fixes
a424d59b1b Add apk update at the beginning of each Dockerfile
1d14db7e18 Update custom cert job to not duplicate certs if the cert is global
7efb82a7ee Update python deps
e920cba432 Fix CVE CVE-2023-2650
413b75b046 Fix customcert plugin to accept multisite certs as well
87a9545d9a Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
c533948452 various fixes
aca0d6da48 Small refactor on the ApiCaller and the Scheduler
1bd40a877a Removing vmware support in doc
612333d2ad Merge pull request #508 from bunkerity/dev
474ecbb41e Fix typo in phases list in plugin.lua
5fa21b3c89 Fix CVE CVE-2023-29491
16a459bf75 Lint antibot html files
fd06a1e715 Add Turnstile antibot
d5e64320c4 Fix small typo in misc.lua
4d6d95037a Merge pull request #507 from bunkerity/dev
b60657e21f Merge pull request #506 from gin-gitaxias/patch-3
1f2c973a3b Fix docker-compose file for custom cert job
b314f4349c Update integrations to add LOG_LEVEL=warning env variable to docker proxy
0edfb2db35 Update example to add a LOG_LEVEL=warning to the docker proxy
83413aef2b Remove open ports from core tests docker compose files
334be43462 Fix custom-cert core plugin
953128be6e Update scheduler changes check to reduce CPU usage
bb7dcda48d Refactor paths resolutions for core plugins
1088279524 whitelist - remove unused IPs of duckduckgo crawler
665b110c63 [#504] Fix ALLOWED_METHODS regex
5a2aa20bcd Update plugins.md
168dfc4390 Refactor paths resolutions for UI + optimizations on the plugin upload
6e80c7b8de Fix variable being ignored instead of saved inside the database when the value is empty
8dad7a0b79 Starting work on paths resolution refactor
b5a78c3aaa Test Acqua Security vulns (2)
ed6bee69c7 Test Acqua Security vulns
3dba058b45 Fix custom configs not being cleared out once created
d9b093dab5 Fix plugin example in documentation
162f1d978a Merge pull request #502 from bunkerity/ui
1f2fa95e77 Remove useless line in the head.html file + lint HTML files
1cd3567814 Add multiple plugin upload in one compressed folder support for the UI
29673f9182 fix font
1804936161 Fix CVE CVE-2023-1999
7fe7a997fd Merge pull request #501 from bunkerity/ui
5b75894d40 Fix UI latest version checking & Fix conditions in quick settings for services
1f6b3d59a1 Merge pull request #500 from bunkerity/dev
548630e3e9 Update python deps
aa299f0859 Update plugin update and add to get only the necessary keys
f0126b6d6e Fix update-check job
8585007bcb deps/gha: bump scaleway/action-scw
a7535c300a docs - fix yt preview in readme
340b4a4929 change arm server flavor
e7ea3952b6 ui - add missing dep for docker/x86
a586b5b6be deps/gha: bump docker/build-push-action from 3 to 4
3b7d8b6c11 Merge branch 'staging' into dev
6666a25fcc edit version, update images on docs and fix bug in Linux script
f84af34025 Add error ignoring when using the rmtree function
0b082bdab7 Add handling of stderr being None in the scheduler
1f2b550f60 ci/cd - fix swarm examples and init work on release workflow
d5fcc69694 Merge branch 'dev' into staging
eda275589d Merge pull request #485 from bunkerity/dev
7506768c4a Merge branch 'ui' into dev
be3d40f18a Fix CLIENT_CACHE_CONTROL setting's regex to also work with JS
41059fb282 Merge pull request #484 from Hado-K3n/patch-16
88f85b282c Merge branch 'dev' into patch-16
e5e031b6b7 Merge pull request #483 from Hado-K3n/patch-15
2dbadbd29f Merge pull request #482 from Hado-K3n/patch-14
95c7b54109 Merge pull request #481 from Hado-K3n/patch-13
00739a5ab6 Merge pull request #480 from Hado-K3n/patch-12
a9f4be475e Merge pull request #479 from Hado-K3n/patch-11
f85f736785 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
f1efe06e99 ci/cd - fix /opt/actions-runner perms for self-hosted runners
ad71be4608 login now use local font
dcb800d2b8 Update k8s.postgres.ui.yml
5a7f7f3c67 Update k8s.postgres.yml
e1f60127e2 Update k8s.postgres.ui.yml
7553ffb632 fix client_cache_control regex
9324648f21 Update k8s.mysql.yml
eafe006a6e Update k8s.mysql.ui.yml
62a8ec9758 Update k8s.mysql.ui.yml
dfcaba9ad2 Merge pull request #478 from bunkerity/dev
737b999cde Set CLIENT_CACHE_CONTROL setting's regex
9339af44c9 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
78f7570e16 core - Fix bwcli condition when checking bans
40e30ed441 use shared redis connection pool in cachestore when we can
d6ca98ed15 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
10a4cefd00 update lua-resty-openssl deps and replace nginx -s calls with signals
97723185ba core - Add bwcli tests
ab3b3ea8fd ui-tests - update waiting time after creating a custom conf
5adec84d5a fix redis not contacted in subsequent phases and reflect changes on stream configs
1624c4e766 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
eea6d32cd3 share common objects during the phase and add threading to DNSBL and reverse scan
99f8f69fa5 Merge pull request #477 from bunkerity/ui
9b58b397c9 Fix ui tests (again)
ace88d865d Fix plugins fetching for the UI
69b35636e3 Fix UI tests (once again)
5dfe35b7bc Update how the plugins are being fetched by the UI
b75690fdf0 Change the way python deps are installed
b19ebbe6a8 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
c0c646aae5 Merge pull request #476 from bunkerity/dev
edd6e2ded5 improved session management and add IP/UA checks
c7ca5a822f Fix Database overriding services_settings if a global_value is set
e1883a04be Merge pull request #475 from bunkerity/dev
af19cc226d core - Add redis tests
0087ae5832 Update python deps
8133c134e0 core - Fix db tests by removing "order" key check
f725d0fe63 Update keys name in datastore
05c478e834 Edit COOKIE_FLAGS regex
b5aaf62662 add forward reverse DNS to whitelist, disable redis in cachestore when sockets are not enabled, fix typo in cachestore and improve dns/rdns caching
8a8dd6fb7a db - remove order from plugin model
93c766e564 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
179beea4d7 improved core plugin execution order
1d126e1d0e core - fix cors tests with the preflight request
dbb8840992 core - Update allowed_methods test method to GET
62cb85453a core - Remove cert verification when testing allowed methods in misc tests
04919e8a08 Fix multiple CVEs
b32f318919 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
4962f786ba fix wrong env parsing in init phase, bypass modsec/crs when method is not allowed, refactor ALLOWED_METHODS and improve error page management
10bdf551aa core - Add misc tests
7158e7e9a1 core - Optimize cors tests
3f51f59bcb Add check when plugins are configured + Add Semaphore to accelerate jobs execution + Code optimization
4c4fa44fbc ci/cd - fix core/cors tests
84d43c84d2 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
b58798746d Update mmdb download to check the checksum at start
a9be973d5f use PCRE regex instead of LUA pattern and edit cors doc
4378f18cc8 fix typo in bunkernet.lua, add missing Origin header in cors tests and fix allow origin expected value
7d84e03a15 fix header plugin phase not called for internal request (fixes CORS), fix bunkernet init_worker bug where ngx.ctx.bw is not available, add CORS_DENY_REQUEST setting and edit values for core/cors tests
8386621419 Lint Lua code
36fdec1058 core - fix sessions tests
ab54b18e05 core - fix reverse scan cache retrieval
9c6ca6a860 cors - various improvements
991f7ff8d0 Fix tests core reverse scan wasn't using the image
9c77f77fa7 Fix test core DB
9ee74aef4f Add up back when retrying to up the stack + remove useless print
7bf4c11bc5 When docker up fails in core tests retry one time
82aadfa38c Update core db tests to add the settings.json file and optimizations
2a78d2c057 ci/cd - perform all core tests even if one failed
e3fc55be9f deps - add missing hash for python dep async-timeout
5f668aecaa ci/cd - fix syntax error in test core wf
e5e336c4f3 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
9a2e37984d ci/cd core tests and antibot refactoring
2ac77ee497 Fix deps not being synced
394f5fe4bd Move back to images in the whitelist tests
b06210bdfb Remove unused files in tests core
e6bb9fb55f Add tests for core plugins
29f020f15e Update python deps
051923b6ff fix deprecated external network in compose files, various fixes in the documentation and add ipv6 to doc
2e1296d9ae show useful info in BW logs after startup/reload and reduce container images size
a686562f18 performance - cache empty rdns results
e36c743c70 performance - cache dns responses
75f3d6490a init IPv6 support, add missing healthcheck script in UI and purge local cache on init
a258612e43 add global data on settings filter
bc3ea0ed35 change select method check
ab71c484ea add global condition for disabled state
5c415afa18 various fixes - ttl on /bans api, dnsbl undercover bug, greylist, whitelist and wrong path in realip job
5c50f57f1c Revert "regular inp and multiple global=true are enabled"
9ceaaa8746 regular inp and multiple global=true are enabled
3dde3ac0aa Fix no longer save SERVER_NAME when MULTISITE is set to "no"
c01b493c99 Increase compression level of tar files being saved in the database
4f4a8b5081 Fix default global values being added to database when MULTISITE is set to "no"
4088067186 Add external plugins being updated at the start of the scheduler
402ff16c82 Add "global" key to settings when fetching methods as well
dcdb43cf05 Merge pull request #473 from bunkerity/dev
ca8c56aaa0 Remove unused function in UI src.Config
905946463d Fix scheduler restarting for no reason when having an external database
8a308b1a88 Fix database not providing the right SERVER_NAME setting value
cf26d7aa22 Fix database saving default values to global_values when multisite was set to "no"
8bb6f63fa7 Merge pull request #472 from bunkerity/dev
64789276ac Update python deps
30194f9599 Fix Access-Control-Allow-Credentials not being set to the right value when deactivated
50ee37db0a cors - refactoring
b8d89fe79a Fix customcert plugin
63f4e44c61 Fix CORS when sending an OPTIONS request
ac2e4dd645 Merge branch 'staging' into dev
e14475de4a ci/cd - fix missing version in linux package name
136f68cd3b ci/cd - fix typo in beta wf
d83730cf75 ci/cd - fix linux package name in upload/download steps
ae042854f0 Fix blacklist download jobs where ignore urls were not being downloaded
86053d3dc5 Update RDNS regex in jobs files
b2e26fc8fc Revert "Revert "Update RDNS regex""
48354fb269 Revert "Update RDNS regex"
a544f18e26 Update update-check job to add stars so that the end of line shows
c6f304b371 Update RDNS regex
14ca85cdb6 ci/cd - fix package.sh name in linux build wf
dc1cb6a6fa ci/cd - fix scp command in linux build wf
73acbe0852 ci/cd - fix typo in linux build wf
45c90527c4 ci/cd - fix linux package generation when arch is ARM
f4590749d7 linux - fix arch in rhel package image
141f5a1d5b ci/cd - fix typo in beta wf (again)
6e82fde8a1 ci/cd - fix typo in beta wf
00ba46ebf0 prepare for 1.5.0-beta update
9a1c09c564 Merge branch 'staging' into beta
df787c75dc linux - add pcre dep to fedora package
93e567bb65 linux - fix fedora deps name and add architecture to fpm config
8b6d788c2e ci/cd - fix bitnami chart values
541b646980 increase drupal delay time for tests, fix tmp dir not created for realip-download job and fix has_*_variable check when multisite is yes
59324526cf speedup build process for python deps and fix default env value for autoconf/k8s
a58e5c60c0 deps - upgrade python dependencies
27b1dddb0d linux - pin pip version
fd056102d4 fix centos repo command in rhel dockerfiles and fix delete infras order for staging wf
fb03733433 ci/cd - use single quote in linux build wf
43cbc79c75 ci/cd - move ARM_* to secrets in linux build wf
7592e5a84f ci/cd - fix typo in staging.yml
39ace81755 fix load-balancer example and add server_name to cache keys when required
48d7e72e54 Merge branch 'dev' into ui
66921b0075 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
819ad60a48 fix hcaptcha antibot and refactor ci/cd for staging
20913808c5 Add .mypy_cache to .gitignore file
a086ff6909 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
a286e7bd32 fix wrong container in autoconf/k8s, init work on linux arm and ci/cd refactoring
5a233ff908 Fix Database model types
18b3d7148a Update db model to use SmallIntegers
b36cd924fa Add `bw_` prefix to database table names
63ce1afcdd Handle errors more gently when API requests fails
d4934cfee5 Remove test-ui service in the main docker compose file as it's been extracted
500d58e508 Separate the compose file back
21dc67b68d Update test.sh for ui-tests an the compose file
75d2be7db7 Update tests-ui to fix them
041b7f71e5 Update ui-tests to make a valid password
1245b8b01c Update regex in ui + Add regex module to requirements
913e9a2c2a Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
97dc6540eb ci/cd - fix typo in dev wf
b75ba601b5 Merge branch 'staging' into dev
573fe8fee2 Change UI admin password check to a regex
51514df570 Remove not needed file in linux scripts
9ff64426b7 Fix ui tests with the external plugins
74fe9d5c16 Lint jobs py files
97b362bb17 Fix let's encrypt error when deactivated
964d318939 Fix wrong attribute value when checking for external plugins
914686e78e Fix often occurring bug when testing the web UI
58db1352fa Revert "Fix often occurring bug when testing UI"
987af951d8 Fix often occurring bug when testing UI
1c74c5d8d5 ci/cd - refactoring
1cc9f57739 prepare for v1.5.0-beta fixes
ac94e5072a fix double .conf suffix in custom conf, migrate /etc/letsencrypt to /var/cache/letsencrypt, fix bunkernet jobs and lua code and fix reload for jobs
773874154d move /etc/letsencrypt to /var/cache/bunkerweb/letsencrypt (wip)
75ca603b7d WIP - fix bunkernet and missing reload for scheduled jobs
0276054522 Fix bunkernet initial message when checking connection + add TODO
bddfb58a0d Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
c7ab002082 Merge pull request #462 from bunkerity/testmmdb
ef551846b9 ci/cd Update mmdb - Let only the schedule and change branch to push on
f41c096ec5 Merge branch 'testmmdb' of https://github.com/bunkerity/bunkerweb into testmmdb
a7b7c2031d ci/cd Update mmdb - Add check for curl commands
fb55295663 Monthly mmdb update
0afb250b91 ci/cd mmdb update - Changed branch to push on
019a927b06 ci/cd remove secret required for auto mmdb update
283a63f160 ci/cd try fixing workflow auto download mmdb
42707ad46a ci/cd test mmdb update
cd57eb423e ci/cd - fix automatic push of doc
01fbacf0ff ci/cd - fix pdf path for draft release + fix missing git fetch before deploying doc
d693d065f8 ci/cd - allow to update release tag, add PDF to release and fix multiline CHANGELOG in release
aa2ada0a00 ci/cd - update git user/mail for push doc wf
a47d7df401 ci/cd - execute apt install as root for doc to pdf workflow
c4093a2d7b ci/cd - increase ARM node storage
01e5994936 ci/cd - concurrent builds for ARM + fix version string for RPM packages
aaa0701659 linux - fix VERSION path in package script
0b93c6e10f ci/cd - add more cores to ARM instance
88db3fa344 ci/cd - fix build rhel var
5c01bd3f74 ci/cd - various fixes for push workflows
604d4c1a0c Merge pull request #459 from bunkerity/dev
bed6d742f0 Decrease the compression level when sending configs to BunkerWeb
57cb6e9c44 Update python deps
0d1580cffd Small code refactor of the jobs and the scheduler's function that generates configs
766ca0e9ce Merge pull request #458 from bunkerity/dev
0ab07678d3 Merge pull request #457 from bunkerity/ui
5412e6d240 fix logs checkbox
ba7422218d ci/cd - fix push workflows
fda2948e0e ci/cd - fix typo in push docker wf
59e5b1d54f ci/cd - fix push workflows
7ca7d78470 Merge branch 'beta' of github.com:bunkerity/bunkerweb into beta
9395456440 add missing postgresql-dev build deps for ARM images
0b5746aba3 ci/cd - add missing inputs for build arm
94dc501c17 ci/cd - remove load image in buildkit for ARM archs because of docker limitation
8ffaa7cf79 ci/cd - force shutdown when deleting ARM node
6e99e7a981 cicd - fix docker buildx arm driver
2eef2b8bb7 ci/cd - fix variable share for ARM (again)
406c686e4f ci/cd - fix variable share for ARM
6cecc70c32 ci/cd - fix ssh command for ARM builder
2f992baab3 Lint py files with black
7befd927d7 Update python deps
a4ae0d5178 Update cached mmdb files
c3d0d7ca70 Add workflow that automatically update cached mmdb files
d4ceb7c106 Remove dev comments for ui tests
b37c86e620 Fix ui tests problem with the logs page
a7b07c9599 Fix wrong condition when fetching the logs on Docker
3b237ed3cc Fix UI tests
a55a0df5de ci/cd - remove useless condition in create ARM workflow
ae33ca52ed ci/cd - fix wait-on variable
8867eb23be ci/cd - fix wrong json keys from scw api
1b79e291eb ci/cd - various fixes for arm build
98ce5041d2 ci/cd - use fixed sha1 commit for scw action in rm arm workflow
66d7216dc3 ci/cd - fix typo in create arm workflow
45fa4d1c26 ci/cd - ignore /root/.cargo dir for security checks, use fixed sha1 commit for scw actions and add missing deps for ui/arm
9cd13990e3 ci/cd - pass ARM ID as secret
266383abb1 ci/cd - dynamic arm build node
4e0d2fce5f add missing dependencies when prebuilt crypto package is not present
823c09195a ci/cd - add missing var for ARM builds
e71dc132ec ci/cd - fix typo in container build workflow
0db5f7cf0f ci/cd - fix typo in beta workflow
4bfc5b693f ci/cd - fix wrong cache name in container build workflow
93d0a991a9 ci/cd - fix typo in push doc workflow
1c178ed75c ci/cd - fix version output for beta/release workflows
ab7e1f6244 ci/cd - add missing runs-on in beta/release workflows
0f499c9d37 ci/cd - fix typo in push packagecloud workflow
d0f6d59f6f road to v1.5.0-beta 🚀
4086628697 ci/cd - fix typo in doc-to-pdf
312757594c ci/cd - fix typo in beta/release (again)
11f86ea754 ci/cd - fix typo in beta/release
ad16067420 use proper links in docs, automatic doc push and add pdf to releases
08e1d157d7 Fix ui-tests by removing no longer present checks
c8908695be Remove unnecessary prints
641a27f5ec ci/cd - remove useless needs for ui branch
4684070818 ci/cd - fix typo in staging workflow
6784bd6914 ci/cd - fix wrong condition for container-build workflow
ef1897de82 ci/cd - add missing needs to tests-ui staging
9815f22d72 ci/cd fix typo in container-build workflow
65c6e48e94 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
14a4db8bdb use current_bw_version for docs, add automatic tests to ui branch and fix letsencrypt permissions for linux
f6b8d23fba Fix ui tests by editing the attributes name to the new ones
58fd04430e ci/cd - fix typo in staging.yml
54a17c7752 init work on CI/CD for generic beta releases, remove useless autoconf examples and fix linux postinstall script
4f2c58bd7c temp disable authelia test for k8s and add missing folders for LE on Linux
5e4ce45793 various fixes
fa67c5d7ba ci/cd - fix missing arg for copytree
04db308c93 ci/cd - edit staging workflow
5d2045803c ci/cd - edit staging workflow
e7717ba7f9 Merge branch 'ui' into dev
bbaaad8487 docs - last polish
0658230e26 enhance responsive
f5c28b27df Merge branch 'ui' into dev
5753123368 harmonize all titles dark color
2f336be770 enhance file manager and jobs svg
81a37a3778 enhance actions btns
c3119f04ee docs - plugins
ffa91933e2 docs - add YT demo
5741dce6d3 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
7695a839f0 docs - web UI
5fe0e0bfda Merge pull request #454 from Hado-K3n/patch-7
8c71f7d278 Merge pull request #455 from Hado-K3n/patch-8
124378d7c9 Merge pull request #456 from Hado-K3n/patch-9
c6a184d90a fix ui integrations and fix stream support in db
d8b7db167e merge from ui
ddd83a8089 docs - add stream support info and plugin description to settings page
289b58567b docs - add stream support info on security tuning page
4dda54a118 enhance style
0ca473c690 fix style issue between load and page transition
1145b798f0 fix filter setting from custom selectors
63e7ccf132 better centering loading logo with text
001a63efc3 continue custom selectors + fix script + style
4144faa93b fix create service issue + remove stash
72bc9e4bb6 start creating custom selectors
98de3fc2fc docs - quickstart
f118f992f6 merge from ui
5285a2f4a1 force stash
1d354c9c6b docs - quickstart (wip)
55a7c8fee8 force stash
64a9fe4dba fix checkbox + style issues + script duplicate
a90d9e6273 ui - fix default value for inputs
7e1efcbc66 Merge branch 'ui' into dev
b5f0fe856e docks quickstart wip
01d8c65c96 remove hidden input checkbox + fix script
b7f63450ed add special method for mode
bc47f1fa5e Merge branch 'ui' into dev
7089e8b4d2 fix checked state
d4fd4c4733 fix checkbox + template
db5789fcb4 Merge branch 'ui' into dev
ab20f83b22 Update k8s.postgres.ui.yml
bbea8ba3fc Update k8s.mysql.ui.yml
9a2005d1a8 Update k8s.mariadb.ui.yml
9512de630c docs - quickstart guide (wip)
956a7bd234 Merge pull request #453 from gin-gitaxias/patch-2
f8c5543fd5 Update plugins.md
667bb30036 docs - quickstart guide (wip)
6b76596a88 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
78c2e16ead add missing cluster config for ui/k8s and start quickstart guide doc
1e6cfe8b0e fix filter disabled issue + reset on modal open
574ecbd6b3 Lower the environnement variable for the mode
aa3ce13a81 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
6f39fce6d6 docs - integrations
92fc5d981f Remove ascii art showing in UI logs
ae7e3ddd9f Fix how the ApiCaller is initialized for UI instances
df94bc4af7 Merge pull request #452 from bunkerity/dev
bf29fa2f92 Show how many plugins there are correctly in the home page
509bd21b06 Add log when deleting plugin
1530745a7e Merge pull request #451 from bunkerity/ui
a87abf3ce5 update home dark mode + variable
8a5836dd95 add popup darkmode
3a4a6ee5f2 new service doesn't force method="default"
1321a76c0c update service submit name for new or edit action
53e145b919 show method involved in disabled setting on hover
ceec21faa3 update web-ui INTERCEPTED_ERROR_CODES
63ba001805 Fix logic when saving a service in the UI
479f18b175 Merge pull request #450 from bunkerity/ui
ab43bf84a1 Make it so the UI and the scheduler no longer run as root in Linux
a7849a6e7a Fix mic mac with config files and UI
9009859aa7 Merge pull request #449 from gin-gitaxias/patch-1
0bf2116c44 docs - concepts
3616a9f202 Update security-tuning.md
435aae7cf1 docs - index and migrating
c0e649d680 fix logs + select custom
1c3bbf1bc3 stream - add example and fix ssl support
37ebde3635 fix logs and plugins dropdown + margin
b64e55f75a Add bigger timeout to loading.html
da4bb8dce6 Fix condition in helpers.lua
ab509c2705 Fix UI with Linux
6916a81c5d bunkerweb is now W3C friendly
c7bc493e35 stream - fix various errors
bc1dbe18a8 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
bd577cfb2e country fix (again) and init work on stream
a829528c3f Add bwcli to scheduler and fix it for the autoconf
9d829ebca1 Finish updating bwcli
94b97a6bb9 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
780c0c8c53 api - fix errors in calls and use ngx.ctx instead of ngx.var
5fb0be70ae Merge pull request #447 from Hado-K3n/patch-6
6843902db4 Merge pull request #446 from Hado-K3n/patch-5
3419dca980 Update k8s.postgres.ui.yml
38c71cf942 Update k8s.mysql.ui.yml
b7c260561d [WIP] Update bwcli
995ff250ff Update python deps + add redis for the gen
a04490b473 Replace unnecessary import
5112ed46e1 Merge pull request #445 from Hado-K3n/patch-4
8558785b17 Update k8s.mariadb.ui.yml
95e64d6c87 bw - fix black/grey/whitelist rdns check and country check
8ea94a2e4d Merge pull request #444 from bunkerity/dev
9f1405d69e Remove unnecessary {-raw-} in index.html when loading
9a2f7e9ab5 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
93b4714447 Add marging to antibot files hcaptcha and recaptcha
93c0cd437c Merge pull request #443 from bunkerity/ui
e7d61a67ce update antibot and default template
5d05eaeae8 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
a77d233eca bw - add zlib dependency
9a69ca135b Merge pull request #442 from bunkerity/ui
823c128233 fix SERVER_NAME + fix delete form + enhance
52806afe73 Merge pull request #441 from bunkerity/dev
2ea726c222 Merge branch 'ui' into dev
dffc770a99 fix and enhance
12f8b8197e bw - add missing lua-ffi-zlib dependency, fix syntax error for white/black/greylist, fix error for dnsbl and fix limit request not working in local mode
4871a21040 api - add missing ctx fill
bcc5e6bb50 bw - add missing json decode in api and add missing require in country
83428d6ccf bw - fix resolvers nil error when doing dns checks
7eefcb8f8d antibot - manage direct access to challenge page
a372ffd521 fix invalid session error handling and remove debug log in whitelist
e55912b34d Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
5f9f1e54f8 load inline multisite values for white/black/grey list core
3b4882d82b Revert "Remove no longer present CVEs fix because these are already fix in the images"
c2e0e51067 limit - use atomic script for redis case
4bc0771d95 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
edf7e06e07 various redis fixes and display ready log
a93d9a7d94 Remove no longer present CVEs fix because these are already fix in the images
e4465d9a12 Fix jobs cache when a database is used
c9af9457e4 Fix wrong condition when sending files
17a3d933b3 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
a60b6f3ada bad behavior - fix 500 error and do not pass objects with another lifetime to timers
c0e8e93aba Fix documentation mistakes when soft merging 1.4 into dev
f1a868c66b Fix when the cache from jobs is saved into DB + sleep 5 seconds when waiting for the database for the UI
d32102376f Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
510938fc23 antibot - fix bugs related to session
ed9605c103 Update python script that generates settings.md
3dabd42dfc Update python deps
834fbaf01d remove antibot back btn + update raw
95c231515e antibot - various fixes, not fully fixed yet
56028b087e update antibot / loading / default page
502d4fcc08 Add back the fact that we don't download the mmdb country if we don't blacklist or whitelist a country
ccd56d3b68 change antibot and misc template style
c949c02328 Update the security tuning's blacklist category according to the settings
671543e6e9 Add more ignored variables for missing setting name warning
dbd5739abd Fix wrong setting names under `Custom certificate` category
5f26ebc695 Fix php-cookie-flags example
bba26b5486 Reorder core plugins to stop having the warning at startup
db166c434b Add small fixes and lint to the error.html page
08f3d93ab5 Update jobs will now also check and save the cache in the db
63b1fb947a Fix CVE CVE-2023-1255
d5b11b8bb1 Merge pull request #440 from Hado-K3n/patch-3
92744c0913 Merge pull request #439 from Hado-K3n/patch-2
d46337f606 Merge pull request #438 from Hado-K3n/patch-1
9b52a5c3c5 clusterstore - various bug fixes
3f9d606e17 Update k8s.postgres.ui.yml
7e2f53c8c3 Update k8s.msql.ui.yml
1f5d8bfab4 Update k8s.mariadb.ui.yml
7a7d83a754 various fixes for redis/clusterstore - still WIP
a5e08e1c67 refactor of session management
0fdb108fe9 core - do not execute init() if BW is in loading state
00b50c1629 various fixes for core plugins
4ba5d66598 use ngx.ctx to store common values
860cc1a924 Merge branch 'dev' into ui
881d3a00d5 fix git issue on windows
76a2ff6563 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
28ef546a9a refactor - start to use ngx.ctx for per-request data
ed495b99ff Add CODE_OF_CONDUCT.md
0bd3e273b7 Update compression_level of sent tarfiles to 5 instead of 9
348ab7a1e2 Add feature that allow the copy of code blocks in markdown + Update copyright
cf2938bf2e Update web-ui docs according to the next major version
79a46e2cf6 Update the logic behind the check for linux os
9a325c7a9a Add new check for integrations in BunkerNet job
707256076a Add now the scheduler will pass his own env as well to jobs
9578ace026 Remove not used INTEGRATION file in BunkerWeb container
8c919c6768 Update links in the home page of the web UI
ad64ce22e9 Remove no longer needed packages that were fixing old CVEs
29cb6fe161 fix header phase and fix error template
d3d18e15a6 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
a83254bf20 fix wrong log in access
859343e185 Merge pull request #437 from bunkerity/dev
50829293c7 Merge branch 'ui' into dev
8e22b1f219 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
9849ce10ce fix wrong error check on phases and add missing ttl for *list cache items
3b5c083fc7 Soft merge branch "1.4" into "dev" + changing versions
4d95e32f18 update error page
1da4b78f0f Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
915b51c3b9 fix error pages for default http server
535f1a0552 Merge pull request #436 from bunkerity/staging
0afe038aa5 WIP Ui
3b6c3815eb fix default-server-http.conf
b5fa473ae3 Merge branch 'refactor' into staging
2fddbd8627 refactor - disable asn checks for non global IPs, use resty.template with antibot and various fixes
8d63e39740 refactor - fix various errors and add missing dependencies
23725d4831 Update prod shields.io link in README.md
303f380c76 Update demo.gif file
3c375039e9 Optimization on the download of mmdb files
a7773dae2f Update intro-overview.svg
5eb884fe9a Fix bug when showing cache files for services in the UI
3fac889ff2 Remove no longer used modsec rules for the UI
c3106e70e3 Update README.md and edit the demo GIF + edit the .prettierignore file
928ed2d6ce refactoring and road to nginx 1.24.0
34ab94640f Update python image in Dockerfiles + Add gevent to requirements for the UI
aa96c8503f update css
649d29b056 change news base url
217d1aa502 enhance style + menu script
e6ff51e200 Refactoring and Linting of py files and json
666b7a1bac refactor - blacklist, errors, greylist, letsencrypt and redis
496edb83ac Adding thel documentation
ee83cea7ff Add ascii art showing randomly when starting
6d1914d62d Update python deps
648f15e42c Add new core plugin update-check
2075a5d4c2 refactor - badbehavior, blacklist, bunkernet, cache, cors, country and dnsbl
5dd52186ba Fully adding vagrant in the doc
3a03f07f19 Changing vagrant integration
64997bae8c Adding vagrant integration
03ec271e21 refactor - improve clusterstore interface and automatically retrieve variables for plugins
29c57915cb antibot inherit from plugin
840c295684 continue work on refactoring
1ec83f256d renamed session to sessions
8c29081577 save work
afc0ac1988 init work on refactoring
4cd3fc6447 Merge pull request #434 from syrk4web/staging
bfc872be27 change flash logic when login
049e9c1ea6 Update python deps
bf9b94ebf8 Avoid Autoconf from running in root
92e6984581 magento - fix docker example (again)
a771bdb187 magento - fix docker example
7c21b3da2a deps - update lua-resty-session to v4.0.3
d4fae4b57b session - add missing settings
a850442203 init work on redis session
986f506e7d add missing API_WHITELIST_IP in mattermost and moodle examples
41e8f5c937 fix wrong init of counter in badbehavior and fix nextcloud/docker example
8e72050625 ci/cd - reduce dynamic subdomains for k8s tests because of annotation size limit of 63 chars
1bc42204d9 ci/cd - use dynamic random subdomains to bypass LE rate limit
a1e44f6e4b Merge pull request #431 from gin-gitaxias/staging
7ccd3ef926 fix moodle/swarm example and disable reverse-proxy-websocket test
8b54073a7e fix missing backslashes in autoconf custom configs and add missing full reload after custom configs update
622f2eb2ac autoconf - check if service exists before adding config
5d14813be4 fix typos after basic testing
9f70605643 autoconf - add missing import and fix double lock release
937cd10eeb refactoring and various improvements
6af3b985a0 fix deadlock in autoconf/swarm and fix missing favicon in default and loading pages
f6ed21b3b7 autoconf - fix global custom configs not supported in k8s/swarm mode
eee03c4ae1 autoconf - fix variable typo in k8s watch
ecf4e77b32 autoconf - fix deadlock in watch loop
0b71819d22 watch services for autoconf/k8s and support real IP in default http server
d3d0136bf5 various redis fixes and improvements
e80965ca9a lua - fix wrong variable name in access
220374db4b ci/cd - fix syntax error in jobs
9b8606d40e fix redis hostname for k8s files and only append tasks with a desired state of running for autoconf/swarm
c843be074c reverse proxy - allow all chars for URL settings
6a65104e7f fix return value of clusterstore.connect and disable auth basic for LE challenges
b429201ecc add missing LUA import for clusterstore and fix prestashop docker example
a9ce32c262 added a more precise scan response and modified .json like asked
f4442b6428 ci/cd - fix syntax error in k8s test class
1c3c0d63b7 ci/cd - fix missing k8s create infra job
e8c6d04aa6 ci/cd - various fixes for k8s tests
1caa9a1e7d adding reverse-scan
5d41a5b985 Merge pull request #1 from gin-gitaxias/reverse-scan
77fb8c420b Add files via upload
1bb79b155b linux - add geoip deps to rhel rpm
cf86446020 Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
ea1394b044 ci/cd - add linux/rhel tests, fix docker/behind-reverse-proxy, fix missing stream module for linux/fedora and remove placement constraints for swarm
87bd26da0d Add threatmap to README
b3eb647459 ci/cd - temp disable autoconf tests and add missing packages for linux/centos
202f21aab8 fix syntax error in ApiCaller
55a36f7190 fix docker/joomla, fix autoconf/nextcloud and fix API calls for swarm tasks
1c3f094cd9 ci/cd - fix wrong yaml edit for swarm and append LE settings for k8s
f07c0e66a3 ci/cd - various fixes
e8ee460efc fix CVE-2023-0464 and CVE-2023-0465
dd2c8cbcd1 Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
2d11a1c728 fix nextcloud modsec rule id, fix k8s pvc definition and remove useless logs from linux/start.sh
4f334a577a Add sleep between BunkerNet registering and ping to the API to avoid being rate limited
283828e8f7 Fix Now support WebDAV methods in the ALLOWED_METHODS setting's regex
e50c92250b various fixes
b8b50b165c Remove check for messages after creating the service - tests-UI
e88406b5d2 Fix ui tests with the new UI
922b32b2ee Merge pull request #429 from syrk4web/staging
671db37f73 fix autoconf/cors, fix docker/wordpress, fix wrong image name for k8s/scheduler and upgrade tests instances for swarm/k8s
be71b0781d format logs instance to avoid error
9e1876fea0 logs fix + checkbox fix
4d245f9fef change cache/download to jobs/download
6d16a766fe fix service delete + change style
5e598e90c9 fix bw-data volume not reused between docker tests, fix wrong bw-data volume path for autoconf tests, add let's encrypt to autoconf tests and fix temp env not generated for linux
dc8b7dbe7e fix form input
bf22faddc6 remove php-cookie-flags from tests, use HTTP(S)_PORT for temp nginx on linux and fix wrong volume path for autoconf tests
6c6845a794 enhance some responsive + change api
461789aed6 ci/cd - fix BW CVEs and fix Linux restart
318228e592 change and fix service logic
fa7c7ac91f ci/cd - add www volumes for autoconf
f88eced330 Handle services settings sent to the UI better
357dc3e3a4 Merge pull request #428 from syrk4web/staging
283306a07a Remove CVEs fix, it's no longer needed for now
276a96c55d Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
19870f154c various fixes for linux and get ui tests exit code from container
2485a47b20 Update python deps
bd88f9743b fix id rename error
82d8180d8e Merge branch 'staging' of https://github.com/syrk4web/bunkerweb into staging
41f43c46dc fix multiple
0f632803ff Merge branch 'staging' of https://github.com/syrk4web/bunkerweb into staging
53f480a66e enhance multiple logic + fix conflict
1cf4a5665d disable healthy checks for docker-poryx and dummy app in ui tests, add --no-reload-linux flag to generator and fix missing self arg in autoconf
041142a4f3 add healthchecks to ui and autoconf docker images
4f9748cc2e earlier init autoconf in DB, healthcheck for scheduler and fix syntax error in linux/start.sh
54813ecd4d Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
d97b5e1047 various fixes
8031c5060f Start handling disabled checkboxes + multiples
58ab870b2d increase cors/k8s/swarms timeout and fix tests/ui container names
cceda705b5 update flash count on remove
e91f3dc226 Add a log when database is ready in UI + Small refactor of the Configurator
1e9a55c240 Add small tweaks to the UI and scheduler Dockerfiles
7dc26dafae Fix disabled checkboxes no longer always have the value no with the UI
7dc25b3a52 fix redmine/docker example, remove double AUTOCONF_MODE in integrations, remove useless backslash in start.sh/linux, rename container for ui/tests
55d24a8d14 Change mmdb-country job to download the file only if needed
9e009f7bee Merge branch 'staging' of github.com:bunkerity/bunkerweb into staging
73b640bd3b fix cors/docker example, add missing AUTOCONF_MODE=yes to integrations YMLs, proper save_config for Linux and fix image name for UI tests
87bccaad6f Add `AUTOCONF_MODE` setting to scheduler in integrations examples
d331131c09 increase timeout for php-multisite, add API_LISTEN_IP setting, edit default variables.env for Linux and add more logs for tests
578a1a8c8b Add more precise logs in the jobs plugins
cb808c0ad1 Fix bunkernet-ip.list file not being created in case of an error (same as 1.4)
c8d39ba6b5 Fix scheduler no longer running as root + Fix permission errors with downloaded plugins
4a67a5f56e Merge pull request #426 from syrk4web/staging
4dea680acc enhance style + some fix
d810882720 Change the category if the user needs to log in in the UI
e003b751dd Fix when saving plugins with pages
b829e4edf1 Fix false positive error with plugin page in web UI
fc3ef33466 Add UI logs into console
ce85bc6b8f Fix openssl no longer prints progression in the console
2e144bf46e Merge pull request #424 from syrk4web/staging
defb2c3336 Change the way the error page is rendered
2ae37ce8d8 Fix regex for ANTIBOT_HCAPTCHA_SITEKEY setting
f335364fc6 Lint antibot.lua
16842fef10 Fix errors with missing % symbol + fix errors because of the symbol
5f5a5a8905 Fix css in antibot html files
ccde5c74f1 fix real ip jobs
d3402ff3ff change loading, error and test files
a02218bc83 end examples refactoring
5845446b9f Revert "Fix errors regex, authorize same path for multiple errors"
be0df41609 Fix errors regex, authorize same path for multiple errors
89812362a1 continue examples refactoring
5d214497ba Fix don't try to add an instance when saving the configuration with the UI
808b7b2206 Update jobs connect to the database only when needed
aa0eff7491 Fix regex in redis plugin that was breaking the UI + fix ui.conf missing comma + remove unused variables in templates
1ac434a5bc Update python deps
9c22f1e971 Refactor the py files
cfe5c6063a examples refactoring
e37e6c3460 Fix mixup of swarm and kubernetes when reading env variables + refactoring
0356250d9d Fix problem with the bunkerweb container and plugins
548d157fe3 Fix check if the Database is on read-only before trying to write
7c5aa48978 Update version string size to support new format
61b9517a87 Fix error when multiple jobs are trying to write in db at the same time
8c67d08aee Lint code
966f57ceaa init work on examples refactoring
0210ddd886 Add realip settings values to the initial BunkerWeb settings
6f29756dd7 ci/cd - pull only interesting images for UI tests
2b1dbb1d46 fix default cert path again and ignore pull errors for UI tests
74a11c2ed8 fix wrong cert/key path for default server
b3769b6e3f fix missing then in blacklist.lua, disable site search in redis.init(), remove counter from reverse-proxy/stream config and fix ui tests compose pull
c7d8b7dc18 update resty core and http lua to support latest version of stream lua and various fixes related to ci/cd
a62ef9f543 add missing init-stream-lua.conf and various fixes for ci/cd
65611020d8 fix duplicate datastore http/stream, fix missing /var/www/html for linux and various fixes in tests
b28668d68a ci/cd - revert back to old condition for pulling images
706305917a ci/cd - fix wrong autoconf local image name, add missing secrets for tests-ui, fix wrong IMAGE_TAG for tests-k8s and try to fix pcre issue on linux
2d440d26e1 ci/cd - add missing runs-on for reusable tests-ui
93945f391f ci/cd - add ui tests
5e31b6c4ae fix CVE-2022-1304 for autoconf, add missing load_module for ngx_stream_lua_module.so and fix missing -lpcre in configure step
01fab41620 ci/cd - fix CVE-2022-1304 and wrong TEST_DOMAINS
aa614b75ad ci/cd - replace Test.py with latest one, fix yaml paths, print logs when k8s stack is not healthy and fix wrong linux docker image name
88a2955173 ci/cd - fix log() call
b95d1bc6d5 ci/cd - add missing log() and fix TYPE for linux tests
2604d9a563 ci/cd - trying a hack to support dynamic runs-on
ed4d945293 ci/cd - trying to fix runs-on problem
53410e831b ci/cd - remove steps
609210021d ci/cd - inherit secrets for tests workflow
a168f2bceb ci/cd - fix rhel build and runs-on for tests
8bf211bc53 ci/cd - fix linux package generation (again)
9250faa524 ci/cd - fix linux package generation
139eaa2dd1 ci/cd - add missing scripts
7149a34cc5 ci/cd - add empty .trivyignore and rename redhat to rhel
5c5dbcfc72 ci/cd - fix type in push-packagecloud workflow
e826c619f8 ci/cd - fix wrong quotes in delete-infra workflow
b24cbf73da ci/cd - fix wrong quotes in tests workflow
99e27c4300 ci/cd - add missing input in tests workflow
ee0e608de7 ci/cd - fix negative conditions
10f9658f56 ci/cd - fix wrong jobs name in needs
27bac0382f ci/cd - trying to fix dynamic runs-on
97627cf836 ci/cd - pass runs-on to reusable workflows
8969b1e726 ci/cd - remove version from reusable workflows
8ca292fb36 ci/cd - change reusable workflow paths
8e73eb87cf ci/cd - fix syntax errors
46e3078dd9 ci/cd - crash test incoming
95c5e2e47f ci/cd - move dynamic runs-on from reusable to staging workflow
131857a9b3 ci/cd - fix wrong indent in staging/delete-infra-*
fc1cab1af4 ci/cd - remove subfolder and continue work on staging
25729fda74 ci/cd - init work
bb2d868fa9 Refactor tests
5e3dadbfe3 Refactor ui
7fe168892c Refactor scheduler
36b5c372ed Refactor Instance and remove unused method
596258559c Accept incoming changes for misc jobs
c5a10aaa3c merge default-server-cert job
06acae4057 rename *CUSTOM_HTTPS* to *CUSTOM_SSL* and continue work on stream support
6bf59b59a2 Refactor the plugins jobs
7a8a75901f Fix multiple CVEs (see comment) (finally)
10ec01e7b0 Fix wrong env var name in realip plugin
947ecf81f1 stream - add is_stream variable to check if we are in stream or http mode
4f4c8ebf08 init work on stream support
79036e9751 add ngx_devel_kit and lua-resty-env deps, support set_by_lua hook for plugins and init work on whitelisting support with modsecurity
c2402b118f fix duplicate root error when bw is starting, add modesec rule to core ui and init work on k8s/swarm integration files
dbd052e9a8 Remove unnecessary import and use parent list of supported custom conf instead
fb917960bc Revert changes on the custom conf regex for the autoconf
26de0a233a Lint files
0faa34ac7b Add a regex to the setting REDIS_HOST
1d9459202d misc - add missing page.conf
1b113236a0 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
29b3731487 misc - default pages for default server
6cb714be03 Start adding integrations examples
99b85ec8a9 Fix Apicaller error with swarm
37114ee2f6 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
902fe6ad07 bw - init work on redis
7bf034fc9f Fix being able to delete autoconf services from UI (shouldn't be)
916caf2d6a Merge (soft) 1.4 branch into dev branch
f8e31f2878 Update mattermost to use a static image
0f35c05eee Ignore multiple CVEs due to missing deps in python:3.11-alpine
846e26e410 Fix multiple CVEs (again)
ebc7fbbcee Fix multiple CVEs (see comment)
f4081ebd3b Handle more errors with Bunkernet job
3b01b51445 Upgrade the way the jobs run_once are executed
8fa94d6a52 Edit DockerController regex to handle more custom confs and fix modsec conf mixing
c92d4224f2 Update python deps + add cryptography for autoconf and MySQL
5799758993 Fix checkbox not being sent when unchecked + double settings tab in UI
9358057211 Fix CVE CVE-2023-22490 and CVE-2023-23946
c671ccf7a2 Add unauthorized_handler to UI
5ac64758e3 Merge pull request #417 from syrk4web/dev
fdd0da35d5 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
34d12cd552 Fix file manager always use the database now + create log file for UI if not exists
47ccd9f047 Log events back in the UI
39b0f3f195 fix + show one mult group
7828c0225a add checkbox fallback + DL script
e425eef9a5 Fix weird shinanigans when saving services config
b75bc0344b Adjusting upgrade on file variables.env
79dabf7638 Change the way bunkernet check on which instance type it is
3f462fb3b3 Optimize logger
84f3a894fe Fix cache files not showing on UI
93933bde72 Fix custom conf MODSEC CRS being interpreted as MODSEC only
c22bccc763 Correcting nginx version for debian installation
8bedc9ce67 Correcting doc
3a60b34638 Modifying doc for packagecloud problem
9efa217090 Correcting fedora packagecloud problem
e3410058fb Correcting Ubuntu/Debian
60ac00f5fb fix inp value
6b13fbb844 change svg
c892050162 Adding Rhel integration
cb77a70106 change logs datepicker
8b0d8a9d3d remove log + fix service tab
facb597ee6 fix float buttons
89930f1a34 Remove encoding from Database engine args
6122d59d82 Update python deps
d3a02be59b Rhel cannot be supported yet
a51aa27e47 Add some checks and solutions to rare syntax error
ae8e65057b Fedora upgrade working Correcting backup during upgrade Database backuped TroubleShooting some errors with OS Centos working
77f41a0591 Backuping old confs working
8fcba30ab0 Upgrade Debian/Ubuntu working
2e9a0c79e6 fix select hover style
64961e3955 Remove unused imports
b662d8453b Update python deps and remove oracledb
e9d981a56e Fix checkbox being disabled every time
39418790a7 fix popover content
3d96fdb344 update dashboard
580f33e56c new file el is hidden on nav
4f6244e749 Lint code
1f20767565 Update Python deps
dcf9e301e4 Fix UI not exiting correctly with gunicorn
f1a28b01b7 Merge pull request #408 from syrk4web/dev
5739144e3d Fix bwcli /bans command
df7bbb9606 Update VERSION to 1.5.0
dd0f56bb0c Add password type for settings
d83d3aa3d9 Fedora working Modifying centos systemd Adding %postun to rpm Modifying postun deb Centos working
b85e6ee6b8 Updating to Fedora 37
ca0d88fcc7 Upgrading script: Ubuntu & Debian working
835f85d5d8 enhance input field style
c4b5ddb950 Add setting to intercept specifics error codes
86c81a6218 Merge pull request #407 from syrk4web/dev
e6cb5b0b09 Made the UI independent + update job download plugins
0ce5f216de handle password inp
44ce5381c2 Fix CVEs
12b4cfa226 Merge pull request #406 from syrk4web/dev
d7ee3ad667 fix file manager dropdown
efbcfd0e2c Beginning of automation testing for linux packages
50b83790a5 Merge pull request #405 from syrk4web/dev
bf1d19f33d remove prefix multiple input
4d49f2f4b6 Improving and correcting problems on packages
f5d87849a9 Fix errors in the UI when a service have multiple domains
d6d1dd1cef Merge pull request #403 from syrk4web/dev
0f5a734300 add condition for services
a5256dd80d Fix IPv4/Ipv6 CIDR regex
591a20cd86 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
c56fccbf20 Adjustements to upgrade
a3a5c1c740 Add ui tests requirements to the updated python deps
b1c99e4088 Add tests for the UI
65f2bf09b4 Remove the idea to store logs inside the database
7beb400b47 Fix stop gathering all the logs every time with the auto update
ab163ce134 Fix services settings saves and plugins deletion
6932f3dedb Add a new script to update python deps and update python deps
d143720750 Fix tar error when sending /etc/nginx to BW
9edf789ab8 Update python deps
4b3b9b3268 Merge pull request #397 from syrk4web/dev
557db479c9 refactorise logs script
13f1dadf5f Merge pull request #396 from syrk4web/dev
adf96cadc5 remove useless files
d2a634e7f7 plugins + global_config fix
1aaac2dcf3 Add regex for settings.json
871807b809 Add small fixes and tweaks
4c5172eda6 Correction of problems
331d58324e Fixing details
e9c1b0cf8c Adjusting some details
c220e5997c Linux UI fix
13fbbfb67e Update job database while locking the threads
ea4ceae7b3 Fix isPage logic in menu (UI)
8ee0ec88f9 Remove test files in UI
d81c526540 Lint ui files and change .prettierignore file
5cc80d2ba8 Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
a6295248c8 Merge pull request #394 from syrk4web/dev
38b59954a3 Lint yml files
146338de63 Refactor every .py file
fcd8d8746a open another tab for doc
051192791f change style
9c80cdb321 add plugin page logic to menu
7689dac76d Filter CVEs fixes in Dockerfiles
0c8dfaaab1 Update bw and autoconf Dockerfiles for let's encrypt
c5d3e77c17 Fix letsencrypt permission error and optimize the ownership commands in scheduler
8304116fdd Send more variables to the home page front
4379e21ea5 Show dirs of every services even if they don't have a custom config
148d9d2d4d Remove user override in the job scheduler when executing jobs
c6498eda7e Add new php-cookie-flags example
f97e056ff2 Update jobs
13fe4b6eef Edit core plugins regex + make COOKIE_FLAGS multiple + edit DB model accordingly
2b2eadf441 Merge pull request #392 from syrk4web/dev
342fe956f7 change data creating new service
bb7ca889ce enhance darkmode + fix + factorisation
cdc3cfc81d add toggle multiples + style
191c88238c Merge pull request #388 from syrk4web/dev
dbe49bb8f4 Update intro image
7bdc46057b Change how the edit works in the config (UI)
364ef13b52 Fix error by calling a method on the wrong variable
1142ace55a Fix rare error with the jobs return code
477e87a2f4 news script + multiples groups
a04f983a09 Merge pull request #385 from syrk4web/dev
e5574fbdc6 change flash messages style
b1ca472537 Small tweaks and handle services variables better
98bda4d1e6 Remove unused line in Templator
0b1be727f5 Optimized the storage in the Database
47526dc8a0 Merge pull request #384 from syrk4web/dev
00d3073b08 get custom method and check disabled state
02d10f619a Fix datepicker.js not being found because of the caps
da634af4a3 Accelerate send_files method
be0ee60cdd handle stop signals with the web-ui
064f9eef94 Remove lines that will never be use in save_config
ec15a4e88a Handle stop signals from Docker in the scheduler
c49f50da2a Move BunkerWeb entrypoint to the correct dir
48bbb5e39b Merge pull request #382 from syrk4web/dev
b944de9e88 change service multiple script
07ab3deb03 Remove unused lines in selfsigned job
a4e863f09c Update authentik and migrate the example to the 1.5
eeb810546a Migrate authelia example to the 1.5
e2b2505d83 Fix saving config for multiple settings
a0c2db7a09 Fix how the config is get from the database
4595295bd8 fix tab focus style + dark mode style
0bd6d56551 add flash script to login + enhance style
6f5aab11d4 fix footer padding
37380b977e fix get multiple settings only
3f6432f4b7 Merge pull request #381 from TheophileDiot/dev
ff84656cd6 Update examples + add static versions
0e29d9f1f7 enhance and fix
c195ffc864 Fix autoconf not working properly with the shared volume
291d64e29d Update community example + linting
4346322f74 fix services settings on modal open
f2daf7368e Merge pull request #380 from TheophileDiot/dev
ba9c16a5d7 Merge branch 'dev' into dev
0db1550f2f Changed the way jobs' cache files are downloaded
fa54ebd491 Made a few tweaks + change the plugins for the services modals
0290f509e0 add plugin_name (change values)
77931b623f add plugin_name
6560ca0869 test
0d0f1aa95d Merge pull request #378 from TheophileDiot/dev
03e98985ea Migrate more examples and lint
016a8cd6d7 changes
5263be27d5 Change the way jobs are downloaded + folder created in configs
7813b51db4 Merge pull request #377 from TheophileDiot/dev
c4bd535acc Add autogen back for docker and the autoconf
243c4ca78d Merge pull request #376 from TheophileDiot/dev
e9687a5b13 Remove unnecessary comments
8537eea89d Merge pull request #375 from TheophileDiot/dev
3c9574dae7 Linux: Updating nginx to 1.22
9f84e02d8e refactoring services modal logic
b105896b28 add rename form
ff83b342de fix issues
8e31672ac5 Merge pull request #374 from TheophileDiot/dev
b3d80d7a66 Generate requirements with python3.9 + use new resolver
6bbbe70eea Merge pull request #373 from TheophileDiot/dev
e33bad4b9a Fix comments + updated passbolt to support the 1.5
37f21c5d41 Temporarily comment the post fetching
343d9d09e8 Show plugin pages even if there are none
0a4f0eb57d Fix error with jobs wrapper
1d4998356d Fix darkmode + Add new variables to pass to the front
547021e7b0 Fix job fetching for never ran jobs
0954e82f48 Fixes some bugs in the UI related to the plugins
3c5f6002d6 filter script + manage files + fix css + enhance
e988aacf38 Merge pull request #371 from TheophileDiot/dev
cce181a295 Update customcert job
9ba06b64d5 Update README
7f2eadacc9 Update python version for the scheduler and requirements
8d6c3d0b85 Fix db get_config
cc748a0480 enhance responsive + add loader
3bafe137d2 refactorisation
e9dfb59f31 handle settings type multiple (fetch, add, remove) on services
8e5dda5209 Changed the way the config is get from db
368122181a start multiple add and delete logic
fee59a51e9 separate multiple from others inputs
50ba229146 upload plugins + jobs template + global enhance
94b0e6a0d5 Changes on the flashed messages
2e0a733cdc Merge pull request #370 from TheophileDiot/dev
103e4a0ae9 Update modsec CRS to v3.3.4
f0f9d7dcf3 Merge pull request #369 from TheophileDiot/dev
4dabe6dae6 Advancements in the examples migration to 1.5
115bfbdc13 Merge pull request #368 from TheophileDiot/dev
81ad9e9ac0 Update examples and add docker-proxy
82ab6c7c43 Revert "Remove unsafe deps in the requirements and install setuptools manually"
b578823a19 Remove unsafe deps in the requirements and install setuptools manually
7fb61b5ef1 No longer dump the jobs to the front
37ece3de10 Merge pull request #367 from TheophileDiot/dev
719d779e01 Start updating the examples to the 1.5
2889b2638f Merge pull request #366 from TheophileDiot/dev
3c3bb7f200 Fix the way we fetch the config from the database (with suffixes)
f0d0dac914 Add the variables back instead of the "_" so it doesn't create an error
62ab9944cc Fix scheduler errors with sqlite in autoconf
7391900513 Make the bunkernet not run in a thread to avoid errors
840ef8cf89 Fix typo in selfsigned job
5a95e67030 Edit the way the UI updates the config
34b5aba1cb Merge pull request #364 from TheophileDiot/dev
b7f60dbdc7 Update deps and requirements
a0634b5736 Merge pull request #363 from TheophileDiot/dev
c0efdf9c00 Replace /usr/sbin/nginx with nginx
db35e575e3 Rename variables so they make more sens
b22cc44d82 Change the way jobs are sent from the database
4e96e57e05 Make certbot compatible with 1.5
aaeda53002 Change the jobs logic + add support for arm
6577229226 enhance templates
844b06e286 Fix how the jobs are sent to the front
3a0727b5cd login template done
0f5756cfb4 enhance logs + prepare jinja variables
08e7c2104b plugins done + add name to settings
6b5d6e07ee Revert changes on the check_settings function
3ccc12d789 add dropdown + responsive
3ed3fbe991 Autotonf now update the instances too
e56f96d04b Update database model + Save instances to database + add the option to add logs into the database
c87c3637db start plugins template
3a5d14952d Made few tweaks with the home page + remove useless functions
55e76b2803 Fix path for dropzone's scripts
64d261acc0 Change the way logs are parsed
f13455d11b send timestamp with ms
7aac0c352e fix ms
fb2e41c11e logs params
2967ed98cd fix fetch
4f9b2120e0 test
f1e614fae6 change ternary operator for fetch
fa5719db7f fetch logs + liveUpdate filter
2a2f2f1e9b Fix scheduler error
2087167228 Merge pull request #361 from TheophileDiot/dev
fa98003f22 Thread the jobs run_once
89e8839bbb Optimize the regex for the core lists
51c5836ae1 change logs script/template + continue jobs
f61b4428b5 Merge pull request #360 from TheophileDiot/1.5
a96771881e Change the logs date format + start editing the logs endpoint
d30adf6709 Changing rhel
bf19cfe3db Migrating Linux to 1.5. Still some details to adjust to be perfect
0cd6ed1af2 When downloading new plugins, update the database properly + update job every time now
8f75af3d60 edit the .dockerignore
4f4beeef99 Create the database variable even when passing the variables, just in case
7347fe9bc8 update jobs only once
b509ce16e3 Copy the files after installing the requirements
64601ebf58 Remove useless warnings
c9238f9930 Merge custom configs generation to avoid repetition
192c6755c3 Update db for the jobs that are ran only once
c14765c6c6 Change the way jobs are sent and how we update external plugins
888bedd510 Change how jobs are send from the database
babb1c72cd Revert "indentation"
44c74f9be4 Revert "indentation"
984b6c5f05 ci/cd - speedup codeql by ignoring some folders not containing python files
355c947a4a start jobs template + enhance menu
272de0b8be ci/cd - fix codeql config path
d9fc713c4d ci/cd - move codeql config to file
c2503d63d3 ci/cd - add codeql
b098478bdd enhance service + darkmode script
fa1739439d ci/cd - init work on dependabot
82df3f17f7 ci/cd - init work
f02adf3001 indentation
c1031cb2c6 indentation
e8581ecb48 enhance news/menu/base + logs scripts
eb99d00daa Revert "enhance news, menu + end logs scripts"
a7d3d04522 enhance news, menu + end logs scripts
c7556a39af Merge pull request #358 from TheophileDiot/1.5
e02e9c9ec5 Edit how plugins work with the UI
f1d7add739 Merge pull request #357 from TheophileDiot/1.5
1252d1651e Add the jobs feature and add the link when using sqlite
2154c7f544 Update database default DATABASE_URI
7957f63b80 Merge pull request #356 from TheophileDiot/1.5
73668b476f Optimize plugin gathering
b3cfc1f01c Remove unnecessary lines and add plugins_errors endpoint
b57e50db2d Send needed settings with the services in ui
a0e66ab30e Change Database default path for the sqlite file
fdd393826f add ui work in progress
6b9a6a7e3f Merge branch '1.5' of https://github.com/TheophileDiot/bunkerweb into 1.5
277e37bce4 Revert "add ui"
05d4b77bbd Merge branch '1.5' of https://github.com/TheophileDiot/bunkerweb into 1.5
e7e43e64dd Add dark_mode to ui
d40a93cb72 Revert "add ui"
d102f027f2 add ui
b70d976719 add ui
7db7aee7c2 Merge pull request #355 from TheophileDiot/1.5
70844ca604 Fix database with autoconf
1a7d8978b1 Merge pull request #353 from TheophileDiot/1.5
93c74154ab fix fedora python deps bug
f2eabc0df6 fix centos python dep bug
d199f124b8 remove exits in ingress controller
3ec15eb4b0 Update the docs from dev
5a8f812560 Merge branch 'dev' (softly)
d214352b7b Merge pull request #352 from TheophileDiot/1.5
891757dab5 Add support for arm + change scheduler python version
8dd377562f Merge pull request #351 from TheophileDiot/1.5
630cf8b885 Change the way services are sent to the UI
b0c09b4def Merge pull request #350 from TheophileDiot/1.5
fa655e6f06 Remove no longer used install.sh and uninstall.sh
c8fbcbeaea Merge pull request #349 from TheophileDiot/1.5
32101c3dc7 Move UI deps, Make the DB compatible with PostgreSQL, MySQL and Oracle
035eed8f6c ui - add custom PYTHONPATH in Dockerfile
2a3e24bd28 Merge pull request #348 from TheophileDiot/1.5
3984c4b0da Separate deps and change prettierignore file and pyproject
47afdc88e1 Merge pull request #347 from TheophileDiot/1.5
01bb6f5e65 Stop converting the files content to base64 when sending them to front
c358747973 Return dumps of settings instead of the dict
a8f27ccb1c Merge pull request #346 from TheophileDiot/1.5
edce79936a Update the structure and the paths
04578aab3f Changing path Linux folder
5ae714fc70 Merge pull request #344 from TheophileDiot/1.5
f65a4cdd65 SMall tweaks on the UI + edit the ConfigFiles edits
06aa73fcfe Merge pull request #343 from TheophileDiot/1.5
0811aad7f5 Edit scheduler and change DB
858f6e00f4 Change python version
b279d02403 Fix BunkerWeb gen on start
ef7fa5b4f5 Merge pull request #342 from TheophileDiot/1.5
11bcd98243 Merge branch '1.5' into 1.5
bacef768c7 Add integration manually in bunkerweb
5ec179affd The UI get the custom configs from the database
0e6a5f3f96 Merge pull request #341 from TheophileDiot/1.5
eec00ba2bf Update the Database and make it easier to gen
479b556fb5 Merge pull request #340 from TheophileDiot/1.5
375776e7de Fix UI path_to_dict with the cache files
df62fd410b Merge pull request #339 from TheophileDiot/1.5
1f58d0c517 Edit dockerfiles
6c07f99674 Merge pull request #338 from TheophileDiot/1.5
069b45f37b Add some tweaks
850530cd0e Merge pull request #337 from TheophileDiot/1.5
01b4145524 Make the Database support every feature + updates
a12d013fc3 Merge pull request #334 from TheophileDiot/1.5
5f8353c114 Adapt everything so that the UI can work with every integration (some more tests are needed)
fe89625921 Merge pull request #333 from TheophileDiot/1.5
66fb266f8e Centralize Database and optimize requests
7a03ed33f1 Update pip in Dockerfiles every time
b09c05d3ba Update BunkerWeb deps
9c02d5f9e7 Merge pull request #330 from TheophileDiot/1.5
7d743e1981 Update the database and the core plugins accordingly
ce6f01cf03 Merge pull request #329 from TheophileDiot/1.5
9140dc3244 Optimize Database connection and ApiCaller
81307c82c2 Merge pull request #328 from TheophileDiot/1.5
0edef7c520 Use Python 3.11 where we can
fe774e0009 temp nginx is dead, long live to the IS_LOADING setting
0bf402fd7a Merge pull request #327 from TheophileDiot/1.5
48242b9a3c Get all config with generator
0b73ea856c Merge pull request #326 from TheophileDiot/1.5
09378458dd db.get_config() get entire config and doesn't filter anymore
1008490234 Merge pull request #325 from TheophileDiot/1.5
8b54762fc3 Fix db init with autoconf
cfaeb10133 Merge pull request #324 from TheophileDiot/1.5
7e53bfe553 Fix gen for Docker integration
54530d535d Merge pull request #323 from TheophileDiot/1.5
79eea0e998 Linting + starting to migrate bunkerweb to the 1.5
316b84ad3f Merge pull request #318 from TheophileDiot/Feature-specific-order-for-plugins
ba56c9f55c Merge pull request #317 from TheophileDiot/Fix-scheduler-error-reload-nginx-linux
a8f79e58f3 Merge pull request #303 from TheophileDiot/Fix-custom-conf-disappearing
b2a7e053bb Merge pull request #314 from TheophileDiot/Feature-blacklist-ignore
96e6562732 fix indent
01cecf14e5 Merge pull request #313 from TheophileDiot/Feature-max-client-size-edit-modsec
873ccad9b2 Add MODSECURITY_SEC_RULE_ENGINE and MODSECURITY_SEC_AUDIT_LOG_PARTS (#292)
97bf473e1a deps - add update checker for deps (#293)
5af2fb7783 Complex example using autoconf (#271)
bd4c94e834 Add specific order for core plugins and check them
a96a8a8c2f Fix incorrect message while reloading nginx + more details on error
446ff93a49 Add ignore blacklist feature
5fdcc9e583 add g/G to the available file measurement units
d207aa4bf5 Variable MAX_CLIENT_SIZE change the SecRequestBodyLimit value
57ad9d7ee0 Fix old custom configs where never deleted
7860aeab94 Merge pull request #312 from TheophileDiot/dev
cac220023e Fix small typo in autoconf integration
5d9dc88cc5 Merge pull request #307 from TheophileDiot/Restrict-access-IP-NET
40863f28a5 Merge branch 'dev' into Restrict-access-IP-NET
67d514b53b Merge branch 'master' into dev
51e96416d9 Merge pull request #304 from TheophileDiot/Fix-Endless-loading-after-update-service
ace1dfca25 Merge pull request #308 from TheophileDiot/Fix-doc
b9e5badd94 Fix last typos
a9865f8502 Fix typo in plugins.md
e3d0120a0c Fix minor typos in the doc
9214bb9392 Merge pull request #309 from TheophileDiot/Fix-flask-dev
80c1b225bd Replace flask development server with gunicorn
de0954fac3 Fix typos in the docs
27b4ff330c Add the greylisting feature
06f65ffe27 Change the exposed port to 7000
b0a887a155 Fix errors and warnings when editing a service
803ff8cb56 Fix CUSTOM_CONF_SERVER_HTTP disappearing after 60 minutes (autoconf)
94ce249d74 [#290] Fix typos in docs
478e980189 ci/cd - temp disable k8s test
8f44e108bb ci/cd - add docker system prune
72caf907a0 ci/cd - temp disable swarm tests
01acb1cf30 ci/cd - temp disable nextcloud/swarm
fc3c7892da ci/cd - add missing prepare for prod tests
2a04a56428 ci/cd - update ruby version for CentOS builder
6afdb298fa lua - fix pcall for asn/country mmdb lookup
04019a617a tests - fix nextcloud/swarm
34649bf33a docs - add Ansible to README
469a5343ec ci/cd - remove old linux packages before building
4244399eb1 road to v1.4.3 🚀
66029a316c tests - edit prod workflow
d0c245ba83 tests - fix bug when testing if a swarm stack is healthy
5633d5ff5f tests - remove mongo-express/swarm
61d57b4ebb tests - fix mongo-express/swarm
76f035e21d fix wrong DENY_HTTP_STATUS setting in docs, fix autoconf ghost/prestashop tests and some UI warns/errors
b35dbdffc0 tests - fix ghost/docker
7e226301d4 tests - fix prestashop/docker
8f273a929d ci/cd - fix missing comment chars
45f4e06ace road to v1.4.3
7fe58ddd57 tests - disable systemd start limit
561e64a890 tests - road to debian
29933fdebb tests - add unzip package to linux container
7915da6dfb docker - fix CVE-2022-3209
d8f6c27560 tests - fix configs perms for linux
cb56e7d04a tests - add chown for custom linux configs
e847343143 tests - fix linux/drupal (again)
4caae414d5 tests - fix linux/drupal
8a23b96bf5 tests - disable linux/moodle
a4fd701d5d tests - temp disable linux/proxy-protocol
39ed524f02 tests - add missing variables.env for moodle/linux
d0e3f3ae26 tests - call cleanup-linux.sh
b0fa57b056 tests - replace restart with stop+start for linux tests
ec11360853 tests - print logs when setup_test fails
3be348ebe8 tests - add haproxy cleanup for linux tests
884ca0f6d0 tests - add missing variables.env files for linux
e4321629f1 tests - road to linux tests 🚀
c277a33e9c tests - add missing which command for fedora
512c60c519 tests - add some debug info when linux/setup fail
e64cc29a8c tests - create /run/php folder for rpm linux distros
42d29743b3 linux - fix 755 perm on /opt/bunkerweb
505d5c2ae4 tests - fix behind-reverse-proxy/linux
70992a0b50 tests - fix haproxy logging again
7e5465c595 tests - fix haproxy logging again
f5606b6933 tests - fix haproxy directive
265742cd94 tests - haproxy add logs
0580662cc8 linux - copy current variables.env to make temp one
8e15e2a400 linux - set /opt/bunkerweb permissions to 755
17801caebd temp disable arm
552588adf1 temp disable arm
5849c66e66 tests - fix www.conf
052dc23466 tests - increase php logs verbosity for linux tests
331c7e9545 tests - add debug log file for PHP
f71ad0f656 php - fix fastcgi_params path
34c648830b trying to fix PHP bug in Linux
5c99a4b0e2 refactor linux/start.sh and fix tests/cors www copy
eb6f0d6737 tests - fix purging wrong folder for linux tests
6ea38b1f77 bunkernet - fix wrong import in register job
b5c07dda01 tests - add cleanup for linux tests
17b6b0fdc8 tests - fix PHP www.conf for Linux
512ed7200d tests - add cors/linux
d8071e4c43 tests - install php-fpm
790fa37aeb tests - fix behind-reverse-proxy/linux
6005a8f73b tests - fix behind-reverse-proxy/linux again and again
09f56a1c6e tests - fix behind-reverse-proxy/linux again
0c4d2edf12 tests - fix behind-reverse-proxy/linux
d53c54d4b8 tests - add behind-reverse-proxy/linux
093d426bc9 better management of registration with BunkerNet and fix syntax error in LinuxTest
3762c38741 tests - copy variables.env for Linux tests
55525abf15 tests - fix mattermost/k8s
23f8ec9571 UI - fix container CVEs
a38ca51380 docker - dont generate config if already present
e92938f004 autoconf - fix container CVEs
c2ad79a792 Docker - fix CVE-2022-37434
8eefb4bf53 examples - fix mattermost/k8s
6d1ef606f7 examples - fix nextcloud/k8s
95c4ce723d enable bad behavior on default server and various k8s fixes
e295b020e4 tests - increase redmine timeout and add pvc cleanups
1e499db505 examples - fix gogs/k8s
a642761366 disable bad behavior if client is whitelisted and fix redmine/reverse-proxy-multisite examples
115d517c71 tests - add delays
7c1474cd89 examples - fix moodle/k8s port number
305870cc22 examples - edit moodle/k8s port number
3df0f8505b tests - add delay to moodle
897528b730 tests - fix magento/k8s again
4f4c446f7b examples - fix magento/k8s again
69848dccc9 examples - fix magento/k8s
0516f0a839 tests - assign bunkerweb-controller to srv1
41524a9e3d tests - force pv
0d44b098f4 tests - fix prestashop URL
0e315dc5fc tests - edit prestashopHost value
5741391de6 tests - change k8s service type of prestashop to clusterip
6adff9cebd tests - increase timeout and remove pvc for prestashop/k8s
97a2caf06e tests - fix Kubernetes missing variable assign
865f4f1b56 tests - fix prestashop/kubernetes
e8305b0b65 tests - fix missing prestashop/kubernetes.yml
840b875f70 docs - edit plugins page
978bbe9ca1 examples - fix missing configs subfolder in nextcloud/bw-data
502c9f2fe9 examples - fix radarr/swarm
1c4f8bf55c tests - automatic volumes prune for swarm tests
b6e2ad22a6 tests - fix joomla/swarm
216686fc8c tests - add delay parameter
d648b1fbea tests - increase magento timeout
d3b725294f tests - wait until swarm services are running
a48200bc02 examples - fix reverse-proxy-singlesite/swarm
b429dd8043 tests - increase timeout for swarm healthy check
0440c61d0c examples - fix gogs/swarm
ae36b98992 docs - quick edit on PHP
9a83fadd82 examples - fix gogs/setup.swarm.sh permissions
09141f2047 examples - fix magento/swarm
edf5421bf6 examples - fix permissions for magento/setup-swarm.sh
c67564c7c8 tests - increase timeout when doing requests
b076370090 examples - fix mongo-express/swarm
ec35b0a547 examples - fix mattermost/autoconf
95e3022eba examples - fix autoconf/reverse-proxy-singlesite
d63538fd58 examples - fix wordpress custom conf variable name for docker/autoconf
e01b240723 tests - ignore error when replacing patterns in files (binary files)
217924fe46 examples - fix reverse-proxy-singlesite regex
bb6d02e0f6 examples - escape dollars in reverse-proxy-singlesite compose files
5c42fb58d7 tests - fix reverse-proxy-singlesite
2f8c5a1e9f examples - fix host for reverse-proxy-multisite
af866e8256 edit docs/integrations for ansible and fix examples/mongo-express compose file
e90d4cc7e2 tests - fix json for reverse-proxy-multisite
70ac3c01b3 tests - fix missing arg no_copy_container
07a962466b tests - inline configs for docker/autoconf
87c57c67c7 tests - refactoring on the road, still needs some work
8fb03a3171 tests - on the road of refactoring
dc8570ca87 tests - add status type
1513785705 tests - refactor mattermost example
4e7d795ea6 tests - support custom cleanup-kubernetes.sh script and refactor some k8s tests with helm charts
cc9d228abd update compose version to 3.3 for swarm examples so config directive is supported
1819571473 remove trailing space in DockerController and add missing bunkerweb prefix for autoconf-configs example
324feb593d autoconf - fix missing configs update for DockerController
22398d5678 cors - fix typos in autoconf.yml
5119c8da7c gogs - missing setting for autoconf
0fca93e3e8 tests - sleep 30s between autoconf tests
17e14f4d53 tests - fix wildcard with sudo
3a46d318ee tests - remove only content of subfolders
4eff0c3f9d tests - fix behind reverse proxy url
bf58a17b8a gogs - add setup-docker
08d8bc8804 tests - remove whole subfolders in bw-data
b38f7c54e6 tests - add kubernetes-configs and fix missing s in urls
06f7fb096e tests - fix docker-configs (again)
b7101eb475 tests - fix docker-configs
a08b51bd03 tests - fix gogs expected string
b2bcfb8c7f tests - fix hardened expected string
d3014b42f7 examples - refactoring in progress
7eae497194 tests - prevent default rate limit
be21b3933a tests - fix sudo cp again
7bb881aa39 tests - fix rename
a607bd67cb tests - replace python cp with sudo cp
6d06a32cc9 tests - list example_data as root
c5526ef2fd Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
75b2ae868b tests - fix example_data path for docker
72965e230e Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
201e2cf0f3 Correction logs Linux
2033974442 tests - init cors and fix example_data path for autoconf
d8c8ceab36 tests - fix LinuxTest setup and init work on integrating examples with the new test system
c02d888b32 examples - rename setup scripts for drupal
9a9f9ebf36 examples - fix linux-setup.sh for drupal
6e381ee028 tests - disable copying bw-data files for k8s and swarm tests
0ee09d47da tests - force removing directories with AutoconfTest
da2f6cb4f4 tests - force removing directories with DockerTest
d1d2e51a31 cleanup tests directory and init tests refactoring for drupal
c14b08faa7 examples - edit authelia configuration.yml file for Linux integration
80fee58e47 bunkernet - add default api server in jobs
37690a7a4c configs - enable default server if TEMP_NGINX is set
b3fdd109a8 linux - fix wrong variables.env path when running jobs once
193449512a Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
f5ede78974 examples - fix authelia variables.env
767a7ab315 Adjustements doc Ansible/Linux
81b3703660 wait until Linux test container is initialized and fix variables.env for authelia
44fbf03158 authelia - extract tarball to tmp
02db54ce0d examples - follow redirect when downloading authelia for linux
14d61854e5 add sudo to linux dependencies and curl to linux test images
6f35561fae tests - fix cp and end_fun for LinuxTest
2505bc015f tests - add linux to authelia kinds
b1df38374f tests - temp enable docker
410212b158 tests - run docker cp in a shell
f2ac7bca74 tests - fix typo in LinuxTest
a0948923ec tests - copy local files for Linux tests
458ebe07ff tests - dynamically find deb/rpm name
2205043e75 tests - fix LinuxTest.docker_exec()
d370f1b053 tests - add missing chmod import to LinuxTest
bf6dd93aa7 tests - replace rmdir with rmtree for LinuxTest
773517311e Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
850a8057cf ignore CVE-2022-30065 until we have a fix
e6271ccd63 Final proofreading FPM
f0ddb8328e docker - fix CVE-2022-30065 for autoconf
f260bcf23c Small adjustements
fa319ec101 tests - fix argv len check
0294064532 tests - fix typo in LinuxTest
f47ab0adc5 tests - integrated LinuxTest
eca010231c FPM Linux/Ansible Doc
4d61e96e47 tests - LinuxTest on the road
c9c7303460 tests - fix linux.sh
58a82ddcd6 tests - copy Linux packages to local directory
8062d043c1 tests - fix Linux dockerfile path
0a09f8a750 fix CVE-2022-29458
bb425bc361 tests - init work on Linux tests
aa729daebb examples - remove double $ from kubernetes authelia
7edd55544f fix k8s example for authelia and ignore error code when doing debug_fail for k8s tests
0fd77a8092 examples - fix typo in kubernetes authelia
720f36f473 tests - init kubernetes refactoring
ea98b453d1 tests - use unique domains for swarm tests
4bd0129e46 tests - also edit root domain
6e47b29919 tests - add sleep in the end of SwarmTest.init()
abc500a4d4 tests - fix domains for SwarmTest
3780477940 examples - fix authelia swarm compose version
4a5e50005b fix typo in SwarmTest and fix authelia swarm example
3b73c50c32 tests - ignore docker stack ps return code
ba6fddb56a tests - init swarm refactoring
9ecd2bd98d examples - add missing network aliases to authelia autoconf
7bbf77b7a5 fix authelia autoconf example and debug fail before cleaning tests
f02fe1ed91 tests - remove only subdirectory on new tests and add cleanup when test failed
0383cadd69 tests - fix compose filename for autoconf tests
aeba0ba72c tests - add missing AutoconfTest object
67608a463a tests - add missing decode
8b3b1291cc tests - from replace/rename functions to class method
1c5c81d2cd tests - add missing import
fa2d52d80f tests - remove useless log and return boolean from Test.end
68bf5ef850 tests - remove wrong cleanup call
424b37bec9 tests - change permissions as root
2780ee190d tests - add debug_fail function
07b0bb38dd docker - fix CVE-2022-29187 for ui and autoconf
b47c2696ee docker - fix CVE-2022-29187
fdb8ca3cad tests - replace internal _log with logger.log
eb59a9377d tests - init refactoring for autoconf
2e0542dbb0 tests - ignore case when performing test
0a996bf123 tests - replace match with search
48a6ba6328 tests - fix rm command
991ddb9eb9 tests - remove file as root
1e1d7d7f14 tests - replace variable typo in get request
ebc94f515e tests - add missing char when replacing Docker volumes
e4f6017d64 tests - replace example domains with test domains
dfc5f2e79e tests - export runner env
c07f85a424 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
ab57be6570 tests - fix missing copytree import and self parameter
5f79aea4bb fpm single/multiple docker&autoconf
cc760a646b tests - fix datetime import again
db2c35cb3f tests - fix datetime import
28f1b4f734 tests - rename variable
e1183a0d4c fix tests.json for authelia and exit when test exception occurs
16573a397e tests - do not run as root
de8cee491a tests - add missing imports
56afbd4577 tests - run as root
590ad46cd8 tests - fix missing chmod import and Test.init log call
8d580bc165 tests - fix missing Test import
a91fc73072 tests - fix indent and isfile import
773a37d456 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
b64af85262 tests - DockerTest on the road
0d3e1e2a13 Update the plugins docs
85217b57c3 Fix a typo in the plugin page in the docs
ba75154d07 Add url_for function to custom plugins templates
c055ec7ec3 Fix duplication in plugins
2c4efe9d0e Add Plugin Pages feature
795dfc0778 Add static map files
8b4b3f3b04 ansible docs
2e4758e948 tests - DockerTest improvement
c155227ec6 tests - init work on refactoring
dde1851416 tests - increase timeout for magento
e62523d1dc lua - use pcall with mmdb functions
658ab75049 docs - add ansible diagram
8d6397a6ba Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
f5c86cc4e2 examples - add cors example
8760110fba Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
cc4f0b26a1 Quickstart Ansible and integration
7b769361af cors - init work on core plugin for CORS
97e607110c linux - rename bunkerweb-ui.env to ui.env
c3ee7929be docs - change target of the web UI demo link to blank
969a1e5d70 Merge branch 'dev' of github.com:bunkerity/bunkerweb into dev
5bf59c85d5 docs - replace web UI gif with YT video
430f665cdc Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
5be21f9bf8 Adding www folder
afdd4de5a4 fix regex checks with *_CUSTOM_CONF_* setting, add doc about DENY_STATUS_CODE
5586b3733b misc - add DENY_HTTP_STATUS setting (403 or 444)
90e58f2612 fix ui.env path for Linux integration and add docs for autoconf with rootless docker
a00607af2e docs - add instructions for podman
e880b7d598 docs - add infos about Docker in rootless mode
fc925ccb11 edit docs typo for UI and variable typo in autoconf
5714221319 ui - fix CVE-2022-2097
287e763e0d autoconf - fix CVE-2022-2097
89f81140ae container - fix CVE-2022-2097 (again)
a5c98f7099 container - fix CVE-2022-2097
429214727b tests - fix data folder permissions (again)
6b1c5a93e1 tests - fix data folder permissions
fb85d1d2d1 autoconf - fix typo in variable
fdcbc8d361 custom conf - fix wrong path with multisite configs
b2bb93bcf8 examples - fix docker-configs again
2b59086f66 examples - fix docker-configs
e09d4901ea containers - fix regex for *^CUSTOM_CONF_*
3594618e4c examples - fix typo in docker-configs (again)
e443112819 examples - fix typo in docker-configs
738e3b6e1a containers - use python hack to get env var values from string
5ac80a135c containers - replace compgen command with a python hack because compgen -e do not display var with dots
8f258486ef fix multiple CVE with curl/libcurl and add autoconf/docker CUSTOM_CONF configs examples
2dc18a7942 autoconf - support both configs from files and autoconf
e0a7005062 autoconf - init support of custom variables using labels
385b7c4134 docs - add docs for custom config using labels
e25babe3d2 custom conf - docker
a5457a164c custom conf - init setting support
0a1e8be71f examples - add missing setup.sh for mattermost
70c60f2a9b tests - add mattermost and radarr
f2dfb01724 examples - edit mattermost and add radarr
1a8eef2c85 fix autoconf import for IngressController and init work on mattermost example
cb106a112e autoconf - fix indent in IngressController
492648eeb2 autoconf - fix 410 exceptions (k8s)
1425ad0b42 docs - update settings list
f7290b2c79 v1.4.2 release
c0a8a356c2 linux - include bwcli in /usr/local/bin
40007b0866 add slack to official plugins and init work on EXTERNAL_PLUGIN_URLS setting
6478512e48 scheduler - only send /data folder if apis are present
7aa6852d3c autoconf - fix missing scheduler in autoconf mode and missing apis list
7bba81b16b autoconf - fix wrong variable name for environment
5cb61380d7 autoconf - add missing call to ConfigCaller constructor
b2758cea76 autoconf - init work on _get_static_services method
a18d77aeee autoconf - init work on static server configs as env var
4a699ef6c6 fix missing local Linux images import in ci/cd, and fix bug related to jobs in Linux integration
5690a58ab9 fix IFS checking permissions
e55928a37b fix bwcli commands when using Linux integration
0f2388b1f2 fix permissions check when file has space in the name
2b43a9cbf5 Merge branch 'dev' of https://github.com/bunkerity/bunkerized-nginx into dev
5ecf39ee02 Fix web-ui example with X-Script-Name
ad091493c3 examples - add various certbot-dns examples
a65606c369 examples - add certbot-dns-ovh
cd0d70b8f6 cache dev Linux images in ci/cd and disable site config generation for autoconf/swarm/k8s
e21a35017a plugins - support log_default() hook, same as log() but for default server
c563731e86 autoconf - fix overwrite configs file when using Docker autoconf
3c417d2ff0 linux - fix fedora NGINX version in Dockerfile, fix missing arg when building DEB/RPM and force NGINX version DEB deps
970082f92e linux - force NGINX version in RPM deps
4a2504c3b8 reflect ci/cd changes to dev
fd0c7b1e53 ci/cd - add automatic build for Linux images
1e6d62ce79 fix packagecloud yank name
1a4e21481e docs - edit supported architectures for prebuilt Docker images
bcaca6f034 v1.4.1 release
424214fd56 add changelog and add missing s in authentik url
82b42d5b9c Merge pull request #259 from Brawdunoir/master
db4e2cf266 update linux docs, minor fix in ingress example and update default value for bunkernet job
0ef82619b8 temp disable automatic tests for authentik and test automatic arm build on dedicated hardware
f2655e331d remove arm build again, fix proxy_*_timeout directives and add authelia example
d51ae1c1b9 Remove USE_ before authbasic plugin settings
cd0438b8ce support REVERSE_PROXY_*_TIMEOUT settings, remove useless push in CI/CD and try to build arm on GH runners
f9a042526e add docs about compiling BW from source on Linux, add docs about packages pinning on Linux and fix regex for REVERSE_PROXY_AUTH_REQUEST and REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL
15ac64b05f let's encrypt - fix bug when AUTOCONF_MODE=yes
e0f8895e9a init support for auth_request and add authentik example
e852298352 don't send local IP to BunkerNet on default server, fix certbot new when MULTISITE=no and fix unknown reason in get_reason
972a284efd docker - drop support for prebuilt arm images
5258d8e58f docs - edit linux install procedure
acb4bea97d reflect CI/CD changes for master pushes
42067e864a GHA - temp disable armv7 build until we have a fix for cryptography dependency
217bddabfd GHA - different caches for armv7 and armv8 images
c5fba13674 fix GHA typos
1b21f9eac3 fix UI tag in GHA jobs
389e050943 fix links in docs and change cache location for GHA jobs
05a89c3037 fix registry URL in GHA jobs
a0ed8a27e9 add debug flag to GHA buildx steps
d0ac5e3059 update GHA actions version
b16f8f11ad update GHA actions version
a23ed06e66 fix typo in GHA jobs
6b9be078b8 refactoring of GHA jobs
8e198ed82e linux - fix documentation link in systemd unit files
c3b527afe8 actions - fix RPMs path
972e5471d1 actions - fix linux deb/rpm generation
b246c6d7e2 fix wrong branch name in actions and image name for linux tests
b78fd55427 fix freetype CVE
945241339a actions - rename main branch to master
1af2264fab temp stop push to private repo
6f28708c10 docs - add missing setting
a9f886804a bunkerweb 1.4.0
3a078326c5 Merge pull request #199 from Myzel394/patch-1
d43b82b757 remote API - only do action if 403
3850cacb9c prepare for v1.3.2
c00c7f46a0 lua - verify certs when doing HTTPS requests
163af4a49d prepare for v1.3.2
98e85eb99f docs - update security tuning sections : distributed blacklist and request limit
2e63bb0256 docs - reflect kubernetes/swarm changes into the doc
6546a0edb7 disable country ban if IP is local, update default values of PERMISSIONS_POLICY and FEATURE_POLICY, upgrade archlinux packages before testing
ab00381746 ui - fix ROOT_FOLDER bug in serve-files.conf
9f7097de0d request limit - fix some LUA code
24d6337a57 limit req - multiple url support
bfb5319c16 limit req - add burst and delay parameters
4c77a14825 use annotations as env var in Ingress definition, fix cidr parsing for reserved ips, fix missing empty when job is external, fix ping check for remote api and init work hour/day support for request limit
4e45fa3874 integrations - acme without shared folder when using k8s/swarm
a9a26b82d9 fixed typo
00d91dcaaa jobs - move certbot hooks to python
650ad7ea49 integrations - fix missing acme folder when using Swarm or Kubernetes
7045c0c2b6 jobs - fix encoding error on CentOS
f0f432487b remote API - ban IP from distributed DB
fdc02be051 remote API - basic send of bad IPs
fb799765a4 jobs - fix str/bytes hell
d53f02b5b3 api - client side (untested)
7b9722fac4 jobs - add remote API
31ed4ff834 centos - update ca-certificates in install script
bc5f3ee88e fix CVEs and add init to Debian test image
a6b21aae8c fix typo in settings.json, bump Debian to bullseyes, init support of Arch Linux
64aa9c2530 init work remote API
5d94cc8f43 docs - init changes about storageless
e7ee21cbb5 antibot - fix path for templates and data
a0f8cbdac1 antibot - fix LUA typo in recaptcha mode
178d7a6849 Merge pull request #182 from Nakinox/patch-2
ca81535bb3 swarm/k8s - less storage, more API
062fa3e78a integration - continue work on storageless config for k8s and swarm
95f2d2af9c Update docker-compose.yml
e55dff8128 api - init work on storageless configuration
f0f1c79d40 v1.3.1 release
3d2f5e2389 conf - add REVERSE_PROXY_KEEPALIVE
b079c99fb9 Merge branch 'patch-15' of github.com:thelittlefireman/bunkerized-nginx into keepalive
2e403c6ebc config - add CUSTOM_HEADER
f75a05584e config - add REVERSE_PROXY_BUFFERING
148edf6814 tests - add github token to trivy scanner
a19d8aa041 Merge pull request #180 from vepito/vepito-patch-1
480cff86bc Merge pull request #179 from thelittlefireman/patch-16
35df3423d0 missing blank line
29f4069de7 switch the use cases
72e4384596 Fix typo related to non-HTTP configuration
a4a2647737 jobs - fix docker reload and only do cron jobs when necessary
892e533694 Missmatch in docs with modsec folder
a056141609 deps - use ModSecurity v3.0.4 instead of v3.0.5 to avoid memory leak
0772a9ba8e docs - edit badge version
33e0ffd5b1 Merge branch 'master' into dev
4cb3e089e3 linux - git SHA1 commit in install.sh
8808f161c5 docs - dev to master links and VERSION upgrade
1c60ec9804 tests - fix volume wait with linux tests
b13ff34569 add REDIRECT_TO_REQUEST_URI variable and edit environment variables docs
58f2926e95 docs - various examples fixes
9de628f3eb Missing proxy_set_header for keep alive
6cc1abc893 Allow keep alive connection when ws is off
a824e15684 linux - rename cron
fd52bb7c8d linux - fix cron jobs
0938b20eb8 UI - use sudo for Linux integration
b948e08bd5 UI - use systemctl on Linux
fde14d1621 linux - fix unknown scheme error and do nginx reload as root in UI
8a4eb3f2a3 remove .site files (gen), uninstall remove folder at the end (linux) and run jobs when reloading local instances (UI)
2a0b84074a ui - fix bug when Docker is used but Swarm is disabled, add jobs from API /reload and fix docker-compose doc
aec22d1a81 ui - edit docs and fix CSRF
028fc61b4f docs - add dns_resolvers and permissions to Linux
a903960b4c docs - fix missing subfolder in Linux quickstart guide
a28f06f08f linux - run temp nginx to solve let's encrypt challenges
6c8bc6b349 tests - fix Linux systemd bug when writing to /tmp folder
2b3b4a5c3f linux - systemd support
57e4247eab linux - systemd unit file
f9d4e90894 docs - edit k8s php service port and append suffix to hosts
4f024ec566 docs - add DNS_RESOLVERS for k8s integration
bc46fc3d4c append suffix to ingress hosts
0be1da18a6 remove old conf before generation, dynamic DNS for PHP and reverse proxy and swarm fixes in quickstart guide
3cedc0ae13 quickstart guide fixes
f1d5c07cc1 autoconf - various kubernetes fixes
c9a6b6c27d autoconf - fixed infinite lock
b199464a73 various bug fixes related to Swarm integration
4a9d64d9d9 add favicon to web UI and fix some tech docs
31536a3fe2 linux - reload as root
7b47c7304f examples - minor fixes in architecture images
83e7ce9cde examples - polishing before next release
0ad5159a33 docs - add changelog for next version
6240d8e28d ui - read variables.env when Linux is used
2f80f64dd5 docs - last polish
e98da9b637 docs polishing and fix install.sh gpg --verify
d9f7706969 docs - web UI
75f299978c docs - special folders
ef34b2cec1 docs quickstart / multisite
9b9110214a docs - quickstart guide / php
9e2a8070e4 docs - quickstart guide / reverse proxy
733136ac1a docs - init quickstart
fa172ce5a9 docs - linux integration
f6a9184ae9 docs - k8s integration
d37dc2b629 docs - swarm integration
f7c115edff docs - add autoconf doc to Docker section
dfbb091361 docs - init integrations/Docker
8e4a65feca fix global.env generation and add web UI gif to README
0573ba7b5a ui - centering things without breaking sticky navbar and menu
bcd421de09 ui - various bug fixes more or less related to UI
2ec28c79cb docs - fix README toc
fec60a4b14 ui - minor styling fixes
dd7d1a2c78 ui - fix example, subpath behind reverse proxy and add socket proxy rights for swarm
0c1883472d docs - edit kubernetes overview image and add configuration section on the readme
4e6eab794d docs - fix wrong swarm image
b23135b663 docs - add docker and kubernetes images
ace9be3979 docs - add autoconf and swarm images
8958e5107c docs - add overview image
b2cfc15c2a security - add security policy
94bef079a8 examples - add architecture images
50266c2285 examples - add the last missing README.md stubs
22e2fe869f examples improvement - added some README.md stubs
55186bbef5 examples improvement - hardened, joomla, kubernetes, load-balancer and moodle
d8286ced7c examples improvement - certbot cloudflare and wildcard, clamav, crowdsec, ghost and gogs
44de2253d2 examples improvement - traefik alternative, autoconf reverse proxy and basic website
6d73fbdedb examples - update authelia and autoconf-php
b6809266af autoconf - let's encrypt support for ingress controller
4e178b474c autoconf - basic ingress controller support for kubernetes
021147f9d9 autoconf - fix wait and redis
5a26d06c87 autoconf - fix infinite lock and honor DOCKER_HOST env var
bc01427def ignore CVE-2021-36159 and redirect job logs as root when using autoconf
652614f41b autoconf - use DNS for Swarm instances discovery
24d9cce82f autoconf - various bug fixes in Swarm mode
f866ef6325 autoconf - minor fixes, prepare Swarm testing
1a32e7c02c autoconf - various bug fixes with DockerController
7180378d0c autoconf - init Config refactoring
6e66571fb9 various cleaning
f44e41cede jobs - lock and reload management
26db144df4 autoconf refactoring and fix CVE-2021-36159
a68ad53c3f autoconf - controller classes
01bba1d3f6 autoconf - init refactoring before k8s integration
0597074438 k8s - init work on parsing ingress rules, helpers to setup on k8s, basic examples
bc3c17a2f0 examples - init k8s example
556836b499 autoconf - init annotations parser for k8s
22612f1757 minor edit on Linux tests and init work on k8s API
50c279617b jobs - improved log and reload management
ef8969e2cf certbot - add USE_LETS_ENCRYPT_STAGING=yes/no env var for using staging or production servers of let's encrypt
0dc2a5ec25 edit visibility of Job members and integration of a generic checker for nginx
9a207dfdc5 fix missing import in generator, expand networks to ips in jobs and init work on a generic checker with shared dict and redis support
a60fbbb5b3 hotfix - fix CVE-2021-33560
a1b9010d9e pull v1.2.8 fixes when applicable
3178545c2f v1.2.8 release
36b8760d4d resolve bugs on the stable version
8bb6676f58 settings - fix PHP_* again
4234f82c01 settings - edit EMAIL_LETS_ENCRYPT regex
b99fb27df5 fix missing parameter when calling reload in autoconf and edit REMOTE_PHP_PATH regex
876fcd1814 conf - add WORKER_PROCESSES
26dc796155 jobs - fix line edit
280d189864 jobs - avoid reload when not necessary
5f845680ff jobs - edit referrers and user-agents data and init work on autoconf integration
d12369c900 jobs - various bugs fixed and old files removed
366e39f591 jobs - SelfSignedCert, runner and reloader
71741b2d34 jobs - cache management
2fca4cd014 jobs - logging and error management
fccf14627f jobs - python stubs
b3684efaf6 jobs - init work on refactoring
82548378ae crowdsec - move as external plugin
b926b0db62 examples - use example.com instead of website.com
6713f56ec1 linux - fix centos install
2b923c05c1 compile and install LUA 5.1.5 to /opt/bunkerized-nginx/deps and introduced REDIRECT_TO feature
71cf3cf5c1 use local sources when building Docker image, add LOCAL_PHP and LOCAL_PHP_REMOTE to settings.json and fix pip bug related to removed working directory
8e3dbf1c70 fixed some fedora bugs, support LOCAL_PHP and LOCAL_PHP_PATH and sample variables.env
49ada6a8c5 linux - init work on fedora support
947e86f7c3 linux - uninstall script
a12561a85b remove useless nginx-keys folder and add lua_package_cpath to http conf
6b19bd0264 deps - add cjson LUA files to deps folder
6738b28b99 deps - move dependencies to dedicated /opt/bunkerized-nginx/deps folder to avoid messing with the system
010c0fd6d4 rename gen/requirements.py to requirements.txt, add git/bash to Docker deps and fix typos in README
ecf30a71f7 deps - init work on single install script
ffc4fc950e deps - manual compile/install of libmaxmind and upgrade lua-resty-core
b9955699b7 Merge pull request #152 from thelittlefireman/patch-11
860fd1ace5 Upgrade desps
eb5d13fb8d Upgrade lua-nginx module to 0.10.20
ca41987cd6 Upgrade corerules to 3.3.0 & modsecurity to 3.0.5
3af1b397fa UI - digging bugs from services, still some work to do
72a09eac6d UI - add CSRF protection
0d3f7d3925 UI - admin authentication and bootstrap update
6be082e0a9 UI - init work on admin account
4947796c99 UI - fix instances bugs
ba197dfa43 UI - bind gunicorn to 127.0.0.1/0.0.0.0:5000
4dd1ff8479 UI - copy from helpers, systemd service and instances page update
f771ec43f1 ui - init Instances class to support Linux and API for Docker/Swarm
e241b0c939 logs - move everything from /var/log to /var/log/nginx
d03a1a6e3b linux - add jobs.log
2c9c9fb62c linux - run master process as root
deb28c5991 autoconf - fix folders
2ea7331dad jobs - disable post-jobs when SWARM_MODE=yes on SIGHUP
92ee40819e whitelist - fix /.well-known/acme-challenge whitelist for let's encrypt
2ccfb26e81 docker - fix CVE-2021-33560
70f9f8417e templates - add missing new line when necessary
c4aef1d606 authelia - choose portal or auth basic mode
a385183d88 authelia - various fixes
cec47f3a75 body injection feature and add authelia to documentation
c894c8370e authelia - add variables to settings.json
f73b088f79 authelia - initial work
130c6752dd Merge pull request #148 from aFresquetIntech/dev
f97ea67855 Create .env
8504299861 Correction
4a8da40cf2 reverse-proxy-zammad
0114c7b09f examples - edit basic PHP
bebe89afb0 linux - edit path for default errors, ignore comments in variables.env, install/prepare certbot
b2cceb608c linux - fix centos
37f5e4ed71 linux - fixed debian/ubuntu but still some work needed on centos
98568a57c9 linux - fix /var/log and typo in daemon directive
4991922878 linux - fix daemon directive and rights on /etc/nginx
bcb8acc364 linux - add RX permissions to /opt
a9279053a4 linux - add executable right to gen/main.py
60057a17e3 linux - fix tests docker cp and pass single -c argument to su
d0366fcc0d linux - started work on bunkerized-nginx command
b448d91ca8 actions - fix centos test and docker image name when pushing
e309ce6fd5 docker - fix permissions on /opt
37090dc66e actions - fix manifest error with buildx and load
6bb6facd88 add load: true when autobuilding images and move from /bin/sh to /bin/bash
a1fcbd4b83 fix actions and configure
09a2a4f9e5 github actions refactoring
1e02368e8a linux/docker - common /opt/bunkerized-nginx folder
bbb5134a39 fix configure arguments and CRS include
b0f93fb840 fix Dockerfile again
c892f037db fix Dockerfile
731c0f61df linux - init work on installer
93543d3962 Linux - use the same dependencies script for Docker
5ec9e6ab49 linux - CentOS 7 install
cc0d0af8d2 linux - ubuntu installer
43d2097d14 linux - nginx install on Debian
f880e5e2aa linux - continued work on install helpers for Debian
9636013f5e linux - started work on installer
15bdb076c8 hotfix - fix docs get_git_branch
d62c4f466d v1.2.7 release
ad52ef3260 autoconf - prevent race condition by checking health state
3bd3b6fd7a Merge pull request #145 from thelittlefireman/patch-10
e41acc20c2 Upgrade ModSecurity-nginx to v1.0.2
3c721dc2a0 add HEALTHCHECK to Dockerfile and append 10.0.0.0/8 to DNSBL whitelist
491d879fec jobs - cleaning the mess when using autoconf without swarm mode
52534510ec fix bug when AUTO_LETS_ENCRYPT=yes and certbot can't resolve challenges
2c7337576d jobs - fix syntax error
9e4961ccb5 docs - rename sitemap to bypass rtd rewrite
01857d8ac0 gen - display the reason when ignoring a variable
ab9f9e0a4c jobs - fix jobs when MULTISITE=yes
29dc64ca30 actions - add Docker cache to speedup auto build on the dev branch
b5cd4e0375 docker - build and push images from GitHub actions because of future DockerHub restrictions on autobuild
16101144c5 self-signed cert - fix bugs
95510e6e1d settings - add underscore to CUSTOM_HTTPS_CERT/KEY regex
dd5890e760 geoip - fix bug when using GeoIP
c3a437fa82 docs - rename the sitemap to avoid conflicts ?
518ddd3236 docs - custom robots.txt
177a82ee6e docs - automated sitemap.yml
39db7b368f v1.2.6 release
9442e59141 jobs - fix jobs in Swarm mode
fcc6b3b5e4 various bug fixes related to Swarm
678ad70b01 docs, various fixes and certbot-cloudflare example
e8f5db0b29 docs - add plugins system
8295f6aeba plugins - clamav example
388fc1a0e8 plugins - started basic plugin system
62217a3210 add contributing guidelines and license
53e433b1a4 readme - replace some badges
f640157b1f Merge pull request #138 from bunkerity/feature-request-template
d646f3e5b7 Update issue templates
4b31d005eb crowdsec and generator fixes
d2135c19c0 docs - road to v1.2.6
8cda1baf77 fix web ui multiple variables and add default error pages
445032406b dnsbl - disable checks when IP is local
74fb015366 web UI - init work on using docker-socket-proxy
ee178de6ab web ui - mostly finished templating integration (needs some testing)
7323525b69 ui - show only multisite vars for settings
82e47f147d ui - Dockerfile fixes and missing get_config function
2db967ad1d templating - road to web ui
1d96620ae6 templating - init integration into web ui
99c259bf18 templating - prepare integration into ui
c7b81cfc10 various bug fixes related to HTTPS
dfce0c06dd autoconf - fixing various bug when SWARM_MODE=yes
0f8e56a668 templating - fixing bugs with autoconf
f950abdc24 templating - started integration into autoconf
4a73ae8197 various bug fixes on templates and nginx update to 1.20.1
e2f02ee91e templating - prepare integration for autoconf
a991b262ef remove ClamAV because of GPL and started work on read-only filesystem
a8bc17e836 templating - started integration into docker image
ec19f93081 templating - added missing features in site templates
23aa053003 templating - auth basic support
289ad106cb templating - multisite support
bbc5bbc9e9 templating - fix some site templates
633a07686f templating - init work on site templates
996c45df42 templating - init work on global templates
801530baf3 templating - road to full jinja2 templates
c65dda3917 templating - init work on templating with jinja2
ea891969c1 templating - updated settings.json with global settings
698ae17c49 templating - init work on generic settings management
6645632846 antibot - basic pow with javascript
16e5ede130 antibot - custom templates
8260746fe1 logs/lua - add logger tool
de560490d3 fix LUA array variables and add LOG_LEVEL to the troubleshooting section
96db3a450d log - add LOG_LEVEL variable
73543f4b0e hardening - add no-new-privileges
d9bb97be50 lua - move global vars from lua to site config (untested)
863283d090 started work on moving variables from .lua to nginx
600484b16e crowdsec - fix bugs and update example
7c6a13c549 examples - improve nextcloud example so it works with webdav clients
b3bb4ec40f remove unnecessary dependencies and update doc about certificate bundle
69f4657208 examples - fix typo BAD_BEHAVIOR_STATUS_CODES
d02985d213 check permissions for missing volumes and add comment about permissions on examples
b0ca85ff75 v1.2.5 - performance improvement
2f115c444d Merge pull request #131 from bunkerity/issue-templates
7f15741ea2 Update issue templates
288b8eb851 docs improvement + road to v1.2.5
61c08fb97b docs - troubleshooting
01ef47a669 docs - security tuning improvement
71515a9101 doc - volumes list
a33d0658c6 docs - road to a beautiful documentation
0b3ff6a9f4 bad behavior - move from fail2ban to pure lua
eb2d0d330d performance - rsyslog and fail2ban removing
5bcbb38638 doc - official document started
ca660b2501 init work on official doc
3a34436cd8 add AquaeAtrae example for ROOT_SITE_SUBFOLDER
b1d03cd11c performance - move bad user-agents and referrers checks from nginx to LUA with caching
42c3fb8740 add sandbox allow-downloads to the default value of CONTENT_SECURITY_POLICY
f1c043604a add missing backslash in the quickstart guide and update autoconf examples with the depends_on directive
fd61df205f performance - move external blacklists checks from nginx to LUA
009d6fb5ae choose connection and nofile numbers, increase error_log level to get modsecurity rules, add MODSECURITY_SEC_AUDIT_ENGINE var
ba4185a42e jobs - fix automatic reload
70976d0fbc fix user-agent not blocking and add documentation on bundle when USE_CUSTOM_HTTPS=yes
062a39c63a integrate AquaeAtrae work - add ROOT_SITE_SUBFOLDER
83841b290a jobs - edit adren work on external blacklists
10dc58cb6d Merge pull request #126 from adren/patch-6
668754686c Merge pull request #125 from adren/patch-5
84b1933f63 Merge pull request #124 from adren/patch-4
15f6d0a32a Merge pull request #123 from adren/patch-3
e628361a89 Merge pull request #122 from adren/patch-1
f8d71e067e improved way to generate user-agent file
02ae3b6bd3 change IFS before subshell
2fb0e7c473 deduplicate list of user-agents
9adcc2f1a7 more optimized way to generate map referrer file
7b98db4d14 improve the generation of blocking file (abusers)
ddb2b85916 improve generation of block file (Tor exit nodes)
da1a460a64 huge improvement to generate blocking file
07be626842 hotfix - fix API in autoconf swarm mode
3bb164395e hotfix - move API_WHITELIST_IP edit to lua.sh
bc2568a172 v1.2.4 - nginx 1.20.0 support
5ec74880d8 update README for v1.2.4
f84fd7c9a2 fix permissions issues for autoconf and fix volume for ghost example
6521d7a27a fix client cache so it works in combination with reverse proxy and examples update
813607fbc3 improve crowdsec example and disable modsec logging when not necessary
843644f806 log - replace some WARN tags from LUA logs with NOTICE to avoid confusion
19fa0eb25f log - print modsec_audit.log to make debugging easier
b4df287228 log - send logs to remote syslog server
5ce41edc03 api - whitelist IP/network for API
a3cfb50b4d example - fix certbot wildcard
25494acace example - wildcard certificate with certbot
a98dae1fb6 fix CVE-2021-20205 and examples update
1a7abab570 nginx 1.20.0 support
42b7a57f01 fix autoconf bug when removing config with multiple server name and increase default LIMIT_CONN_MAX for average website with HTTP2
02f9fbe5fc autoconf - fix certbot bug when multiple server_name for one service
69fe066777 autoconf - fix bug when multiple server_name for one service
74417abc9c fixing bugs - run as GID 101 instead of 0, different permissions checks in swarm mode and disable including server confs in swarm mode
ba7524a419 fixed LUA bug
b55aafb997 finding the LUA bug
deeb7a76a2 Merge pull request #117 from thelittlefireman/patch-9
ee8aaa4e7e fix lua crash 2
605d59a45c Fix lua mistake
b85c991b6e bug fixes - /usr/local/lib/lua rights and syntax error in site-config
0d3658adf0 REVERSE_PROXY_HEADERS - use proxy_set_header instead of more_set_headers
0b22209c96 documentation - userns remap feature
e44a1f3e14 added the uri to limit_req_zone key to limit bruteforce attack on a specific resource instead of the whole service
aa614f82f9 print error when permissions are wrong on common volumes
c03d410b0a refactored whitelisting of user-agents
e190167bfc CIDR support with whitelist/blacklist IP
31e72dce1c fix /usr/local/lib/lua rights and multiple server_name support with autoconf
b8105fc558 feature - whitelist URI
e73c10fd80 crowdsec - fix permissions on /usr/local/lib/lua and on /var/log files
a122a259c0 minor fix on AutoConf logs and auto disable etag with reverse proxy
7c4894d3b8 autoconf - fix remove event, generate config from nginx vars, more logs
533c2a1034 fix sed script when writing site env
5611d544d6 remove reference to USE_PHP
397182f18d add link to twitter account
c5c5fb17b5 v1.2.3 - swarm support
017a7780fb README update, default cron update and new parameters to ui
34d9db7a8b web ui - bug fixes
361c66ca61 fixed bugs with MULTISITE variables and swarm example
afc6678855 road to v1.2.3 - fixing bugs
c40fb33175 road to swarm - automatic reload after jobs
93ad3c0b51 road to swarm - let's encrypt fix
ceed904882 road to swarm - still some mess to fix
b8027d2bac Merge pull request #102 from thelittlefireman/proxy_custom_headers
8d03a14a6a Merge pull request #103 from thelittlefireman/fix_truncated_3
d16f4517a4 Enhancement add custom proxy headers #97
89ca91b3ff Fix truncated variables (last commit)
6a714e2ece road to swarm - fix race condition on initial configuration
0d3da03534 prepare /www directory, fix log socket path and whitelist acme challenges path
33163f65b3 init work on disabling root processes
a2543384cd road to swarm - add openssl to autoconf, fix api_uri in LUA, fix file rights
3591715f21 road to swarm - fixing things
95f7ca5b2d road to swarm support - needs a lot of testing
816fa47cbb introducing SWARM_MODE env var
7756c2df3c Merge pull request #98 from mromanelli9/fix/readme
7509ec2f2c basic API to be used in swarm mode
6e93575e16 remove ALLOWALL from X_FRAME_OPTIONS options
ba4c977550 remove old anchor
781e4c8cbb autoconf little work on swarm support
e04c783d1e autoconf - init work on swarm mode
e12b656bd5 Merge branch 'patch-7' of https://github.com/thelittlefireman/bunkerized-nginx into dev
cae05447d3 custom crontab values
4b58e22657 Merge branch 'patch-5' of https://github.com/thelittlefireman/bunkerized-nginx into dev
6b56e21a09 Merge branch 'whitelist_ua' of https://github.com/thelittlefireman/bunkerized-nginx into dev
544a09e8da Update lua-cs-bouncer
8386dd4a2a custom config outside server block
f052a25168 Merge branch 'pre_server_confs' of https://github.com/thelittlefireman/bunkerized-nginx into dev
43750f5536 Merge pull request #73 from thelittlefireman/patch-4
9142afdb54 Merge pull request #72 from thelittlefireman/patch-3
66c4fed791 Fix env variable with space are truncated 2
f41846e9d6 Fix env variable with space are truncated
92cc705b92 Reduce memory usage : set cron tasks at different hours.
47fb3a05b3 Upgrade crowdsecurity/lua-cs-bouncer
5940f402c7 improve default tls security
d9ca275d53 Add before `server {}` config.
8353bd9c85 Allow to add a whitelist by site on user-agent
d902e2f297 Add last missing reverse proxy header
1a8b8043c8 Add LIMIT_CONN var to server.conf
65120a7e97 Add USE_CONN_LIMIT info to Readme.md
b093a47554 Add default values for LIMIT_CONN
73dbf03c9a add USE_LIMIT_CONN zone to global config
6ee746236a Add USE_LIMIT_CONN to site-config
fa935eb6e3 edit nginx.conf to add limit_conn
cf231e13cb Add limit-conn.conf
d5d699252c v1.2.2 - web UI (beta)
50f95420b5 README update - road to v1.2.2
dc382c3e04 various fixes - autoconf process order, multisite config and examples
0026328f25 edit default FAIL2BAN_IGNOREIP subnets
9023ab5aed Merge pull request #67 from thelittlefireman/patch-2
124474ad66 Edit README.md to add FAIL2BAN_IGNOREIP
eac9c8f513 Prepare FAIL2BAN_IGNOREIP to avoid self blocking
1ee490de6d Prepare FAIL2BAN_IGNOREIP to avoid self blocking
825e6a747e crowdsec v1 integrated
09a984c86b started crowdsec v1 integration
fd7afa17b3 fix missing ';' in include
b9b7fdfcc4 Merge pull request #63 from thelittlefireman/patch-1
58e1d66bc7 UI - minor alert css fix
7026643f8a UI - fix missing MULTISITE env var when managing services
06f688fe97 fixed stop and reload operations
c65b78b1cc UI - instances/services backend update (needs testing)
f9b9b9546f UI - introduced multiple config parameters (like reverse proxy) in frontend
b5fe6335c7 UI - instances backend started
951f3957fd UI - default service values
0f520b8914 UI - services backend started
569ad75c42 UI - config.json refactoring
bd7b6af668 UI - load config template from json
459bb8ea1c UI services modals and default CSP update (fix new tab links)
208b5acb30 UI - minor services list improvement
59b2fed416 UI - basic services list
a4871a915e Add missing proxy headers
026783f018 Fix missing reverse proxy headers
8115853453 Fix missing proxy headers on site-config.sh
c5f283b00e UI - minor front update
03ce7a6483 fix modsec double inclusion when MULTISITE=yes
3f7e2c54b3 JOBS - fixed some job script and right temp nginx reload
bb0f46d8af JOBS - fix job_log
c5b32dfc4c fix CVE-2020-1971 again
9a4f96ad18 fix CVE-2020-1971
f258426f55 JOBS - fallback to old conf in case reload failed
119e963612 JOBS - be more verbose about jobs failure/success
373988670a Merge pull request #54 from thelittlefireman/patch-4
2a956f2cd3 Fix #52
15a37a8682 UI - minor UI improvement
3a3d527907 UI - basic read fixes
e6b5f460c9 UI - basic read from docker API
002e3ed2ba security tests for autoconf and ui
7b55acbe8b web UI example and CVE-2020-8231 fix again
559b7835d4 ui - automated build
4ea01bd93f print some logs when blocking bots
a73891a3b8 fix CVE-2020-8231
26199f52c8 remove additional / in modsecurity include
5c3f94a84f edit reverse proxy var name in README
043fcdc136 autoconf - automated build
b86ded3d1c autoconf - multi arch Dockerfile
92569679b6 dynamic reload of nginx by sending SIGHUP
15e74e4860 more work on standalone autoconf
fd0a6412d0 init work on standalone autoconf
419fdfc86e fix auth basic when MULTISITE=yes
0bc1f652b4 v1.2.1 - autoconf feature (beta)
6c7461e298 integrate thelittlefireman work
d01bc5e014 Merge branch 'patch-1' of https://github.com/thelittlefireman/bunkerized-nginx into dev
75c69c8105 last fixes before next release ?
e26b8482aa Add missing EMAIL_LETS_ENCRYPT parameter
f618c73e6c road to v1.2.1
78c1e5c676 examples - same domains for internal tests
481e10d3ef reverse proxy - websocket example
aae2a71983 autoconf - php example
f3bf04e390 dirty fix to disable default server when MULTISITE=yes
36cbb927c0 autoconf - various fixes
95153dbc5d moved UA, referrer and country check after whitelist and blacklist check
26947179a4 moved UA and referrer check to LUA
88f27bfeb8 autoconf - reverse proxy example and pass default vars
3cc1615c4d fix user-agent script
8bacf722a6 Merge branch 'fix/variable-naming' of https://github.com/mromanelli9/bunkerized-nginx into dev
2bfc4b41fa first work on automatic configuration
587d4a92eb incorrect variable naming
c311d0c825 add crawler-detecter bad UA
0d03f49ebc websocket support with reverse proxy
2112c306a8 custom log format
8f9dcc5ab8 last fix ?
2fe05d3fd3 fixing scripts again and again
db04c0345c fix referrers again
ed8bd902b1 fix referrers script
3a7aa5d9c0 block bad referrers
9ec9de6ca2 multiple lets encrypt certificates when MULTISITE=yes
791342cbe6 fix LUA DNS code when answers is nil
2f23671c3b fail2ban fix when MULTISITE=yes
e350a717ff fix default DNS_RESOLVERS
e818acb0d1 prestashop example
b92f74ed98 dirty fix for CVE-2020-28928
9688e66508 check all vulnerabilities with trivy
700dfc0184 v1.2.0 release
42e4298b5c readme update - v1.2.0 changes
813b42cfa9 php and nextcloud examples fix
58fcf0a725 added Permissions-Policy header
5879183802 custom headers to remove
2032596880 automatic trivy scan
eaf817d57a php config and examples fixes
dd7768c856 whitelist/blacklist country at LUA level to avoid SEO issues
fe1d724c9f country whitelist/blacklist
0635eb368b various bug fixes
fbf81c94be cached blacklists data
ed451877ae examples update and multiple REVERSE_PROXY_* on single site
0f18e9c552 reverse proxy support via env vars
8f7cb5318e proxy caching support
60fbbc1013 move some http directives to server
0f0593456c various fixes
8cdc155ac0 multisite examples and certbot renew fix
1abe1da89e brotli support
f18c054b42 gzip support
4dea1975e2 client caching
c2b05c463c fix BLOCK_COUNTRY bug and add support for ModSecurity custom confs when multisite=yes
2da51d92a6 multisite - bug fixes
bd7997497b autotest through github actions
e89e34a84f auto test fix
ff02878dd8 auto test setup
44b016be93 road to multi server block support
36c4f3e065 v1.1.2 - CrowdSec integration and custom ports
798f6c726d examples - nextcloud fix and tomcat
761c14a0b8 custom HTTP and HTTPS ports
4a07eca696 crowdsec integration
e1274a6082 passbolt example
3ec81cd849 Fix broken line in README
95752ff0c4 v1.1.1 - TLS 1.2 support
8623510f8c https fix
95a76b11fa peterkimzz integration and dhparam
b0e4740a7d [New Features] - Added "HTTPS_PROTOCOLS" environment value to enable to customize TLS version. default value is "TLSv1.3". (because TLSv1.2 sometimes needed) - READMD.md
e843608575 README update - v1.1.0
2f68667893 logrotate copytruncate
1d63838ee6 examples - fix port number
e4bdd4af5d examples - nextcloud fix and moodle
2c33463af7 renamed logrotate script
9ff210bed8 wordpress and nextcloud examples
0b73018865 install CRS by tag in compile.sh
e1356e3eb0 logrotate.conf update and some cleanup
34a0da444f logging fix again
022a653ebc display fail2ban.log and logging bug fix
4c11a9125c automatic docker tags with VERSION
88b52478c3 automatic Secure flag on cookies
ce82e22dbe remove integrated PHP
397415211e antibot - check IP with sessions and recaptcha
68d7988551 tor hidden service example
16eab0f631 README update
6a22f7711c load balancer example
222426854e Merge pull request #13 from FacundoAcevedo/patch-1
d63c57985e Fix typo in the link in the TOC
e19a7c693d run master nginx process as non-root user
7a8795883b dockerfile fix - compile
01095bd72f gpg fix and secure git clone
0e6729c62e check GPG signature of nginx sources
040b6a2234 Merge branch 'patch-1' of https://github.com/fabianmoronzirfas/bunkerized-nginx into dev
5f62120e4d fix(typo): add missing »find«
e8503b9cc5 ARM build fix
676571e4a4 use nginx:stable-alpine as base image
34254a09e9 examples and DNS_RESOLVERS fix
81cff3648c readme update
e166b1fea9 awesome gif resized
f08bba8cc2 awesome gif
ccf4392280 session secret fix
c1d44387b5 basic antibot feature through recaptcha v3
135126e3f4 readme fix
ac251b0f69 Merge branch 'master' of https://github.com/ZILosoft/bunkerized-nginx into dev
ac242c9774 Update README.md
2909b79891 basic antibot feature through captcha
446ee3761b basic antibot using javascript
6e1c43c4cd basic antibot feature through cookie
652d8ac979 fixed typo in manifest
de1952b5f9 README - toc update and title fix
16a458db23 README improvement
f27d80e0d5 various fixes and lua logging
fc3d911ff7 improved blacklist/whitelist/dnsbl with lua
ef7d842ff0 arm64v8 auto build and master manifest
0e57049832 manifest for automated builds
aaef370079 improved logging with rsyslog
6e3c2ddcc2 integrated ajarmoszuk work
919b418d58 Added the ability to self generate SSL certificates
fb1a0182e2 Added the ability to see Real IPs if Nginx is running under another proxy (such as Traefik).
2e0a8307d1 i386 fix again
181003efe1 i386 fix
fca7bb0758 automatic builds
764038d40d README update
f4c43a2148 block proxies and abusers
3a9afa47b6 Merge pull request #5 from ajarmoszuk/patch-1
2c12df3b96 update default req_limit values
2f967a9f47 Update entrypoint.sh
eba5f6280e req limit
44155b5d62 dnsbl ipairs fix
829c1c6974 some fixes and README update
f3721a50db sitewide auth basic
b56e4e765a dnsbl feature
1654e913a4 lua support
3e5ca583c9 remote PHP-FPM support
bcd17dbea2 automatic geoip update
14ec9f3e63 logrotate and compile fixes
5b5e6e33a6 awesome logo
1aa1dcf50d logrotate support
f30a06d943 syslog integration and fail2ban improvement
cd19841ec3 readme - details about modsec include order
94b29a6ca2 fixed some include orders
bf605ce59d custom root folder and little fixes
b14b09ad5d default CSP update
4f5e5f013e readme improve
76bd069f25 php POST max size and custom HTTPS cert
1d6ab7275f http basic auth fix
472ec31cd2 readme fix
caa415e126 http basic auth
8561d47be0 create a customized image
4bede275fb fix typo
efcf937109 inspectFile fix
ccaaa8b57d readme fix
b83111ad17 realip, minor fixes and README
a2be2e8ae1 improved README : format, modsec, fail2ban and clamav
48a0036d26 updated readme
bf0bef289d clamav support
193070b148 fail2ban support
716e54e597 custom http/server confs and better modsec customization
43403f69ee disable default server
69ac95b29e block country and various fixes
ecf2de8b72 multiple let's encrypt domains
8427564f4d user-agents escape fix
c56bde4f0c fix certbot-renew.sh syntax
834afa1327 http to https redirect
d5f8c7647d custom modules and write access
5bcdb0219e f**k markup ?
3233f3b76f fix readme
62eda8173b improved README
09e6b50e58 custom conf
5d16f6a8f2 fix README
1b5f6deb22 cookie flags and maxmind update
ea1dbc617c updated readme
0b703ea559 content security policy
1e642e2f13 initial readme
e90060ce68 initial work
70f849fbb5 Initial commit
REVERT: bea1be3bbf doc: Fix typo. (#97)
REVERT: d502e41996 bugfix: nginx crash when accessing uninitialized pointer.
REVERT: 91eb0db9ef bugfix: update handling of multiple headers changed in nginx 1.23.0.
REVERT: e536bc595d bugfix: fixed build error with nginx >= 1.23.0
REVERT: 00be83f1dd doc: update the description of nginx compatibility. (#131)
REVERT: a4a0686605 travis-ci: upgrade dist of travis-ci to ubuntu bionic. (#124)
REVERT: f85af9649b travis-ci: bumped the NGINX core to 1.19.9, remove clang compiler mode from travis to save credits. (#121)
REVERT: d6d7ebab3c travis-ci: bumped the NGINX core to 1.19.3. (#114)
REVERT: af8160e017 doc: we now work with nginx 1.17.x (up to 1.17.8 at least).
REVERT: 743a4bb1a2 travis-ci: bumped the NGINX core to 1.17.8.
REVERT: 552e216a0d travis-ci: switched to OpenResty's fork of LuaJIT.
REVERT: 7255ae95d9 travis-ci: bumped the NGINX core to 1.17.4.
REVERT: 380e994d31 doc: updated the nginx compatibility list.
REVERT: ab40f34464 travis: bumped the nginx core version to 1.17.1.
REVERT: d3a920ad34 travis: clone the lua-resty-core and lua-resty-lrucache repositories.
REVERT: 085fbbc28f travis: bumped the nginx core version to 1.15.8.
REVERT: f1fadb9e29 tests: t/input-cookie.t: fixed a failing test case with our newest version of ngx_http_lua's LuaJIT alert log.
REVERT: a9f7c7e86c tests: added a passing test for overriding Cache-Control header created by proxy module.
REVERT: 55fbdaba96 doc: bumped version to 0.33.
REVERT: f389f11785 tests: added new valgrind false positives in the latest nginx core.
REVERT: 79ac9547b7 tests: valgrind.suppress: removed too aggressive suppressions in nginx mem pools and luajit lj_str_new.
REVERT: a799a97ba3 tests: minor tweaks in valgrind.suppress.
REVERT: d63cf91edc tests: removed extra file-trailing newlines.
REVERT: 4512b82a82 feature: add wildcard match support for more_clear_input_headers.
REVERT: 7b0762aba6 doc: adjusted the doc for the use of wildcards in header names. thanks Dejiang Zhu for the report.
REVERT: 8096689630 doc: updated copyright notice.
REVERT: 732874a0fc travis-ci: several improvements and tweaks.
REVERT: 491df7f8d8 doc: fixed more_clear_input_headers usage examples.
REVERT: 5aa76052d5 doc: bumped version to 0.32.
REVERT: 04916fbc45 tests: skipped the newly added test case that cannot run in check leak test mode.
REVERT: 30fb25901c bugfix: more_set_input_headers: skips setting multi-value headers for bad requests to avoid segfaults.
REVERT: 84241e444b doc: bumped version to 0.31.
REVERT: 2054d92618 doc: typo fixes.
REVERT: 72c81c922d skipped check leak mode for two test cases using malformed requests.
REVERT: fbab586961 doc: claims that we work with 1.10.x since it is essentially the same as 1.9.x.
REVERT: 4fccc2a196 bugfix: fixed a typo in an error message.
REVERT: 0a5bad9073 bugfix: when the nginx core does not properly initialize r->headers_in.headers (due to 400 bad requests and etc), more_set_input_headers might lead to crashes. thanks Marcin Teodorczyk for the report.
REVERT: 7fc33974dc doc: fixed the release year.
REVERT: 4cb061b575 travis-ci: use "prove -r t" to run the test suite and test against nginx 1.10.0 instead of 1.8.1.
REVERT: cf016595f6 various coding style fixes.
REVERT: 4612cb62dc Merge branch 'master' of github.com:openresty/headers-more-nginx-module
REVERT: 63b8039d7d doc: release 0.30 and compatibility with nginx cores as far as 1.9.15.
REVERT: b120f866ec Merge pull request #52 from chipitsine/master
REVERT: 182d12a19b fixed "exit 0" on failed build
REVERT: 981a6914a4 feature: initial travis-ci support.
REVERT: f5559ec571 doc: documented the dynamic module support in this module.
REVERT: cabd03a867 doc: typo fix.
REVERT: 2f93b9a310 feature: now this module can be compiled as a dynamic module with ./configure --add-dynamic-module=PATH in NGINX 1.9.11+. thanks Sjir Bagmeijer for the original patch in #44.
REVERT: cc19196c71 minor test tweaks.
REVERT: e77178fd2a config: some refactoring.
REVERT: 443753c53a doc: ngx_openresty -> OpenResty.
REVERT: f14b3667ca doc: stated that we are compatible with nginx cores as far as 1.9.7.
REVERT: 88f797a5cb bumped version to 0.29.
REVERT: e8822662b0 bugfix: changing the built-in header X-Forwarded-For via more_set_input_headers or more_clear_input_headersmight not take effect in some parts of the nginx core (like $proxy_add_x_forwarded_for).
REVERT: bbaa39fd96 added a .gitattributes file to correct GitHub's language tag.
REVERT: 51dcf09014 doc: bumped version to 0.28.
REVERT: 473fc9d8e8 bugfix: fixed errors and warnings with C compilers without variadic macro support.
REVERT: a744defdfa removed the useless code snippet enabled by the unused NGX_HTTP_HEADERS macro. it also triggered a compilation error. thanks Vadim A. Misbakh-Soloviov for the report in #39.
REVERT: c8b4b0a958 updated docs to reflect recent changes.
REVERT: 5031112c0e tests: fixed the test plan in input.t.
REVERT: 42d8019f04 bugfix: setting (builtin) request headers Upgrade, Accept, Accept-Language, Depth, Destination, Overwrite, and Date might not take effect in standard nginx modules like ngx_http_proxy, ngx_http_headers, and ngx_http_dav.
REVERT: bc48417d87 bugfix: when the response header Content-Type contains params like "; charset=utf-8", the -t MIME-List options did not work as expected at all. thanks Joseph Bartels for the report in #38.
REVERT: 4648e827ec doc: we no longer sync from the nginx wiki site.
REVERT: d0e1a74087 util/build.sh: removed $LUAJIT_LIB and /usr/local/lib from the RPATH list.
REVERT: f6a745a160 bugfix: clearing input headers If-Unmodified-Since, If-Match, and If-None-Match did not clear the builtin "shortcut" fields in ngx_http_headers_in_t which might confuse other nginx modules like ngx_http_not_modified_filter_module. The first header gets "shortcuts" fields since nginx 0.9.2 while the latter two since nginx 1.3.3.
REVERT: 4b20caa633 tests: disabled the test cases exercising multiple http {} blocks since this undocumented feature has been disabled since nginx 1.9.3.
REVERT: ccaede8899 doc: bumped version to 0.26.
REVERT: fdf4eabef3 minor coding style fixes.
REVERT: d20bf26a80 fixed compilation failures with nginx 1.7.11+ configured with --with-threads.
REVERT: a7f81f20be updated doc to reflect recent changes.
REVERT: 02fd3778ab style: fixed the coding style of labels.
REVERT: b4f9e524a1 optimize: removed the unused C function ngx_http_headers_more_rm_header. thanks Markus Linnala for the catch in #28.
REVERT: 2a33f3d017 doc: made it clear that more_set_headers always override existing headers with the same name.
REVERT: 95d8178b05 suppressed a valgrind false positive in libdl.
REVERT: 0c6e05d312 updated docs to reflect recent changes.
REVERT: 61af6c9eed doc: documented the limitation that we cannot remove the "Connection" response header with this module. thanks Michael Orlando for bringing this up in #22.
REVERT: 6e9dd00bb2 added the missing bit in commit 40414ca1. thanks Edwin Cleton for the report.
REVERT: 6d4d619b37 minor coding style fix.
REVERT: 40414ca1f6 fixed a warning from the Microsoft C compiler. thanks Edwin Cleton for the report.
REVERT: 4b718e786f various coding style fixes.
REVERT: 7a6fd11368 doc: bumped version to 0.24 and claims that we work with nginx 1.4.4.
REVERT: fe2a70ea51 updated valgrind.suppress for i386.
REVERT: 540c6770fa bugfix: more_set_input_headers did not completely override the existing request header with multiple values. thanks Aviram Cohen for the report.
REVERT: bb92718431 doc: minor markdown formatting tweaks.
REVERT: b66e2ef1be removed the plain text README file.
REVERT: ad3d8d622a bumped version to 0.23.
REVERT: 35f8faf541 doc: added syntax highlighting to the code samples.
REVERT: 9c4b6ee1dd minor coding style fixes.
REVERT: 1caf5cc413 bugfix: removing request headers might lead to memory corruptions.
REVERT: 566cebf002 minor coding style fixes.
REVERT: 6f06b3720d doc: markdown: added a "table of contents" seciton and lots of "Back to TOC" links.
REVERT: 5f1425508a docs: eliminated links to the nginx wiki wherever possible.
REVERT: 211760978b bugfix: more_set_input_headers might overwrite the value of the $host variable with bad values.
REVERT: 5a70b6b468 bugfix: more_set_headers and more_clear_headers might now work when multiple http {} blocks were used in nginx.conf.
REVERT: 3bc9f941b4 bugfix: eliminated use of C global variables during configuration phase.
REVERT: 035a5f3d31 updated docs to reflect recent changes.
REVERT: 6d19a39805 fixed the test plan in sanity.t.
REVERT: 31d0e78b7b bumped version to 0.22.
REVERT: 3392914d27 added a (passing) test for setting response headers for HTTP 0.9 requests.
REVERT: 625c550aa5 updated .gitignore a bit.
REVERT: 147c2737b0 bugfix: segfaults would happen in more_set_input_headers and more_clear_input_headers when processing HTTP 0.9 requests. thanks Bin Wang for the report in #14.
REVERT: 26f96fb419 bugfix: we did not properly initialize the location response header field in commit b21333e2d. this is a further fix for issue #7.
REVERT: 00ee3cfcf8 massive coding style fixes.
REVERT: b21333e2dc bugfix: segfault might happen when using more_set_headers or more_clear_headers in the case that the nginx core initiated a 301 redirect. this issue was caused by an optimization in the nginx core where ngx_http_core_find_config_phase, for example, does not fully initialize the "Location" response header after creating the header. thanks Brian Akins for the original report in #7 and Vladimir Protasov for the insight in chaoslawful/lua-nginx-module#260.
REVERT: ec05b8981d updated docs to reflect recent changes.
REVERT: be5ea9a6d6 bugfix: segmentation fault might happen in nginx 1.4.x when using more_set_input_headers on the Cookie request headers because recent versions of nginx no longer always initialize r->headers_in.cookies.
REVERT: 0df17d017b bumped version to 0.20.
REVERT: 376b7bc233 massive coding style fixes in ngx_http_headers_more_headers_in.c.
REVERT: e9f060d50d added test cases for the recent fixes in the Cookie request header handling.
REVERT: 2da1aaa9f5 fixed places where we should return NGX_ERROR instead of NGX_HTTP_INTERNAL_SERVER_ERROR; also fixed a clang warning.
REVERT: a45243e2f7 bugfix: modifying the Cookie request headers via more_set_input_headers/more_clear_input_headers did not update the Nginx internal data structure, r->headers_in.cookies, at the same time, which might cause issues when reading variables $cookie_COOKIE, for example.
REVERT: e9b817509c bugfix: modifying the Via request header via more_set_input_headers/more_clear_input_headers did not update the special internal field in the Nginx core, "r->headers_in.via", when the ngx_gzip_filter module is enabled.
REVERT: c7feaa395e bugfix: modifying the X-Real-IP request header via more_set_input_headers/more_clear_input_headers did not update the special internal field in the Nginx core, "r->headers_in.x_real_ip", when the ngx_realip module is enabled.
REVERT: 27c2137c67 bugfix: modifying the Connection request header via more_set_input_headers/more_clear_input_headers did not update the special internal flags in the Nginx core, "r->headers_in.connection_type" and "r->headers_in.keep_alive_n".
REVERT: 95ed9ce74e bugfix: modifying the User-Agent request header via more_set_input_headers/more_clear_input_headers did not update those special internal flags in the Nginx core, like "r->headers_in.msie6" and "r->headers_in.opera".
REVERT: 22ed8a4143 updated docs to reflect recent changes.
REVERT: 9ba50727f2 updated tests to reflect recent changes in ngx_echo regarding the $echo_client_request_headers variable (commit agentzh/echo-nginx-module@2adcf59ec5.
REVERT: 27bcbd290f updated docs to reflect recent changes.
REVERT: 5f9684bbdc updated .gitignore a bit.
REVERT: d658a2f908 bugfix: more_clear_input_headers would result in memory invalid reads when removing the 21st request headers. thanks Umesh Sirsiwal for reporting this issue as chaoslawful/lua-nginx-module#176.
REVERT: 0f6132327b removed the sendmsg/ngx_channel valgrind suppression rules.
REVERT: 07702cf8ba updated valgrind.suppress for valgrind 3.8.0.
REVERT: bdb1068b6c updated docs to fix my English name. also fixed an issue in the sample code in docs that Transfer-Encoding cannot be cleared. thanks koukou73gr.
REVERT: 658698495b updated docs to reflect recent changes.
REVERT: 3147c8b4fc updated .gitignore.
REVERT: 278ba7d207 bugfix: fixed a set-but-not-read warning from the clang static analyzer.
REVERT: 05a862b334 fixed compatibility with nginx 0.7.65. thanks Banping for reporting this.
REVERT: b7c8cfcd36 updated docs to reflect recent changes.
REVERT: 2f5f6601a3 updated .gitignore.
REVERT: 4ea0a75ad2 bugfix: more_clear_input_headers did not remove all the instances for the builtin headers or custom headers. bugfix: more_clear_input_headers might accidentally remove request headers that are not specified at all and leave the specified headers with just empty header values when removing multiple built-in headers. thanks Matthieu Tourne for reporting the issues.
REVERT: de80b79722 added a (passing) test for rewrite + more_set_input_headers.
REVERT: 81c8750f15 updated valgrind.suppress for linux i386.
REVERT: cf7e2d5877 updated valgrind.suppress for the "hup reload" + valgrind/memcheck testing mode.
REVERT: 33a82ed11c updated valgrind.suppress and .gitignore.
REVERT: aa2ae0f8b1 updated valgrind.suppress.
REVERT: 4b4bfca98a updated valgrind.suppress.
REVERT: 34e2389212 updated valgrind.suppress.
REVERT: 3580526017 allow use of the DDEBUG macro from the outside (via the "-D DDEBUG=1" cc opton).
REVERT: de77fd22c3 updated docs to reflect recent changes.
REVERT: 719ffa26a8 reindexed the test cases.
REVERT: 5f082e5647 Merge branch 'master' of github.com:agentzh/headers-more-nginx-module
REVERT: 006ecab226 bugfix: removing builtin headers in huge request headers with 20+ entries could result in data loss. thanks Chris Dumoulin for the patch in github issue #6.
REVERT: 4f911f68d9 updated valgrind.suppress for gcc 4.6.
REVERT: 87595f7445 optimized the previous commit for padding header value strings with '\0'.
REVERT: 7a719b8aef bugfix: the more_set_input_headers directive might cause invalid memory reads because nginx request header values must be null terminated. thanks Maxim Dounin.
REVERT: ffdda45351 bugfix: more_set_input_headers did not handle the Accept-Encoding request headers properly. thanks 天街夜色.
REVERT: 6cd7ae83cb bugfix: Cache-Control header modification might introduce empty value headers when using with the standard ngx_headers module.
REVERT: 55ad2f48ec fixed the download page links in docs.
REVERT: be6a17e768 updated docs to state that we work with nginx 1.0.8 and 1.1.5.
REVERT: f7cb29e248 fixed setting Cache-Control response headers. we should properly prepare the r->cache_control array as well.
REVERT: 5de933dc40 we should not set header->hash with ngx_hash_key_lc, not simply to 1.
REVERT: b3c6230a3c use Test::Nginx::Socket instead of Test::Nginx::LWP.
REVERT: ff219e96e2 fixed a bug when setting a multi-value response header to a single value: the single value will be repeated on each old value.
REVERT: 3790855327 confirmed that we work with nginx 1.0.6.
REVERT: 9057b09916 fixed on-demand hander/filter registration trick for HUP.
REVERT: 936a555d6a fixed the "<" and ">" symbols in the markdown doc.
REVERT: 5d484ecc78 updated links in docs.
REVERT: 8b78aec445 renamed the wiki file.
REVERT: 264e523fa6 added internal cross links to README.markdown.
REVERT: e6c6358562 added more hyper-links to README.markdown.
REVERT: 61db52f559 removed unused utilities.
REVERT: 12ccabb154 fixed source lines exceeding 80 cols; checked README.markdown.
REVERT: 78286ca0d8 confirmed that we work with nginx 1.0.5.
REVERT: 137855d9d7 release v0.15.
REVERT: 5fac223792 now more_set_headers supports overriding charset in Content-Type. thanks ML.
REVERT: 2c629dee0e fixed an issue in more_clear_headers: we should remove all the instances of the headers specified, not only the first occurrence. thanks 李杨.
REVERT: b1c4273ae5 back-ported a bugfix from ngx_lua: in output header set, we should always set the header->hash to 1. thanks moodydeath for reporting it.
REVERT: 6a12aa5243 confirmed that we work with nginx 1.0.2.
REVERT: ef15b439f0 minor updates.
REVERT: b27e5d92ab minor coding style fixes.
REVERT: 28c62d1d27 added more tests for Accept-Ranges and also fixed a bug when clearing this header. thanks Bo Blangstrup.
REVERT: 7bba2a12bc fixed the links to the test suite.
REVERT: 2cbbc15d68 updated the documentation to reflect recent changes.
REVERT: 3641ccfd58 updated .gitignore.
REVERT: fb2d8935d6 now we postpone the rewrite phase handler only once rather than on every main request previously. this will save some CPU cycles on every request.
REVERT: d732166ebd removed the bundled Test::Nginx module from our repos; also raised test/t to the toplevel directory.
REVERT: 19e17f08b6 fixed two spots where we did not check against null pointers when allocating memory.
REVERT: 592845e904 now we use the 2-clause bsd license.
REVERT: 8bd248f0d7 updated README from the wiki page.
REVERT: df422fe8ab minor tweaks of coding style and .gitignore.
REVERT: c808e71eb6 renamed the source file names a bit.
REVERT: c5b6141b4b minor coding style tweaks.
REVERT: b4abf2bbf6 Merge branch 'master' of github.com:agentzh/headers-more-nginx-module
REVERT: 80bcb021b6 Update Test::Nginx.
REVERT: 442f866381 updated Test::Nginx.
REVERT: 8447e58c5d updated Test::Nginx.
REVERT: 780408eff1 Use build farm's default server port in tests.
REVERT: 27735dd306 Update Test::Nginx.
REVERT: 9508330b04 releng work for 0.13.
REVERT: 7c6b53e245 fixed a bug in rewrite phase postponing algorithm which may cause eval {...} running after "if". thanks Liseen Wan (xunxin).
REVERT: 7d2db6fa01 enabled the no-pool-nginx patch in our build.sh script for nginx 0.8.41.
REVERT: b140336073 added a test case for adding a header with an empty variable as its value (from Piotr Sikora).
REVERT: 435fee6d33 updated readme to reflect recent changes.
REVERT: 079fa9507d fixed a vim typo...
REVERT: e64e736af8 we should explicitly clear r->headers_out.content_type_lowcase or it will defeat the gzip filter module.
REVERT: 55cbcab47d added tests for issue 3 ("breaks mime types") on GitHub but cannot reproduce the issue with nginx 0.7.66 nor nginx 0.8.40.
REVERT: b8c8721523 updated docs for v0.11.
REVERT: 87e6e73182 fixed the variables-in-Range-header issue reported by Alexander Vetrin.
REVERT: 2afd97b483 use the name "ngx_headers_more" to help SEO.
REVERT: ae532d8d9f updated docs for v0.10.
REVERT: aaf5fce53b removed input headers physically from the r->headers_in.headers list because ngx_proxy does not honor h->hash.
REVERT: 793158dcf4 removed some debugging code.
REVERT: c68a095c47 now we can completely erase any output headers (both custom and builtin ones).
REVERT: 75b1bfa5d2 updated README to reflect recent changes.
REVERT: 00c986fdee minor style tweaks in the .t files.
REVERT: c47b63790b fixed a memory initialization issue for more_set_input_headers -r, we should always initialize hv.replace even when replace == 0. thanks valgrind++ :D
REVERT: 1b93def22d implemented wildcard header clear
REVERT: 3a67ad8305 work around the links in README.
REVERT: 126fce84cf updated Test::Nginx.
REVERT: 5cd9a384f8 documented the -r option.
REVERT: 0b16d5c3fe Merge branch 'dobe-r'
REVERT: 0febdfca7f added -r flag to more_set_input_headers
REVERT: 7da6665dab updated .gitignore.
REVERT: d0f2bb40e3 sync'd the test scaffold with Test::Nginx 0.08 on CPAN.
REVERT: fb5ebd5683 use ngx_null_string whenever possible.
REVERT: 348da493f6 sync'd Test::Nginx to 0.07.
REVERT: 4629b7f8e1 some coding style tweaks.
REVERT: a127664fcc added t/bug.t
REVERT: db9913e9c4 updated docs to reflect recent changes.
REVERT: fc18a5cec1 fixed the more_clear_headers directive for builtin headers like "Server" and "Last-Modified" by always inserting an empty header when absent. Thanks Sebastiaan Deckers for reporting it.
REVERT: 753e74c668 sync'd Test::Nginx 0.05.
REVERT: 985eeb0b73 updated the test scaffold to Test::Nginx 0.04.
REVERT: dd3ec52a2b updated test scaffold.
REVERT: e427600d2b git ignore reindex.
REVERT: 1792f2d93a releng work for v0.06.
REVERT: f901cecf9c confirmed that we also work in subrequests in t/subrequest.t.
REVERT: 1cc21a7152 now the input header handler runs at the *end* of the rewrite phase.
REVERT: b154fdb6b7 now we free empty headers and types array structs eagerly.
REVERT: 1a2d9c6f9a updated the test scaffold.
REVERT: 05e0fd6c06 sync'd the docs with the wiki page and confirmed that it works with the new nginx 0.8.28 release.
REVERT: 219e6dd055 added a test for rewriting the input Content-Length header using the rewrite module's set directive.
REVERT: d5af630591 sync'd with the wiki page.
REVERT: 6289231571 added the wiki page as the main doc.
REVERT: bce15002dd added a (passing) test for mixed input/output setters.
REVERT: 8288003cc9 more docs.
REVERT: 3391d9d718 fixed variables in more_set_input_headers by registering the handler in the "access phase".
REVERT: e2a7a9630d added new directives more_set_input_headers and more_clear_input_headers.
REVERT: 83bf8ed38d now we require at least 0.7.44 due to the use of ngx_http_complex_value_t.
REVERT: ad8b0e5eac releng for v0.03.
REVERT: b93bd9b1fb fixed the uninitialized s/t bug in parse_statuses and parse_types. also added a (failing) test for the input header directives.
REVERT: 219d75425d first big refactoring in order to introduce input header support.
REVERT: 91cf5b797f refactored the structs into the header.
REVERT: 993e75b205 more README tweaks.
REVERT: 6023eac18f tested against the latest 0.8.27 and 0.7.64.
REVERT: 1da2c87212 added more docs to README.
REVERT: 8483f9a629 removed explicit clear header handlers.
REVERT: ade7573bac now we support variables in new headers' values.
REVERT: 742097fdc9 fixed a typo in README.
REVERT: c131b08ed8 0.7.21 is the minimum nginx version requirement.
REVERT: 5e86ea3794 more docs and more love.
REVERT: 934fe6677a updated README.
REVERT: c6af9971ed this module is now usable.
REVERT: 0593d3b427 added tests for the Charset header.
REVERT: 6fdb040be9 more tests and more fixes.
REVERT: 51c4328839 fixed Content-Type.
REVERT: ba695a3c0c fixed various bugs and all tests are passing now.
REVERT: b3b5245537 fixed a bug where I carelessly used r->headers_in for r->headers_out. the test is passing now.
REVERT: 2298986216 added a simple test which is failing atm :P
REVERT: 5af162eb95 things are complete now but we haven't tested anything yet :P
REVERT: bb0a53ca09 it finally compiles :)
REVERT: af379a7356 implemented parsers for the -t and -s options in the config directives.
REVERT: 1485546379 added usage to README.
REVERT: 8b0498a951 added README.
REVERT: 8876cec82b initial checkin

git-subtree-dir: src/deps/src/headers-more-nginx-module
git-subtree-split: 576cb81979

.dockerignore

@@ -0,0 +1,6 @@
+.git
+.idea/
+.vscode/
+__pycache__
+env
+node_modules

.gitattributes

@@ -1 +1,17 @@
-*.t linguist-language=Text
+* text=auto eol=lf
+
+# Folders
+src/deps/src/** -text -eol linguist-vendored=true
+src/common/core/modsecurity/files/** -text -eol linguist-vendored=true
+src/ui/static/js/editor/** -text -eol linguist-vendored=true
+src/ui/static/js/utils/purify/** -text -eol linguist-vendored=true
+src/ui/static/webfonts/** -text -eol linguist-vendored=true
+
+# Files
+src/deps/misc/lua-pack.Makefile -linguist-vendored=true
+src/deps/misc/ngx_http_modsecurity_access.c -linguist-vendored=true
+src/ui/static/css/datepicker-foundation.css -linguist-vendored=true
+src/ui/static/css/flatpickr.css -linguist-vendored=true
+src/ui/static/css/flatpickr.dark.css -linguist-vendored=true
+src/ui/static/js/tsparticles.bundle.min.js -linguist-vendored=true
+src/ui/static/js/utils/flatpickr.js -linguist-vendored=true

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,91 @@
+name: 🐛 Bug Report
+description: Create a report to help us reproduce and fix the bug
+title: "[BUG] "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: >
+        #### Before submitting a bug, please make sure the issue hasn't been already addressed by searching through [the existing and past issues](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+).
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Concise description of what you're trying to do, the expected behavior and the current bug.
+      placeholder: Describe the bug, the expected behavior and the current behavior
+    validations:
+      required: true
+  - type: textarea
+    id: how-to-reproduce
+    attributes:
+      label: How to reproduce?
+      description: Concise description of how to reproduce the issue.
+      placeholder: Describe how to reproduce the issue
+    validations:
+      required: true
+  - type: textarea
+    id: configuration-file
+    attributes:
+      label: Configuration file(s) (yaml or .env)
+      description: |
+        Please copy and paste your configuration file or the relevant part of it.
+        ⚠️ DON'T FORGET TO REMOVE PRIVATE DATA LIKE IP ADDRESSES ! ⚠️
+      placeholder: Configuration file
+      render: YAML
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+        ⚠️ DON'T FORGET TO REMOVE PRIVATE DATA LIKE IP ADDRESSES ! ⚠️
+      placeholder: Log output
+      render: shell
+  - type: input
+    id: version
+    attributes:
+      label: BunkerWeb version
+      description: What version of BunkerWeb are you running?
+      placeholder: Version
+      value: 1.5.3
+    validations:
+      required: true
+  - type: dropdown
+    id: integration
+    attributes:
+      label: What integration are you using?
+      options:
+        - Docker
+        - Autoconf
+        - Swarm
+        - Kubernetes
+        - Linux
+        - Ansible
+        - Vagrant
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: linux-distribution
+    attributes:
+      label: Linux distribution (if applicable)
+      description: What Linux distribution are you using? (e.g. Ubuntu Server 18.04)
+      placeholder: Linux distribution
+  - type: checkboxes
+    id: removed-private-data
+    attributes:
+      label: Removed private data
+      description: |
+        We would like to emphasize that we are not responsible for any private data that may be inadvertently included in the logs or configuration files.
+        ⚠️ I have removed all private data from the configuration file and the logs ⚠️
+      options:
+        - label: I have removed all private data from the configuration file and the logs
+          required: true
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/ISSUE_TEMPLATE/documentation.yml

@@ -0,0 +1,29 @@
+name: 📚 Documentation enhancement
+description: Suggest an idea that will improve BunkerWeb documentation or declare a bug in the documentation
+title: "[DOC] "
+labels: ["documentation"]
+body:
+  - type: markdown
+    attributes:
+      value: >
+        #### Before submitting a documentation enhancement request, please make sure the feature hasn't been already addressed by searching through [the existing and past documentation enhancement requests](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+%5BDOC%5D+in%3Atitle).
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Concise description of the error or what is missing.
+    validations:
+      required: true
+  - type: textarea
+    id: proposed-solution
+    attributes:
+      label: Proposed solution (optional)
+      description: How it should be fixed or what should be added ?
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this documentation enhancement request, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+name: 🚀 Feature Request
+description: Suggest an idea that will improve BunkerWeb
+title: "[FEATURE] "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: >
+        #### Before submitting a feature request, please make sure the feature hasn't been already addressed by searching through [the existing and past feature requests](https://github.com/bunkerity/bunkerweb/issues?q=is%3Aissue+sort%3Acreated-desc+%5BFEATURE%5D+in%3Atitle).
+  - type: textarea
+    id: whats-needed-and-why
+    attributes:
+      label: What's needed and why?
+      description: Describe the feature you would like to see in the project and why it should be implemented.
+    validations:
+      required: true
+  - type: textarea
+    id: implementations-ideas
+    attributes:
+      label: Implementations ideas (optional)
+      description: How it should be used and integrated into the project ? List some posts, research papers or codes that we can use as implementation.
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this feature request, you agree to follow our [Code of Conduct](https://github.com/bunkerity/bunkerweb/blob/master/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/codeql.yml

@@ -0,0 +1,13 @@
+name: "CodeQL config"
+
+paths:
+  - src/autoconf
+  - src/scheduler
+  - src/ui
+  - src/common
+paths-ignore:
+  - src/ui/static/js/tsparticles.bundle.min.js
+  - src/ui/static/js/editor
+  - src/ui/static/js/utils/flatpickr.js
+  - src/ui/static/js/utils/purify
+  - src/common/core/modsecurity/files

.github/dependabot.yml

@@ -0,0 +1,172 @@
+version: 2
+
+updates:
+  # GHA
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/gha"
+    target-branch: "dev"
+
+  # BW
+  - package-ecosystem: "docker"
+    directory: "/src/bw"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/bw"
+    target-branch: "dev"
+
+  # Scheduler
+  - package-ecosystem: "docker"
+    directory: "/src/scheduler"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/scheduler"
+    target-branch: "dev"
+  - package-ecosystem: "pip"
+    directory: "/src/scheduler"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/scheduler"
+    target-branch: "dev"
+
+  # Autoconf
+  - package-ecosystem: "docker"
+    directory: "/src/autoconf"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/autoconf"
+    target-branch: "dev"
+  - package-ecosystem: "pip"
+    directory: "/src/autoconf"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/autoconf"
+    target-branch: "dev"
+
+  # UI
+  - package-ecosystem: "docker"
+    directory: "/src/ui"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/ui"
+    target-branch: "dev"
+  - package-ecosystem: "pip"
+    directory: "/src/ui"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/ui"
+    target-branch: "dev"
+
+  # Misc
+  - package-ecosystem: "pip"
+    directory: "/src/deps"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/deps"
+    target-branch: "dev"
+  - package-ecosystem: "pip"
+    directory: "/src/common/gen"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/common/gen"
+    target-branch: "dev"
+  - package-ecosystem: "pip"
+    directory: "/src/common/db"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "TheophileDiot"
+    reviewers:
+      - "TheophileDiot"
+    commit-message:
+      prefix: "deps/common/db"
+    target-branch: "dev"
+
+  # Terraform
+  - package-ecosystem: "terraform"
+    directory: "/tests/terraform"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/Paris"
+    assignees:
+      - "fl0ppy-d1sk"
+    reviewers:
+      - "fl0ppy-d1sk"
+    commit-message:
+      prefix: "deps/terraform"
+    target-branch: "dev"

.github/workflows/beta.yml

@@ -0,0 +1,283 @@
+name: Automatic push (BETA)
+
+permissions: read-all
+
+on:
+  push:
+    branches: [beta]
+
+jobs:
+  # Build amd64 + 386 containers images
+  build-containers:
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        arch: [linux/amd64, linux/386]
+        include:
+          - release: beta
+            cache: false
+            push: false
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+          - arch: linux/amd64
+            cache_suffix: amd64
+          - arch: linux/386
+            cache_suffix: "386"
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      ARCH: ${{ matrix.arch }}
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+      CACHE: ${{ matrix.cache }}
+      PUSH: ${{ matrix.push }}
+      CACHE_SUFFIX: ${{ matrix.cache_suffix }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  # Create ARM environment
+  create-arm:
+    uses: ./.github/workflows/create-arm.yml
+    secrets:
+      SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
+      SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
+      SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+      SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Build arm64 + arm/v7 images
+  build-containers-arm:
+    needs: [create-arm]
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        arch: ["linux/arm64,linux/arm/v7"]
+        include:
+          - release: beta
+            cache: false
+            push: false
+            cache_suffix: arm
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      ARCH: ${{ matrix.arch }}
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+      CACHE: ${{ matrix.cache }}
+      PUSH: ${{ matrix.push }}
+      CACHE_SUFFIX: ${{ matrix.cache_suffix }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Build Linux packages
+  build-packages:
+    needs: [create-arm]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, rhel]
+        platforms: [linux/amd64, linux/arm64]
+        include:
+          - release: beta
+          - linux: ubuntu
+            package: deb
+          - linux: debian
+            package: deb
+          - linux: fedora
+            package: rpm
+          - linux: rhel
+            package: rpm
+    uses: ./.github/workflows/linux-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      LINUX: ${{ matrix.linux }}
+      PACKAGE: ${{ matrix.package }}
+      TEST: false
+      PLATFORMS: ${{ matrix.platforms }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
+      PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Wait for all builds and extract VERSION
+  wait-builds:
+    runs-on: ubuntu-latest
+    needs: [build-containers, build-containers-arm, build-packages]
+    outputs:
+      version: ${{ steps.getversion.outputs.version }}
+      versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Get VERSION
+        id: getversion
+        run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"
+      - name: Get VERSION (for RPM based)
+        id: getversionrpm
+        run: echo "versionrpm=$(cat src/VERSION | tr -d '\n' | sed 's/-/_/g')" >> "$GITHUB_OUTPUT"
+
+  # Push Docker images
+  push-images:
+    needs: [create-arm, wait-builds]
+    strategy:
+      matrix:
+        image:
+          [bunkerweb, bunkerweb-scheduler, bunkerweb-autoconf, bunkerweb-ui]
+        include:
+          - release: beta
+          - image: bunkerweb
+            cache_from: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: bunkerweb-scheduler
+            cache_from: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: bunkerweb-autoconf
+            cache_from: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: bunkerweb-ui
+            cache_from: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/push-docker.yml
+    with:
+      IMAGE: bunkerity/${{ matrix.image }}:${{ matrix.release }},bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }}
+      CACHE_FROM: ${{ matrix.cache_from }}-${{ matrix.release }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Push Linux packages
+  push-packages:
+    needs: [wait-builds]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, rhel]
+        arch: [amd64, arm64]
+        include:
+          - release: beta
+            repo: bunkerweb
+          - linux: ubuntu
+            separator: _
+            suffix: ""
+            version: jammy
+            package: deb
+          - linux: debian
+            separator: _
+            suffix: ""
+            version: bullseye
+            package: deb
+          - linux: fedora
+            separator: "-"
+            suffix: "1."
+            version: 38
+            package: rpm
+          - linux: el
+            separator: "-"
+            suffix: "1."
+            version: 8
+            package: rpm
+          - linux: ubuntu
+            arch: amd64
+            package_arch: amd64
+          - linux: debian
+            arch: amd64
+            package_arch: amd64
+          - linux: fedora
+            arch: amd64
+            package_arch: x86_64
+          - linux: el
+            arch: amd64
+            package_arch: x86_64
+          - linux: ubuntu
+            arch: arm64
+            package_arch: arm64
+          - linux: debian
+            arch: arm64
+            package_arch: arm64
+          - linux: fedora
+            arch: arm64
+            package_arch: aarch64
+          - linux: el
+            arch: arm64
+            package_arch: aarch64
+    uses: ./.github/workflows/push-packagecloud.yml
+    with:
+      SEPARATOR: ${{ matrix.separator }}
+      SUFFIX: ${{ matrix.suffix }}
+      REPO: ${{ matrix.repo }}
+      LINUX: ${{ matrix.linux }}
+      VERSION: ${{ matrix.version }}
+      PACKAGE: ${{ matrix.package }}
+      BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
+      PACKAGE_ARCH: ${{ matrix.package_arch }}
+      ARCH: ${{ matrix.arch }}
+    secrets:
+      PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
+
+  # Create doc PDF
+  doc-pdf:
+    needs: [wait-builds, push-images, push-packages]
+    uses: ./.github/workflows/doc-to-pdf.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+
+  # Push on GH
+  push-gh:
+    needs: [wait-builds, doc-pdf]
+    permissions:
+      contents: write
+      discussions: write
+    uses: ./.github/workflows/push-github.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+      PRERELEASE: true
+
+  # Push doc
+  push-doc:
+    needs: [wait-builds, push-gh]
+    permissions:
+      contents: write
+    uses: ./.github/workflows/push-doc.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+      ALIAS: beta
+    secrets:
+      BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
+
+  # Remove ARM VM
+  rm-arm:
+    if: ${{ always() }}
+    needs: [create-arm, push-images, build-packages]
+    uses: ./.github/workflows/rm-arm.yml
+    secrets:
+      ARM_ID: ${{ needs.create-arm.outputs.id }}
+      SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
+      SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
+      SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+      SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}

.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL Analysis
+
+on:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: "30 1 * * 6"
+  workflow_call:
+
+jobs:
+  code-security:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python", "javascript"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql.yml
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/container-build.yml

@@ -0,0 +1,134 @@
+name: Build container (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        required: true
+        type: string
+      ARCH:
+        required: true
+        type: string
+      IMAGE:
+        required: true
+        type: string
+      DOCKERFILE:
+        required: true
+        type: string
+      CACHE:
+        required: false
+        type: boolean
+        default: true
+      PUSH:
+        required: false
+        type: boolean
+        default: true
+      CACHE_SUFFIX:
+        required: false
+        type: string
+        default: ""
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_TOKEN:
+        required: true
+      ARM_SSH_KEY:
+        required: false
+      ARM_SSH_IP:
+        required: false
+      ARM_SSH_CONFIG:
+        required: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Replace VERSION
+        if: inputs.RELEASE == 'testing'
+        run: ./misc/update-version.sh testing
+      - name: Setup SSH for ARM node
+        if: inputs.CACHE_SUFFIX == 'arm'
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
+          chmod 600 ~/.ssh/id_rsa_arm
+          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
+        env:
+          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+          SSH_IP: ${{ secrets.ARM_SSH_IP }}
+          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+      - name: Setup Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        if: inputs.CACHE_SUFFIX != 'arm'
+      - name: Setup Buildx (ARM)
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        if: inputs.CACHE_SUFFIX == 'arm'
+        with:
+          endpoint: ssh://root@arm
+          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to ghcr
+        if: inputs.PUSH == true
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # Compute metadata
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: bunkerity/${{ inputs.IMAGE }}
+      # Build cached image
+      - name: Build image
+        if: inputs.CACHE == true
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: ${{ inputs.DOCKERFILE }}
+          platforms: ${{ inputs.ARCH }}
+          load: true
+          tags: local/${{ inputs.IMAGE }}
+          cache-from: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}
+          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }},mode=min
+          labels: ${{ steps.meta.outputs.labels }}
+      # Build non-cached image
+      - name: Build image
+        if: inputs.CACHE != true
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: ${{ inputs.DOCKERFILE }}
+          platforms: ${{ inputs.ARCH }}
+          load: ${{ inputs.CACHE_SUFFIX != 'arm' }}
+          tags: local/${{ inputs.IMAGE }}
+          cache-to: type=gha,scope=${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=min
+          labels: ${{ steps.meta.outputs.labels }}
+      # Check OS vulnerabilities
+      - name: Check OS vulnerabilities
+        if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
+        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master
+        with:
+          vuln-type: os
+          skip-dirs: /root/.cargo
+          image-ref: local/${{ inputs.IMAGE }}
+          format: table
+          exit-code: 1
+          ignore-unfixed: false
+          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+          trivyignores: .trivyignore
+      # Push image
+      - name: Push image
+        if: inputs.PUSH == true
+        run: docker tag local/$IMAGE ghcr.io/bunkerity/$IMAGE-tests:$TAG && docker push ghcr.io/bunkerity/$IMAGE-tests:$TAG
+        env:
+          IMAGE: "${{ inputs.IMAGE }}"
+          TAG: "${{ inputs.RELEASE }}"

.github/workflows/create-arm.yml

@@ -0,0 +1,86 @@
+name: Create ARM node (REUSABLE)
+
+on:
+  workflow_call:
+    outputs:
+      id:
+        description: "ARM ID"
+        value: ${{ jobs.build.outputs.id }}
+      ip:
+        description: "ARM IP"
+        value: ${{ jobs.build.outputs.ip }}
+
+    secrets:
+      SCW_ACCESS_KEY:
+        required: true
+      SCW_SECRET_KEY:
+        required: true
+      SCW_DEFAULT_PROJECT_ID:
+        required: true
+      SCW_DEFAULT_ORGANIZATION_ID:
+        required: true
+      ARM_SSH_KEY:
+        required: true
+      ARM_SSH_CONFIG:
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      id: ${{ steps.getinfo.outputs.id }}
+      ip: ${{ steps.getinfo.outputs.ip }}
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Get ARM availabilities
+        id: availabilities
+        uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
+        with:
+          args: instance server-type get zone=fr-par-2
+          export-config: true
+          access-key: ${{ secrets.SCW_ACCESS_KEY }}
+          secret-key: ${{ secrets.SCW_SECRET_KEY }}
+          default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+          default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
+      - name: Extract ARM type
+        run: |
+          TYPE=$(echo "$JSON" | jq '.servers | with_entries(select(.key | contains("AMP"))) | with_entries(select(.value.availability != "shortage")) | keys[] | select(. | test("^AMP2-C[0-9]+$")) | sub("AMP2-C"; "") | tonumber' | sort -n | tail -n 1 | xargs -I {} echo "AMP2-C{}")
+          echo "Type is $TYPE"
+          echo "TYPE=$TYPE" >> "$GITHUB_ENV"
+        env:
+          JSON: ${{ steps.availabilities.outputs.json }}
+      - name: Create ARM VM
+        id: scw
+        uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
+        with:
+          args: instance server create zone=fr-par-2 type=${{ env.TYPE }} root-volume=block:50GB
+      - name: Get info
+        id: getinfo
+        run: |
+          echo "id=${{ fromJson(steps.scw.outputs.json).id }}" >> "$GITHUB_OUTPUT"
+          echo "ip=${{ fromJson(steps.scw.outputs.json).public_ip.address }}" >> "$GITHUB_OUTPUT"
+      - name: Wait for VM
+        uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
+        with:
+          args: instance server wait ${{ fromJson(steps.scw.outputs.json).ID }} zone=fr-par-2
+      - name: Wait for SSH
+        uses: iFaxity/wait-on-action@628831cec646e6dacca502f34a6c6b46e131e51d
+        with:
+          resource: tcp:${{ fromJson(steps.scw.outputs.json).public_ip.address }}:22
+          timeout: 300000
+      - name: Setup SSH for ARM node
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
+          chmod 600 ~/.ssh/id_rsa_arm
+          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
+        env:
+          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+          SSH_IP: ${{ fromJson(steps.scw.outputs.json).public_ip.address }}
+          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+      - name: Install Docker
+        run: ssh root@$SSH_IP "curl -fsSL https://test.docker.com -o test-docker.sh ; sh test-docker.sh"
+        env:
+          SSH_IP: ${{ fromJson(steps.scw.outputs.json).public_ip.address }}

.github/workflows/dev-update-mmdb.yml

@@ -0,0 +1,61 @@
+name: Update cached mmdb files
+
+permissions:
+  contents: write
+
+on:
+  schedule:
+    - cron: "0 12 1 * *"
+
+jobs:
+  mmdb-update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.BUNKERBOT_TOKEN }}
+          ref: dev
+      - name: Download mmdb files
+        run: |
+          mkdir -p src/bw/misc/
+          cd src/bw/misc/
+          CURL_RETURN_CODE=0
+          CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o asn.mmdb.gz https://download.db-ip.com/free/dbip-asn-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
+          if [ ${CURL_RETURN_CODE} -ne 0 ]; then
+            echo "Curl connection failed when downloading asn-lite mmdb file with return code - ${CURL_RETURN_CODE}"
+            exit 1
+          else
+              echo "Curl connection success"
+              # Check http code for curl operation/response in  CURL_OUTPUT
+              httpCode=$(echo "${CURL_OUTPUT}" | sed -e 's/.*\httpcode=//')
+              if [ ${httpCode} -ne 200 ]; then
+                  echo "Curl operation/command failed due to server return code - ${httpCode}"
+                  exit 1
+              fi
+          fi
+          CURL_RETURN_CODE=0
+          CURL_OUTPUT=`curl -w httpcode=%{http_code} -s -o country.mmdb.gz https://download.db-ip.com/free/dbip-country-lite-$(date +%Y-%m).mmdb.gz 2> /dev/null` || CURL_RETURN_CODE=$?
+          if [ ${CURL_RETURN_CODE} -ne 0 ]; then
+            echo "Curl connection failed when downloading country-lite mmdb file with return code - ${CURL_RETURN_CODE}"
+            exit 1
+          else
+              echo "Curl connection success"
+              # Check http code for curl operation/response in  CURL_OUTPUT
+              httpCode=$(echo "${CURL_OUTPUT}" | sed -e 's/.*\httpcode=//')
+              if [ ${httpCode} -ne 200 ]; then
+                  echo "Curl operation/command failed due to server return code - ${httpCode}"
+                  exit 1
+              fi
+          fi
+          rm -f asn.mmdb country.mmdb
+          gunzip asn.mmdb.gz country.mmdb.gz
+      - name: Commit and push changes
+        uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
+        with:
+          branch: dev
+          commit_message: "Monthly mmdb update"
+          commit_options: "--no-verify"
+          commit_user_name: "BunkerBot"
+          commit_user_email: "bunkerbot@bunkerity.com"

.github/workflows/dev.yml

@@ -0,0 +1,214 @@
+name: Automatic tests (DEV)
+
+permissions: read-all
+
+on:
+  push:
+    branches: [dev]
+
+jobs:
+  # Containers
+  build-containers:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        include:
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: dev
+      ARCH: linux/amd64
+      CACHE: true
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  # Build Linux packages
+  build-packages:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, rhel]
+        include:
+          - linux: ubuntu
+            package: deb
+          - linux: debian
+            package: deb
+          - linux: fedora
+            package: rpm
+          - linux: rhel
+            package: rpm
+    uses: ./.github/workflows/linux-build.yml
+    with:
+      RELEASE: dev
+      LINUX: ${{ matrix.linux }}
+      PACKAGE: ${{ matrix.package }}
+      TEST: true
+      PLATFORMS: linux/amd64
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  codeql:
+    uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  # UI tests
+  tests-ui:
+    needs: [codeql, build-containers]
+    uses: ./.github/workflows/tests-ui.yml
+    with:
+      RELEASE: dev
+  tests-ui-linux:
+    needs: [codeql, build-packages]
+    uses: ./.github/workflows/tests-ui-linux.yml
+    with:
+      RELEASE: dev
+
+  # Core tests
+  prepare-tests-core:
+    needs: [codeql, build-containers, build-packages]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - id: set-matrix
+        run: |
+          tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
+          echo "tests=$tests" >> $GITHUB_OUTPUT
+    outputs:
+      tests: ${{ steps.set-matrix.outputs.tests }}
+  tests-core:
+    needs: prepare-tests-core
+    strategy:
+      fail-fast: false
+      matrix:
+        test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
+    uses: ./.github/workflows/test-core.yml
+    with:
+      TEST: ${{ matrix.test }}
+      RELEASE: dev
+  tests-core-linux:
+    needs: prepare-tests-core
+    strategy:
+      fail-fast: false
+      matrix:
+        test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
+    uses: ./.github/workflows/test-core-linux.yml
+    with:
+      TEST: ${{ matrix.test }}
+      RELEASE: dev
+    secrets: inherit
+
+  # Push with dev tag
+  push-dev:
+    needs: [tests-ui, tests-core]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push BW image
+        run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
+        env:
+          FROM: "bunkerweb"
+          TO: "bunkerweb"
+      - name: Push scheduler image
+        run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
+        env:
+          FROM: "scheduler"
+          TO: "bunkerweb-scheduler"
+      - name: Push UI image
+        run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
+        env:
+          FROM: "ui"
+          TO: "bunkerweb-ui"
+      - name: Push autoconf image
+        run: docker pull ghcr.io/bunkerity/$FROM-tests:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev bunkerity/$TO:dev && docker tag ghcr.io/bunkerity/$FROM-tests:dev ghcr.io/bunkerity/$TO:dev && docker push bunkerity/$TO:dev && docker push ghcr.io/bunkerity/$TO:dev
+        env:
+          FROM: "autoconf"
+          TO: "bunkerweb-autoconf"
+
+  # Push Linux packages
+  push-packages:
+    needs: [tests-ui-linux, tests-core-linux]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, el]
+        arch: [amd64]
+        include:
+          - release: dev
+            repo: bunkerweb
+          - linux: ubuntu
+            separator: _
+            suffix: ""
+            version: jammy
+            package: deb
+          - linux: debian
+            separator: _
+            suffix: ""
+            version: bullseye
+            package: deb
+          - linux: fedora
+            separator: "-"
+            suffix: "1."
+            version: 38
+            package: rpm
+          - linux: el
+            separator: "-"
+            suffix: "1."
+            version: 8
+            package: rpm
+          - linux: ubuntu
+            arch: amd64
+            package_arch: amd64
+          - linux: debian
+            arch: amd64
+            package_arch: amd64
+          - linux: fedora
+            arch: amd64
+            package_arch: x86_64
+          - linux: el
+            arch: amd64
+            package_arch: x86_64
+    uses: ./.github/workflows/push-packagecloud.yml
+    with:
+      SEPARATOR: ${{ matrix.separator }}
+      SUFFIX: ${{ matrix.suffix }}
+      REPO: ${{ matrix.repo }}
+      LINUX: ${{ matrix.linux }}
+      VERSION: ${{ matrix.version }}
+      PACKAGE: ${{ matrix.package }}
+      BW_VERSION: ${{ matrix.release }}
+      PACKAGE_ARCH: ${{ matrix.package_arch }}
+      ARCH: ${{ matrix.arch }}
+    secrets:
+      PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

.github/workflows/doc-to-pdf.yml

@@ -0,0 +1,38 @@
+name: Generate documentation PDF (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      VERSION:
+        required: true
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: "3.10"
+      - name: Install doc requirements
+        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt
+      - name: Install chromium
+        run: sudo apt install chromium-browser
+      - name: Install node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 18
+      - name: Install puppeteer
+        run: cd docs && npm install
+      - name: Run mkdocs serve in background
+        run: mkdocs serve & sleep 10
+      - name: Run pdf script
+        run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
+          path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf

.github/workflows/linux-build.yml

@@ -0,0 +1,152 @@
+name: Build Linux package (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        required: true
+        type: string
+      LINUX:
+        required: true
+        type: string
+      PACKAGE:
+        required: true
+        type: string
+      PLATFORMS:
+        required: true
+        type: string
+      TEST:
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_TOKEN:
+        required: true
+      ARM_SSH_KEY:
+        required: false
+      ARM_SSH_IP:
+        required: false
+      ARM_SSH_CONFIG:
+        required: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Replace VERSION
+        if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
+        run: ./misc/update-version.sh ${{ inputs.RELEASE }}
+      - name: Extract arch
+        run: |
+          echo "ARCH=${{ env.PLATFORMS }}" | sed 's/linux//g' | sed 's@/@@g' >> "$GITHUB_ENV"
+        env:
+          PLATFORMS: ${{ inputs.PLATFORMS }}
+      - name: Extract linux arch
+        if: inputs.PACKAGE == 'rpm'
+        run: |
+          echo "LARCH=${{ env.ARCH }}" | sed 's/amd64/x86_64/g' | sed 's/arm64/aarch64/g' >> "$GITHUB_ENV"
+        env:
+          ARCH: ${{ env.ARCH }}
+      - name: Extract linux arch
+        if: inputs.PACKAGE == 'deb'
+        run: |
+          echo "LARCH=${{ env.ARCH }}" >> "$GITHUB_ENV"
+        env:
+          ARCH: ${{ env.ARCH }}
+      - name: Setup SSH for ARM node
+        if: startsWith(env.ARCH, 'arm') == true
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
+          chmod 600 ~/.ssh/id_rsa_arm
+          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
+        env:
+          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+          SSH_IP: ${{ secrets.ARM_SSH_IP }}
+          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+      - name: Setup Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        if: startsWith(env.ARCH, 'arm') == false
+      - name: Setup Buildx (ARM)
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        if: startsWith(env.ARCH, 'arm') == true
+        with:
+          endpoint: ssh://root@arm
+          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # Build testing package image
+      - name: Build package image
+        if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          load: true
+          file: src/linux/Dockerfile-${{ inputs.LINUX }}
+          platforms: ${{ inputs.PLATFORMS }}
+          tags: local/bunkerweb-${{ inputs.LINUX }}:latest
+          cache-from: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}
+          cache-to: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }},mode=min
+      # Build non-testing package image
+      - name: Build package image
+        if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev'
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          load: true
+          file: src/linux/Dockerfile-${{ inputs.LINUX }}
+          platforms: ${{ inputs.PLATFORMS }}
+          tags: local/bunkerweb-${{ inputs.LINUX }}:latest
+      # Generate package
+      - name: Generate package
+        if: startsWith(env.ARCH, 'arm') == false
+        run: ./src/linux/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }}
+        env:
+          LARCH: ${{ env.LARCH }}
+      - name: Generate package (ARM)
+        if: startsWith(env.ARCH, 'arm') == true
+        run: |
+          docker save local/bunkerweb-${{ inputs.LINUX }}:latest | ssh -C root@arm docker load
+          scp ./src/linux/package.sh root@arm:/opt
+          ssh root@arm chmod +x /opt/package.sh
+          ssh root@arm /opt/package.sh ${{ inputs.LINUX }} ${{ env.LARCH }} "$(cat src/VERSION | tr -d '\n')"
+          scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
+        env:
+          LARCH: ${{ env.LARCH }}
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
+          path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
+      # Build test image
+      - name: Extract metadata
+        if: inputs.TEST == true
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
+      - name: Build test image
+        if: inputs.TEST == true
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: tests/linux/Dockerfile-${{ inputs.LINUX }}
+          platforms: ${{ inputs.PLATFORMS }}
+          push: true
+          tags: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}-tests
+          cache-to: type=gha,scope=${{ inputs.LINUX }}-${{ inputs.RELEASE }}-tests,mode=min

.github/workflows/push-doc.yml

@@ -0,0 +1,41 @@
+name: Push documentation (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      VERSION:
+        required: true
+        type: string
+      ALIAS:
+        required: true
+        type: string
+    secrets:
+      BUNKERBOT_TOKEN:
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.BUNKERBOT_TOKEN }}
+      - name: Replace VERSION
+        if: inputs.VERSION == 'testing'
+        run: ./misc/update-version.sh testing
+      - name: Setup git user
+        run: |
+          git config --global user.name "BunkerBot"
+          git config --global user.email "bunkerbot@bunkerity.com"
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: "3.10"
+      - name: Install doc requirements
+        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt
+      - name: Push doc
+        run: mike deploy --update-aliases --push --no-redirect ${{ inputs.VERSION }} ${{ inputs.ALIAS }}
+      - name: Set default doc
+        if: inputs.ALIAS == 'latest'
+        run: mike set-default --push latest

.github/workflows/push-docker.yml

@@ -0,0 +1,82 @@
+name: Push image (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      IMAGE:
+        required: true
+        type: string
+      TAGS:
+        required: true
+        type: string
+      CACHE_FROM:
+        required: true
+        type: string
+      DOCKERFILE:
+        required: true
+        type: string
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_TOKEN:
+        required: true
+      ARM_SSH_KEY:
+        required: true
+      ARM_SSH_CONFIG:
+        required: true
+      ARM_SSH_IP:
+        required: true
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Check out repository code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup SSH for ARM node
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/id_rsa_arm
+          chmod 600 ~/.ssh/id_rsa_arm
+          echo "$SSH_CONFIG" | sed "s/SSH_IP/$SSH_IP/g" > ~/.ssh/config
+        env:
+          SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+          SSH_IP: ${{ secrets.ARM_SSH_IP }}
+          SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+      - name: Setup Buildx (ARM)
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        with:
+          endpoint: ssh://root@arm
+          platforms: linux/arm64,linux/arm/v7,linux/arm/v6
+      # Compute metadata
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: bunkerity/${{ inputs.IMAGE }}
+      # Build and push
+      - name: Build and push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: ${{ inputs.DOCKERFILE }}
+          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ inputs.TAGS }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=gha,scope=${{ inputs.CACHE_FROM }}-amd64
+            type=gha,scope=${{ inputs.CACHE_FROM }}-386
+            type=gha,scope=${{ inputs.CACHE_FROM }}-arm

.github/workflows/push-github.yml

@@ -0,0 +1,97 @@
+name: Push on GitHub (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      VERSION:
+        required: true
+        type: string
+      PRERELEASE:
+        required: true
+        type: boolean
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      # Get PDF doc
+      - name: Get documentation
+        if: inputs.VERSION != 'testing'
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
+      # Create tag
+      - uses: rickstaa/action-create-tag@861755f3fcbce1b21a65c17bad10e7d35c27b6d9 # v1.7.1
+        name: Create tag
+        if: inputs.VERSION != 'testing'
+        with:
+          tag: "v${{ inputs.VERSION }}"
+          message: "v${{ inputs.VERSION }}"
+          force_push_tag: true
+      # Create tag
+      - uses: rickstaa/action-create-tag@861755f3fcbce1b21a65c17bad10e7d35c27b6d9 # v1.7.1
+        name: Create tag
+        if: inputs.VERSION == 'testing'
+        with:
+          tag: "${{ inputs.VERSION }}"
+          message: "${{ inputs.VERSION }}"
+          force_push_tag: true
+      # Extract changelog
+      - name: Extract changelog
+        if: inputs.VERSION != 'testing'
+        id: getchangelog
+        run: |
+          content=$(awk -v n=2 '/##/{n--}; n > 0' CHANGELOG.md | grep -v '# Changelog' | grep -v '##' | sed '/^$/d')
+          content="${content//'%'/'%25'}"
+          content="${content//$'\n'/'%0A'}"
+          content="${content//$'\r'/'%0D'}"
+          echo "content=$content" >> $GITHUB_OUTPUT
+      # Create release
+      - name: Create release
+        if: inputs.VERSION != 'testing'
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+        with:
+          body: |
+            Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
+
+            Docker tags :
+            - BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
+            - Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
+            - Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
+            - UI : `bunkerity/bunkerweb-ui:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ inputs.VERSION }}`
+
+            Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
+
+            Changelog :
+            ${{ steps.getchangelog.outputs.content }}
+          draft: true
+          prerelease: ${{ inputs.PRERELEASE }}
+          name: v${{ inputs.VERSION }}
+          tag_name: v${{ inputs.VERSION }}
+          discussion_category_name: Announcements
+          files: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
+      # Create release
+      - name: Create release
+        if: inputs.VERSION == 'testing'
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+        with:
+          body: |
+            **The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**
+
+            Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
+
+            Docker tags :
+            - BunkerWeb : `bunkerity/bunkerweb:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb:${{ inputs.VERSION }}`
+            - Scheduler : `bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-scheduler:${{ inputs.VERSION }}`
+            - Autoconf : `bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-autoconf:${{ inputs.VERSION }}`
+            - UI : `bunkerity/bunkerweb-ui:${{ inputs.VERSION }}` or `ghcr.io/bunkerity/bunkerweb-ui:${{ inputs.VERSION }}`
+
+            Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=${{ inputs.VERSION }}&filter=all&dist=
+
+            Please note that when using Linux Debian or Ubuntu integration, you will need to add the `force-bad-version` directive to your `/etc/dpkg/dpkg.cfg` file before installing the testing version of BunkerWeb.
+          draft: false
+          prerelease: ${{ inputs.PRERELEASE }}
+          name: Testing
+          tag_name: ${{ inputs.VERSION }}

.github/workflows/push-packagecloud.yml

@@ -0,0 +1,79 @@
+name: Push packagecloud (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      SEPARATOR:
+        required: true
+        type: string
+      SUFFIX:
+        required: true
+        type: string
+      REPO:
+        required: true
+        type: string
+      LINUX:
+        required: true
+        type: string
+      VERSION:
+        required: true
+        type: string
+      PACKAGE:
+        required: true
+        type: string
+      BW_VERSION:
+        required: true
+        type: string
+      ARCH:
+        required: true
+        type: string
+      PACKAGE_ARCH:
+        required: true
+        type: string
+    secrets:
+      PACKAGECLOUD_TOKEN:
+        required: true
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Check out repository code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install ruby
+        uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
+        with:
+          ruby-version: "3.0"
+      - name: Install packagecloud
+        run: gem install package_cloud
+      # Download packages
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        if: inputs.LINUX != 'el'
+        with:
+          name: package-${{ inputs.LINUX }}-${{ inputs.PACKAGE_ARCH }}
+          path: /tmp/${{ inputs.LINUX }}
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        if: inputs.LINUX == 'el'
+        with:
+          name: package-rhel-${{ inputs.PACKAGE_ARCH }}
+          path: /tmp/${{ inputs.LINUX }}
+      # Remove existing packages
+      - name: Remove existing package
+        run: package_cloud yank bunkerity/${{ inputs.REPO }}/${{ inputs.LINUX }}/${{ inputs.VERSION }} bunkerweb${{ inputs.SEPARATOR }}${{ inputs.BW_VERSION }}${{ inputs.SEPARATOR }}${{ inputs.SUFFIX }}${{ inputs.PACKAGE_ARCH }}.${{ inputs.PACKAGE }}
+        continue-on-error: true
+        env:
+          PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
+      # Update name
+      # - name: Rename package
+      #   if: inputs.BW_VERSION == 'testing'
+      #   run: sudo apt install -y rename && rename 's/[0-9]\.[0-9]\.[0-9]/testing/' /tmp/${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
+      # Push package
+      - name: Push package to packagecloud
+        uses: danielmundi/upload-packagecloud@46cd0e61152bf952dbc0d1759e609d3d22649030 # v1
+        with:
+          PACKAGE-NAME: /tmp/${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
+          PACKAGECLOUD-USERNAME: bunkerity
+          PACKAGECLOUD-REPO: ${{ inputs.REPO }}
+          PACKAGECLOUD-DISTRIB: ${{ inputs.LINUX }}/${{ inputs.VERSION }}
+          PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,295 @@
+name: Automatic push (RELEASE)
+
+permissions: read-all
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  scorecards-analysis:
+    uses: ./.github/workflows/scorecards-analysis.yml
+
+  codeql:
+    uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  # Build amd64 + 386 containers images
+  build-containers:
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        arch: [linux/amd64, linux/386]
+        include:
+          - release: latest
+            cache: false
+            push: false
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+          - arch: linux/amd64
+            cache_suffix: amd64
+          - arch: linux/386
+            cache_suffix: "386"
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      ARCH: ${{ matrix.arch }}
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+      CACHE: ${{ matrix.cache }}
+      PUSH: ${{ matrix.push }}
+      CACHE_SUFFIX: ${{ matrix.cache_suffix }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  # Create ARM environment
+  create-arm:
+    uses: ./.github/workflows/create-arm.yml
+    secrets:
+      SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
+      SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
+      SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+      SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Build arm64 + arm/v7 images
+  build-containers-arm:
+    needs: [create-arm]
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        arch: ["linux/arm64,linux/arm/v7"]
+        include:
+          - release: latest
+            cache: false
+            push: false
+            cache_suffix: arm
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      ARCH: ${{ matrix.arch }}
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+      CACHE: ${{ matrix.cache }}
+      PUSH: ${{ matrix.push }}
+      CACHE_SUFFIX: ${{ matrix.cache_suffix }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Build Linux packages
+  build-packages:
+    needs: [create-arm]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, rhel]
+        platforms: [linux/amd64, linux/arm64]
+        include:
+          - release: latest
+          - linux: ubuntu
+            package: deb
+          - linux: debian
+            package: deb
+          - linux: fedora
+            package: rpm
+          - linux: rhel
+            package: rpm
+    uses: ./.github/workflows/linux-build.yml
+    with:
+      RELEASE: ${{ matrix.release }}
+      LINUX: ${{ matrix.linux }}
+      PACKAGE: ${{ matrix.package }}
+      TEST: false
+      PLATFORMS: ${{ matrix.platforms }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Wait for all builds and extract VERSION
+  wait-builds:
+    runs-on: ubuntu-latest
+    needs: [codeql, build-containers, build-containers-arm, build-packages]
+    outputs:
+      version: ${{ steps.getversion.outputs.version }}
+      versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Get VERSION
+        id: getversion
+        run: echo "version=$(cat src/VERSION | tr -d '\n')" >> "$GITHUB_OUTPUT"
+      - name: Get VERSION (for RPM based)
+        id: getversionrpm
+        run: echo "versionrpm=$(cat src/VERSION | tr -d '\n' | sed 's/-/_/g')" >> "$GITHUB_OUTPUT"
+
+  # Push Docker images
+  push-images:
+    permissions:
+      contents: read
+      packages: write
+    needs: [create-arm, wait-builds]
+    strategy:
+      matrix:
+        image:
+          [bunkerweb, bunkerweb-scheduler, bunkerweb-autoconf, bunkerweb-ui]
+        include:
+          - release: latest
+          - image: bunkerweb
+            cache_from: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: bunkerweb-scheduler
+            cache_from: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: bunkerweb-autoconf
+            cache_from: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: bunkerweb-ui
+            cache_from: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/push-docker.yml
+    with:
+      IMAGE: ${{ matrix.image }}
+      TAGS: bunkerity/${{ matrix.image }}:${{ matrix.release }},bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }},ghcr.io/bunkerity/${{ matrix.image }}:${{ matrix.release }},ghcr.io/bunkerity/${{ matrix.image }}:${{ needs.wait-builds.outputs.version }}
+      CACHE_FROM: ${{ matrix.cache_from }}-${{ matrix.release }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+      ARM_SSH_KEY: ${{ secrets.ARM_SSH_KEY }}
+      ARM_SSH_IP: ${{ needs.create-arm.outputs.ip }}
+      ARM_SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
+
+  # Push Linux packages
+  push-packages:
+    needs: [wait-builds]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, el]
+        arch: [amd64, arm64]
+        include:
+          - release: latest
+            repo: bunkerweb
+          - linux: ubuntu
+            separator: _
+            suffix: ""
+            version: jammy
+            package: deb
+          - linux: debian
+            separator: _
+            suffix: ""
+            version: bullseye
+            package: deb
+          - linux: fedora
+            separator: "-"
+            suffix: "1."
+            version: 38
+            package: rpm
+          - linux: el
+            separator: "-"
+            suffix: "1."
+            version: 8
+            package: rpm
+          - linux: ubuntu
+            arch: amd64
+            package_arch: amd64
+          - linux: debian
+            arch: amd64
+            package_arch: amd64
+          - linux: fedora
+            arch: amd64
+            package_arch: x86_64
+          - linux: el
+            arch: amd64
+            package_arch: x86_64
+          - linux: ubuntu
+            arch: arm64
+            package_arch: arm64
+          - linux: debian
+            arch: arm64
+            package_arch: arm64
+          - linux: fedora
+            arch: arm64
+            package_arch: aarch64
+          - linux: el
+            arch: arm64
+            package_arch: aarch64
+    uses: ./.github/workflows/push-packagecloud.yml
+    with:
+      SEPARATOR: ${{ matrix.separator }}
+      SUFFIX: ${{ matrix.suffix }}
+      REPO: ${{ matrix.repo }}
+      LINUX: ${{ matrix.linux }}
+      VERSION: ${{ matrix.version }}
+      PACKAGE: ${{ matrix.package }}
+      BW_VERSION: ${{ matrix.package == 'rpm' && needs.wait-builds.outputs.versionrpm || needs.wait-builds.outputs.version }}
+      PACKAGE_ARCH: ${{ matrix.package_arch }}
+      ARCH: ${{ matrix.arch }}
+    secrets:
+      PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
+
+  # Create doc PDF
+  doc-pdf:
+    needs: [wait-builds, push-images, push-packages]
+    uses: ./.github/workflows/doc-to-pdf.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+
+  # Push on GH
+  push-gh:
+    needs: [wait-builds, doc-pdf]
+    permissions:
+      contents: write
+      discussions: write
+    uses: ./.github/workflows/push-github.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+      PRERELEASE: false
+
+  # Push doc
+  push-doc:
+    needs: [wait-builds, push-gh]
+    permissions:
+      contents: write
+    uses: ./.github/workflows/push-doc.yml
+    with:
+      VERSION: ${{ needs.wait-builds.outputs.version }}
+      ALIAS: latest
+    secrets:
+      BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
+
+  # Remove ARM VM
+  rm-arm:
+    if: ${{ always() }}
+    needs: [create-arm, push-images, build-packages]
+    uses: ./.github/workflows/rm-arm.yml
+    secrets:
+      ARM_ID: ${{ needs.create-arm.outputs.id }}
+      SCW_ACCESS_KEY: ${{ secrets.SCW_ACCESS_KEY }}
+      SCW_SECRET_KEY: ${{ secrets.SCW_SECRET_KEY }}
+      SCW_DEFAULT_PROJECT_ID: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+      SCW_DEFAULT_ORGANIZATION_ID: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}

.github/workflows/rm-arm.yml

@@ -0,0 +1,32 @@
+name: Create ARM node (REUSABLE)
+
+on:
+  workflow_call:
+    secrets:
+      SCW_ACCESS_KEY:
+        required: true
+      SCW_SECRET_KEY:
+        required: true
+      SCW_DEFAULT_PROJECT_ID:
+        required: true
+      SCW_DEFAULT_ORGANIZATION_ID:
+        required: true
+      ARM_ID:
+        required: true
+
+jobs:
+  rm:
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Delete ARM VM
+        uses: scaleway/action-scw@c718eca1fcb9fec1fb1433752d61599c6a0ad2e9
+        with:
+          args: instance server delete ${{ secrets.ARM_ID }} zone=fr-par-2 with-ip=true with-volumes=all force-shutdown=true
+          access-key: ${{ secrets.SCW_ACCESS_KEY }}
+          secret-key: ${{ secrets.SCW_SECRET_KEY }}
+          default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
+          default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}

.github/workflows/scorecards-analysis.yml

@@ -0,0 +1,30 @@
+name: Scorecard analysis workflow
+
+on:
+  branch_protection_rule:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: "30 1 * * 6"
+  workflow_call:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: "Upload SARIF results to code scanning"
+        uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        with:
+          sarif_file: results.sarif

.github/workflows/staging-create-infra.yml

@@ -0,0 +1,62 @@
+name: Create staging infra (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      TYPE:
+        required: true
+        type: string
+    secrets:
+      CICD_SECRETS:
+        required: true
+      SECRET_KEY:
+        required: true
+      K8S_IP:
+        required: true
+
+jobs:
+  create:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Generate SSH keypair
+        run: ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N "" && ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub && echo -e "Host *\n  StrictHostKeyChecking no" > ~/.ssh/ssh_config
+        if: inputs.TYPE != 'k8s'
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+      - name: Install kubectl
+        uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
+        if: inputs.TYPE == 'k8s'
+        with:
+          version: "v1.28.2"
+      - name: Set up Python 3.11
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        if: inputs.TYPE != 'k8s'
+        with:
+          python-version: "3.11"
+      - name: Install ansible
+        run: pip install --no-cache-dir --require-hashes -r misc/requirements-ansible.txt
+        if: inputs.TYPE != 'k8s'
+      - name: Install ansible libs
+        run: ansible-galaxy install --timeout 120 monolithprojects.github_actions_runner,1.18.1 && ansible-galaxy collection install --timeout 120 community.general
+        if: inputs.TYPE != 'k8s'
+      # Create infra
+      - run: ./tests/create.sh ${{ inputs.TYPE }}
+        env:
+          CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
+          K8S_IP: ${{ secrets.K8S_IP }}
+      - run: |
+          tar -cf terraform.tar /tmp/${{ inputs.TYPE }}
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl enc -in terraform.tar -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out terraform.tar.enc
+          rm -f /tmp/.secret_key
+        if: always()
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: always()
+        with:
+          name: tf-${{ inputs.TYPE }}
+          path: terraform.tar.enc

.github/workflows/staging-delete-infra.yml

@@ -0,0 +1,49 @@
+name: Delete staging infra (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      TYPE:
+        required: true
+        type: string
+    secrets:
+      CICD_SECRETS:
+        required: true
+      SECRET_KEY:
+        required: true
+
+jobs:
+  delete:
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: tf-${{ inputs.TYPE }}
+          path: /tmp
+      - run: |
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
+          rm -f /tmp/.secret_key
+          tar xf /tmp/terraform.tar -C / && mkdir ~/.ssh && touch ~/.ssh/id_rsa.pub
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+      - uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
+        if: inputs.TYPE == 'k8s'
+        with:
+          version: "v1.28.2"
+      # Remove infra
+      - run: kubectl delete daemonsets,replicasets,services,deployments,pods,rc,ingress,statefulsets --all --all-namespaces --timeout=60s ; kubectl delete pvc --all --timeout=60s ; kubectl delete pv --all --timeout=60s
+        if: inputs.TYPE == 'k8s'
+        continue-on-error: true
+        env:
+          KUBECONFIG: /tmp/k8s/kubeconfig
+      - run: ./tests/rm.sh ${{ inputs.TYPE }}
+        env:
+          CICD_SECRETS: ${{ secrets.CICD_SECRETS }}

.github/workflows/staging-tests.yml

@@ -0,0 +1,138 @@
+name: Perform staging tests (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      TYPE:
+        required: true
+        type: string
+      RUNS_ON:
+        required: true
+        type: string
+    # secrets:
+    #   PRIVATE_REGISTRY:
+    #     required: true
+    #   PRIVATE_REGISTRY_TOKEN:
+    #     required: true
+    #   TEST_DOMAINS:
+    #     required: true
+    #   ROOT_DOMAIN:
+    #     required: true
+
+jobs:
+  tests:
+    runs-on: ${{ fromJSON(inputs.RUNS_ON) }}
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - run: docker pull ghcr.io/bunkerity/bunkerweb-tests:testing && docker tag ghcr.io/bunkerity/bunkerweb-tests:testing local/bunkerweb-tests:latest
+        if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
+      - run: docker pull ghcr.io/bunkerity/scheduler-tests:testing && docker tag ghcr.io/bunkerity/scheduler-tests:testing local/scheduler-tests:latest
+        if: contains(fromJSON('["linux", "k8s"]'), inputs.TYPE) != true
+      - run: docker pull ghcr.io/bunkerity/autoconf-tests:testing && docker tag ghcr.io/bunkerity/autoconf-tests:testing local/autoconf-tests:latest
+        if: contains(fromJSON('["autoconf", "swarm"]'), inputs.TYPE)
+      - name: Push images to local repo
+        run: docker tag local/bunkerweb-tests:latest 192.168.42.100:5000/bunkerweb-tests:latest && docker push 192.168.42.100:5000/bunkerweb-tests:latest && docker tag local/scheduler-tests:latest 192.168.42.100:5000/scheduler-tests:latest && docker push 192.168.42.100:5000/scheduler-tests:latest && docker tag local/autoconf-tests:latest 192.168.42.100:5000/autoconf-tests:latest && docker push 192.168.42.100:5000/autoconf-tests:latest
+        if: inputs.TYPE == 'swarm'
+      - name: Install test dependencies
+        run: pip3 install --no-cache-dir --require-hashes -r tests/requirements.txt
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: tf-k8s
+          path: /tmp
+        if: inputs.TYPE == 'k8s'
+      - run: |
+          echo "$SECRET_KEY" > /tmp/.secret_key
+          openssl enc -d -in /tmp/terraform.tar.enc -aes-256-cbc -pbkdf2 -iter 100000 -md sha256 -pass file:/tmp/.secret_key -out /tmp/terraform.tar
+          rm -f /tmp/.secret_key
+          tar xf /tmp/terraform.tar -C /
+          mkdir /tmp/reg
+          cp tests/terraform/k8s-reg.tf /tmp/reg
+          cp tests/terraform/providers.tf /tmp/reg
+          cd /tmp/reg
+          export TF_VAR_k8s_reg_user=${REG_USER}
+          export TF_VAR_k8s_reg_token=${REG_TOKEN}
+          terraform init
+          terraform apply -auto-approve
+        env:
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          REG_USER: ${{ github.actor }}
+          REG_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: inputs.TYPE == 'k8s'
+      - uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
+        if: inputs.TYPE == 'k8s'
+        with:
+          version: "v1.28.2"
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        if: inputs.TYPE == 'k8s'
+      - name: Pull BW linux ubuntu test image
+        if: inputs.TYPE == 'linux'
+        run: docker pull ghcr.io/bunkerity/ubuntu-tests:testing && docker tag ghcr.io/bunkerity/ubuntu-tests:testing local/ubuntu:latest
+      - name: Pull BW linux debian test image
+        if: inputs.TYPE == 'linux'
+        run: docker pull ghcr.io/bunkerity/debian-tests:testing && docker tag ghcr.io/bunkerity/debian-tests:testing local/debian:latest
+      - name: Pull BW linux fedora test image
+        if: inputs.TYPE == 'linux'
+        run: docker pull ghcr.io/bunkerity/fedora-tests:testing && docker tag ghcr.io/bunkerity/fedora-tests:testing local/fedora:latest
+      - name: Pull BW linux rhel test image
+        if: inputs.TYPE == 'linux'
+        run: docker pull ghcr.io/bunkerity/rhel-tests:testing && docker tag ghcr.io/bunkerity/rhel-tests:testing local/rhel:latest
+      # Do tests
+      - name: Run tests
+        if: inputs.TYPE == 'docker'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_DOCKER }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run tests
+        if: inputs.TYPE == 'autoconf'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_AUTOCONF }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run tests
+        if: inputs.TYPE == 'swarm'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "${{ inputs.TYPE }}"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_SWARM }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run tests
+        if: inputs.TYPE == 'k8s'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "kubernetes"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_KUBERNETES }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+          KUBECONFIG: "/tmp/k8s/kubeconfig"
+          PRIVATE_REGISTRY: ${{ secrets.PRIVATE_REGISTRY }}
+          IMAGE_TAG: "testing"
+      - name: Run Linux ubuntu tests
+        if: inputs.TYPE == 'linux'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "ubuntu"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run Linux debian tests
+        if: inputs.TYPE == 'linux'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "debian"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run Linux fedora tests
+        if: inputs.TYPE == 'linux'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "fedora"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}
+      - name: Run Linux rhel tests
+        if: inputs.TYPE == 'linux'
+        run: export $(echo "$TEST_DOMAINS" | xargs) && ./tests/main.py "linux" "rhel"
+        env:
+          TEST_DOMAINS: ${{ secrets.TEST_DOMAINS_LINUX }}
+          ROOT_DOMAIN: ${{ secrets.ROOT_DOMAIN }}

.github/workflows/staging.yml

@@ -0,0 +1,273 @@
+name: Automatic tests (STAGING)
+
+permissions: read-all
+
+on:
+  push:
+    branches: [staging]
+
+jobs:
+  # Build Docker images
+  build-containers:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, autoconf, ui]
+        include:
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: autoconf
+            dockerfile: src/autoconf/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: testing
+      ARCH: linux/amd64
+      CACHE: true
+      PUSH: true
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  # Build Linux packages
+  build-packages:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, rhel]
+        include:
+          - linux: ubuntu
+            package: deb
+          - linux: debian
+            package: deb
+          - linux: fedora
+            package: rpm
+          - linux: rhel
+            package: rpm
+    uses: ./.github/workflows/linux-build.yml
+    with:
+      RELEASE: testing
+      LINUX: ${{ matrix.linux }}
+      PACKAGE: ${{ matrix.package }}
+      TEST: true
+      PLATFORMS: linux/amd64
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  codeql:
+    uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  # Create infrastructures and prepare tests
+  create-infras:
+    needs: [codeql, build-containers, build-packages]
+    strategy:
+      matrix:
+        type: [docker, autoconf, swarm, k8s, linux]
+    uses: ./.github/workflows/staging-create-infra.yml
+    with:
+      TYPE: ${{ matrix.type }}
+    secrets:
+      CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
+      SECRET_KEY: ${{ secrets.SECRET_KEY }}
+      K8S_IP: ${{ secrets.K8S_IP }}
+  prepare-tests-core:
+    needs: [codeql, build-containers, build-packages]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - id: set-matrix
+        run: |
+          tests=$(find ./tests/core/ -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | jq -c --raw-input --slurp 'split("\n")| .[0:-1]')
+          echo "tests=$tests" >> $GITHUB_OUTPUT
+    outputs:
+      tests: ${{ steps.set-matrix.outputs.tests }}
+
+  # Perform tests
+  tests-ui:
+    needs: [codeql, build-containers]
+    uses: ./.github/workflows/tests-ui.yml
+    with:
+      RELEASE: testing
+  tests-ui-linux:
+    needs: [codeql, build-packages]
+    uses: ./.github/workflows/tests-ui-linux.yml
+    with:
+      RELEASE: testing
+  staging-tests:
+    needs: [create-infras]
+    strategy:
+      matrix:
+        type: [docker, autoconf, swarm, k8s, linux]
+        include:
+          - type: docker
+            runs_on: "['self-hosted', 'bw-docker']"
+          - type: autoconf
+            runs_on: "['self-hosted', 'bw-autoconf']"
+          - type: swarm
+            runs_on: "['self-hosted', 'bw-swarm']"
+          - type: k8s
+            runs_on: "['ubuntu-latest']"
+          - type: linux
+            runs_on: "['self-hosted', 'bw-linux']"
+    uses: ./.github/workflows/staging-tests.yml
+    with:
+      TYPE: ${{ matrix.type }}
+      RUNS_ON: ${{ matrix.runs_on }}
+    secrets: inherit
+  tests-core:
+    needs: prepare-tests-core
+    strategy:
+      fail-fast: false
+      matrix:
+        test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
+    uses: ./.github/workflows/test-core.yml
+    with:
+      TEST: ${{ matrix.test }}
+      RELEASE: testing
+  tests-core-linux:
+    needs: prepare-tests-core
+    strategy:
+      fail-fast: false
+      matrix:
+        test: ${{ fromJson(needs.prepare-tests-core.outputs.tests) }}
+    uses: ./.github/workflows/test-core-linux.yml
+    with:
+      TEST: ${{ matrix.test }}
+      RELEASE: testing
+    secrets: inherit
+
+  # Delete infrastructures
+  delete-infras:
+    if: ${{ always() }}
+    needs: [staging-tests]
+    strategy:
+      matrix:
+        type: [docker, autoconf, swarm, k8s, linux]
+    uses: ./.github/workflows/staging-delete-infra.yml
+    with:
+      TYPE: ${{ matrix.type }}
+    secrets:
+      CICD_SECRETS: ${{ secrets.CICD_SECRETS }}
+      SECRET_KEY: ${{ secrets.SECRET_KEY }}
+
+  # Push Docker images
+  push-images:
+    needs: [staging-tests, tests-ui, tests-core]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push BW image
+        run: docker pull ghcr.io/bunkerity/bunkerweb-tests:testing && docker tag ghcr.io/bunkerity/bunkerweb-tests:testing bunkerity/bunkerweb:testing && docker push bunkerity/bunkerweb:testing && docker tag bunkerity/bunkerweb:testing ghcr.io/bunkerity/bunkerweb:testing && docker push ghcr.io/bunkerity/bunkerweb:testing
+      - name: Push scheduler image
+        run: docker pull ghcr.io/bunkerity/scheduler-tests:testing && docker tag ghcr.io/bunkerity/scheduler-tests:testing bunkerity/bunkerweb-scheduler:testing && docker push bunkerity/bunkerweb-scheduler:testing && docker tag bunkerity/bunkerweb-scheduler:testing ghcr.io/bunkerity/bunkerweb-scheduler:testing && docker push ghcr.io/bunkerity/bunkerweb-scheduler:testing
+      - name: Push UI image
+        run: docker pull ghcr.io/bunkerity/ui-tests:testing && docker tag ghcr.io/bunkerity/ui-tests:testing bunkerity/bunkerweb-ui:testing && docker push bunkerity/bunkerweb-ui:testing && docker tag bunkerity/bunkerweb-ui:testing ghcr.io/bunkerity/bunkerweb-ui:testing && docker push ghcr.io/bunkerity/bunkerweb-ui:testing
+      - name: Push autoconf image
+        run: docker pull ghcr.io/bunkerity/autoconf-tests:testing && docker tag ghcr.io/bunkerity/autoconf-tests:testing bunkerity/bunkerweb-autoconf:testing && docker push bunkerity/bunkerweb-autoconf:testing && docker tag bunkerity/bunkerweb-autoconf:testing ghcr.io/bunkerity/bunkerweb-autoconf:testing && docker push ghcr.io/bunkerity/bunkerweb-autoconf:testing
+
+  # Push Linux packages
+  push-packages:
+    needs: [staging-tests, tests-ui-linux, tests-core-linux]
+    strategy:
+      matrix:
+        linux: [ubuntu, debian, fedora, el]
+        arch: [amd64]
+        include:
+          - release: testing
+            repo: bunkerweb
+          - linux: ubuntu
+            separator: _
+            suffix: ""
+            version: jammy
+            package: deb
+          - linux: debian
+            separator: _
+            suffix: ""
+            version: bullseye
+            package: deb
+          - linux: fedora
+            separator: "-"
+            suffix: "1."
+            version: 38
+            package: rpm
+          - linux: el
+            separator: "-"
+            suffix: "1."
+            version: 8
+            package: rpm
+          - linux: ubuntu
+            arch: amd64
+            package_arch: amd64
+          - linux: debian
+            arch: amd64
+            package_arch: amd64
+          - linux: fedora
+            arch: amd64
+            package_arch: x86_64
+          - linux: el
+            arch: amd64
+            package_arch: x86_64
+    uses: ./.github/workflows/push-packagecloud.yml
+    with:
+      SEPARATOR: ${{ matrix.separator }}
+      SUFFIX: ${{ matrix.suffix }}
+      REPO: ${{ matrix.repo }}
+      LINUX: ${{ matrix.linux }}
+      VERSION: ${{ matrix.version }}
+      PACKAGE: ${{ matrix.package }}
+      BW_VERSION: ${{ matrix.release }}
+      PACKAGE_ARCH: ${{ matrix.package_arch }}
+      ARCH: ${{ matrix.arch }}
+    secrets:
+      PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
+
+  # Push doc
+  push-doc:
+    needs: [push-images, push-packages]
+    permissions:
+      contents: write
+    uses: ./.github/workflows/push-doc.yml
+    with:
+      VERSION: testing
+      ALIAS: unstable
+    secrets:
+      BUNKERBOT_TOKEN: ${{ secrets.BUNKERBOT_TOKEN }}
+
+  # Push on GH
+  push-gh:
+    needs: [push-doc]
+    permissions:
+      contents: write
+      discussions: write
+    uses: ./.github/workflows/push-github.yml
+    with:
+      VERSION: testing
+      PRERELEASE: true

.github/workflows/test-core-linux.yml

@@ -0,0 +1,97 @@
+name: Core test Linux (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      TEST:
+        required: true
+        type: string
+      RELEASE:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Set up Python 3.11
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: "3.11"
+      - name: Install Firefox manually and dependencies
+        run: |
+          sudo apt purge -y firefox
+          sudo apt update
+          sudo apt install --no-install-recommends -y openssl git nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2 libdbus-glib-1-2 libxtst6 libxt6 php-fpm unzip
+          wget -O firefox-setup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64"
+          sudo tar -xjf firefox-setup.tar.bz2 -C /opt/
+          sudo rm -f /usr/bin/firefox
+          sudo ln -s /opt/firefox/firefox /usr/bin/firefox
+          sudo chmod 755 /opt/firefox /opt/firefox/firefox
+          rm -f firefox-setup.tar.bz2
+      - name: Download geckodriver
+        uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
+        with:
+          max_attempts: 3
+          timeout_minutes: 20
+          command: |
+            GECKODRIVER_VERSION=`curl -i https://github.com/mozilla/geckodriver/releases/latest | grep -Po 'v[0-9]+\.[0-9]+\.[0-9]+'` && \
+            wget -O geckodriver.tar.gz -w 5 https://github.com/mozilla/geckodriver/releases/download/$GECKODRIVER_VERSION/geckodriver-$GECKODRIVER_VERSION-linux64.tar.gz
+            sudo tar -xzf geckodriver.tar.gz -C /usr/local/bin
+            sudo chmod +x /usr/local/bin/geckodriver
+            rm -f geckodriver.tar.gz
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Pull BW linux ubuntu test image
+        run: docker pull ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}
+      - name: Copy deb file to host
+        run: |
+          container_id=$(docker create "ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}")
+          docker cp "$container_id:/opt/bunkerweb_${{ inputs.RELEASE }}-1_amd64.deb" "/tmp/bunkerweb.deb"
+          docker rm "$container_id"
+      - name: Install BunkerWeb
+        run: |
+          sudo apt install -y gnupg2 ca-certificates lsb-release ubuntu-keyring
+          curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+          echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
+          sudo apt update
+          sudo apt install -y nginx=1.24.0-1~jammy
+      - name: Fix version without a starting number
+        if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
+        run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
+      - name: Edit configuration files
+        run: |
+          # Misc
+          echo "127.0.0.1 www.example.com" | sudo tee -a /etc/hosts
+          echo "127.0.0.1 app1.example.com" | sudo tee -a /etc/hosts
+          echo "127.0.0.1 bwadm.example.com" | sudo tee -a /etc/hosts
+          sudo cp ./tests/www-deb.conf /etc/php/8.1/fpm/pool.d/www.conf
+          sudo systemctl stop php8.1-fpm
+          sudo systemctl start php8.1-fpm
+          # BunkerWeb
+          sudo mkdir -p /etc/bunkerweb
+          echo "SERVER_NAME=www.example.com" | sudo tee /etc/bunkerweb/variables.env
+          echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
+          echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
+          echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_BUNKERNET=no" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_BLACKLIST=no" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "LOG_LEVEL=info" | sudo tee -a /etc/bunkerweb/variables.env
+          sudo chown nginx:nginx /etc/bunkerweb/variables.env
+          sudo chmod 777 /etc/bunkerweb/variables.env
+      - name: Install BunkerWeb
+        run: sudo apt install -fy /tmp/bunkerweb.deb
+      - name: Run tests
+        run: |
+          cd ./tests/core/${{ inputs.TEST }}
+          MAKEFLAGS="-j $(nproc)" find . -name "requirements.txt" -exec pip install --no-cache-dir --require-hashes -r {} \;
+          sudo truncate -s 0 /var/log/bunkerweb/error.log
+          ./test.sh "linux"

.github/workflows/test-core.yml

@@ -0,0 +1,36 @@
+name: Core test (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      TEST:
+        required: true
+        type: string
+      RELEASE:
+        required: true
+        type: string
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Pull BW image
+        run: docker pull ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} bunkerweb-tests
+      - name: Pull Scheduler image
+        run: docker pull ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} scheduler-tests
+      # Run test
+      - name: Run test
+        run: |
+          cd ./tests/core/${{ inputs.TEST }}
+          find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb:.*@bunkerweb-tests@" {} \;
+          find . -type f -name 'docker-compose.*' -exec sed -i "s@bunkerity/bunkerweb-scheduler:.*@scheduler-tests@" {} \;
+          ./test.sh "docker"

.github/workflows/tests-ui-linux.yml

@@ -0,0 +1,118 @@
+name: Core test Linux (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Set up Python 3.11
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: "3.11"
+      - name: Install Firefox manually and dependencies
+        run: |
+          sudo apt purge -y firefox
+          sudo apt update
+          sudo apt install --no-install-recommends -y zip nodejs tar bzip2 wget curl grep libx11-xcb1 libappindicator3-1 libasound2 libdbus-glib-1-2 libxtst6 libxt6
+          wget -O firefox-setup.tar.bz2 "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64"
+          sudo tar -xjf firefox-setup.tar.bz2 -C /opt/
+          sudo rm -f /usr/bin/firefox
+          sudo ln -s /opt/firefox/firefox /usr/bin/firefox
+          sudo chmod 755 /opt/firefox /opt/firefox/firefox
+          rm -f firefox-setup.tar.bz2
+      - name: Download geckodriver
+        uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
+        with:
+          max_attempts: 3
+          timeout_minutes: 20
+          command: |
+            GECKODRIVER_VERSION=`curl -i https://github.com/mozilla/geckodriver/releases/latest | grep -Po 'v[0-9]+\.[0-9]+\.[0-9]+'` && \
+            wget -O geckodriver.tar.gz -w 5 https://github.com/mozilla/geckodriver/releases/download/$GECKODRIVER_VERSION/geckodriver-$GECKODRIVER_VERSION-linux64.tar.gz
+            sudo tar -xzf geckodriver.tar.gz -C /usr/local/bin
+            sudo chmod +x /usr/local/bin/geckodriver
+            rm -f geckodriver.tar.gz
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Pull BW linux ubuntu test image
+        run: docker pull ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}
+      - name: Copy deb file to host
+        run: |
+          container_id=$(docker create "ghcr.io/bunkerity/ubuntu-tests:${{ inputs.RELEASE }}")
+          docker cp "$container_id:/opt/bunkerweb_${{ inputs.RELEASE }}-1_amd64.deb" "/tmp/bunkerweb.deb"
+          docker rm "$container_id"
+      - name: Install BunkerWeb
+        run: |
+          sudo apt install -y gnupg2 ca-certificates lsb-release ubuntu-keyring
+          curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+          echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
+          sudo apt update
+          sudo apt install -y nginx=1.24.0-1~jammy
+      - name: Fix version without a starting number
+        if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
+        run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
+      - name: Install BunkerWeb
+        run: sudo apt install -fy /tmp/bunkerweb.deb
+      - name: Edit configuration files
+        run: |
+          # Misc
+          echo "127.0.0.1 www.example.com" | sudo tee -a /etc/hosts
+          echo "127.0.0.1 app1.example.com" | sudo tee -a /etc/hosts
+          # BunkerWeb
+          echo "SERVER_NAME=www.example.com" | sudo tee /etc/bunkerweb/variables.env
+          echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
+          echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
+          echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env
+          echo "MULTISITE=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "LOG_LEVEL=info" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_BUNKERNET=no" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_BLACKLIST=no" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "DISABLE_DEFAULT_SERVER=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_CLIENT_CACHE=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "USE_GZIP=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "DATASTORE_MEMORY_SIZE=384m" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_USE_UI=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_SERVE_FILES=no" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_USE_REVERSE_PROXY=yes" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_REVERSE_PROXY_URL=/admin" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000" | sudo tee -a /etc/bunkerweb/variables.env
+          echo "www.example.com_INTERCEPTED_ERROR_CODES=400 405 413 429 500 501 502 503 504" | sudo tee -a /etc/bunkerweb/variables.env
+
+          echo "ADMIN_USERNAME=admin" | sudo tee /etc/bunkerweb/ui.env
+          echo "ADMIN_PASSWORD=S\$cr3tP@ssw0rd" | sudo tee -a /etc/bunkerweb/ui.env
+
+          sudo chown nginx:nginx /etc/bunkerweb/variables.env /etc/bunkerweb/ui.env
+          sudo chmod 777 /etc/bunkerweb/variables.env /etc/bunkerweb/ui.env
+      - name: Run tests
+        run: |
+          cd ./tests/ui
+          MAKEFLAGS="-j $(nproc)" find . -name "requirements.txt" -exec pip install --no-cache-dir --require-hashes -r {} \;
+          touch test.txt
+          zip test.zip test.txt
+          rm test.txt
+          echo '{
+            "id": "discord",
+            "name": "Discord",
+            "description": "Send alerts to a Discord channel (using webhooks).",
+            "version": "0.1",
+            "stream": "no",
+            "settings": {}
+            }' | tee plugin.json
+          zip discord.zip plugin.json
+          rm plugin.json
+          ./tests.sh "linux"
+        env:
+          MODE: ${{ inputs.RELEASE }}

.github/workflows/tests-ui.yml

@@ -0,0 +1,34 @@
+name: Perform tests for UI (REUSABLE)
+
+on:
+  workflow_call:
+    inputs:
+      RELEASE:
+        required: true
+        type: string
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      # Prepare
+      - name: Checkout source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login to ghcr
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Pull BW image
+        run: docker pull ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/bunkerweb-tests:${{ inputs.RELEASE }} bunkerweb-tests
+      - name: Pull Scheduler image
+        run: docker pull ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/scheduler-tests:${{ inputs.RELEASE }} scheduler-tests
+      - name: Pull UI image
+        run: docker pull ghcr.io/bunkerity/ui-tests:${{ inputs.RELEASE }} && docker tag ghcr.io/bunkerity/ui-tests:${{ inputs.RELEASE }} ui-tests
+      # Do tests
+      - name: Run tests
+        run: |
+          cd ./tests/ui
+          ./tests.sh "docker"
+        env:
+          MODE: ${{ inputs.RELEASE }}

.github/workflows/ui.yml

@@ -0,0 +1,75 @@
+name: Automatic tests (UI)
+
+permissions: read-all
+
+on:
+  push:
+    branches: [ui]
+
+jobs:
+  # Containers
+  build-containers:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        image: [bunkerweb, scheduler, ui]
+        include:
+          - image: bunkerweb
+            dockerfile: src/bw/Dockerfile
+          - image: scheduler
+            dockerfile: src/scheduler/Dockerfile
+          - image: ui
+            dockerfile: src/ui/Dockerfile
+    uses: ./.github/workflows/container-build.yml
+    with:
+      RELEASE: ui
+      CACHE: true
+      ARCH: linux/amd64
+      IMAGE: ${{ matrix.image }}
+      DOCKERFILE: ${{ matrix.dockerfile }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  # Build Linux packages
+  build-packages:
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        linux: [ubuntu]
+        include:
+          - linux: ubuntu
+            package: deb
+    uses: ./.github/workflows/linux-build.yml
+    with:
+      RELEASE: ui
+      LINUX: ${{ matrix.linux }}
+      PACKAGE: ${{ matrix.package }}
+      TEST: true
+      PLATFORMS: linux/amd64
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+
+  codeql:
+    uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  # UI tests
+  tests-ui:
+    needs: [codeql, build-containers]
+    uses: ./.github/workflows/tests-ui.yml
+    with:
+      RELEASE: ui
+  tests-ui-linux:
+    needs: [codeql, build-packages]
+    uses: ./.github/workflows/tests-ui-linux.yml
+    with:
+      RELEASE: ui

.gitignore

@@ -1,54 +1,8 @@
-reindex
-.libs
-*.swp
-*.slo
-*.la
-*.swo
-*.lo
-*~
-*.o
-print.txt
-.rsync
-*.tar.gz
-dist
-build[78]
-build
-tags
-update-readme
-*.tmp
-test/Makefile
-test/blib
-test.sh
-t.sh
-t/t.sh
-test/t/servroot/
-releng
-reset
-*.t_
-genmobi.sh
-*.mobi
-misc/chunked
-src/headers.c
-src/headers.h
-src/module.c
-src/module.h
-src/util.c
-src/util.h
-go
-ctags
-src/in.c
-src/in.h
-src/out.c
-src/out.h
-build[89]
-build1[0-9]
-buildroot/
-work/
-all
-t/servroot
-analyze
-cov
-nginx
-*.plist
-a.patch
-Makefile
+site/
+.idea/
+.vscode/
+__pycache__
+env
+node_modules
+/src/ui/*.txt
+.mypy_cache

.luacheckrc

@@ -0,0 +1,2 @@
+globals = {"ngx", "delay", "unpack"}
+ignore = {"411"}

.pre-commit-config.yaml

@@ -0,0 +1,77 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+exclude: (^LICENSE.md$|^src/VERSION$|^src/(bw/misc/root-ca.pem$|deps/src/|common/core/modsecurity/files|ui/static/js/(editor/|utils/purify/|tsparticles\.bundle\.min\.js))|\.(svg|drawio|patch\d?|ascii|tf|tftpl)$)
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0
+    hooks:
+      - id: requirements-txt-fixer
+        name: Fix requirements.txt and requirements.in files
+        description: Sorts entries in requirements.txt and requirements.in files.
+        files: (requirements|constraints).*\.(txt|in)$
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        exclude: ^(mkdocs.yml|examples/bigbluebutton/docker-compose.yml)$
+        args: ["--allow-multiple-documents"]
+      - id: check-case-conflict
+
+  - repo: https://github.com/ambv/black
+    rev: 2a1c67e0b2f81df602ec1f6e7aeb030b9709dc7c # frozen: 23.11.0
+    hooks:
+      - id: black
+        name: Black Python Formatter
+        language_version: python3.9
+
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: ffb6a759a979008c0e6dff86e39f4745a2d9eac4 # frozen: v3.1.0
+    hooks:
+      - id: prettier
+        name: Prettier Code Formatter
+
+  - repo: https://github.com/JohnnyMorganz/StyLua
+    rev: f9afc7f33bc19f7708fbc1d7eea0606e0d41080a # frozen: v0.19.1
+    hooks:
+      - id: stylua-github
+        exclude: ^src/(bw/lua/middleclass.lua|common/core/antibot/captcha.lua)$
+
+  - repo: https://github.com/lunarmodules/luacheck
+    rev: ababb6d403d634eb74d2c541035e9ede966e710d # frozen: v1.1.1
+    hooks:
+      - id: luacheck
+        exclude: ^src/(bw/lua/middleclass.lua|common/core/antibot/captcha.lua)$
+        args: ["--std", "min", "--codes", "--ranges", "--no-cache"]
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 10f4af6dbcf93456ba7df762278ae61ba3120dc6 # frozen: 6.1.0
+    hooks:
+      - id: flake8
+        name: Flake8 Python Linter
+        args: ["--max-line-length=250", "--ignore=E266,E402,E722,W503"]
+
+  - repo: https://github.com/dosisod/refurb
+    rev: 63209fc1735ef2497dd9c00774ba72a23bb1cdf9 # frozen: v1.23.0
+    hooks:
+      - id: refurb
+        name: Refurb Python Refactoring Tool
+        exclude: ^tests/
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: 6e41aba91fb32e9feb741a6258eefeb9c6e4a482 # frozen: v2.2.6
+    hooks:
+      - id: codespell
+        name: Codespell Spell Checker
+        exclude: (^src/(common/core/.+/files|bw/loading)/.+.html|modsecurity-rules.conf.*)$
+        entry: codespell --ignore-regex="(tabEl|Widgits)" --skip src/ui/static/js/utils/flatpickr.js,CHANGELOG.md
+        language: python
+        types: [text]
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: b813e6fe08b87541cb77296359ba1b7a50a00c98 # frozen: v8.18.0
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: 3f77b826548d8dc2d26675f077361c92773b50a7 # frozen: v0.9.0
+    hooks:
+      - id: shellcheck

.prettierignore

@@ -0,0 +1,20 @@
+docs/
+env/
+*/env/
+*.min*
+src/common/core/modsecurity/
+src/deps/src/
+mkdocs.yml
+CHANGELOG.md
+CONTRIBUTING.md
+CODE_OF_CONDUCT.md
+LICENSE.md
+README.md
+SECURITY.md
+tsparticles.bundle.min.js
+flatpickr.*
+src/ui/static/js/editor/*
+src/ui/static/js/utils/purify/*
+src/ui/templates/*
+datepicker-foundation.css
+examples/*

CHANGELOG.md

@@ -0,0 +1,324 @@
+# Changelog
+
+## v1.5.3 -
+
+- [BUGFIX] Fix BunkerWeb not loading his own settings after a docker restart
+- [BUGFIX] Fix Custom configs not following the service name after an update on the UI
+- [BUGFIX] Fix UI clearing configs folder at startup
+- [BUGFIX] Fix Database not clearing old services when not using multisite
+- [BUGFIX] Fix UI using the wrong database when generating the new config when using an external database
+- [BUGFIX] Small fixes on linux paths creating unnecessary folders
+- [BUGFIX] Fix ACME renewal fails on redirection enabled Service
+- [BUGFIX] Fix errors when using a server name with multiple values in web UI
+- [BUGFIX] Fix error when deleting a service that have custom configs on web UI
+- [BUGFIX] Fix rare bug where database is locked
+- [MISC] Updated core dependencies
+- [MISC] Updated self-signed job to regenerate the cert if the subject or the expiration date has changed
+- [MISC] Jobs that download files from urls will now remove old cached files if urls are empty
+- [MISC] Replaced gevent with gthread in UI for security reasons
+- [MISC] Add HTML sanitization when injecting code in pages in the UI
+- [MISC] Optimize the way the UI handles services creation and edition
+- [MISC] Optimize certbot renew script to renew all domains in one command
+- [MISC] Use capability instead of sudo in Linux
+- [SECURITY] Init work on OpenSSF best practices
+
+## v1.5.2 - 2023/09/10
+
+- [BUGFIX] Fix UI fetching only default values from the database (fixes no trash button too)
+- [BUGFIX] Fix infinite loop when using autoconf
+- [BUGFIX] Fix BunkerWeb fails to start after reboot on Fedora and Rhel
+- [BUGFIX] Fix logs page not working in UI on Linux integrations
+- [BUGFIX] Fix settings regex that had issues in general and with the UI
+- [BUGFIX] Fix scheduler error with external plugins when reloading
+- [BUGFIX] Fix permissions with folders in linux integrations
+- [MISC] Push Docker images to GitHub packages (ghcr.io repository)
+- [MISC] Improved CI/CD
+- [MISC] Updated python dependencies
+- [MISC] Updated Python Docker image to 3.11.5-alpine in Dockerfiles
+- [MISC] Add support for ModSecurity JSON LogFormat
+- [MISC] Updated OWASP coreruleset to 3.3.5
+
+## v1.5.1 - 2023/08/08
+
+- [BUGFIX] New version checker in logs displays "404 not found"
+- [BUGFIX] New version checker in UI
+- [BUGFIX] Only get the right keys from plugin.json files when importing plugins
+- [BUGFIX] Remove external resources for Google fonts in UI
+- [BUGFIX] Support multiple plugin uploads in one zip when using the UI
+- [BUGFIX] Variable being ignored instead of saved in the database when value is empty
+- [BUGFIX] ALLOWED_METHODS regex working with LOCK/UNLOCK methods
+- [BUGFIX] Custom certificate bug after the refactoring
+- [BUGFIX] Wrong variables in header phase (fix CORS feature too)
+- [BUGFIX] UI not working in Ubuntu (python zope module)
+- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
+- [BUGFIX] Custom configurations from env were not being deleted properly
+- [BUGFIX] Missing concepts image not displayed in the documentation
+- [BUGFIX] Scheduler not picking up new instances IPs in autoconf modes
+- [BUGFIX] Autoconf deadlock in k8s
+- [BUGFIX] Missing HTTP and HTTPS ports for temp nginx
+- [BUGFIX] Infinite loop when sessions is not valid
+- [BUGFIX] Missing valid LE certificates in edge cases
+- [BUGFIX] Wrong service namespace in k8s
+- [BUGFIX] DNS_RESOLVERS regex not accepting hostnames
+- [PERFORMANCE] Reduce CPU and RAM usage of scheduler
+- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
+- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
+- [FEATURE] Add Turnstile antibot mode
+- [FEATURE] Add more CORS headers
+- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
+- [FEATURE] Add the possibility to download the different lists and plugins from a local file (like the blacklist)
+- [FEATURE] External plugins can now be downloaded from a tar.gz and tar.xz file as well as zip
+- [FEATURE] Add X-Forwarded-Prefix header when using reverse proxy
+- [FEATURE] Add REDIRECT_TO_STATUS_CODE to choose status code 301 or 302 when redirecting
+- [DOCUMENTATION] Add timezone information
+- [DOCUMENTATION] Add timezone informat
+- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
+- [MISC] Temp remove VMWare provider for Vagrant integration
+- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI
+- [MISC] Move logs to /var/log/bunkerweb folder
+- [MISC] Reduce "Got an error reading communication packets" warnings in mariadb/mysql
+
+## v1.5.0 - 2023/05/23
+
+- Refactoring of almost all the components of the project
+- Dedicated scheduler service to manage jobs and configuration
+- Store configuration in a database backend
+- Improved web UI and make it working with all integrations
+- Improved internal LUA code
+- Improved internal cache of BW
+- Add Redis support when using clustered integrations
+- Add RHEL integration
+- Add Vagrant integration
+- Init support of generic TCP/UDP (stream)
+- Init support of IPv6
+- Improved CI/CD : UI tests, core tests and release automation
+- Reduce Docker images size
+- Fix and improved core plugins : antibot, cors, dnsbl, ...
+- Use PCRE regex instead of LUA patterns
+- Connectivity tests at startup/reload with logging
+
+## v1.5.0-beta - 2023/05/02
+
+- Refactoring of almost all the components of the project
+- Dedicated scheduler service to manage jobs and configuration
+- Store configuration in a database backend
+- Improved web UI and make it working with all integrations
+- Improved internal LUA code
+- Improved internal cache of BW
+- Add Redis support when using clustered integrations
+- Add RHEL integration
+- Add Vagrant integration
+- Init support of generic TCP/UDP (stream)
+- Init support of IPv6
+- Improved CI/CD : UI tests, core tests and release automation
+- Reduce Docker images size
+- Fix and improved core plugins : antibot, cors, dnsbl, ...
+- Use PCRE regex instead of LUA patterns
+- Connectivity tests at startup/reload with logging
+
+## v1.4.8 - 2023/04/05
+
+- Fix UI bug related to multiple settings
+- Increase check reload interval in UI to avoid rate limit
+- Fix Let's Encrypt error when using auth basic
+- Fix wrong setting name in realip job (again)
+- Fix blog posts retrieval in the UI
+- Fix missing logs for UI
+- Fix error log if BunkerNet ip list is empty
+- Updated python dependencies
+- Gunicorn will now show the logs in the console for the UI
+- BunkerNet job will now create the ip list file at the beginning of the job to avoid errors
+
+## v1.4.7 - 2023/02/27
+
+- Fix DISABLE_DEFAULT_SERVER=yes not working with HTTPS (again)
+- Fix wrong setting name in realip job
+- Fix whitelisting not working with modsecurity
+
+## v1.4.6 - 2023/02/14
+
+- Fix error in the UI when a service have multiple domains
+- Fix bwcli bans command
+- Fix documentation about Linux Fedora install
+- Fix DISABLE_DEFAULT_SERVER=yes not working with HTTPS
+- Add INTERCEPTED_ERROR_CODES setting
+
+## v1.4.5 - 2022/11/26
+
+- Fix bwcli syntax error
+- Fix UI not working using Linux integration
+- Fix missing openssl dep in autoconf
+- Fix typo in selfsigned job
+
+## v1.4.4 - 2022/11/10
+
+- Fix k8s controller not watching the events when there is an exception
+- Fix python dependencies bug in CentOS and Fedora
+- Fix incorrect log when reloading nginx using Linux integration
+- Fix UI dev mode, production mode is now the default
+- Fix wrong exposed port in the UI container
+- Fix endless loading in the UI
+- Fix \*_CUSTOM_CONF_\* dissapear when jobs are executed
+- Fix various typos in documentation
+- Fix warning about StartLimitIntervalSec directive when using Linux
+- Fix incorrect log when issuing certbot renew
+- Fix certbot renew error when using Linux or Docker integration
+- Add greylist core feature
+- Add BLACKLIST_IGNORE_\* settings
+- Add automatic change of SecRequestBodyLimit modsec directive based on MAX_CLIENT_SIZE setting
+- Add MODSECURITY_SEC_RULE_ENGINE and MODSECURITY_SEC_AUDIT_LOG_PARTS settings
+- Add manual ban and get bans to the API/CLI
+- Add Brawdunoir community example
+- Improve core plugins order and add documentation about it
+- Improve overall documentation
+- Improve CI/CD
+
+## v1.4.3 - 2022/08/26
+
+- Fix various documentation errors/typos and add various enhancements
+- Fix ui.env not read when using Linux integration
+- Fix wrong variables.env path when using Linux integration
+- Fix missing default server when TEMP_NGINX=yes
+- Fix check if BunkerNet is activated on default server
+- Fix request crash when mmdb lookup fails
+- Fix bad behavior trigger when request is whitelisted
+- Fix bad behavior not triggered when request is on default server
+- Fix BW overriding config when config is already present
+- Add Ansible integration in beta
+- Add \*_CUSTOM_CONF_\* setting to automatically add custom config files from setting value
+- Add DENY_HTTP_STATUS setting to choose standard 403 error page (default) or 444 to close connection when access is denied
+- Add CORS (Cross-Origin Resource Sharing) core plugin
+- Add documentation about Docker in rootless mode and podman
+- Improve automatic tests setup
+- Migrate CI/CD infrastructure to another provider
+
+## v1.4.2 - 2022/06/28
+
+- Fix "too old resource version" exceptions when using k8s integration
+- Fix missing bwcli command with Linux integration
+- Fix various bugs with jobs scheduler when using autoconf/swarm/k8s
+- Fix bwcli unban command when using Linux integration
+- Fix permissions check when filename has a space
+- Fix static config (SERVER_NAME not empty) support when using autoconf/swarm/k8s
+- Fix config files overwrite when using Docker autoconf
+- Add EXTERNAL_PLUGIN_URLS setting to automatically download and install external plugins
+- Add log_default() plugin hook
+- Add various certbot-dns examples
+- Add mattermost example
+- Add radarr example
+- Add Discord and Slack to list of official plugins
+- Force NGINX version dependencies in Linux packages DEB/RPM
+
+## v1.4.1 - 2022/06/16
+
+- Fix sending local IPs to BunkerNet when DISABLE_DEFAULT_SERVER=yes
+- Fix certbot bug when AUTOCONF_MODE=yes
+- Fix certbot bug when MULTISITE=no
+- Add reverse proxy timeouts settings
+- Add auth_request settings
+- Add authentik and authelia examples
+- Prebuilt Docker images for arm64 and armv7
+- Improve documentation for Linux integration
+- Various fixes in the documentation
+
+## v1.4.0 - 2022/06/06
+
+- Project renamed to BunkerWeb
+- Internal architecture fully revised with a modular approach
+- Improved CI/CD with automatic tests for multiple integrations
+- Plugin improvement
+- Volume improvement for container-based integrations
+- Web UI improvement with various new features
+- Web tool to generate settings from a user-friendly UI
+- Linux packages
+- Various bug fixes
+
+## v1.3.2 - 2021/10/24
+
+- Use API instead of a shared folder for Swarm and Kubernetes integrations
+- Beta integration of distributed bad IPs database through a remote API
+- Improvement of the request limiting feature : hour/day rate and multiple URL support
+- Various bug fixes related to antibot feature
+- Init support of Arch Linux
+- Fix Moodle example
+- Fix ROOT_FOLDER bug in serve-files.conf when using the UI
+- Update default values for PERMISSIONS_POLICY and FEATURE_POLICY
+- Disable COUNTRY ban if IP is local
+
+## v1.3.1 - 2021/09/02
+
+- Use ModSecurity v3.0.4 instead of v3.0.5 to fix memory leak
+- Fix ignored variables to control jobs
+- Fix bug when LISTEN_HTTP=no and MULTISITE=yes
+- Add CUSTOM_HEADER variable
+- Add REVERSE_PROXY_BUFFERING variable
+- Add REVERSE_PROXY_KEEPALIVE variable
+- Fix documentation for modsec and modsec-crs special folders
+
+## v1.3.0 - 2021/08/23
+
+- Kubernetes integration in beta
+- Linux integration in beta
+- autoconf refactoring
+- jobs refactoring
+- UI refactoring
+- UI security : login/password authentication and CRSF protection
+- various dependencies updates
+- move CrowdSec as an external plugin
+- Authelia support
+- improve various regexes
+- add INJECT_BODY variable
+- add WORKER_PROCESSES variable
+- add USE_LETS_ENCRYPT_STAGING variable
+- add LOCAL_PHP and LOCAL_PHP_PATH variables
+- add REDIRECT_TO variable
+
+## v1.2.8 - 2021/07/22
+
+- Fix broken links in README
+- Fix regex for EMAIL_LETS_ENCRYPT
+- Fix regex for REMOTE_PHP and REMOTE_PHP_PATH
+- Fix regex for SELF_SIGNED_*
+- Fix various bugs related to web UI
+- Fix bug in autoconf (missing instances parameter to reload function)
+- Remove old .env files when generating a new configuration
+
+## v1.2.7 - 2021/06/14
+
+- Add custom robots.txt and sitemap to RTD
+- Fix missing GeoIP DB bug when using BLACKLIST/WHITELIST_COUNTRY
+- Add underscore "_" to allowed chars for CUSTOM_HTTPS_CERT/KEY
+- Fix bug when using automatic self-signed certificate
+- Build and push images from GitHub actions instead of Docker Hub autobuild
+- Display the reason when generator is ignoring a variable
+- Various bug fixes related to certbot and jobs
+- Split jobs into pre and post jobs
+- Add HEALTHCHECK to image
+- Fix race condition when using autoconf without Swarm by checking healthy state
+- Bump modsecurity-nginx to v1.0.2
+- Community chat with bridged platforms
+
+## v1.2.6 - 2021/06/06
+
+- Move from "ghetto-style" shell scripts to generic jinja2 templating
+- Init work on a basic plugins system
+- Move ClamAV to external plugin
+- Reduce image size by removing unnecessary dependencies
+- Fix CrowdSec example
+- Change some global variables to multisite
+- Add LOG_LEVEL environment variable
+- Read-only container support
+- Improved antibot javascript with a basic proof of work
+- Update nginx to 1.20.1
+- Support of docker-socket-proxy with web UI
+- Add certbot-cloudflare example
+- Disable DNSBL checks when IP is local
+
+## v1.2.5 - 2021/05/14
+
+- Performance improvement : move some nginx security checks to LUA and external blacklist parsing enhancement
+- Init work on official documentation on readthedocs
+- Fix default value for CONTENT_SECURITY_POLICY to allow file downloads
+- Add ROOT_SITE_SUBFOLDER environment variable
+
+## TODO - retrospective changelog

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+contact@bunkerity.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

CONTRIBUTING.md

@@ -0,0 +1,21 @@
+# Contributing to bunkerweb
+
+First off all, thanks for being here and showing your support to the project !
+
+We accept many types of contributions whether they are technical or not. Every community feedback, work or help is, and will always be, appreciated.
+
+## Talk about the project
+
+The first thing you can do is to talk about the project. You can share it on social media (by the way, you can can also follow us on [LinkedIn](https://www.linkedin.com/company/bunkerity/), [Twitter](https://twitter.com/bunkerity) and [GitHub](https://github.com/bunkerity)), make a blog post about it or simply tell your friends/colleagues that's an awesome project..
+
+## Join the community
+
+You can join the [Discord server](https://discord.com/invite/fTf46FmtyD), the [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions) and the [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit to talk about the project and help others.
+
+## Reporting bugs / ask for features
+
+The preferred way to report bugs and asking for features is using [issues](https://github.com/bunkerity/bunkerweb/issues). Before opening a new one, please check if a related issue is already opened using the "filters" bar. When creating a new issue please select and fill the "Bug report" or "Feature request" template.
+
+## Code contribution
+
+The preferred way to contribute code is using [pull requests](https://github.com/bunkerity/bunkerweb/pulls). Before creating a pull request, please check if your code is related to an opened issue. If that's not the case, you should first create an issue so we can discuss about it. This procedure is here to avoid wasting your time in case the PR will be rejected. For minor changes (e.g. : typo, quick fix, ...), opening an issue might be facultative. **Don't forget to edit the documentations when needed !**

LICENSE.md

@@ -0,0 +1,660 @@
+### GNU AFFERO GENERAL PUBLIC LICENSE
+
+Version 3, 19 November 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+<https://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+### Preamble
+
+The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains
+free software for all its users.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing
+under this license.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+### TERMS AND CONDITIONS
+
+#### 0. Definitions.
+
+"This License" refers to version 3 of the GNU Affero General Public
+License.
+
+"Copyright" also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a "modified version" of
+the earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+#### 1. Source Code.
+
+The "source code" for a work means the preferred form of the work for
+making modifications to it. "Object code" means any non-source form of
+a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+#### 2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10 makes
+it unnecessary.
+
+#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+#### 4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+#### 5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+-   a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+-   b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under
+    section 7. This requirement modifies the requirement in section 4
+    to "keep intact all notices".
+-   c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy. This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged. This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+-   d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+#### 6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+-   a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+-   b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the Corresponding
+    Source from a network server at no charge.
+-   c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source. This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+-   d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge. You need not require recipients to copy the
+    Corresponding Source along with the object code. If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source. Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+-   e) Convey the object code using peer-to-peer transmission,
+    provided you inform other peers where the object code and
+    Corresponding Source of the work are being offered to the general
+    public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+"normally used" refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+#### 7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+-   a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+-   b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+-   c) Prohibiting misrepresentation of the origin of that material,
+    or requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+-   d) Limiting the use for publicity purposes of names of licensors
+    or authors of the material; or
+-   e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+-   f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions
+    of it) with contractual assumptions of liability to the recipient,
+    for any liability that these contractual assumptions directly
+    impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+#### 8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+#### 9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+#### 10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+#### 11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+#### 12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree to
+terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+#### 13. Remote Network Interaction; Use with the GNU General Public License.
+
+Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your
+version supports such interaction) an opportunity to receive the
+Corresponding Source of your version by providing access to the
+Corresponding Source from a network server at no charge, through some
+standard or customary means of facilitating copying of software. This
+Corresponding Source shall include the Corresponding Source for any
+work covered by version 3 of the GNU General Public License that is
+incorporated pursuant to the following paragraph.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+#### 14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU Affero General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever
+published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+#### 15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+#### 16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+#### 17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+### How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively state
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+        <one line to give the program's name and a brief idea of what it does.>
+        Copyright (C) <year>  <name of author>
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU Affero General Public License as
+        published by the Free Software Foundation, either version 3 of the
+        License, or (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU Affero General Public License for more details.
+
+        You should have received a copy of the GNU Affero General Public License
+        along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper
+mail.
+
+If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for
+the specific requirements.
+
+You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU AGPL, see <https://www.gnu.org/licenses/>.

README.md

@@ -0,0 +1,363 @@
+<p align="center">
+	<img alt="BunkerWeb logo" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/misc/logo.png" />
+</p>
+
+<p align="center">
+	<img src="https://img.shields.io/github/v/release/bunkerity/bunkerweb?label=stable" />
+	<img src="https://img.shields.io/github/v/release/bunkerity/bunkerweb?include_prereleases&label=latest" />
+	<br />
+	<img src="https://img.shields.io/github/last-commit/bunkerity/bunkerweb" />
+	<img src="https://img.shields.io/github/issues/bunkerity/bunkerweb">
+	<img src="https://img.shields.io/github/issues-pr/bunkerity/bunkerweb">
+	<br />
+	<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/dev.yml?branch=dev&label=CI%2FCD%20dev" />
+	<img src="https://img.shields.io/github/actions/workflow/status/bunkerity/bunkerweb/staging.yml?branch=staging&label=CI%2FCD%20staging" />
+	<a href="https://www.bestpractices.dev/projects/8001">
+		<img src="https://www.bestpractices.dev/projects/8001/badge">
+	</a>
+</p>
+
+<p align="center">
+	📓 <a href="https://docs.bunkerweb.io">Documentation</a>
+	 &#124;
+	👨‍💻 <a href="https://demo.bunkerweb.io">Demo</a>
+	 &#124;
+	🛡️ <a href="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/examples">Examples</a>
+	 &#124;
+	💬 <a href="https://discord.com/invite/fTf46FmtyD">Chat</a>
+	 &#124;
+	📝 <a href="https://github.com/bunkerity/bunkerweb/discussions">Forum</a>
+	 &#124;
+	⚙️ <a href="https://config.bunkerweb.io">Configurator</a>
+	 &#124;
+	🗺️ <a href="https://threatmap.bunkerweb.io">Threatmap</a>
+</p>
+
+> 🛡️ Make security by default great again !
+
+# BunkerWeb
+
+<p align="center">
+	<img alt="Overview banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/intro-overview.svg" />
+</p>
+
+BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
+
+Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.3/integrations/#linux), [Docker](https://docs.bunkerweb.io/1.5.3/integrations/#docker), [Swarm](https://docs.bunkerweb.io/1.5.3/integrations/#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.3/web-ui/) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
+
+BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.3/security-tuning/) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.3/plugins/)).
+
+## Why BunkerWeb ?
+
+- **Easy integration into existing environments** : support for Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, ...
+- **Highly customizable** : enable, disable and configure features easily to meet your use case
+- **Secure by default** : offers out-of-the-box and hassle-free minimal security for your web services
+- **Awesome web UI** : keep control of everything more efficiently without the need of the CLI
+- **Plugin system** : extend BunkerWeb to meet your own use-cases
+- **Free as in "freedom"** : licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html)
+
+## Security features
+
+A non-exhaustive list of security features :
+
+- **HTTPS** support with transparent **Let's Encrypt** automation
+- **State-of-the-art web security** : HTTP security headers, prevent leaks, TLS hardening, ...
+- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set**
+- **Automatic ban** of strange behaviors based on HTTP status code
+- Apply **connections and requests limit** for clients
+- **Block bots** by asking them to solve a **challenge** (e.g. : cookie, javascript, captcha, hCaptcha or reCAPTCHA)
+- **Block known bad IPs** with external blacklists and DNSBL
+- And much more ...
+
+Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.3/security-tuning/) section of the documentation.
+
+## Demo
+
+<p align="center">
+	<a href="https://www.youtube.com/watch?v=ZhYV-QELzA4" target="_blank"><img alt="BunkerWeb demo" src="https://img.youtube.com/vi/ZhYV-QELzA4/0.jpg" /></a>
+</p>
+
+A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.
+
+# Concepts
+
+<p align="center">
+	<img alt="Concepts banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/concepts.svg" />
+</p>
+
+You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.3/concepts).
+
+## Integrations
+
+The first concept is the integration of BunkerWeb into the target environment. We prefer to use the word "integration" instead of "installation" because one of the goals of BunkerWeb is to integrate seamlessly into existing environments.
+
+The following integrations are officially supported :
+
+- [Docker](https://docs.bunkerweb.io/1.5.3/integrations/#docker)
+- [Docker autoconf](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf)
+- [Swarm](https://docs.bunkerweb.io/1.5.3/integrations/#swarm)
+- [Kubernetes](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes)
+- [Linux](https://docs.bunkerweb.io/1.5.3/integrations/#linux)
+- [Ansible](https://docs.bunkerweb.io/1.5.3/integrations/#ansible)
+- [Vagrant](https://docs.bunkerweb.io/1.5.3/integrations/#vagrant)
+
+## Settings
+
+Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
+
+The configuration of BunkerWeb is done by using what we call the "settings" or "variables". Each setting is identified by a name such as `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT`. You can assign values to the settings to configure BunkerWeb.
+
+Here is a dummy example of a BunkerWeb configuration :
+
+```conf
+SERVER_NAME=www.example.com
+AUTO_LETS_ENCRYPT=yes
+USE_ANTIBOT=captcha
+REFERRER_POLICY=no-referrer
+USE_MODSECURITY=no
+USE_GZIP=yes
+USE_BROTLI=no
+```
+
+You will find an easy to use settings generator at [config.bunkerweb.io](https://config.bunkerweb.io).
+
+## Multisite mode
+
+The multisite mode is a crucial concept to understand when using BunkerWeb. Because the goal is to protect web applications, we intrinsically inherit the concept of "virtual host" or "vhost" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)) which makes it possible to serve multiple web applications from a single (or a cluster of) instance.
+
+By default, the multisite mode of BunkerWeb is disabled which means that only one web application will be served and all the settings will be applied to it. The typical use case is when you have a single application to protect : you don't have to worry about the multisite and the default behavior should be the right one for you.
+
+When multisite mode is enabled, BunkerWeb will serve and protect multiple web applications. Each web application is identified by a unique server name and have its own set of settings. The typical use case is when you have multiple applications to protect and you want to use a single (or a cluster depending of the integration) instance of BunkerWeb.
+
+## Custom configurations
+
+Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.3/plugins)), you can use custom configurations to solve your specific challenges.
+
+Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
+
+Another core component of BunkerWeb is the ModSecurity Web Application Firewall : you can also use custom configurations to fix some false positives or add custom rules for example.
+
+## Database
+
+State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
+
+- Settings defined for all the services
+- Custom configurations
+- BunkerWeb instances
+- Metadata about jobs execution
+- Cached files
+
+The following backend database are supported : SQLite, MariaDB, MySQL and PostgreSQL
+
+## Scheduler
+
+To make things automagically work together, a dedicated service called the scheduler is in charge of :
+
+- Storing the settings and custom configurations inside the database
+- Executing various tasks (called jobs)
+- Generating a configuration which is understood by BunkerWeb
+- Being the intermediary for other services (like web UI or autoconf)
+
+In other words, the scheduler is the brain of BunkerWeb.
+
+# Setup
+
+## Docker
+
+<p align="center">
+	<img alt="Docker banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-docker.svg" />
+</p>
+
+We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
+
+Docker integration key concepts are :
+
+- **Environment variables** to configure BunkerWeb
+- **Scheduler** container to store configuration and execute jobs
+- **Networks** to expose ports for clients and connect to upstream web services
+
+You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.3/integrations/#docker) of the documentation.
+
+## Docker autoconf
+
+<p align="center">
+	<img alt="Docker autoconf banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-autoconf.svg" />
+</p>
+
+The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
+
+Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
+
+You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf) of the documentation.
+
+## Swarm
+
+<p align="center">
+	<img alt="Swarm banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-swarm.svg" />
+</p>
+
+To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
+
+Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.3/integrations/#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
+
+You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.3/integrations/#swarm) of the documentation.
+
+## Kubernetes
+
+<p align="center">
+	<img alt="Kubernetes banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-kubernetes.svg" />
+</p>
+
+The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
+
+You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.3/integrations/#kubernetes) of the documentation.
+
+## Linux
+
+<p align="center">
+	<img alt="Linux banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-linux.svg" />
+</p>
+
+List of supported Linux distros :
+
+- Debian 11 "Bullseye"
+- Ubuntu 22.04 "Jammy"
+- Fedora 38
+- RHEL 8.7
+
+Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
+
+You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.3/integrations/#linux) of the documentation.
+
+## Ansible
+
+<p align="center">
+	<img alt="Ansible banner" src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/integration-ansible.svg" />
+</p>
+
+List of supported Linux distros :
+
+- Debian 11 "Bullseye"
+- Ubuntu 22.04 "Jammy"
+- Fedora 38
+- RHEL 8.7
+
+[Ansible](https://www.ansible.com/) is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
+
+A specific BunkerWeb Ansible role is available on [Ansible Galaxy](https://galaxy.ansible.com/bunkerity/bunkerweb) (source code is available [here](https://github.com/bunkerity/bunkerweb-ansible)).
+
+You will find more information in the [Ansible section](https://docs.bunkerweb.io/1.5.3/integrations/#ansible) of the documentation.
+
+## Vagrant
+
+We maintain ready to use Vagrant boxes hosted on Vagrant cloud for the following providers :
+
+- virtualbox
+- libvirt
+
+You will find more information in the [Vagrant section](https://docs.bunkerweb.io/1.5.3/integrations/#vagrant) of the documentation.
+
+# Quickstart guide
+
+Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.3/quickstart-guide/) that will cover the following common use cases :
+
+- Protecting a single HTTP application
+- Protecting multiple HTTP application
+- Retrieving the real IP of clients when operating behind a load balancer
+- Adding custom configurations
+- Protecting generic TCP/UDP applications
+- In combination with PHP
+
+# Security tuning
+
+BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.3/settings). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
+
+You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.3/security-tuning) of the documentation.
+
+# Settings
+
+To help you tuning BunkerWeb we have made an easy to use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
+
+As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server you will need to add the primary (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.
+
+When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
+
+Check the [settings section](https://docs.bunkerweb.io/1.5.3/settings) of the documentation to get the full list.
+
+# Web UI
+
+<p align="center">
+	<a href="https://www.youtube.com/watch?v=Ao20SfvQyr4">
+		<img src="https://github.com/bunkerity/bunkerweb/raw/v1.5.3/docs/assets/img/user_interface_demo.png" height="300" />
+	</a>
+</p>
+
+The "Web UI" is a web application that helps you manage your BunkerWeb instance using a user-friendly interface instead of the command-line one.
+
+- Start, stop, restart and reload your BunkerWeb instance
+- Add, edit and delete settings for your web applications
+- Add, edit and delete custom configurations for NGINX and ModSecurity
+- Install and uninstall external plugins
+- Explore the cached files
+- Monitor jobs execution
+- View the logs and search pattern
+
+You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.3/web-ui) of the documentation.
+
+# Plugins
+
+BunkerWeb comes with a plugin system to make it possible to easily add new features. Once a plugin is installed, you can manage it using additional settings defined by the plugin.
+
+Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
+
+|      Name      | Version | Description                                                                                                                      |                                                Link                                                 |
+| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------: |
+|   **ClamAV**   |   1.2   | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. |     [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav)     |
+|   **Coraza**   |   1.2   | Inspect requests using a the Coraza WAF (alternative of ModSecurity).                                                            |     [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza)     |
+|  **CrowdSec**  |   1.2   | CrowdSec bouncer for BunkerWeb.                                                                                                  |   [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec)   |
+|  **Discord**   |   1.2   | Send security notifications to a Discord channel using a Webhook.                                                                |    [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord)    |
+|   **Slack**    |   1.2   | Send security notifications to a Slack channel using a Webhook.                                                                  |      [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack)      |
+| **VirusTotal** |   1.2   | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious.          | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
+|  **WebHook**   |   1.2   | Send security notifications to a custom HTTP endpoint using a	Webhook.                                                           |     [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook)     |
+
+You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.3/plugins) of the documentation.
+
+# Support
+
+## Professional
+
+We offer professional services related to BunkerWeb like :
+
+* Consulting
+* Support
+* Custom development
+* Partnership
+
+Please contact us at [contact@bunkerity.com](mailto:contact@bunkerity.com) if you are interested.
+
+## Community
+
+To get free community support you can use the following media :
+
+* The #help channel of BunkerWeb in the [Discord server](https://discord.com/invite/fTf46FmtyD)
+* The help category of [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions)
+* The [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit
+* The [Server Fault](https://serverfault.com/) and [Super User](https://superuser.com/) forums
+
+Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues) to ask for help, use it only for bug reports and feature requests.
+
+# License
+
+This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/LICENSE.md).
+
+# Contribute
+
+If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/CONTRIBUTING.md) to get started.
+
+# Security policy
+
+We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.5.3/SECURITY.md) for more information.
+
+# Stargazers over time
+
+[![Stargazers over time](https://starchart.cc/bunkerity/bunkerweb.svg)](https://starchart.cc/bunkerity/bunkerweb)

SECURITY.md

@@ -0,0 +1,17 @@
+# Security policy
+
+Even though this project is focused on security, it is still prone to possible vulnerabilities. We consider every security bug as a serious issue and will try our best to address it.
+
+## Responsible disclosure
+
+If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.
+
+Here is a non-exhaustive list of issues we consider as high risk :
+- Vulnerability in the code
+- Bypass of a security feature
+- Vulnerability in a third-party dependency
+- Risk in the supply chain
+
+## Bounty
+
+To encourage responsible disclosure, we may reward you with a bounty at the sole discretion of the maintainers.

TODO

@@ -0,0 +1,5 @@
+- Ansible
+- Vagrant
+- Plugins
+- Find a way to do rdns in background
+- fix db warnings (Got an error reading communication packets)

docs/Dockerfile

@@ -0,0 +1,4 @@
+FROM squidfunk/mkdocs-material@sha256:e5f28aa0c3ac8206f93e44a0c52ea85616b0d6c674319cd1d87a241594788355
+
+COPY mkdocs.yml /docs
+COPY docs /docs/docs

docs/about.md

@@ -0,0 +1,97 @@
+# About
+
+## Who maintains BunkerWeb ?
+
+BunkerWeb is maintained by [Bunkerity](https://www.bunkerity.com), a French 🇫🇷 company specialized in Cybersecurity 🛡️.
+
+## Do you offer professional services ?
+
+Yes, we offer professional services related to BunkerWeb such as :
+
+- Consulting
+- Support
+- Custom development
+- Partnership
+
+Please contact us at [contact@bunkerity.com](mailto:contact@bunkerity.com) if you are interested.
+
+## Where to get community support ?
+
+To get free community support, you can use the following media :
+
+- The #help channel of BunkerWeb in the [Discord server](https://discord.com/invite/fTf46FmtyD)
+- The help category of [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions)
+- The [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit
+- The [Server Fault](https://serverfault.com/) and [Super User](https://superuser.com/) forums
+
+Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues) to ask for help, use it only for bug reports and feature requests.
+
+## How can I contribute ?
+
+Here is a non-exhaustive list of what you can do :
+
+- Join the [Discord server](https://discord.com/invite/fTf46FmtyD), [/r/BunkerWeb](https://www.reddit.com/r/BunkerWeb) subreddit and [GitHub discussions](https://github.com/bunkerity/bunkerweb/discussions) to talk about the project and help others
+- Follow us on [LinkedIn](https://www.linkedin.com/company/bunkerity/), [Twitter](https://twitter.com/bunkerity) and [GitHub](https://github.com/bunkerity)
+- Report bugs and propose new features using [issues](https://github.com/bunkerity/bunkerweb/issues)
+- Contribute to the code using [pull requests](https://github.com/bunkerity/bunkerweb/pulls)
+- Write an awesome [plugin](plugins.md)
+- Talk about BunkerWeb to your friends/colleagues, on social media, on your blog, ...
+
+## How to report security issue ?
+
+Please contact us at [security@bunkerity.com](mailto:security@bunkerity.com) using the following PGP key :
+
+```conf
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCEMiMBEACtXJBDbF86qjC/Q1cfmJfYcYrbk6eE5czknG294XObC97wAgDf
+/MbX6bnti4kDRpflGDqQtwOXudcEzledTD4bdDUKvZwqPoYQGa24uCuUxSINTLXr
+RuoMaKfpvs7trsFXp5iYUqf4Org2aaJE7Tk/9sOvxgdqsT22jEgCZXTRU1qG494U
+u6XRQN8hKlw6aa6njjX9vUk6Jpl46/kwwO9mpXBZX6iFKYnBlUWs2k8d6D6cO5aZ
+KLoYyz5v3Gw2hHSqj4qbVQPTIT7qrrcfd8nblYK7Dh3IM+vQq7a7lB0AudIyBNPd
+rsypi9ZYgwI3lv/rmQnDc32Ua5cLvTvgg/XoaNK9ogc3kei1+hXODEgRA/zvSKqq
+20i/1Y0OnIGv89LOI6urWpOgDAhQUV5xvANll2lm3Bkmy29UOzNadUc/yImxrM06
+HwX82ju6PFAqOaxMW6SEE71ylGOSlikAGNcmmc5Ihd1J/VRZA4PBiQ31gQxFRpUC
+3NTw2QNAD1kjni5PuQD10Q1Ognvb6uJh/MtqsoX6r1t+Oly9MblFSuyqFkqNO3F0
+QAJqprhJlQ3YOcJdJ1EZR7qs0xJm5h+lw0Z/UINqkwiZUW3PCO8BKxfq6sfdwM8L
+5hPhyUzy2gIJ0J/4NGYEBH1ojoYODGU8OCSmyjSTY9SoVMeWDfqYP4ZTvQARAQAB
+tCVidW5rZXJpdHktcGdwIDxjb250YWN0QGJ1bmtlcml0eS5jb20+iQJUBBMBCAA+
+FiEEw78SjkcVxXCq7hStPYCAbxJgKnwFAmCEMiMCGwMFCQPCIP0FCwkIBwIGFQoJ
+CAsCBBYCAwECHgECF4AACgkQPYCAbxJgKnzvYhAAnNqGB6ce2eZzwk1EiNlNaXaA
+hFWLq/s/J1IOAP+0V5jKJxA6zTX01HyIfIIHQy6nrxxEXzYsIUHdJ+HBPCNswCqn
+2d/aDkkfoEUc1bUD0c2bXfoSCsAeIoK+eOf6iSr4IENVoIUYFQTUKFNu+Y7eDL0I
+J8Xadg53G+fkK9LE6TeYpBs3hDT4w7vlDfIwWa1NC9HoLzSmZ2fqZ7SnihLGsLmp
+98VqDrDjhRPzrz5/tVYgvPCQQU5ED/TayCCYvrGpw9gP8qmEOabIUz0ppGwEfQVs
+Wycilm1/Js/qjdbxUFMipBIzDu7bI3kMLmENhI+16Xtub9dUrvkW2SdDngYhtWj8
+IzVOe6N/XDuiRGpaYFpEuXbrnDFexe1ygZwnVHt3fukPfa7W8mhMs2kY1ishIA0O
+WElKO1Q6N0ZWEad0PwM8NCDjaDUNWQC36ZF/MS+ipHWx9joPUjImY2AXDjN+L+Si
+ABQIe4Fo6Jx6S6Bi8YvPq8idYZvaWFJjBvmaPjxdUMPbIsMRiEjvlrhvqhLuVBpE
+lGA+M4UJGw5yBl+yiiLDuws/Fppv9HwNqw6Uq1m1XaW859Om1GGBKYfphyn+fHjR
+7ftOuT7Ss4zioXT4mscOZgkfzDAqgpZiHjYhe7tLUu7iD6UEsZmey/gRV0hCxng3
+N7yaRrBu0+3sIQV4jYC5Ag0EYIQyIwEQALSurJGOx7At5mRFjvhXd4/JHuBZZOSI
+M45LSJ+mKYnAGmwsL0AneZMIf6Yc0Vcn32oqlIXN5aB8jIt91pChLre8tl/lFZZP
+xY3WIEBJhZF0FIUqSQLjg4HD0S70REii7Om1kgtZueid8V6T5F1JDcO2mDoh8oc9
+h9nRQ1Ld6dblEuwBzbFkI1K6OUk1+ec7+mQc7orHdBVgelmqwG7fGZnPiN3XfklF
+dnwSkFIX/qkAsKQmmx1VSzaGFoPLajf4wrkzZdA3iEafsHyvdEFlezZCZ7TsoHBh
+tNg1Psg6MbBVgiMfHyRHSEBJZ7r5Awj2MpFUFMOd1IPcor1I254mx0VYfCvof4Km
+Ri1F/86kHc23A77pd4HFYZWiZjaWhh12L+wz5fDL5/sSFXVGSCtSWIKx6FjysZ+v
+szk3lItHoomZhA7M+FjU/cOjq9hae9uwZeU39DQk0/npln2RcHitoqgUIzII5woO
+S3SlMSc910tHf40D2cBr1iFKC0jQICjkDexB9CtNx/N25SJmLfiimYtk6/NHlPq4
+HXdq6ZfLZ7xQmuGcyWv4f0pwA2CK3twISpsIxIKe456WYTDtQu9d1s987dvmw6F/
+qURC6m2WPGroHb8COQTKzbshjpGUmLpyR3FXki4wNXeI1KaQLL7NpZmK6yJlWviO
+1sCjh4m7VS+zABEBAAGJAjwEGAEIACYWIQTDvxKORxXFcKruFK09gIBvEmAqfAUC
+YIQyIwIbDAUJA8Ig/QAKCRA9gIBvEmAqfP2WEACqmXEhu4ARl2yT9bay0+W3F1q1
+MrLQkcVOau2ihXx3PhYsXRUoEFj72VDAar41WIlHsPJfB14WtSlYcX2XdjHLHMpC
+dL2eGhqIcHzFChR0vGjtvm2wae/rJTChWf8WXiHrRnRcfFFfhpCvkNi43fQeH4yp
+cel2a35WV+IRbnkCkaly2NG3XO0t83Siok8Ku+OJGPatUMxJmaEVQeeXVPDzVRva
+rtvyd9Sclkd9QDPBLZyWHC1vsPKGRJpi5uDZjGxhaFRkimw/SYtFHj7AUrMKAIHB
+GfEcwC3Eq4rF0FeCOPfBd2vwGGrRflx76jK9rj288ta9Oq6u6ev8PCVzt0E7jrSf
+AX88vfVRcxihNfj/9i5xmY596jpgbvNA2aJX2hAO3Q8pD6AunVXPUyc3RlFHt7jC
+tL+9Xv7Qwjz7OToWqj+9cM6T+6oZLxYNVPT72Z/KOFW+mzGb87qjcsDMb/hu2fNq
+tSWyZk2AAgHQyG1y8vCQQzsDnUDM6NIPwYG5XMP+11WAsPk5fP1ksixpUqIWgjhY
+M22YUsjLeaRtgSmhAGIkbBgecs1EHSZZ6sf2lB8gSom1wW0UCBPSifP0DwYFizS5
+SOk62kZ0lqEctwgKDe3MNQnPxt9+tU9L1pIkyXgXihcOLiCMl434K0djJXxIbiX0
+JvbFAfI3qteepvnjBQ==
+=g1tf
+-----END PGP PUBLIC KEY BLOCK-----
+```

docs/assets/extra.css

@@ -0,0 +1,19 @@
+:root {
+  --md-primary-fg-color: #125678;
+  --md-text-font: "Roboto";
+}
+
+.md-footer {
+  background-color: #125678;
+}
+
+/*
+@font-face {
+	font-family: Consolas, monaco, monospace;
+}
+
+@font-face {
+	font-family: "TitleFont";
+	src: "assets/font-title.woff";
+}
+*/

docs/concepts.md

@@ -0,0 +1,146 @@
+# Concepts
+
+<figure markdown>
+  ![Overview](assets/img/concepts.svg){ align=center, width="600" }
+</figure>
+
+## Integrations
+
+The first concept is the integration of BunkerWeb into the target environment. We prefer to use the word "integration" instead of "installation" because one of the goals of BunkerWeb is to integrate seamlessly into existing environments.
+
+The following integrations are officially supported :
+
+- [Docker](integrations.md#docker)
+- [Docker autoconf](integrations.md#docker-autoconf)
+- [Swarm](integrations.md#swarm)
+- [Kubernetes](integrations.md#kubernetes)
+- [Linux](integrations.md#linux)
+- [Ansible](integrations.md#ansible)
+- [Vagrant](integrations.md#vagrant)
+
+If you think that a new integration should be supported, do not hesitate to open a [new issue](https://github.com/bunkerity/bunkerweb/issues) on the GitHub repository.
+
+!!! info "Going further"
+
+    The technical details of all BunkerWeb integrations are available in the [integrations section](integrations.md) of the documentation.
+
+## Settings
+
+Once BunkerWeb is integrated into your environment, you will need to configure it to serve and protect your web applications.
+
+The configuration of BunkerWeb is done by using what we call the "settings" or "variables". Each setting is identified by a name such as `AUTO_LETS_ENCRYPT` or `USE_ANTIBOT`. You can assign values to the settings to configure BunkerWeb.
+
+Here is a dummy example of a BunkerWeb configuration :
+
+```conf
+SERVER_NAME=www.example.com
+AUTO_LETS_ENCRYPT=yes
+USE_ANTIBOT=captcha
+REFERRER_POLICY=no-referrer
+USE_MODSECURITY=no
+USE_GZIP=yes
+USE_BROTLI=no
+```
+
+!!! info "Going further"
+
+    The complete list of available settings with descriptions and possible values is available in the [settings section](settings.md) of the documentation.
+
+!!! info "Settings generator tool"
+
+    To help you tune BunkerWeb, we offer an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
+
+## Multisite mode
+
+Understanding the multisite mode is essential when utilizing BunkerWeb. As our primary focus is safeguarding web applications, our solution is intricately linked to the concept of "virtual hosts" or "vhosts" (more info [here](https://en.wikipedia.org/wiki/Virtual_hosting)). These virtual hosts enable the serving of multiple web applications from a single instance or cluster.
+
+By default, BunkerWeb has the multisite mode disabled. This means that only one web application will be served, and all settings will be applied to it. This setup is ideal when you have a single application to protect, as you don't need to concern yourself with multisite configurations.
+
+However, when the multisite mode is enabled, BunkerWeb becomes capable of serving and protecting multiple web applications. Each web application is identified by a unique server name and has its own set of settings. This mode proves beneficial when you have multiple applications to secure, and you prefer to utilize a single instance (or a cluster) of BunkerWeb.
+
+The activation of the multisite mode is controlled by the `MULTISITE` setting, which can be set to `yes` to enable it or `no` to keep it disabled (which is the default value).
+
+Each setting within BunkerWeb has a specific context that determines where it can be applied. If the context is set to "global," the setting can't be applied per server or site but is instead applied to the entire configuration as a whole. On the other hand, if the context is "multisite," the setting can be applied globally and per server. To define a multisite setting for a specific server, simply add the server name as a prefix to the setting name. For example, `app1.example.com_AUTO_LETS_ENCRYPT` or `app2.example.com_USE_ANTIBOT` are examples of setting names with server name prefixes. When a multisite setting is defined globally without a server prefix, all servers inherit that setting. However, individual servers can still override the setting if the same setting is defined with a server name prefix.
+
+Understanding the intricacies of multisite mode and its associated settings allows you to tailor BunkerWeb's behavior to suit your specific requirements, ensuring optimal protection for your web applications.
+
+Here's a dummy example of a multisite BunkerWeb configuration :
+
+```conf
+MULTISITE=yes
+SERVER_NAME=app1.example.com app2.example.com app3.example.com
+AUTO_LETS_ENCRYPT=yes
+USE_GZIP=yes
+USE_BROTLI=yes
+app1.example.com_USE_ANTIBOT=javascript
+app1.example.com_USE_MODSECURITY=no
+app2.example.com_USE_ANTIBOT=cookie
+app2.example.com_WHITELIST_COUNTRY=FR
+app3.example.com_USE_BAD_BEHAVIOR=no
+```
+
+!!! info "Going further"
+
+    You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples) directory of the repository.
+
+## Custom configurations
+
+To address unique challenges and cater to specific use cases, BunkerWeb offers the flexibility of custom configurations. While the provided settings and [external plugins](plugins.md) cover a wide range of scenarios, there may be situations that require additional customization.
+
+BunkerWeb is built on the renowned NGINX web server, which provides a powerful configuration system. This means you can leverage NGINX's configuration capabilities to meet your specific needs. Custom NGINX configurations can be included in various [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) such as HTTP or server, allowing you to fine-tune the behavior of BunkerWeb according to your requirements. Whether you need to customize global settings or apply configurations to specific server blocks, BunkerWeb empowers you to optimize its behavior to align perfectly with your use case.
+
+Another integral component of BunkerWeb is the ModSecurity Web Application Firewall. With custom configurations, you have the flexibility to address false positives or add custom rules to further enhance the protection provided by ModSecurity. These custom configurations allow you to fine-tune the behavior of the firewall and ensure that it aligns with the specific requirements of your web applications.
+
+By leveraging custom configurations, you unlock a world of possibilities to tailor BunkerWeb's behavior and security measures precisely to your needs. Whether it's adjusting NGINX configurations or fine-tuning ModSecurity, BunkerWeb provides the flexibility to meet your unique challenges effectively.
+
+!!! info "Going further"
+
+    You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples) directory of the repository.
+
+## Database
+
+BunkerWeb securely stores its current configuration in a backend database, which contains essential data for smooth operation. The following information is stored in the database:
+
+- **Settings for all services**: The database holds the defined settings for all the services provided by BunkerWeb. This ensures that your configurations and preferences are preserved and readily accessible.
+
+- **Custom configurations**: Any custom configurations you create are also stored in the backend database. This includes personalized settings and modifications tailored to your specific requirements.
+
+- **BunkerWeb instances**: Information about BunkerWeb instances, including their setup and relevant details, is stored in the database. This allows for easy management and monitoring of multiple instances if applicable.
+
+- **Metadata about job execution**: The database stores metadata related to the execution of various jobs within BunkerWeb. This includes information about scheduled tasks, maintenance processes, and other automated activities.
+
+- **Cached files**: BunkerWeb utilizes caching mechanisms for improved performance. The database holds cached files, ensuring efficient retrieval and delivery of frequently accessed resources.
+
+Under the hood, whenever you edit a setting or add a new configuration, BunkerWeb automatically stores the changes in the database, ensuring data persistence and consistency. BunkerWeb supports multiple backend database options, including SQLite, MariaDB, MySQL, and PostgreSQL.
+
+Configuring the database is straightforward using the `DATABASE_URI` setting, which follows the specified formats for each supported database:
+
+- **SQLite**: `sqlite:///var/lib/bunkerweb/db.sqlite3`
+- **MariaDB**: `mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db`
+- **MySQL**: `mysql+pymysql://bunkerweb:changeme@bw-db:3306/db`
+- **PostgreSQL**: `postgresql://bunkerweb:changeme@bw-db:5432/db`
+
+By specifying the appropriate database URI in the configuration, you can seamlessly integrate BunkerWeb with your preferred database backend, ensuring efficient and reliable storage of your configuration data.
+
+<figure markdown>
+  ![Overview](assets/img/bunkerweb_db.svg){ align=center, width="800" }
+  <figcaption>Database Schema</figcaption>
+</figure>
+
+## Scheduler
+
+For seamless coordination and automation, BunkerWeb employs a specialized service known as the scheduler. The scheduler plays a vital role in ensuring smooth operation by performing the following tasks:
+
+- **Storing settings and custom configurations**: The scheduler is responsible for storing all the settings and custom configurations within the backend database. This centralizes the configuration data, making it easily accessible and manageable.
+
+- **Executing various tasks (jobs)**: The scheduler handles the execution of various tasks, referred to as jobs. These jobs encompass a range of activities, such as periodic maintenance, scheduled updates, or any other automated tasks required by BunkerWeb.
+
+- **Generating BunkerWeb configuration**: The scheduler generates a configuration that is readily understood by BunkerWeb. This configuration is derived from the stored settings and custom configurations, ensuring that the entire system operates cohesively.
+
+- **Acting as an intermediary for other services**: The scheduler acts as an intermediary, facilitating communication and coordination between different components of BunkerWeb. It interfaces with services such as the web UI or autoconf, ensuring a seamless flow of information and data exchange.
+
+In essence, the scheduler serves as the brain of BunkerWeb, orchestrating various operations and ensuring the smooth functioning of the system.
+
+Depending on the integration approach, the execution environment of the scheduler may differ. In container-based integrations, the scheduler is executed within its dedicated container, providing isolation and flexibility. On the other hand, for Linux-based integrations, the scheduler is self-contained within the bunkerweb service, simplifying the deployment and management process.
+
+By employing the scheduler, BunkerWeb streamlines the automation and coordination of essential tasks, enabling efficient and reliable operation of the entire system.

docs/diagrams/core-order.drawio

@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2022-10-13T12:11:36.746Z" agent="5.0 (Windows)" etag="qIM9S_K3KBWfpHSqmD4a" version="20.4.0"><diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">7Z1df6I4FIc/jZfdHxDevFSkrVuHzqjdrntHlVF20HQR2zqffkMhAglqtEJoYW4Gjrz/z3OScxJoCxjLtxvffl58gzPHa0nC7K0Fei1JkkRdR/+Flm1sAWo7ssx9dxbZxMQwcn87sVGIrRt35qwzGwYQeoH7nDVO4WrlTIOMzfZ9+Jrd7Cf0smd9tucOZRhNbY+2PrqzYBFZdUlL7LeOO1/gM4v4/pY23ji+k/XCnsHXlAmYLWD4EAbR0vLNcLzw6eHn8tjfPnqDX+rNnz/W/9kP3bux9ddVdLDrU3bZ3YLvrIKzD73a2Lf9lfFyfbUdXc2DjvjPuH8lg+jYL7a3iR9YfLPBFj9BZ4YeaLwK/WAB53Ble2Zi7fpws5o54XkEtJZsM4DwGRlFZPzXCYJt7B32JoDItAiWXvxrdM7wRIRoR+443m4NN/7UOXCbsYKB7c+d4NDjkHa6IiIcuHQCf4t29B3PDtyX7NXZsWfOd9slTx8txAKcIIaQo4XqoevtztwXtDgPFzuGYY5G+Ad0ntRvOZt3zZu+he1PPrkluT8pvechTkOJXxdu4Iye7ffH/IpiRZ6AL44fOG9nSEg/cRyA2nJ0nDj8KNHaa0KyiPFcpCjWhYIkwnh8cV5kRl6kPeqVw4tMafF42x+bg/5obKI19GyvKXH8BVw+bdbHPfqn63kG9KD/vh8QRUXVtNAOV0HKfv3+r0ACVFXIEHCF/T3NgJLDgAgKg4B+8F8Rgl135SgFgCcF+MBHmo3B0Oz0JiEVzI0B3Zh0LCsh68w2hZ3APaTtI7MoAvV29QhU60EgYCVQ4Uog3YnuDjrG3YUaoopgIO56WhXiQK8HBworBxpXDhRKjZuhOfliGAClehhoLF0A4/7BGg8nTWt/WF9Fr5y+oB5Zp9RmDHOAa9qJL/Mwbbuol5RfjhLXs0bdQe2BE9v8gatHhgtYM1zANcMFTBnuOcB1H6w7c2iZ49pBR/ZiqgBdXi+mfOjQY/W3f6dXJuHB/lDwau8tPni0to3XCoeVNRkG+gdhjXf9Dl104YnLCHLWZSRFyR4jurJ4N8IZdtfxAf/IG6uikB52xiYz/4P+t/64hn1cMpWvAv108niQfsd7gq9p8N8N6IfwcblT23sHdNYJh5CRderZ67U7zeqRjRXngu+8ucFuN7Sc2gutJTuFK2UFC5wRHq8YtPM9JeUIeX6AbR+NKaqWdUSF9K/oTqmYQh9JI1xaJscA90Qn5CD2NrXZc7jB+sAla8SAjKhmxt3RQnTIi8Y+WWmaQrKFYxnP55oogrzqJD0yY4373fuwB2rcmsYdc9tlmWavfk2X1q5cy4W7RRedt2Fava8zawMpQotU6rwNWW3iJxkWWeKnkK9zSfM7mPL+UQqVo1gZt53BwLRu9qYIZHzcuYDIECOzsRB1BAxVPxA7i8JPJgpqzNOm1MLwk7niJ1QMP4kVP670SSz0fR/en9SuDc0fD+ZofH6H5SsAydocFscj04Bhz7TYRwsbYdMq8lP2xBkRBZZRUoF2komzh8soeLkKZRSZtYyyr6NUThll97JF7IaA7EezVlEkorYByKTpQkUUmaw/KmXUUPLGbT9VhTHBYdJK6o2cKozMOcSeOUnloLErKOKyIBl5WdEgR6llsRg0qAJHGWgoeSWMBo2ip63yRUMjau9y+0w0dLL0LheDRlvggUZeEaJBo+iZrJxbDeFSrYZSTqshCjx6VEpeiaBho+gxW85skEO2pEuzsqGSzQYJ2aXYEAEPNk58s7rqbAh82WCdGsyZDfVIT4iZDTKjJ/tmn5uNE6fXNmwcYoN5Fi/ndIPwtLOn+mhkJl7UTB8+fapPPw+uUmx8jlScDPfntxtkAbegdqMt8kCDbT7VYHD/2Axb5XrznmErgN2N27CV0tTmecyPVPa8KlBSb5kojijnDlupwpGuxYWiHjlbGWglRD3MXAXQIEZ0RVY00t0BziO6CvPUYa4juoB412ZXkDwVDUAMJ8lKMWjIZMJaBhpasXnkCq6cg1yc0eFFh792w7ssZ/4CTx/WyfB+bqFQJI+EneviGR8gP7ZVxrsdGkvGV0pf5oPuWPHuxnE3Yq5AENGZtXJ9MY+hEyHrnvIZlDQEWS9ZBz785eBMIw5v6aQkNtmeO1+FroZkd5C9i+NjJ/5h6c5m7wE0L+HJ+mKroByGHHSmp1SqOa5U2EsgGp3A1E4SUSAjPl9NdLrnXD9NJL1amtDTKSbmqG6iKGK1RJEaUChN8mbpl6sKPYJcP1U08jslgLcqdM5ZP1XIRoU/K3QOVT9VBKFqqtCfqa1fY08WjfmrQr/8VTtWdLJcib+ozE0UOqWvISrkpzfxRCFeqrTpDLJ+qlBj/XidmypNDhmqIFdNliaLROmJVjVV6CyyhrAoxBdp+MtCp5GNLLtvqfGThc4jaygLFcS4y9IkknktfnGyoNXkDxtGw5bJ34cE5v8=</diagram></mxfile>

docs/diagrams/integration-kubernetes.drawio

@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2022-04-18T18:09:08.815Z" agent="5.0 (Windows)" etag="uCmxwbMvDXNNCQliGYIF" version="17.4.5"><diagram id="To2Da4PRRWEcok_Ws3eM" name="Page-1">7Vxtd6I4FP41fqyHFwP40aLOetrRbtvZmf2IEJEtEhdia/fXb4IBIYnjS8XiDJ6eCjchyM3zPCT3Blq6vVh/iZ3l/CvyYNjSFG/d0vstTVMV3SJf1PK+sQDT2Bj8OPBYpa3hKfgPZkcy6yrwYFKqiBEKcbAsG10URdDFJZsTx+itXG2GwvJZl44PBcOT64Si9Xvg4TmzqoqyLfgDBv6cndoCrGDhZJWZIZk7HnormPRBS7djhPBma7G2YUidl/llc9xwR2n+w2IY4UMOGGkTy5v/dzddjpcunPQj95+7G9YZr064Yhfc0oyQtHc7JRs+3bAn4+fHyT2p9XDfGw+ycnKivAq7QPyeeS1Gq8iD9MQqKX6bBxg+LR2Xlr4RnBDbHC9CVjwLwtBGIYrJfoQiUuk2wTF6gZmxpemqBgzTopVRhIfOIggpnmwUJSh0EmZ/Qqs4PcccYwIPDeg98o84hP6jFZK2j5AfQmcZJG0XLdICN0mrDmebVskm367sd7zCGAcEJr0w8CNShtEyd0SxT1g30epwXTCxPvoC0QLimJxWYaUdk+Hlndt/28IvZ8e8gDzVYEaHQd7P296igmwwYBwBEnU/SMaTPkGGQj3UAKRagKigDJBcYPYCpFMVQDrHAERrAHJZBakBQMAxABk3AKkWIGa3dgAxJQDhOpyMn5Z0cxbCdY+O7IgzYOSxzb5LnJkEbrnftyBROBQQRw+HBvkIUGD4uDQK5L0dOlMYPqAkwAGiVpf0OowL1e+5ClOEMTmffuuwdvIjyHf8/oO6og2y3b+ZZ9Kd/rq09872dgIOO7EP8f5xA/RKQ2wRlgXYAQnqMlsMQwcHr+WBuQyJ7AwPKCC/OEe9BkAJ9cJ4KUl7lR1VHEjzDell+phcOxu/CO2kvMiv+nSqWAJVRmN78nU0/kKsz4+94XBkC+QhyoDL1JCDXtRJAUc8UBeB59HTSDWYI+AOpbs0186goUAFbbVbwkFXVFFV7bYNTYS0DirS0e6HdZR1eyOiO0TUGwa0S34ujbWRvLJSqcA4TfK6yp6GKta8bDDSjA9+pfFBp1ZkASY3PtBPHB8A0GmrWrmtC48RVFnIpuHLlfMF1IovVvdM42lL3zEdvRRZtE8giweg5XV+G7IkpA9x5q1piNwX6sB1gH8wZ9HtlD1tDbDdLX/oTkafLe1KpGOHncK7JHPoToBc5f1MN8r81Exu0nEoPzvmnoaq5qcu8HM0fh48jnv3zYz3cjNe3VDaSvFjlFGR7X/m9FeVZSIaKW+knJPoKxtqGRY3QrK67RPFXIj9i01VLediMqiR88vLOcFUSc7VGqq5LCu0SQ1Sv21Tg0Wb4jnYuaHbN0nspkcZ/67QBjy0A6j7ifN3uD51fO72gtPzVrLT3n4b3w0evw9uC+lK2c8SzByyT05kFgH482xmaZJOP9cJWY2LQubyWgKpRIYrS1uqYjLm4mhUZg675WW23ZhN0ao8DR7/GtmDmgO0AsDo6qcDRpagqYGkHQOiKxe+M+AKaHUTIk1MkOTddNP79jyxJ+NhXXrgCm89fI9/vpJoshB/oyRXpiRWp3ZKIouG1xhDv9mQhgdMDYRIDM8K/t4Tc8uiSIdG3HZ0wa8acTs107grWlGK4DGnlRe2pDUOWeiyN5DGwgg1CaQBs9PmlgHqp6YtJW11ANdWxaE0bfdswgteM/W7W01hHEEMCYiV3sMoX3odS+6zheMEFjcxuOoXEQLTkuj5hQNvujibeISOR3n8Sq6WeMWmTUR+DKmLFCeiZS6KZoG/IF12fuCEcIYb2GSw4WL4epaQLWJGpqLneEJsqdg3nRvjTw9ptjdA7y8+nEufEDtuCHDkstPfbARwRM7NPC3nZu7LuclWvnJ39Qusrvi8xRQc5bSTM3D841mSps43bJCyVZzh9d8jAmwCSYptxYcRjB0Mc01fkT0K0WZAsF/ZBRmXsOLUNRZ6RzbZq25wIEXPx6d7jdafrPWZnh+n9WpdtB5chdbzAs1T6WClt/Y0VLHOi4uhGp2vh84bplY/YZc9pM0L+wvE7pz1RwEOnpPM835KezIp9yQn6ZplgoEmi6HO0g8pWVJWpJcIbskfvS+SH2grbUOnXy3Qp7NQWqCmZo2zdqXWtAm+ZndHw2Z6NCmXNKJyNs3i6pI/cnnsRrhY+/T1OO2XPBTTDlx6H7hdxqN0o08AeJ1YBlxEGkgi0qZsMmpVhOPd77RhCQw3h9s2mZDJiZBfGGVRjsMyCw1DKmNIEPm/4njvDBS0uOc8gXIYBa2q4kHisig7HWB8lQQHG8ZUxhh38QmEOe51JvUikqYCjkhiZNWSEIl/vPNsRPr48/xNbvWnoNkVD903RT53bvWQ6fVhydZPmzZziy0Bnww9OLFqcVlV/jZV8bT5DC8baEh3GOnUhnQffAibn3ydSjo+VgX4XGHVpBNTiH04CyIanIpXYbp2YUY6njgWTikXYfwauNTcxKqqnd+bahkZnQu/50gOF0kOK4OLu0qo7jRBzUsnrzSlnb3u+TJYIbvb9ydvlGj7Fmp98D8=</diagram></mxfile>

docs/index.md

@@ -0,0 +1,67 @@
+# Introduction
+
+## Overview
+
+<figure markdown>
+  ![Overview](assets/img/intro-overview.svg){ align=center, width="800" }
+  <figcaption>Make your web services secure by default !</figcaption>
+</figure>
+
+Introducing BunkerWeb, the **cutting-edge** and **open-source Web Application Firewall** (WAF) that will revolutionize your web security experience.
+
+With BunkerWeb, your web services are safeguarded by default, providing you with peace of mind and enhanced protection. Powered by [NGINX](https://nginx.org/), this comprehensive web server combines advanced features seamlessly, ensuring your online assets remain secure.
+
+BunkerWeb effortlessly integrates into your existing environments, whether it's [Linux](integrations.md#linux), [Docker](integrations.md#docker), [Swarm](integrations.md#swarm), [Kubernetes](integrations.md#kubernetes), or more. Its versatility allows for easy configuration to suit your specific requirements. Don't worry if you prefer a user-friendly interface—BunkerWeb offers an exceptional [web UI](web-ui.md) alongside the command-line interface (CLI), ensuring accessibility for all users.
+
+Experience the transformation in cybersecurity, where complexities and obstacles are a thing of the past. With BunkerWeb, fortifying your digital assets has never been more delightful and hassle-free.
+
+Furthermore, BunkerWeb boasts a comprehensive set of primary [security features](security-tuning.md) at its core. However, what sets it apart is its remarkable flexibility through an intuitive [plugin system](plugins.md). This ingenious design empowers you to effortlessly enhance BunkerWeb with additional security measures, ensuring a tailored and robust defense for your web applications.
+
+By seamlessly integrating new plugins into BunkerWeb, you can customize and expand its capabilities to address specific security requirements unique to your environment. Whether you need to strengthen authentication protocols, bolster threat detection, or implement specialized security measures, BunkerWeb's [plugin system](plugins.md) grants you the freedom to fortify your web infrastructure with ease.
+
+With BunkerWeb's dynamic [plugin system](plugins.md), security becomes an enjoyable journey of exploration and empowerment. Discover the endless possibilities and create a fortified web environment that perfectly aligns with your needs.
+
+
+## Why BunkerWeb ?
+
+- **Easy integration into existing environments** : Seamlessly integrate BunkerWeb into various environments such as Linux, Docker, Swarm, Kubernetes, Ansible, Vagrant, and more. Enjoy a smooth transition and hassle-free implementation.
+
+- **Highly customizable** : Tailor BunkerWeb to your specific requirements with ease. Enable, disable, and configure features effortlessly, allowing you to customize the security settings according to your unique use case.
+
+- **Secure by default** : BunkerWeb provides out-of-the-box, hassle-free minimal security for your web services. Experience peace of mind and enhanced protection right from the start.
+
+- **Awesome web UI** : Take control of BunkerWeb more efficiently with the exceptional web user interface (UI). Navigate settings and configurations effortlessly through a user-friendly graphical interface, eliminating the need for the command-line interface (CLI).
+
+- **Plugin system** : Extend the capabilities of BunkerWeb to meet your own use cases. Seamlessly integrate additional security measures and customize the functionality of BunkerWeb according to your specific requirements.
+
+- **Free as in "freedom"** : BunkerWeb is licensed under the free [AGPLv3 license](https://www.gnu.org/licenses/agpl-3.0.en.html), embracing the principles of freedom and openness. Enjoy the freedom to use, modify, and distribute the software, backed by a supportive community.
+
+## Security features
+
+Explore the impressive array of security features offered by BunkerWeb. While not exhaustive, here are some notable highlights:
+
+- **HTTPS** support with transparent **Let's Encrypt** automation : Easily secure your web services with automated Let's Encrypt integration, ensuring encrypted communication between clients and your server.
+
+- **State-of-the-art web security** : Benefit from cutting-edge web security measures, including comprehensive HTTP security headers, prevention of data leaks, and TLS hardening techniques.
+
+- Integrated **ModSecurity WAF** with the **OWASP Core Rule Set** : Enjoy enhanced protection against web application attacks with the integration of ModSecurity, fortified by the renowned OWASP Core Rule Set.
+
+- **Automatic ban** of strange behaviors based on HTTP status code : BunkerWeb intelligently identifies and blocks suspicious activities by automatically banning behaviors that trigger abnormal HTTP status codes.
+
+- Apply **connections and requests limit** for clients : Set limits on the number of connections and requests from clients, preventing resource exhaustion and ensuring fair usage of server resources.
+
+- **Block bots** with **challenge-based verification** : Keep malicious bots at bay by challenging them to solve puzzles such as cookies, JavaScript tests, captcha, hCaptcha, reCAPTCHA or Turnstile, effectively blocking unauthorized access.
+
+- **Block known bad IPs** with external blacklists and DNSBL : Utilize external blacklists and DNS-based blackhole lists (DNSBL) to proactively block known malicious IP addresses, bolstering your defense against potential threats.
+
+- **And much more...** : BunkerWeb is packed with a plethora of additional security features that go beyond this list, providing you with comprehensive protection and peace of mind.
+
+To delve deeper into the core security features, we invite you to explore the [security tuning](security-tuning.md) section of the documentation. Discover how BunkerWeb empowers you to fine-tune and optimize security measures according to your specific needs.
+
+## Demo
+
+<p align="center">
+	<iframe style="display: block;" width="560" height="315" src="https://www.youtube-nocookie.com/embed/ZhYV-QELzA4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+</p>
+
+A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io). Feel free to visit it and perform some security tests.

docs/json2md.py

@@ -0,0 +1,89 @@
+#!/usr/bin/python3
+
+from io import StringIO
+from json import loads
+from glob import glob
+from pathlib import Path
+from pytablewriter import MarkdownTableWriter
+
+
+def print_md_table(settings) -> MarkdownTableWriter:
+    writer = MarkdownTableWriter(
+        headers=["Setting", "Default", "Context", "Multiple", "Description"],
+        value_matrix=[
+            [
+                f"`{setting}`",
+                "" if data["default"] == "" else f"`{data['default']}`",
+                data["context"],
+                "no" if "multiple" not in data else "yes",
+                data["help"],
+            ]
+            for setting, data in settings.items()
+        ],
+    )
+    return writer
+
+
+def stream_support(support) -> str:
+    md = "STREAM support "
+    if support == "no":
+        md += ":x:"
+    elif support == "yes":
+        md += ":white_check_mark:"
+    else:
+        md += ":warning:"
+    return md
+
+
+doc = StringIO()
+
+print("# Settings\n", file=doc)
+print(
+    '!!! info "Settings generator tool"\n\n    To help you tune BunkerWeb, we have made an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).\n',
+    file=doc,
+)
+print(
+    "This section contains the full list of settings supported by BunkerWeb."
+    + " If you are not yet familiar with BunkerWeb, you should first read the [concepts](concepts.md) section of the documentation."
+    + " Please follow the instructions for your own [integration](integrations.md) on how to apply the settings.\n",
+    file=doc,
+)
+print(
+    "As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server, you will need to add the primary"
+    + " (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.\n",
+    file=doc,
+)
+print(
+    'When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`,'
+    + " `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.\n",
+    file=doc,
+)
+
+# Print global settings
+print("## Global settings\n", file=doc)
+print(f"\n{stream_support('partial')}\n", file=doc)
+with open("src/common/settings.json", "r") as f:
+    print(print_md_table(loads(f.read())), file=doc)
+    print(file=doc)
+
+# Print core settings
+print("## Core settings\n", file=doc)
+core_settings = {}
+for core in glob("src/common/core/*/plugin.json"):
+    with open(core, "r") as f:
+        core_plugin = loads(f.read())
+        if len(core_plugin["settings"]) > 0:
+            core_settings[core_plugin["name"]] = core_plugin
+
+for name, data in dict(sorted(core_settings.items())).items():
+    print(f"### {data['name']}\n", file=doc)
+    print(f"{stream_support(data['stream'])}\n", file=doc)
+    print(f"{data['description']}\n", file=doc)
+    print(print_md_table(data["settings"]), file=doc)
+
+doc.seek(0)
+content = doc.read()
+doc = StringIO(content.replace("\\|", "|"))
+doc.seek(0)
+
+Path("docs", "settings.md").write_text(doc.read(), encoding="utf-8")

docs/migrating.md

@@ -0,0 +1,41 @@
+# Migrating from 1.4.X
+
+!!! warning "Read this if you were a 1.4.X user"
+
+    A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) folder of the repository.
+
+## Scheduler
+
+Back to the 1.4.X releases, jobs (like Let's Encrypt certificate generation/renewal or blacklists download) **were executed in the same container as BunkerWeb**. For the purpose of [separation of concerns](https://en.wikipedia.org/wiki/Separation_of_concerns), we decided to create a **separate service** which is now responsible for managing jobs.
+
+Called **Scheduler**, this service also generates the final configuration used by BunkerWeb and acts as an intermediary between autoconf and BunkerWeb. In other words, the scheduler is the **brain of the BunkerWeb 1.5.X stack**.
+
+You will find more information about the scheduler [here](concepts.md#scheduler).
+
+## Database
+
+BunkerWeb configuration is **no more stored in a plain file** (located at `/etc/nginx/variables.env` if you didn't know it). That's it, we now support a **fully-featured database as a backend** to store settings, cache, custom configs, ... 🥳
+
+Using a real database offers many advantages :
+
+- Backup of the current configuration
+- Usage with multiple services (scheduler, web UI, ...)
+- Upgrade to a new BunkerWeb version
+
+Please note that we actually support, **SQLite**, **MySQL**, **MariaDB** and **PostgreSQL** as backends.
+
+You will find more information about the database [here](concepts.md#database).
+
+## Redis
+
+When BunkerWeb 1.4.X was used in cluster mode (Swarm or Kubernetes integrations), **data were not shared among the nodes**. For example, if an attacker was banned via the "bad behavior" feature on a specific node, **he could still connect to the other nodes**.
+
+Security is not the only reason to have a shared data store for clustered integrations, **caching** is also another one. We can now **store results** of time-consuming operations like (reverse) dns lookups so they are **available for other nodes**.
+
+We actually support **Redis** as a backend for the shared data store.
+
+See the list of [redis settings](settings.md#redis) and the corresponding documentation of your integration for more information.
+
+## Default values and new settings
+
+The default value of some settings have changed and we have added many other settings, we recommend you read the [security tuning](security-tuning.md) and [settings](settings.md) sections of the documentation.

docs/misc/pdf.js

@@ -0,0 +1,49 @@
+const puppeteer = require('puppeteer');
+var args = process.argv.slice(2);
+var url = args[0];
+var pdfPath = args[1];
+var title = args[2];
+
+console.log('Saving', url, 'to', pdfPath);
+
+// date –  formatted print date
+// title – document title
+// url  – document location
+// pageNumber – current page number
+// totalPages – total pages in the document
+headerHtml = `
+<div style="font-size: 10px; text-align: center; width: 100%;">
+    <span>${title}</span>
+</div>`;
+
+footerHtml = `<div style="font-size: 10px; text-align: center; width: 100%;"><span class="pageNumber"></span> / <span class="totalPages"></span></div>`;
+
+
+(async() => {
+    const browser = await puppeteer.launch({
+        headless: true,
+        executablePath: process.env.CHROME_BIN || null,
+        args: ['--no-sandbox', '--headless', '--disable-gpu', '--disable-dev-shm-usage']
+    });
+
+    const page = await browser.newPage();
+    await page.goto(url, { waitUntil: 'networkidle2' });
+    await page.pdf({
+        path: pdfPath, // path to save pdf file
+        format: 'A4', // page format
+        displayHeaderFooter: true, // display header and footer (in this example, required!)
+        printBackground: true, // print background
+        landscape: false, // use horizontal page layout
+        headerTemplate: headerHtml, // indicate html template for header
+        footerTemplate: footerHtml,
+        scale: 1, //Scale amount must be between 0.1 and 2
+        margin: { // increase margins (in this example, required!)
+            top: 80,
+            bottom: 80,
+            left: 30,
+            right: 30
+        }
+    });
+
+    await browser.close();
+})();

docs/overrides/main.html

@@ -0,0 +1,22 @@
+{% extends "base.html" %}
+
+{% block outdated %}
+  You're not viewing the documentation of the latest version.
+  <a href="{{ '../' ~ base_url }}">
+    <strong>Click here to view latest.</strong>
+  </a>
+{% endblock %}
+
+{% block announce %}
+  📢 Looking for tailored support, consulting or development for BunkerWeb ?
+  Contact us at <a href="mailto:contact@bunkerity.com" style="color: #3f6ec6; text-decoration: underline">contact@bunkerity.com</a> for enterprise offers !
+{% endblock %}
+
+{% block libs %}
+<script
+  async
+  defer
+  data-domain="docs.bunkerweb.io"
+  src="https://data.bunkerity.com/js/script.js"
+></script>
+{% endblock %}

docs/package.json

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "puppeteer": "^21.3.6"
+  }
+}

docs/plugins.md

@@ -0,0 +1,557 @@
+# Plugins
+
+BunkerWeb comes with a plugin system making it possible to easily add new features. Once a plugin is installed, you can manage it using additional settings defined by the plugin.
+
+## Official plugins
+
+Here is the list of "official" plugins that we maintain (see the [bunkerweb-plugins](https://github.com/bunkerity/bunkerweb-plugins) repository for more information) :
+
+|      Name      | Version | Description                                                                                                                      |                                                 Link                                                  |
+| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
+|   **ClamAV**   |   1.2   | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. |     [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav)     |
+| **Coraza** |   1.2   | Inspect requests using a the Coraza WAF (alternative of ModSecurity).           | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
+|  **CrowdSec**  |   1.2   | CrowdSec bouncer for BunkerWeb.                                                                                                  |   [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec)   |
+| **Discord** | 1.2 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
+| **Slack** | 1.2 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
+| **VirusTotal** |   1.2   | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious.          | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
+| **WebHook** | 1.2 | Send security notifications to a custom HTTP endpoint using a	Webhook. | [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
+
+## How to use a plugin
+
+### Automatic
+
+If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).
+
+You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.2.zip`
+
+### Manual
+
+The first step is to install the plugin by putting the plugin files inside the corresponding `plugins` data folder, the procedure depends on your integration :
+
+=== "Docker"
+
+    When using the [Docker integration](integrations.md#docker), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
+
+    The first thing to do is to create the plugins folder :
+
+    ```shell
+    mkdir -p ./bw-data/plugins
+    ```
+
+    Then, you can drop the plugins of your choice into that folder :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins && \
+    cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
+    ```
+
+    Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
+
+    ```shell
+    chown -R 101:101 ./bw-data
+    ```
+
+    Then you can mount the volume when starting your Docker stack :
+
+    ```yaml
+    version: '3.5'
+    services:
+    ...
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        volumes:
+          - ./bw-data:/data
+    ...
+    ```
+
+=== "Docker autoconf"
+
+    When using the [Docker autoconf integration](integrations.md#docker-autoconf), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
+
+
+    The first thing to do is to create the plugins folder :
+
+    ```shell
+    mkdir -p ./bw-data/plugins
+    ```
+
+    Then, you can drop the plugins of your choice into that folder :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins && \
+    cp -rp ./bunkerweb-plugins/* ./bw-data/plugins
+    ```
+
+    Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
+
+    ```shell
+    chown -R 101:101 ./bw-data
+    ```
+
+    Then you can mount the volume when starting your Docker stack :
+
+    ```yaml
+    version: '3.5'
+    services:
+    ...
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        volumes:
+          - ./bw-data:/data
+    ...
+    ```
+
+=== "Swarm"
+
+    When using the [Swarm integration](integrations.md#swarm), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
+
+    !!! info "Swarm volume"
+        Configuring a Swarm volume that will persist when the scheduler service is running on different nodes is not covered is in this documentation. We will assume that you have a shared folder mounted on `/shared` across all nodes.
+
+    The first thing to do is to create the plugins folder :
+
+    ```shell
+    mkdir -p /shared/bw-plugins
+    ```
+
+    Then, you can drop the plugins of your choice into that folder :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins && \
+    cp -rp ./bunkerweb-plugins/* /shared/bw-plugins
+    ```
+
+    Because the scheduler runs as an unprivileged user with UID and GID 101, you will need to edit the permissions :
+
+    ```shell
+    chown -R 101:101 /shared/bw-plugins
+    ```
+
+    Then you can mount the volume when starting your Swarm stack :
+
+    ```yaml
+    version: '3.5'
+    services:
+    ...
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        volumes:
+          - /shared/bw-plugins:/data/plugins
+    ...
+    ```
+
+=== "Kubernetes"
+
+    When using the [Kubernetes integration](integrations.md#kubernetes), plugins must be written to the volume mounted on `/data/plugins` into the scheduler container.
+
+    The fist thing to do is to declare a [PersistentVolumeClaim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that will contain our plugins data :
+
+    ```yaml
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: pvc-bunkerweb-plugins
+    spec:
+      accessModes:
+        - ReadWriteOnce
+    resources:
+      requests:
+        storage: 5Gi
+    ```
+
+    You can now add the volume mount and an init containers to automatically provision the volume :
+
+    ```yaml
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-scheduler
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-scheduler
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-scheduler
+        spec:
+          serviceAccountName: sa-bunkerweb
+          containers:
+            - name: bunkerweb-scheduler
+              image: bunkerity/bunkerweb-scheduler:1.5.3
+              imagePullPolicy: Always
+              env:
+                - name: KUBERNETES_MODE
+                  value: "yes"
+                - name: "DATABASE_URI"
+                  value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
+              volumeMounts:
+                - mountPath: "/data/plugins"
+                  name: vol-plugins
+          initContainers:
+            - name: bunkerweb-scheduler-init
+              image: alpine/git
+              command: ["/bin/sh", "-c"]
+              args: ["git clone https://github.com/bunkerity/bunkerweb-plugins /data/plugins && chown -R 101:101 /data/plugins"]
+              volumeMounts:
+                - mountPath: "/data/plugins"
+                  name: vol-plugins
+          volumes:
+            - name: vol-plugins
+              persistentVolumeClaim:
+                claimName: pvc-bunkerweb-plugins
+    ```
+
+=== "Linux"
+
+    When using the [Linux integration](integrations.md#linux), plugins must be written to the `/etc/bunkerweb/plugins` folder :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins && \
+    cp -rp ./bunkerweb-plugins/* /etc/bunkerweb/plugins && \
+    chown -R nginx:nginx /etc/bunkerweb/plugins
+    ```
+
+=== "Ansible"
+
+    When using the [Ansible integration](integrations.md#ansible), you can use the `plugins` variable to set a local folder containing your plugins that will be copied to your BunkerWeb instances.
+
+    Let's assume that you have plugins inside the `bunkerweb-plugins` folder :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins
+    ```
+
+    In your Ansible inventory, you can use the `plugins` variable to set the path of plugins folder :
+
+    ```ini
+    [mybunkers]
+    192.168.0.42 ... custom_plugins="{{ playbook_dir }}/bunkerweb-plugins"
+    ```
+
+    Or alternatively, in your playbook file :
+
+    ```yaml
+    - hosts: all
+      become: true
+      vars:
+      - custom_plugins: "{{ playbook_dir }}/bunkerweb-plugins"
+      roles:
+      - bunkerity.bunkerweb
+    ```
+
+    Run the playbook :
+
+    ```shell
+    ansible-playbook -i inventory.yml playbook.yml
+    ```
+
+=== "Vagrant"
+
+    When using the [Vagrant integration](integrations.md#vagrant), plugins must be written to the `/etc/bunkerweb/plugins` folder (you will need to do a `vagrant ssh` first) :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb-plugins && \
+    cp -rp ./bunkerweb-plugins/* /etc/bunkerweb/plugins
+    ```
+
+## Writing a plugin
+
+!!! tip "Existing plugins"
+
+    If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
+
+The first step is to create a folder that will contain the plugin :
+
+```shell
+mkdir myplugin && \
+cd myplugin
+```
+
+### Metadata
+
+A file named **plugin.json** and written at the root of the plugin folder must contain metadata about the plugin. Here is an example :
+
+```json
+{
+  "id": "myplugin",
+  "name": "My Plugin",
+  "description": "Just an example plugin.",
+  "version": "1.0",
+  "stream": "partial",
+  "settings": {
+    "DUMMY_SETTING": {
+      "context": "multisite",
+      "default": "1234",
+      "help": "Here is the help of the setting.",
+      "id": "dummy-id",
+      "label": "Dummy setting",
+      "regex": "^.*$",
+      "type": "text"
+    }
+  },
+  "jobs": [
+    {
+      "name": "my-job",
+      "file": "my-job.py",
+      "every": "hour"
+    }
+  ]
+}
+```
+
+Here are the details of the fields :
+
+|     Field     | Mandatory |  Type  | Description                                                                                                                                                                                        |
+| :-----------: | :-------: | :----: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|     `id`      |    yes    | string | Internal ID for the plugin : must be unique among other plugins (including "core" ones) and contain only lowercase chars.                                                                          |
+|    `name`     |    yes    | string | Name of your plugin.                                                                                                                                                                               |
+| `description` |    yes    | string | Description of your plugin.                                                                                                                                                                        |
+|   `version`   |    yes    | string | Version of your plugin.                                                                                                                                                                            |
+|   `stream`    |    yes    | string | Information about stream support : `no`, `yes` or `partial`.
+|  `settings`   |    yes    |  dict  | List of the settings of your plugin.                                                                                                                                                               |
+|    `jobs`     |    no     |  list  | List of the jobs of your plugin.                                                                                                                                                                   |
+
+Each setting has the following fields (the key is the ID of the settings used in a configuration) :
+
+|   Field    | Mandatory |  Type  | Description                                                  |
+| :--------: | :-------: | :----: | :----------------------------------------------------------- |
+| `context`  |    yes    | string | Context of the setting : `multisite` or `global`.            |
+| `default`  |    yes    | string | The default value of the setting.                            |
+|   `help`   |    yes    | string | Help text about the plugin (shown in web UI).                |
+|    `id`    |    yes    | string | Internal ID used by the web UI for HTML elements.            |
+|  `label`   |    yes    | string | Label shown by the web UI.                                   |
+|  `regex`   |    yes    | string | The regex used to validate the value provided by the user.   |
+|   `type`   |    yes    | string | The type of the field : `text`, `check`, `select` or `password`.         |
+| `multiple` |    no     | string | Unique ID to group multiple settings with numbers as suffix. |
+|  `select`  |    no     |  list  | List of possible string values when `type` is `select`.      |
+
+Each job has the following fields :
+
+|  Field  | Mandatory |  Type  | Description                                                                                                                             |
+| :-----: | :-------: | :----: | :-------------------------------------------------------------------------------------------------------------------------------------- |
+| `name`  |    yes    | string | Name of the job.                                                                                                                        |
+| `file`  |    yes    | string | Name of the file inside the jobs folder.                                                                                                |
+| `every` |    yes    | string | Job scheduling frequency : `minute`, `hour`, `day`, `week` or `once` (no frequency, only once before (re)generating the configuration). |
+
+### Configurations
+
+You can add custom NGINX configurations by adding a folder named **confs** with content similar to the [custom configurations](quickstart-guide.md#custom-configurations). Each subfolder inside the **confs** will contain [jinja2](https://jinja.palletsprojects.com) templates that will be generated and loaded at the corresponding context (`http`, `server-http`, `default-server-http`, `stream` and `server-stream`).
+
+Here is an example for a configuration template file inside the **confs/server-http** folder named **example.conf** :
+
+```conf
+location /setting {
+	default_type 'text/plain';
+    content_by_lua_block {
+        ngx.say('{{ DUMMY_SETTING }}')
+    }
+}
+```
+
+`{{ DUMMY_SETTING }}` will be replaced by the value of the `DUMMY_SETTING` chosen by the user of the plugin.
+
+### LUA
+
+#### Main script
+
+Under the hood, BunkerWeb is using the [NGINX LUA module](https://github.com/openresty/lua-nginx-module) to execute code within NGINX. Plugins that need to execute code must provide a lua file at the root directory of the plugin folder using the `id` value of **plugin.json** as its name. Here is an example named **myplugin.lua** :
+
+```lua
+local class     = require "middleclass"
+local plugin    = require "bunkerweb.plugin"
+local utils     = require "bunkerweb.utils"
+
+
+local myplugin = class("myplugin", plugin)
+
+
+function myplugin:initialize()
+    plugin.initialize(self, "myplugin")
+    self.dummy = "dummy"
+end
+
+function myplugin:init()
+    self.logger:log(ngx.NOTICE, "init called")
+    return self:ret(true, "success")
+end
+
+function myplugin:set()
+    self.logger:log(ngx.NOTICE, "set called")
+    return self:ret(true, "success")
+end
+
+function myplugin:access()
+    self.logger:log(ngx.NOTICE, "access called")
+    return self:ret(true, "success")
+end
+
+function myplugin:log()
+    self.logger:log(ngx.NOTICE, "log called")
+    return self:ret(true, "success")
+end
+
+function myplugin:log_default()
+    self.logger:log(ngx.NOTICE, "log_default called")
+    return self:ret(true, "success")
+end
+
+function myplugin:preread()
+    self.logger:log(ngx.NOTICE, "preread called")
+    return self:ret(true, "success")
+end
+
+function myplugin:log_stream()
+    self.logger:log(ngx.NOTICE, "log_stream called")
+    return self:ret(true, "success")
+end
+
+return myplugin
+```
+
+The declared functions are automatically called during specific contexts. Here are the details of each function :
+
+| Function |                                   Context                                    | Description                                                                                                                                               | Return value                                                                                                                                                                                                                                                                                                                            |
+| :------: | :--------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|  `init`  |   [init_by_lua](https://github.com/openresty/lua-nginx-module#init_by_lua)   | Called when NGINX just started or received a reload order. the typical use case is to prepare any data that will be used by your plugin.                  | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>|
+|  `set`  |   [set_by_lua](https://github.com/openresty/lua-nginx-module#set_by_lua)   | Called before each request received by the server.The typical use case is for computing before access phase.                 | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>|
+| `access` | [access_by_lua](https://github.com/openresty/lua-nginx-module#access_by_lua) | Called on each request received by the server. The typical use case is to do the security checks here and deny the request if needed.                     | `ret`, `msg`,`status`,`redirect`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li><li>`status` (number) : interrupt current process and return [HTTP status](https://github.com/openresty/lua-nginx-module#http-status-constants)</li><li>`redirect` (URL) : if set will redirect to given URL</li></ul> |
+|  `log`   |    [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua)    | Called when a request has finished (and before it gets logged to the access logs). The typical use case is to make stats or compute counters for example. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>                                                                                                                                                                                                           |
+|  `log_default`   |    [log_by_lua](https://github.com/openresty/lua-nginx-module#log_by_lua)    | Same as `log` but only called on the default server. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul>                                                                                                                                                                                                           |
+| `preread` | [preread_by_lua](https://github.com/openresty/stream-lua-nginx-module#preread_by_lua_block) | Similar to the `access` function but for stream mode. | `ret`, `msg`,`status`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li><li>`status` (number) : interrupt current process and return [status](https://github.com/openresty/lua-nginx-module#http-status-constants)</li></ul> |
+| `log_stream` | [log_by_lua](https://github.com/openresty/stream-lua-nginx-module#log_by_lua_block) | Similar to the `log` function but for stream mode. | `ret`, `msg`<ul><li>`ret` (boolean) : true if no error or else false</li><li>`msg` (string) : success or error message</li></ul> |
+
+#### Libraries
+
+All directives from [NGINX LUA module](https://github.com/openresty/lua-nginx-module) and are available and [NGINX stream LUA module](https://github.com/openresty/stream-lua-nginx-module). On top of that, you can use the LUA libraries included within BunkerWeb : see [this script](https://github.com/bunkerity/bunkerweb/blobsrc/deps/clone.sh) for the complete list.
+
+If you need additional libraries, you can put them in the root folder of the plugin and access them by prefixing them with your plugin ID. Here is an example file named **mylibrary.lua** :
+
+```lua
+local _M = {}
+
+_M.dummy = function ()
+	return "dummy"
+end
+
+return _M
+```
+
+And here is how you can use it from the **myplugin.lua** file :
+
+```lua
+local mylibrary = require "myplugin.mylibrary"
+
+...
+
+mylibrary.dummy()
+
+...
+```
+
+#### Helpers
+
+Some helpers modules provide common helpful helpers :
+
+- `self.variables` : allows to access and store plugins' attributes
+- `self.logger` : print logs
+- `bunkerweb.utils` : various useful functions
+- `bunkerweb.datastore` : access the global shared data on one instance (key/value store)
+- `bunkerweb.clusterstore` : access a Redis data store shared between BunkerWeb instances (key/value store)
+
+To access the functions, you first need to **require** the modules :
+
+```lua
+local utils       = require "bunkerweb.utils"
+local datastore   = require "bunkerweb.datastore"
+local clustestore = require "bunkerweb.clustertore"
+```
+
+Retrieve a setting value :
+
+```lua
+local myvar = self.variables["DUMMY_SETTING"]
+if not myvar then
+    self.logger:log(ngx.ERR, "can't retrieve setting DUMMY_SETTING")
+else
+    self.logger:log(ngx.NOTICE, "DUMMY_SETTING = " .. value)
+end
+```
+
+Store something in the local cache :
+
+```lua
+local ok, err = self.datastore:set("plugin_myplugin_something", "somevalue")
+if not ok then
+    self.logger:log(ngx.ERR, "can't save plugin_myplugin_something into datastore : " .. err)
+else
+    self.logger:log(ngx.NOTICE, "successfully saved plugin_myplugin_something into datastore")
+end
+```
+
+Check if an IP address is global :
+
+```lua
+local ret, err = utils.ip_is_global(ngx.ctx.bw.remote_addr)
+if ret == nil then
+    self.logger:log(ngx.ERR, "error while checking if IP " .. ngx.ctx.bw.remote_addr .. " is global or not : " .. err)
+elseif not ret then
+    self.logger:log(ngx.NOTICE, "IP " .. ngx.ctx.bw.remote_addr .. " is not global")
+else
+    self.logger:log(ngx.NOTICE, "IP " .. ngx.ctx.bw.remote_addr .. " is global")
+end
+```
+
+!!! tip "More examples"
+
+    If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/src/bw/lua/bunkerweb) of the repository.
+
+### Jobs
+
+BunkerWeb uses an internal job scheduler for periodic tasks like renewing certificates with certbot, downloading blacklists, downloading MMDB files, ... You can add tasks of your choice by putting them inside a subfolder named **jobs** and listing them in the **plugin.json** metadata file. Don't forget to add the execution permissions for everyone to avoid any problems when a user is cloning and installing your plugin.
+
+### Plugin page
+
+Plugin pages are used to display information about your plugin and interact with the user inside the plugins section of the [web UI](web-ui.md).
+
+Everything related to the web UI is located inside a subfolder named **ui** at the root directory of your plugin. A template file named **template.html** and located inside the **ui** subfolder contains the client code and logic to display your page. Another file named **actions.py** and also located inside the **ui** subfolder contains code that will be executed when the user is interacting with your page (filling a form for example).
+
+!!! info "Jinja 2 template"
+    The **template.html** file is a Jinja2 template, please refer to the [Jinja2 documentation](https://jinja.palletsprojects.com) if needed.
+
+A plugin page can have a form that is used to submit data to the plugin. To get the values of the form, you need to put a **actions.py** file in the **ui** folder. Inside the file, **you must define a function that has the same name as the plugin**. This function will be called when the form is submitted. You can then use the **request** object (from the [Flask library](https://flask.palletsprojects.com)) to get the values of the form. The form's action must finish with **/plugins/<*plugin_id*>**. The helper function `url_for` will generate for you the prefix of the URL : `{{ url_for('plugins') }}/plugin_id`.
+
+If you want to display variables generated from your **actions.py** in your template file, you can return a dictionary with variables name as keys and variables value as values. Here is dummy example where we return a single variable :
+
+```python
+def myplugin() :
+	return {"foo": "bar"}
+```
+
+And we display it in the **template.html** file :
+```html
+{% if foo %}
+Content of foo is : {{ foo }}.
+{% endif %}
+```
+
+Please note that every form submission is protected via a CSRF token, you will need to include the following snippet into your forms :
+```html
+<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+```
+
+Retrieving user submitted data is pretty simple, thanks to the request module provided by Flask :
+
+```python
+from flask import request
+
+def myplugin() :
+	my_form_value = request.form["my_form_input"]
+```
+
+!!! info "Python libraries"
+    You can use Python libraries that are already available like :
+    `Flask`, `Flask-Login`, `Flask-WTF`, `beautifulsoup4`, `docker`, `Jinja2`, `python-magic` and `requests`. To see the full list, you can have a look at the Web UI [requirements.txt](https://github.com/bunkerity/bunkerweb/blobsrc/ui/requirements.txt). If you need external libraries, you can install them inside the **ui** folder of your plugin and then use the classical **import** directive.

docs/requirements.in

@@ -0,0 +1,5 @@
+mike==2.0.0
+mkdocs==1.5.3
+mkdocs-material==9.4.8
+mkdocs-print-site-plugin==2.3.6
+pytablewriter==1.2.0

docs/requirements.txt

@@ -0,0 +1,527 @@
+#
+# This file is autogenerated by pip-compile with Python 3.9
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes --strip-extras requirements.in
+#
+babel==2.13.1 \
+    --hash=sha256:33e0952d7dd6374af8dbf6768cc4ddf3ccfefc244f9986d4074704f2fbd18900 \
+    --hash=sha256:7077a4984b02b6727ac10f1f7294484f737443d7e2e66c5e4380e41a3ae0b4ed
+    # via mkdocs-material
+certifi==2023.7.22 \
+    --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \
+    --hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9
+    # via requests
+chardet==5.2.0 \
+    --hash=sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7 \
+    --hash=sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970
+    # via mbstrdecoder
+charset-normalizer==3.3.2 \
+    --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \
+    --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \
+    --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \
+    --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \
+    --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \
+    --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \
+    --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \
+    --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \
+    --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \
+    --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \
+    --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \
+    --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \
+    --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \
+    --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \
+    --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \
+    --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \
+    --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \
+    --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \
+    --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \
+    --hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \
+    --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \
+    --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \
+    --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \
+    --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \
+    --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \
+    --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \
+    --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \
+    --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \
+    --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \
+    --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \
+    --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \
+    --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \
+    --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \
+    --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \
+    --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \
+    --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \
+    --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \
+    --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \
+    --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \
+    --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \
+    --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \
+    --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \
+    --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \
+    --hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \
+    --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \
+    --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \
+    --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \
+    --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \
+    --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \
+    --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \
+    --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \
+    --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \
+    --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \
+    --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \
+    --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \
+    --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \
+    --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \
+    --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \
+    --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \
+    --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \
+    --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \
+    --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \
+    --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \
+    --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \
+    --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \
+    --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \
+    --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \
+    --hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \
+    --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \
+    --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \
+    --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \
+    --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \
+    --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \
+    --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \
+    --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \
+    --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \
+    --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \
+    --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \
+    --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \
+    --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \
+    --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \
+    --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \
+    --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \
+    --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \
+    --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \
+    --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \
+    --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \
+    --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \
+    --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
+    --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
+    # via requests
+click==8.1.7 \
+    --hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
+    --hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
+    # via mkdocs
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via mkdocs-material
+dataproperty==1.0.1 \
+    --hash=sha256:0b8b07d4fb6453fcf975b53d35dea41f3cfd69c9d79b5010c3cf224ff0407a7a \
+    --hash=sha256:723e5729fa6e885e127a771a983ee1e0e34bb141aca4ffe1f0bfa7cde34650a4
+    # via
+    #   pytablewriter
+    #   tabledata
+ghp-import==2.1.0 \
+    --hash=sha256:8337dd7b50877f163d4c0289bc1f1c7f127550241988d568c1db512c4324a619 \
+    --hash=sha256:9c535c4c61193c2df8871222567d7fd7e5014d835f97dc7b7439069e2413d343
+    # via mkdocs
+idna==3.4 \
+    --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \
+    --hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2
+    # via requests
+importlib-metadata==6.8.0 \
+    --hash=sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb \
+    --hash=sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743
+    # via
+    #   markdown
+    #   mike
+    #   mkdocs
+importlib-resources==6.1.1 \
+    --hash=sha256:3893a00122eafde6894c59914446a512f728a0c1a45f9bb9b63721b6bacf0b4a \
+    --hash=sha256:e8bf90d8213b486f428c9c39714b920041cb02c184686a3dee24905aaa8105d6
+    # via mike
+jinja2==3.1.2 \
+    --hash=sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852 \
+    --hash=sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61
+    # via
+    #   mike
+    #   mkdocs
+    #   mkdocs-material
+markdown==3.5.1 \
+    --hash=sha256:5874b47d4ee3f0b14d764324d2c94c03ea66bee56f2d929da9f2508d65e722dc \
+    --hash=sha256:b65d7beb248dc22f2e8a31fb706d93798093c308dc1aba295aedeb9d41a813bd
+    # via
+    #   mkdocs
+    #   mkdocs-material
+    #   pymdown-extensions
+markupsafe==2.1.3 \
+    --hash=sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e \
+    --hash=sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e \
+    --hash=sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431 \
+    --hash=sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686 \
+    --hash=sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c \
+    --hash=sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559 \
+    --hash=sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc \
+    --hash=sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb \
+    --hash=sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939 \
+    --hash=sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c \
+    --hash=sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0 \
+    --hash=sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4 \
+    --hash=sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9 \
+    --hash=sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575 \
+    --hash=sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba \
+    --hash=sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d \
+    --hash=sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd \
+    --hash=sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3 \
+    --hash=sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00 \
+    --hash=sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155 \
+    --hash=sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac \
+    --hash=sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52 \
+    --hash=sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f \
+    --hash=sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8 \
+    --hash=sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b \
+    --hash=sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007 \
+    --hash=sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24 \
+    --hash=sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea \
+    --hash=sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198 \
+    --hash=sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0 \
+    --hash=sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee \
+    --hash=sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be \
+    --hash=sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2 \
+    --hash=sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1 \
+    --hash=sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707 \
+    --hash=sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6 \
+    --hash=sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c \
+    --hash=sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58 \
+    --hash=sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823 \
+    --hash=sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779 \
+    --hash=sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636 \
+    --hash=sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c \
+    --hash=sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad \
+    --hash=sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee \
+    --hash=sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc \
+    --hash=sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2 \
+    --hash=sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48 \
+    --hash=sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7 \
+    --hash=sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e \
+    --hash=sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b \
+    --hash=sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa \
+    --hash=sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5 \
+    --hash=sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e \
+    --hash=sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb \
+    --hash=sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9 \
+    --hash=sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57 \
+    --hash=sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc \
+    --hash=sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc \
+    --hash=sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2 \
+    --hash=sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11
+    # via
+    #   jinja2
+    #   mkdocs
+mbstrdecoder==1.1.3 \
+    --hash=sha256:d66c1ed3f2dc4e7c5d87cd44a75be10bc5af4250f95b38bbaedd7851308ce938 \
+    --hash=sha256:dcfd2c759322eb44fe193a9e0b1b86c5b87f3ec5ea8e1bb43b3e9ae423f1e8fe
+    # via
+    #   dataproperty
+    #   pytablewriter
+    #   typepy
+mergedeep==1.3.4 \
+    --hash=sha256:0096d52e9dad9939c3d975a774666af186eda617e6ca84df4c94dec30004f2a8 \
+    --hash=sha256:70775750742b25c0d8f36c55aed03d24c3384d17c951b3175d898bd778ef0307
+    # via mkdocs
+mike==2.0.0 \
+    --hash=sha256:566f1cab1a58cc50b106fb79ea2f1f56e7bfc8b25a051e95e6eaee9fba0922de \
+    --hash=sha256:87f496a65900f93ba92d72940242b65c86f3f2f82871bc60ebdcffc91fad1d9e
+    # via -r requirements.in
+mkdocs==1.5.3 \
+    --hash=sha256:3b3a78e736b31158d64dbb2f8ba29bd46a379d0c6e324c2246c3bc3d2189cfc1 \
+    --hash=sha256:eb7c99214dcb945313ba30426c2451b735992c73c2e10838f76d09e39ff4d0e2
+    # via
+    #   -r requirements.in
+    #   mike
+    #   mkdocs-material
+mkdocs-material==9.4.8 \
+    --hash=sha256:8b20f6851bddeef37dced903893cd176cf13a21a482e97705a103c45f06ce9b9 \
+    --hash=sha256:f0c101453e8bc12b040e8b64ca39a405d950d8402609b1378cc2b98976e74b5f
+    # via
+    #   -r requirements.in
+    #   mkdocs-print-site-plugin
+mkdocs-material-extensions==1.3 \
+    --hash=sha256:0297cc48ba68a9fdd1ef3780a3b41b534b0d0df1d1181a44676fda5f464eeadc \
+    --hash=sha256:f0446091503acb110a7cab9349cbc90eeac51b58d1caa92a704a81ca1e24ddbd
+    # via mkdocs-material
+mkdocs-print-site-plugin==2.3.6 \
+    --hash=sha256:01ccb1ceccc87f29e1612bebb77c3bf9980809fbce750fc2113f9d6acea589d4 \
+    --hash=sha256:82e5cabcfb7fe3074daecea018f28ccb4bff086f965e3103fe91019a76752f22
+    # via -r requirements.in
+packaging==23.2 \
+    --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
+    --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
+    # via
+    #   mkdocs
+    #   typepy
+paginate==0.5.6 \
+    --hash=sha256:5e6007b6a9398177a7e1648d04fdd9f8c9766a1a945bceac82f1929e8c78af2d
+    # via mkdocs-material
+pathspec==0.11.2 \
+    --hash=sha256:1d6ed233af05e679efb96b1851550ea95bbb64b7c490b0f5aa52996c11e92a20 \
+    --hash=sha256:e0d8d0ac2f12da61956eb2306b69f9469b42f4deb0f3cb6ed47b9cce9996ced3
+    # via mkdocs
+pathvalidate==3.2.0 \
+    --hash=sha256:5e8378cf6712bff67fbe7a8307d99fa8c1a0cb28aa477056f8fc374f0dff24ad \
+    --hash=sha256:cc593caa6299b22b37f228148257997e2fa850eea2daf7e4cc9205cef6908dee
+    # via pytablewriter
+platformdirs==4.0.0 \
+    --hash=sha256:118c954d7e949b35437270383a3f2531e99dd93cf7ce4dc8340d3356d30f173b \
+    --hash=sha256:cb633b2bcf10c51af60beb0ab06d2f1d69064b43abf4c185ca6b28865f3f9731
+    # via mkdocs
+pygments==2.16.1 \
+    --hash=sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692 \
+    --hash=sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29
+    # via mkdocs-material
+pymdown-extensions==10.4 \
+    --hash=sha256:bc46f11749ecd4d6b71cf62396104b4a200bad3498cb0f5dad1b8502fe461a35 \
+    --hash=sha256:cfc28d6a09d19448bcbf8eee3ce098c7d17ff99f7bd3069db4819af181212037
+    # via mkdocs-material
+pyparsing==3.1.1 \
+    --hash=sha256:32c7c0b711493c72ff18a981d24f28aaf9c1fb7ed5e9667c9e84e3db623bdbfb \
+    --hash=sha256:ede28a1a32462f5a9705e07aea48001a08f7cf81a021585011deba701581a0db
+    # via mike
+pytablewriter==1.2.0 \
+    --hash=sha256:0204a4bb684a22140d640f2599f09e137bcdc18b3dd49426f4a555016e246b46 \
+    --hash=sha256:4a30e2bb4bf5bc1069b1d2b2bc41947577c4517ab0875b23a5b194d296f543d8
+    # via -r requirements.in
+python-dateutil==2.8.2 \
+    --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \
+    --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
+    # via
+    #   ghp-import
+    #   typepy
+pytz==2023.3.post1 \
+    --hash=sha256:7b4fddbeb94a1eba4b557da24f19fdf9db575192544270a9101d8509f9f43d7b \
+    --hash=sha256:ce42d816b81b68506614c11e8937d3aa9e41007ceb50bfdcb0749b921bf646c7
+    # via typepy
+pyyaml==6.0.1 \
+    --hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \
+    --hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \
+    --hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \
+    --hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \
+    --hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \
+    --hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \
+    --hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \
+    --hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \
+    --hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \
+    --hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \
+    --hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \
+    --hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \
+    --hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \
+    --hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \
+    --hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \
+    --hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \
+    --hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \
+    --hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \
+    --hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \
+    --hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \
+    --hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \
+    --hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \
+    --hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \
+    --hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \
+    --hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \
+    --hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \
+    --hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \
+    --hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \
+    --hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \
+    --hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \
+    --hash=sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd \
+    --hash=sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3 \
+    --hash=sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0 \
+    --hash=sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515 \
+    --hash=sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c \
+    --hash=sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c \
+    --hash=sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924 \
+    --hash=sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34 \
+    --hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \
+    --hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \
+    --hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \
+    --hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \
+    --hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \
+    --hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \
+    --hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \
+    --hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \
+    --hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \
+    --hash=sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585 \
+    --hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
+    --hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
+    # via
+    #   mike
+    #   mkdocs
+    #   pymdown-extensions
+    #   pyyaml-env-tag
+pyyaml-env-tag==0.1 \
+    --hash=sha256:70092675bda14fdec33b31ba77e7543de9ddc88f2e5b99160396572d11525bdb \
+    --hash=sha256:af31106dec8a4d68c60207c1886031cbf839b68aa7abccdb19868200532c2069
+    # via mkdocs
+regex==2023.10.3 \
+    --hash=sha256:00ba3c9818e33f1fa974693fb55d24cdc8ebafcb2e4207680669d8f8d7cca79a \
+    --hash=sha256:00e871d83a45eee2f8688d7e6849609c2ca2a04a6d48fba3dff4deef35d14f07 \
+    --hash=sha256:06e9abc0e4c9ab4779c74ad99c3fc10d3967d03114449acc2c2762ad4472b8ca \
+    --hash=sha256:0b9ac09853b2a3e0d0082104036579809679e7715671cfbf89d83c1cb2a30f58 \
+    --hash=sha256:0d47840dc05e0ba04fe2e26f15126de7c755496d5a8aae4a08bda4dd8d646c54 \
+    --hash=sha256:0f649fa32fe734c4abdfd4edbb8381c74abf5f34bc0b3271ce687b23729299ed \
+    --hash=sha256:107ac60d1bfdc3edb53be75e2a52aff7481b92817cfdddd9b4519ccf0e54a6ff \
+    --hash=sha256:11175910f62b2b8c055f2b089e0fedd694fe2be3941b3e2633653bc51064c528 \
+    --hash=sha256:12bd4bc2c632742c7ce20db48e0d99afdc05e03f0b4c1af90542e05b809a03d9 \
+    --hash=sha256:16f8740eb6dbacc7113e3097b0a36065a02e37b47c936b551805d40340fb9971 \
+    --hash=sha256:1c0e8fae5b27caa34177bdfa5a960c46ff2f78ee2d45c6db15ae3f64ecadde14 \
+    --hash=sha256:2c54e23836650bdf2c18222c87f6f840d4943944146ca479858404fedeb9f9af \
+    --hash=sha256:3367007ad1951fde612bf65b0dffc8fd681a4ab98ac86957d16491400d661302 \
+    --hash=sha256:36362386b813fa6c9146da6149a001b7bd063dabc4d49522a1f7aa65b725c7ec \
+    --hash=sha256:39807cbcbe406efca2a233884e169d056c35aa7e9f343d4e78665246a332f597 \
+    --hash=sha256:39cdf8d141d6d44e8d5a12a8569d5a227f645c87df4f92179bd06e2e2705e76b \
+    --hash=sha256:3b2c3502603fab52d7619b882c25a6850b766ebd1b18de3df23b2f939360e1bd \
+    --hash=sha256:3ccf2716add72f80714b9a63899b67fa711b654be3fcdd34fa391d2d274ce767 \
+    --hash=sha256:3fef4f844d2290ee0ba57addcec17eec9e3df73f10a2748485dfd6a3a188cc0f \
+    --hash=sha256:4023e2efc35a30e66e938de5aef42b520c20e7eda7bb5fb12c35e5d09a4c43f6 \
+    --hash=sha256:4a3ee019a9befe84fa3e917a2dd378807e423d013377a884c1970a3c2792d293 \
+    --hash=sha256:4a8bf76e3182797c6b1afa5b822d1d5802ff30284abe4599e1247be4fd6b03be \
+    --hash=sha256:4a992f702c9be9c72fa46f01ca6e18d131906a7180950958f766c2aa294d4b41 \
+    --hash=sha256:4c34d4f73ea738223a094d8e0ffd6d2c1a1b4c175da34d6b0de3d8d69bee6bcc \
+    --hash=sha256:4cd1bccf99d3ef1ab6ba835308ad85be040e6a11b0977ef7ea8c8005f01a3c29 \
+    --hash=sha256:4ef80829117a8061f974b2fda8ec799717242353bff55f8a29411794d635d964 \
+    --hash=sha256:58837f9d221744d4c92d2cf7201c6acd19623b50c643b56992cbd2b745485d3d \
+    --hash=sha256:5a8f91c64f390ecee09ff793319f30a0f32492e99f5dc1c72bc361f23ccd0a9a \
+    --hash=sha256:5addc9d0209a9afca5fc070f93b726bf7003bd63a427f65ef797a931782e7edc \
+    --hash=sha256:6239d4e2e0b52c8bd38c51b760cd870069f0bdf99700a62cd509d7a031749a55 \
+    --hash=sha256:66e2fe786ef28da2b28e222c89502b2af984858091675044d93cb50e6f46d7af \
+    --hash=sha256:69c0771ca5653c7d4b65203cbfc5e66db9375f1078689459fe196fe08b7b4930 \
+    --hash=sha256:6ac965a998e1388e6ff2e9781f499ad1eaa41e962a40d11c7823c9952c77123e \
+    --hash=sha256:6c56c3d47da04f921b73ff9415fbaa939f684d47293f071aa9cbb13c94afc17d \
+    --hash=sha256:6f85739e80d13644b981a88f529d79c5bdf646b460ba190bffcaf6d57b2a9863 \
+    --hash=sha256:706e7b739fdd17cb89e1fbf712d9dc21311fc2333f6d435eac2d4ee81985098c \
+    --hash=sha256:741ba2f511cc9626b7561a440f87d658aabb3d6b744a86a3c025f866b4d19e7f \
+    --hash=sha256:7434a61b158be563c1362d9071358f8ab91b8d928728cd2882af060481244c9e \
+    --hash=sha256:76066d7ff61ba6bf3cb5efe2428fc82aac91802844c022d849a1f0f53820502d \
+    --hash=sha256:7979b834ec7a33aafae34a90aad9f914c41fd6eaa8474e66953f3f6f7cbd4368 \
+    --hash=sha256:7eece6fbd3eae4a92d7c748ae825cbc1ee41a89bb1c3db05b5578ed3cfcfd7cb \
+    --hash=sha256:7ef1e014eed78ab650bef9a6a9cbe50b052c0aebe553fb2881e0453717573f52 \
+    --hash=sha256:81dce2ddc9f6e8f543d94b05d56e70d03a0774d32f6cca53e978dc01e4fc75b8 \
+    --hash=sha256:82fcc1f1cc3ff1ab8a57ba619b149b907072e750815c5ba63e7aa2e1163384a4 \
+    --hash=sha256:8d1f21af4c1539051049796a0f50aa342f9a27cde57318f2fc41ed50b0dbc4ac \
+    --hash=sha256:90a79bce019c442604662d17bf69df99090e24cdc6ad95b18b6725c2988a490e \
+    --hash=sha256:9145f092b5d1977ec8c0ab46e7b3381b2fd069957b9862a43bd383e5c01d18c2 \
+    --hash=sha256:91dc1d531f80c862441d7b66c4505cd6ea9d312f01fb2f4654f40c6fdf5cc37a \
+    --hash=sha256:979c24cbefaf2420c4e377ecd1f165ea08cc3d1fbb44bdc51bccbbf7c66a2cb4 \
+    --hash=sha256:994645a46c6a740ee8ce8df7911d4aee458d9b1bc5639bc968226763d07f00fa \
+    --hash=sha256:9b98b7681a9437262947f41c7fac567c7e1f6eddd94b0483596d320092004533 \
+    --hash=sha256:9c6b4d23c04831e3ab61717a707a5d763b300213db49ca680edf8bf13ab5d91b \
+    --hash=sha256:9c6d0ced3c06d0f183b73d3c5920727268d2201aa0fe6d55c60d68c792ff3588 \
+    --hash=sha256:9fd88f373cb71e6b59b7fa597e47e518282455c2734fd4306a05ca219a1991b0 \
+    --hash=sha256:a8f4e49fc3ce020f65411432183e6775f24e02dff617281094ba6ab079ef0915 \
+    --hash=sha256:a9e908ef5889cda4de038892b9accc36d33d72fb3e12c747e2799a0e806ec841 \
+    --hash=sha256:ad08a69728ff3c79866d729b095872afe1e0557251da4abb2c5faff15a91d19a \
+    --hash=sha256:adbccd17dcaff65704c856bd29951c58a1bd4b2b0f8ad6b826dbd543fe740988 \
+    --hash=sha256:b0c7d2f698e83f15228ba41c135501cfe7d5740181d5903e250e47f617eb4292 \
+    --hash=sha256:b3ab05a182c7937fb374f7e946f04fb23a0c0699c0450e9fb02ef567412d2fa3 \
+    --hash=sha256:b6104f9a46bd8743e4f738afef69b153c4b8b592d35ae46db07fc28ae3d5fb7c \
+    --hash=sha256:ba7cd6dc4d585ea544c1412019921570ebd8a597fabf475acc4528210d7c4a6f \
+    --hash=sha256:bc72c231f5449d86d6c7d9cc7cd819b6eb30134bb770b8cfdc0765e48ef9c420 \
+    --hash=sha256:bce8814b076f0ce5766dc87d5a056b0e9437b8e0cd351b9a6c4e1134a7dfbda9 \
+    --hash=sha256:be5e22bbb67924dea15039c3282fa4cc6cdfbe0cbbd1c0515f9223186fc2ec5f \
+    --hash=sha256:be6b7b8d42d3090b6c80793524fa66c57ad7ee3fe9722b258aec6d0672543fd0 \
+    --hash=sha256:bfe50b61bab1b1ec260fa7cd91106fa9fece57e6beba05630afe27c71259c59b \
+    --hash=sha256:bff507ae210371d4b1fe316d03433ac099f184d570a1a611e541923f78f05037 \
+    --hash=sha256:c148bec483cc4b421562b4bcedb8e28a3b84fcc8f0aa4418e10898f3c2c0eb9b \
+    --hash=sha256:c15ad0aee158a15e17e0495e1e18741573d04eb6da06d8b84af726cfc1ed02ee \
+    --hash=sha256:c2169b2dcabf4e608416f7f9468737583ce5f0a6e8677c4efbf795ce81109d7c \
+    --hash=sha256:c55853684fe08d4897c37dfc5faeff70607a5f1806c8be148f1695be4a63414b \
+    --hash=sha256:c65a3b5330b54103e7d21cac3f6bf3900d46f6d50138d73343d9e5b2900b2353 \
+    --hash=sha256:c7964c2183c3e6cce3f497e3a9f49d182e969f2dc3aeeadfa18945ff7bdd7051 \
+    --hash=sha256:cc3f1c053b73f20c7ad88b0d1d23be7e7b3901229ce89f5000a8399746a6e039 \
+    --hash=sha256:ce615c92d90df8373d9e13acddd154152645c0dc060871abf6bd43809673d20a \
+    --hash=sha256:d29338556a59423d9ff7b6eb0cb89ead2b0875e08fe522f3e068b955c3e7b59b \
+    --hash=sha256:d8a993c0a0ffd5f2d3bda23d0cd75e7086736f8f8268de8a82fbc4bd0ac6791e \
+    --hash=sha256:d9c727bbcf0065cbb20f39d2b4f932f8fa1631c3e01fcedc979bd4f51fe051c5 \
+    --hash=sha256:dac37cf08fcf2094159922edc7a2784cfcc5c70f8354469f79ed085f0328ebdf \
+    --hash=sha256:dd829712de97753367153ed84f2de752b86cd1f7a88b55a3a775eb52eafe8a94 \
+    --hash=sha256:e54ddd0bb8fb626aa1f9ba7b36629564544954fff9669b15da3610c22b9a0991 \
+    --hash=sha256:e77c90ab5997e85901da85131fd36acd0ed2221368199b65f0d11bca44549711 \
+    --hash=sha256:ebedc192abbc7fd13c5ee800e83a6df252bec691eb2c4bedc9f8b2e2903f5e2a \
+    --hash=sha256:ef71561f82a89af6cfcbee47f0fabfdb6e63788a9258e913955d89fdd96902ab \
+    --hash=sha256:f0a47efb1dbef13af9c9a54a94a0b814902e547b7f21acb29434504d18f36e3a \
+    --hash=sha256:f4f2ca6df64cbdd27f27b34f35adb640b5d2d77264228554e68deda54456eb11 \
+    --hash=sha256:fb02e4257376ae25c6dd95a5aec377f9b18c09be6ebdefa7ad209b9137b73d48
+    # via mkdocs-material
+requests==2.31.0 \
+    --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
+    --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+    # via
+    #   importlib-metadata
+    #   importlib-resources
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==68.2.2 \
+    --hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \
+    --hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
+    # via mkdocs-material
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+    # via python-dateutil
+tabledata==1.3.3 \
+    --hash=sha256:4abad1c996d8607e23b045b44dc0c5f061668f3c37585302c5f6c84c93a89962 \
+    --hash=sha256:c90daaba9a408e4397934b3ff2f6c06797d5289676420bf520c741ad43e6ff91
+    # via pytablewriter
+tcolorpy==0.1.4 \
+    --hash=sha256:d0926480aa5012f34877d69fc3b670f207dc165674e68ad07458fa6ee5b12724 \
+    --hash=sha256:f0dceb1cb95e554cee63024b3cd2fd8d4628c568773de2d1e6b4f0478461901c
+    # via pytablewriter
+typepy==1.3.2 \
+    --hash=sha256:b69fd48b9f50cdb3809906eef36b855b3134ff66c8893a4f8580abddb0b39517 \
+    --hash=sha256:d5d1022a424132622993800f1d2cd16cfdb691ac4e3b9c325f0fcb37799db1ae
+    # via
+    #   dataproperty
+    #   pytablewriter
+    #   tabledata
+    #   typepy
+urllib3==2.0.7 \
+    --hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \
+    --hash=sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e
+    # via requests
+verspec==0.1.0 \
+    --hash=sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31 \
+    --hash=sha256:c4504ca697b2056cdb4bfa7121461f5a0e81809255b41c03dda4ba823637c01e
+    # via mike
+watchdog==3.0.0 \
+    --hash=sha256:0e06ab8858a76e1219e68c7573dfeba9dd1c0219476c5a44d5333b01d7e1743a \
+    --hash=sha256:13bbbb462ee42ec3c5723e1205be8ced776f05b100e4737518c67c8325cf6100 \
+    --hash=sha256:233b5817932685d39a7896b1090353fc8efc1ef99c9c054e46c8002561252fb8 \
+    --hash=sha256:25f70b4aa53bd743729c7475d7ec41093a580528b100e9a8c5b5efe8899592fc \
+    --hash=sha256:2b57a1e730af3156d13b7fdddfc23dea6487fceca29fc75c5a868beed29177ae \
+    --hash=sha256:336adfc6f5cc4e037d52db31194f7581ff744b67382eb6021c868322e32eef41 \
+    --hash=sha256:3aa7f6a12e831ddfe78cdd4f8996af9cf334fd6346531b16cec61c3b3c0d8da0 \
+    --hash=sha256:3ed7c71a9dccfe838c2f0b6314ed0d9b22e77d268c67e015450a29036a81f60f \
+    --hash=sha256:4c9956d27be0bb08fc5f30d9d0179a855436e655f046d288e2bcc11adfae893c \
+    --hash=sha256:4d98a320595da7a7c5a18fc48cb633c2e73cda78f93cac2ef42d42bf609a33f9 \
+    --hash=sha256:4f94069eb16657d2c6faada4624c39464f65c05606af50bb7902e036e3219be3 \
+    --hash=sha256:5113334cf8cf0ac8cd45e1f8309a603291b614191c9add34d33075727a967709 \
+    --hash=sha256:51f90f73b4697bac9c9a78394c3acbbd331ccd3655c11be1a15ae6fe289a8c83 \
+    --hash=sha256:5d9f3a10e02d7371cd929b5d8f11e87d4bad890212ed3901f9b4d68767bee759 \
+    --hash=sha256:7ade88d0d778b1b222adebcc0927428f883db07017618a5e684fd03b83342bd9 \
+    --hash=sha256:7c5f84b5194c24dd573fa6472685b2a27cc5a17fe5f7b6fd40345378ca6812e3 \
+    --hash=sha256:7e447d172af52ad204d19982739aa2346245cc5ba6f579d16dac4bfec226d2e7 \
+    --hash=sha256:8ae9cda41fa114e28faf86cb137d751a17ffd0316d1c34ccf2235e8a84365c7f \
+    --hash=sha256:8f3ceecd20d71067c7fd4c9e832d4e22584318983cabc013dbf3f70ea95de346 \
+    --hash=sha256:9fac43a7466eb73e64a9940ac9ed6369baa39b3bf221ae23493a9ec4d0022674 \
+    --hash=sha256:a70a8dcde91be523c35b2bf96196edc5730edb347e374c7de7cd20c43ed95397 \
+    --hash=sha256:adfdeab2da79ea2f76f87eb42a3ab1966a5313e5a69a0213a3cc06ef692b0e96 \
+    --hash=sha256:ba07e92756c97e3aca0912b5cbc4e5ad802f4557212788e72a72a47ff376950d \
+    --hash=sha256:c07253088265c363d1ddf4b3cdb808d59a0468ecd017770ed716991620b8f77a \
+    --hash=sha256:c9d8c8ec7efb887333cf71e328e39cffbf771d8f8f95d308ea4125bf5f90ba64 \
+    --hash=sha256:d00e6be486affb5781468457b21a6cbe848c33ef43f9ea4a73b4882e5f188a44 \
+    --hash=sha256:d429c2430c93b7903914e4db9a966c7f2b068dd2ebdd2fa9b9ce094c7d459f33
+    # via mkdocs
+zipp==3.17.0 \
+    --hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \
+    --hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0
+    # via pytablewriter

docs/robots.txt

@@ -0,0 +1,4 @@
+User-agent: *
+Allow: /latest/
+
+Sitemap: https://docs.bunkerweb.io/latest/sitemap.xml

docs/security-tuning.md

@@ -0,0 +1,495 @@
+# Security tuning
+
+BunkerWeb offers many security features that you can configure with [settings](settings.md). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you tune them. By doing so you will be able to ensure the security level of your choice but also manage false positives.
+
+!!! tip "Other settings"
+    This section only focuses on security tuning, see the [settings section](settings.md) of the documentation for other settings.
+
+<figure markdown>
+  ![Overview](assets/img/core-order.svg){ align=center }
+  <figcaption>Overview and order of the core security plugins</figcaption>
+</figure>
+
+## HTTP protocol
+
+### Deny status code
+
+STREAM support :warning:
+
+The first thing to define is the kind of action to do when a client access is denied. You can control the action with the `DENY_HTTP_STATUS` setting which allows the following values :
+
+- `403` : send a "classical" Forbidden HTTP status code (a web page or custom content will be displayed)
+- `444` : close the connection (no web page or custom content will be displayed)
+
+The default value is `403` and we suggest you set it to `444` only if you already fixed a lot of false positive, you are familiar with BunkerWeb and want a higher level of security.
+
+When using stream mode, value is ignored and always set to `444` with effect of closing the connection.
+
+### Default server
+
+STREAM support :x:
+
+In the HTTP protocol, the Host header is used to determine which server the client wants to send the request to. That header is facultative and may be missing from the request or can be set as an unknown value. This is a common case, a lot of bots are scanning the Internet and are trying to exploit services or simply doing some fingerprinting.
+
+You can disable any request containing undefined or unknown Host value by setting `DISABLE_DEFAULT_SERVER` to `yes` (default : `no`). Please note that clients won't even receive a response, the TCP connection will be closed (using the special 444 status code of NGINX).
+
+### Allowed methods
+
+STREAM support :x:
+
+You can control the allowed HTTP methods by listing them (separated with "|") in the `ALLOWED_METHODS` setting (default : `GET|POST|HEAD`). Clients sending a method which is not listed will get a "405 - Method Not Allowed".
+
+### Max sizes
+
+STREAM support :x:
+
+You can control the maximum body size with the `MAX_CLIENT_SIZE` setting (default : `10m`). See [here](https://nginx.org/en/docs/syntax.html) for accepted values. You can use the special value `0` to allow a body of infinite size (not recommended).
+
+### Serve files
+
+STREAM support :x:
+
+To disable serving files from the www folder, you can set `SERVE_FILES` to `no` (default : `yes`). The value `no` is recommended if you use BunkerWeb as a reverse proxy.
+
+### Headers
+
+STREAM support :x:
+
+Headers are very important when it comes to HTTP security. While some of them might be too verbose, others' verbosity will need to be increased, especially on the client-side.
+
+#### Remove headers
+
+STREAM support :x:
+
+You can automatically remove verbose headers in the HTTP responses by using the `REMOVE_HEADERS` setting (default : `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
+
+#### Keep upstream headers
+
+STREAM support :x:
+
+You can automatically keep headers from upstream servers and prevent BunkerWeb from overriding them in the HTTP responses by using the `KEEP_UPSTREAM_HEADERS` setting (default : `Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`). A special value `*` is available to keep all headers. List of headers to keep must be separated with a space. Note that if the header is not present in the upstream response, it will be added by BunkerWeb.
+
+#### Cookies
+
+STREAM support :x:
+
+When it comes to cookies security, we can use the following flags :
+
+- HttpOnly : disable any access to the cookie from Javascript using document.cookie
+- SameSite : policy when requests come from third-party websites
+- Secure : only send cookies on HTTPS request
+
+Cookie flags can be overridden with values of your choice by using the `COOKIE_FLAGS` setting (default : `* HttpOnly SameSite=Lax`). See [here](https://github.com/AirisX/nginx_cookie_flag_module) for accepted values.
+
+The Secure flag can be automatically added if HTTPS is used by using the `COOKIE_AUTO_SECURE_FLAG` setting (default : `yes`). The value `no` is not recommended unless you know what you're doing.
+
+#### Security headers
+
+STREAM support :x:
+
+Various security headers are available and most of them can be set using BunkerWeb settings. Here is the list of headers, the corresponding setting and default value :
+
+|           Header            | Setting                     |                                                                                                                                                                                                                                                                                                                                                            Default                                                                                                                                                                                                                                                                                                                                                            |
+| :-------------------------: | :-------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
+|  `Content-Security-Policy`  | `CONTENT_SECURITY_POLICY`   |                                                                                                                                                                                                                                                                                                             `object-src 'none'; frame-src 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self';`                                                                                                                                                                                                                                                                                                              |
+| `Strict-Transport-Security` | `STRICT_TRANSPORT_SECURITY` |                                                                                                                                                                                                                                                                                                                                                      `max-age=31536000`                                                                                                                                                                                                                                                                                                                                                       |
+|      `Referrer-Policy`      | `REFERRER_POLICY`           |                                                                                                                                                                                                                                                                                                                                               `strict-origin-when-cross-origin`                                                                                                                                                                                                                                                                                                                                               |
+|    `Permissions-Policy`     | `PERMISSIONS_POLICY`        |                                                                                              `accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()`                                                                                               |
+|      `Feature-Policy`       | `FEATURE_POLICY`            | `accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';` |
+|      `X-Frame-Options`      | `X_FRAME_OPTIONS`           |                                                                                                                                                                                                                                                                                                                                                         `SAMEORIGIN`                                                                                                                                                                                                                                                                                                                                                          |
+|  `X-Content-Type-Options`   | `X_CONTENT_TYPE_OPTIONS`    |                                                                                                                                                                                                                                                                                                                                                           `nosniff`                                                                                                                                                                                                                                                                                                                                                           |
+|     `X-XSS-Protection`      | `X_XSS_PROTECTION`          |                                                                                                                                                                                                                                                                                                                                                        `1; mode=block`                                                                                                                                                                                                                                                                                                                                                        |
+
+#### CORS
+
+STREAM support :x:
+
+[Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) lets you manage how your service can be contacted from different origins. Please note that you will have to allow the `OPTIONS` HTTP method using the `ALLOWED_METHODS` if you want to enable it (more info [here](#allowed-methods)). Here is the list of settings related to CORS :
+
+|        Setting         |                                      Default                                       | Context |Multiple|                            Description                            |
+|------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
+|`USE_CORS`              |`no`                                                                                |multisite|no      |Use CORS                                                           |
+|`CORS_ALLOW_ORIGIN`     |`*`                                                                                 |multisite|no      |Allowed origins to make CORS requests : PCRE regex or *.           |
+|`CORS_EXPOSE_HEADERS`   |`Content-Length,Content-Range`                                                      |multisite|no      |Value of the Access-Control-Expose-Headers header.                 |
+|`CORS_MAX_AGE`          |`86400`                                                                             |multisite|no      |Value of the Access-Control-Max-Age header.                        |
+|`CORS_ALLOW_CREDENTIALS`|`no`                                                                                |multisite|no      |Send the Access-Control-Allow-Credentials header.                  |
+|`CORS_ALLOW_METHODS`    |`GET, POST, OPTIONS`                                                                |multisite|no      |Value of the Access-Control-Allow-Methods header.                  |
+|`CORS_ALLOW_HEADERS`    |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no      |Value of the Access-Control-Allow-Headers header.                  |
+|`CORS_DENY_REQUEST`     |`yes`                                                                               |multisite|no      |Deny request and don't send it to backend if Origin is not allowed.|
+
+Here is some examples of possible values for `CORS_ALLOW_ORIGIN` setting :
+
+- `*` will allow all origin
+- `^https://www\.example\.com$` will allow `https://www.example.com`
+- `^https://.+\.example.com$` will allow any origins when domain ends with `.example.com`
+- `^https://(www\.example1\.com|www\.example2\.com)$` will allow both `https://www.example1.com` and `https://www.example2.com`
+- `^https?://www\.example\.com$` will allow both `https://www.example.com` and `http://www.example.com`
+
+## HTTPS / SSL/TLS
+
+Besides the HTTPS / SSL/TLS configuration, the following settings related to HTTPS / SSL/TLS can be set :
+
+|            Setting            |      Default      | Description                                                                                                  |
+| :---------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------- |
+|   `REDIRECT_HTTP_TO_HTTPS`    |       `no`        | When set to `yes`, will redirect every HTTP request to HTTPS even if BunkerWeb is not configured with HTTPS. |
+| `AUTO_REDIRECT_HTTP_TO_HTTPS` |       `yes`       | When set to `yes`, will redirect every HTTP request to HTTPS only if BunkerWeb is configured with HTTPS.     |
+|       `SSL_PROTOCOLS`       | `TLSv1.2 TLSv1.3` | List of supported SSL/TLS protocols when SSL is enabled.                                                   |
+|            `HTTP2`            |       `yes`       | When set to `yes`, will enable HTTP2 protocol support when using HTTPS.                                      |
+|         `LISTEN_HTTP`         |       `yes`       | When set to `no`, BunkerWeb will not listen for HTTP requests. Useful if you want HTTPS only for example.    |
+
+### Let's Encrypt
+
+STREAM support :white_check_mark:
+
+BunkerWeb comes with automatic Let's Encrypt certificate generation and renewal. This is the easiest way of getting HTTPS / SSL/TLS working out of the box for public-facing web applications. Please note that you will need to set up proper DNS A record(s) for each of your domains pointing to your public IP(s) where BunkerWeb is accessible.
+
+Here is the list of related settings :
+
+|          Setting           |         Default          | Description                                                                                                                                                        |
+| :------------------------: | :----------------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|    `AUTO_LETS_ENCRYPT`     |           `no`           | When set to `yes`, HTTPS / SSL/TLS will be enabled with automatic certificate generation and renewal from Let's Encrypt.                                                     |
+|    `EMAIL_LETS_ENCRYPT`    | `contact@{FIRST_SERVER}` | Email to use when generating certificates. Let's Encrypt will send notifications to that email like certificate expiration.                                        |
+| `USE_LETS_ENCRYPT_STAGING` |           `no`           | When set to `yes`, the staging server of Let's Encrypt will be used instead of the production one. Useful when doing tests to avoid being "blocked" due to limits. |
+
+Full Let's Encrypt automation is fully working with stream mode as long as you open the `80/tcp` port from the outside. Please note that you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
+
+### Custom certificate
+
+STREAM support :white_check_mark:
+
+If you want to use your own certificates, here is the list of related settings :
+
+|     Setting     |Default| Context |Multiple|                                  Description                                   |
+|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
+|`USE_CUSTOM_SSL` |`no`   |multisite|no      |Use custom HTTPS / SSL/TLS certificate.                                                   |
+|`CUSTOM_SSL_CERT`|       |multisite|no      |Full path of the certificate or bundle file (must be readable by the scheduler).|
+|`CUSTOM_SSL_KEY` |       |multisite|no      |Full path of the key file (must be readable by the scheduler).                  |
+
+
+When `USE_CUSTOM_SSL` is set to `yes`, BunkerWeb will check every day if the custom certificate specified in `CUSTOM_SSL_CERT` is modified and will reload NGINX if that's the case.
+
+When using stream mode, you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
+
+### Self-signed
+
+STREAM support :white_check_mark:
+
+If you want to quickly test HTTPS / SSL/TLS for staging/dev environment you can configure BunkerWeb to generate self-signed certificates, here is the list of related settings :
+
+|          Setting           |        Default         | Description                                                                                                                |
+| :------------------------: | :--------------------: | :------------------------------------------------------------------------------------------------------------------------- |
+| `GENERATE_SELF_SIGNED_SSL` |          `no`          | When set to `yes`, HTTPS / SSL/TLS will be enabled with automatic self-signed certificate generation and renewal from Let's Encrypt. |
+|  `SELF_SIGNED_SSL_EXPIRY`  |         `365`          | Number of days for the certificate expiration (**-days** value used with **openssl**).                                     |
+|   `SELF_SIGNED_SSL_SUBJ`   | `/CN=www.example.com/` | Certificate subject to use (**-subj** value used with **openssl**).                                                        |
+
+When using stream mode, you will need to use the `LISTEN_STREAM_PORT_SSL` setting in order to choose your listening SSL/TLS port.
+
+## ModSecurity
+
+STREAM support :x:
+
+ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within BunkerWeb. Here is the list of related settings :
+
+|        Setting        | Default | Description                                                                                           |
+| :-------------------: | :-----: | :---------------------------------------------------------------------------------------------------- |
+|   `USE_MODSECURITY`   |  `yes`  | When set to `yes`, ModSecurity will be enabled.                                                       |
+| `USE_MODSECURITY_CRS` |  `yes`  | When set to `yes` and `USE_MODSECURITY` is also set to `yes`, the OWASP Core Rule Set will be loaded. |
+
+We strongly recommend keeping both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed with some efforts and the CRS team maintains a list of exclusions for common applications (e.g., WordPress, Nextcloud, Drupal, Cpanel, ...).
+
+Tuning ModSecurity and the CRS can be done using [custom configurations](quickstart-guide.md#custom-configurations) :
+
+- modsec-crs : before the OWASP Core Rule Set is loaded
+- modsec : after the OWASP Core Rule Set is loaded (also used if CRS is not loaded)
+
+For example, you can add a custom configuration with type `modsec-crs` to add CRS exclusions :
+
+```conf
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_wordpress=1"
+```
+
+You can also add a custom configuration with type `modsec` to update loaded CRS rules :
+
+```conf
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
+```
+
+## Bad behavior
+
+STREAM support :white_check_mark:
+
+When attackers search for and/or exploit vulnerabilities they might generate some "suspicious" HTTP status codes that a "regular" user won’t generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come up with a new one.
+
+That kind of security measure is implemented and enabled by default in BunkerWeb and is called "Bad behavior". Here is the list of the related settings :
+
+|           Setting           |            Default            | Description                                                                  |
+| :-------------------------: | :---------------------------: | :--------------------------------------------------------------------------- |
+|     `USE_BAD_BEHAVIOR`      |             `yes`             | When set to `yes`, the Bad behavior feature will be enabled.                 |
+| `BAD_BEHAVIOR_STATUS_CODES` | `400 401 403 404 405 429 444` | List of HTTP status codes considered as "suspicious".                        |
+|   `BAD_BEHAVIOR_BAN_TIME`   |            `86400`            | The duration time (in seconds) of a ban when a client reached the threshold. |
+|  `BAD_BEHAVIOR_THRESHOLD`   |             `10`              | Maximum number of "suspicious" HTTP status codes within the time period.     |
+|  `BAD_BEHAVIOR_COUNT_TIME`  |             `60`              | Period of time during which we count "suspicious" HTTP status codes.                |
+
+In other words, with the default values, if a client generates more than `10` status codes from the list `400 401 403 404 405 429 444` within `60` seconds their IP address will be banned for `86400` seconds.
+
+When using stream mode, only the `444` status code will count as "bad".
+
+## Antibot
+
+STREAM support :x:
+
+Attackers will certainly use automated tools to exploit/find some vulnerabilities in your web applications. One countermeasure is to challenge the users to detect if they look like a bot. If the challenge is solved, we consider the client as "legitimate" and they can access the web application.
+
+That kind of security is implemented but not enabled by default in BunkerWeb and is called "Antibot". Here is the list of supported challenges :
+
+- **Cookie** : send a cookie to the client, we expect to get the cookie back on other requests
+- **Javascript** : force a client to solve a computation challenge using Javascript
+- **Captcha** : force the client to solve a classical captcha (no external dependencies)
+- **hCaptcha** : force the client to solve a captcha from hCaptcha
+- **reCAPTCHA** : force the client to get a minimum score with Google reCAPTCHA
+- **Turnstile** : enforce rate limiting and access control for APIs and web applications using various mechanisms with Coudflare Turnstile
+
+Here is the list of related settings :
+
+|          Setting          |  Default   | Context |Multiple|                                                         Description                                                          |
+|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
+|`USE_ANTIBOT`              |`no`        |multisite|no      |Activate antibot feature.                                                                                                     |
+|`ANTIBOT_URI`              |`/challenge`|multisite|no      |Unused URI that clients will be redirected to to solve the challenge.                                                         |
+|`ANTIBOT_RECAPTCHA_SCORE`  |`0.7`       |multisite|no      |Minimum score required for reCAPTCHA challenge.                                                                               |
+|`ANTIBOT_RECAPTCHA_SITEKEY`|            |multisite|no      |Sitekey for reCAPTCHA challenge.                                                                                              |
+|`ANTIBOT_RECAPTCHA_SECRET` |            |multisite|no      |Secret for reCAPTCHA challenge.                                                                                               |
+|`ANTIBOT_HCAPTCHA_SITEKEY` |            |multisite|no      |Sitekey for hCaptcha challenge.                                                                                               |
+|`ANTIBOT_HCAPTCHA_SECRET`  |            |multisite|no      |Secret for hCaptcha challenge.                                                                                                |
+|`ANTIBOT_TURNSTILE_SITEKEY`|            |multisite|no      |Sitekey for Turnstile challenge.                                                                                              |
+|`ANTIBOT_TURNSTILE_SECRET` |            |multisite|no      |Secret for Turnstile challenge.                                                                                               |
+|`ANTIBOT_TIME_RESOLVE`     |`60`        |multisite|no      |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
+|`ANTIBOT_TIME_VALID`       |`86400`     |multisite|no      |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one.                |
+
+Please note that antibot feature is using a cookie to maintain a session with clients. If you are using BunkerWeb in a clustered environment, you will need to set the `SESSIONS_SECRET` and `SESSIONS_NAME` settings to another value than the default one (which is `random`). You will find more info about sessions [here](settings.md#sessions).
+
+## Blacklisting, whitelisting and greylisting
+
+The blacklisting security feature is very easy to understand : if a specific criteria is met, the client will be banned. As for the whitelisting, it's the exact opposite : if a specific criteria is met, the client will be allowed and no additional security check will be done. Whereas for the greylisting :  if a specific criteria is met, the client will be allowed but additional security checks will be done.
+
+You can configure blacklisting, whitelisting and greylisting at the same time. If that's the case, note that whitelisting is executed before blacklisting and greylisting : even if a criteria is true for all of them, the client will be whitelisted.
+
+### Blacklisting
+
+STREAM support :warning:
+
+You can use the following settings to set up blacklisting :
+
+|             Setting              |                                                           Default                                                            | Context |Multiple|                                          Description                                           |
+|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
+|`USE_BLACKLIST`                   |`yes`                                                                                                                         |multisite|no      |Activate blacklist feature.                                                                     |
+|`BLACKLIST_IP`                    |                                                                                                                              |multisite|no      |List of IP/network, separated with spaces, to block.                                            |
+|`BLACKLIST_IP_URLS`               |`https://www.dan.me.uk/torlist/?exit`                                                                                         |global   |no      |List of URLs, separated with spaces, containing bad IP/network to block.                        |
+|`BLACKLIST_RDNS_GLOBAL`           |`yes`                                                                                                                         |multisite|no      |Only perform RDNS blacklist checks on global IP addresses.                                      |
+|`BLACKLIST_RDNS`                  |`.shodan.io .censys.io`                                                                                                       |multisite|no      |List of reverse DNS suffixes, separated with spaces, to block.                                  |
+|`BLACKLIST_RDNS_URLS`             |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to block.                  |
+|`BLACKLIST_ASN`                   |                                                                                                                              |multisite|no      |List of ASN numbers, separated with spaces, to block.                                           |
+|`BLACKLIST_ASN_URLS`              |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing ASN to block.                                   |
+|`BLACKLIST_USER_AGENT`            |                                                                                                                              |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to block.                               |
+|`BLACKLIST_USER_AGENT_URLS`       |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global   |no      |List of URLs, separated with spaces, containing bad User-Agent to block.                        |
+|`BLACKLIST_URI`                   |                                                                                                                              |multisite|no      |List of URI (PCRE regex), separated with spaces, to block.                                      |
+|`BLACKLIST_URI_URLS`              |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing bad URI to block.                               |
+|`BLACKLIST_IGNORE_IP`             |                                                                                                                              |multisite|no      |List of IP/network, separated with spaces, to ignore in the blacklist.                          |
+|`BLACKLIST_IGNORE_IP_URLS`        |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist.          |
+|`BLACKLIST_IGNORE_RDNS`           |                                                                                                                              |multisite|no      |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist.                |
+|`BLACKLIST_IGNORE_RDNS_URLS`      |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
+|`BLACKLIST_IGNORE_ASN`            |                                                                                                                              |multisite|no      |List of ASN numbers, separated with spaces, to ignore in the blacklist.                         |
+|`BLACKLIST_IGNORE_ASN_URLS`       |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing ASN to ignore in the blacklist.                 |
+|`BLACKLIST_IGNORE_USER_AGENT`     |                                                                                                                              |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist.             |
+|`BLACKLIST_IGNORE_USER_AGENT_URLS`|                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist.          |
+|`BLACKLIST_IGNORE_URI`            |                                                                                                                              |multisite|no      |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist.                    |
+|`BLACKLIST_IGNORE_URI_URLS`       |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing URI to ignore in the blacklist.                 |
+
+When using stream mode, only IP, RDNS and ASN checks will be done.
+
+### Greylisting
+
+STREAM support :warning:
+
+You can use the following settings to set up greylisting :
+
+|         Setting          |Default| Context |Multiple|                                         Description                                          |
+|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
+|`USE_GREYLIST`            |`no`   |multisite|no      |Activate greylist feature.                                                                    |
+|`GREYLIST_IP`             |       |multisite|no      |List of IP/network, separated with spaces, to put into the greylist.                          |
+|`GREYLIST_IP_URLS`        |       |global   |no      |List of URLs, separated with spaces, containing good IP/network to put into the greylist.     |
+|`GREYLIST_RDNS_GLOBAL`    |`yes`  |multisite|no      |Only perform RDNS greylist checks on global IP addresses.                                     |
+|`GREYLIST_RDNS`           |       |multisite|no      |List of reverse DNS suffixes, separated with spaces, to put into the greylist.                |
+|`GREYLIST_RDNS_URLS`      |       |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
+|`GREYLIST_ASN`            |       |multisite|no      |List of ASN numbers, separated with spaces, to put into the greylist.                         |
+|`GREYLIST_ASN_URLS`       |       |global   |no      |List of URLs, separated with spaces, containing ASN to put into the greylist.                 |
+|`GREYLIST_USER_AGENT`     |       |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist.             |
+|`GREYLIST_USER_AGENT_URLS`|       |global   |no      |List of URLs, separated with spaces, containing good User-Agent to put into the greylist.     |
+|`GREYLIST_URI`            |       |multisite|no      |List of URI (PCRE regex), separated with spaces, to put into the greylist.                    |
+|`GREYLIST_URI_URLS`       |       |global   |no      |List of URLs, separated with spaces, containing bad URI to put into the greylist.             |
+
+When using stream mode, only IP, RDNS and ASN checks will be done.
+
+### Whitelisting
+
+STREAM support :warning:
+
+You can use the following settings to set up whitelisting :
+
+|          Setting          |                                                                                          Default                                                                                           | Context |Multiple|                                   Description                                    |
+|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
+|`USE_WHITELIST`            |`yes`                                                                                                                                                                                       |multisite|no      |Activate whitelist feature.                                                       |
+|`WHITELIST_IP`             |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247 54.208.102.37 107.21.1.8`|multisite|no      |List of IP/network, separated with spaces, to put into the whitelist.             |
+|`WHITELIST_IP_URLS`        |                                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing good IP/network to whitelist.     |
+|`WHITELIST_RDNS_GLOBAL`    |`yes`                                                                                                                                                                                       |multisite|no      |Only perform RDNS whitelist checks on global IP addresses.                        |
+|`WHITELIST_RDNS`           |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`                |multisite|no      |List of reverse DNS suffixes, separated with spaces, to whitelist.                |
+|`WHITELIST_RDNS_URLS`      |                                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
+|`WHITELIST_ASN`            |`32934`                                                                                                                                                                                     |multisite|no      |List of ASN numbers, separated with spaces, to whitelist.                         |
+|`WHITELIST_ASN_URLS`       |                                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing ASN to whitelist.                 |
+|`WHITELIST_USER_AGENT`     |                                                                                                                                                                                            |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to whitelist.             |
+|`WHITELIST_USER_AGENT_URLS`|                                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing good User-Agent to whitelist.     |
+|`WHITELIST_URI`            |                                                                                                                                                                                            |multisite|no      |List of URI (PCRE regex), separated with spaces, to whitelist.                    |
+|`WHITELIST_URI_URLS`       |                                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing bad URI to whitelist.             |
+
+When using stream mode, only IP, RDNS and ASN checks will be done.
+
+## Reverse scan
+
+STREAM support :white_check_mark:
+
+Reverse scan is a feature designed to detect open ports by establishing TCP connections with clients' IP addresses.
+Consider adding this feature if you want to detect possible open proxies or connections from servers.
+
+We provide a list of suspicious ports by default but it can be modified to fit your needs. Be mindful, adding too many ports to the list can significantly slow down clients' connections due to the network checks. If a listed port is open, the client's access will be denied.
+
+Please be aware, this feature is new and further improvements will be added soon.
+
+Here is the list of settings related to reverse scan :
+
+|   Setting    |                                   Default                                    | Description                                    |
+| :----------: | :--------------------------------------------------------------------------: | :--------------------------------------------- |
+| `USE_REVERSE_SCAN`  |                                    `no`                                     | When set to `yes`, will enable ReverseScan. |
+| `REVERSE_SCAN_PORTS` | `22 80 443 3128 8000 8080`                                                 | List of suspicious ports to scan.                  |
+| `REVERSE_SCAN_TIMEOUT` | `500`                                                                    | Specify the maximum timeout (in ms) when scanning a port.                |
+
+## BunkerNet
+
+STREAM support :white_check_mark:
+
+BunkerNet is a crowdsourced database of malicious requests shared between all BunkerWeb instances over the world.
+
+If you enable BunkerNet, malicious requests will be sent to a remote server and will be analyzed by our systems. By doing so, we can extract malicious data from everyone's reports and give back the results to each BunkerWeb instances participating into BunkerNet.
+
+At the moment, that feature should be considered in "beta". We only extract malicious IP and we are very strict about how we do it to avoid any "poisoning". We strongly recommend activating it (which is the default) because the more instances participate, the more data we have to improve the algorithm.
+
+The setting used to enable or disable BunkerNet is `USE_BUNKERNET` (default : `yes`).
+
+## DNSBL
+
+STREAM support :white_check_mark:
+
+DNSBL or "DNS BlackList" is an external list of malicious IPs that you query using the DNS protocol. Automatic querying of that kind of blacklist is supported by BunkerWeb. If a remote DNSBL server of your choice says that the IP address of the client is in the blacklist, it will be banned.
+
+Here is the list of settings related to DNSBL :
+
+|   Setting    |                                   Default                                    | Description                                    |
+| :----------: | :--------------------------------------------------------------------------: | :--------------------------------------------- |
+| `USE_DNSBL`  |                                    `yes`                                     | When set to `yes`, will enable DNSBL checking. |
+| `DNSBL_LIST` | `bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org` | List of DNSBL servers to ask.                  |
+
+## Limiting
+
+BunkerWeb supports applying a limit policy to :
+
+- Number of connections per IP
+- Number of requests per IP and URL within a time period
+
+Please note that it should not be considered as an effective solution against DoS or DDoS but rather as an anti-bruteforce measure or rate limit policy for API.
+
+In both cases (connections or requests) if the limit is reached, the client will receive the HTTP status "429 - Too Many Requests".
+
+### Connections
+
+STREAM support :white_check_mark:
+
+The following settings are related to the Limiting connections feature :
+
+|        Setting         | Default | Description                                                                                |
+| :--------------------: | :-----: | :----------------------------------------------------------------------------------------- |
+|    `USE_LIMIT_CONN`    |  `yes`  | When set to `yes`, will limit the maximum number of concurrent connections for a given IP. |
+| `LIMIT_CONN_MAX_HTTP1` |  `10`   | Maximum number of concurrent connections when using HTTP1 protocol.                        |
+| `LIMIT_CONN_MAX_HTTP2` |  `100`  | Maximum number of concurrent streams when using HTTP2 protocol.                            |
+| `LIMIT_CONN_MAX_STREAM`|  `10`  | Maximum number of connections per IP when using stream.                                     |
+
+### Requests
+
+STREAM support :x:
+
+The following settings are related to the Limiting requests feature :
+
+|        Setting        |Default| Context |Multiple|                                         Description                                         |
+|-----------------------|-------|---------|--------|---------------------------------------------------------------------------------------------|
+|`USE_LIMIT_REQ`        |`yes`  |multisite|no      |Activate limit requests feature.                                                             |
+|`LIMIT_REQ_URL`        |`/`    |multisite|yes     |URL (PCRE regex) where the limit request will be applied or special value / for all requests.|
+|`LIMIT_REQ_RATE`       |`2r/s` |multisite|yes     |Rate to apply to the URL (s for second, m for minute, h for hour and d for day).             |
+|`USE_LIMIT_CONN`       |`yes`  |multisite|no      |Activate limit connections feature.                                                          |
+|`LIMIT_CONN_MAX_HTTP1` |`10`   |multisite|no      |Maximum number of connections per IP when using HTTP/1.X protocol.                           |
+|`LIMIT_CONN_MAX_HTTP2` |`100`  |multisite|no      |Maximum number of streams per IP when using HTTP/2 protocol.                                 |
+|`LIMIT_CONN_MAX_STREAM`|`10`   |multisite|no      |Maximum number of connections per IP when using stream.                                      |
+
+Please note that you can add different rates for different URLs by adding a number as a suffix to the settings for example : `LIMIT_REQ_URL_1=^/url1$`, `LIMIT_REQ_RATE_1=5r/d`, `LIMIT_REQ_URL_2=^/url2/subdir/.*$`, `LIMIT_REQ_RATE_2=1r/m`, ...
+
+Another important thing to note is that `LIMIT_REQ_URL` values are PCRE regex.
+
+## Country
+
+STREAM support :white_check_mark:
+
+The country security feature allows you to apply policy based on the country of the IP address of clients :
+
+- Deny any access if the country is in a blacklist
+- Only allow access if the country is in a whitelist (other security checks will still be executed)
+
+Here is the list of related settings :
+
+|       Setting       | Default | Description                                  |
+| :-----------------: | :-----: | :------------------------------------------- |
+| `BLACKLIST_COUNTRY` |         | List of 2 letters country code to blacklist. |
+| `WHITELIST_COUNTRY` |         | List of 2 letters country code to whitelist. |
+
+Using both country blacklist and whitelist at the same time makes no sense. If you do, please note that only the whitelist will be executed.
+
+## Authentication
+
+### Auth basic
+
+STREAM support :x:
+
+You can quickly protect sensitive resources like the admin area for example, by requiring HTTP basic authentication. Here is the list of related settings :
+
+|          Setting          |      Default      | Description                                                                                  |
+| :-----------------------: | :---------------: | :------------------------------------------------------------------------------------------- |
+|     `USE_AUTH_BASIC`      |       `no`        | When set to `yes` HTTP auth basic will be enabled.                                           |
+|   `AUTH_BASIC_LOCATION`   |    `sitewide`     | Location (URL) of the sensitive resource. Use special value `sitewide` to enable everywhere. |
+|   `AUTH_BASIC_USER`   |    `changeme`     | The username required.                                                                       |
+| `AUTH_BASIC_PASSWORD` |    `changeme`     | The password required.                                                                       |
+|   `AUTH_BASIC_TEXT`   | `Restricted area` | Text to display in the auth prompt.                                                          |
+
+### Auth request
+
+You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/examples).
+
+**Auth request settings are related to reverse proxy rules.**
+
+|                Setting                |             Default              | Context |Multiple|                                                    Description                                                     |
+|---------------------------------------|----------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------|
+|`REVERSE_PROXY_AUTH_REQUEST`           |                                  |multisite|yes     |Enable authentication using an external provider (value of auth_request directive).                                 |
+|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`|                                  |multisite|yes     |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).    |
+|`REVERSE_PROXY_AUTH_REQUEST_SET`       |                                  |multisite|yes     |List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).|

docs/settings.md

@@ -0,0 +1,541 @@
+# Settings
+
+!!! info "Settings generator tool"
+
+    To help you tune BunkerWeb, we have made an easy-to-use settings generator tool available at [config.bunkerweb.io](https://config.bunkerweb.io).
+
+This section contains the full list of settings supported by BunkerWeb. If you are not yet familiar with BunkerWeb, you should first read the [concepts](concepts.md) section of the documentation. Please follow the instructions for your own [integration](integrations.md) on how to apply the settings.
+
+As a general rule when multisite mode is enabled, if you want to apply settings with multisite context to a specific server, you will need to add the primary (first) server name as a prefix like `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes` for example.
+
+When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
+
+## Global settings
+
+
+STREAM support :warning:
+
+|           Setting            |                                                        Default                                                         | Context |Multiple|                   Description                    |
+|------------------------------|------------------------------------------------------------------------------------------------------------------------|---------|--------|--------------------------------------------------|
+|`IS_LOADING`                  |`no`                                                                                                                    |global   |no      |Internal use : set to yes when BW is loading.     |
+|`NGINX_PREFIX`                |`/etc/nginx/`                                                                                                           |global   |no      |Where nginx will search for configurations.       |
+|`HTTP_PORT`                   |`8080`                                                                                                                  |global   |no      |HTTP port number which bunkerweb binds to.        |
+|`HTTPS_PORT`                  |`8443`                                                                                                                  |global   |no      |HTTPS port number which bunkerweb binds to.       |
+|`MULTISITE`                   |`no`                                                                                                                    |global   |no      |Multi site activation.                            |
+|`SERVER_NAME`                 |`www.example.com`                                                                                                       |multisite|no      |List of the virtual hosts served by bunkerweb.    |
+|`WORKER_PROCESSES`            |`auto`                                                                                                                  |global   |no      |Number of worker processes.                       |
+|`WORKER_RLIMIT_NOFILE`        |`2048`                                                                                                                  |global   |no      |Maximum number of open files for worker processes.|
+|`WORKER_CONNECTIONS`          |`1024`                                                                                                                  |global   |no      |Maximum number of connections per worker.         |
+|`LOG_FORMAT`                  |`$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"`|global   |no      |The format to use for access logs.                |
+|`LOG_LEVEL`                   |`notice`                                                                                                                |global   |no      |The level to use for error logs.                  |
+|`DNS_RESOLVERS`               |`127.0.0.11`                                                                                                            |global   |no      |DNS addresses of resolvers to use.                |
+|`DATASTORE_MEMORY_SIZE`       |`64m`                                                                                                                   |global   |no      |Size of the internal datastore.                   |
+|`CACHESTORE_MEMORY_SIZE`      |`64m`                                                                                                                   |global   |no      |Size of the internal cachestore.                  |
+|`CACHESTORE_IPC_MEMORY_SIZE`  |`16m`                                                                                                                   |global   |no      |Size of the internal cachestore (ipc).            |
+|`CACHESTORE_MISS_MEMORY_SIZE` |`16m`                                                                                                                   |global   |no      |Size of the internal cachestore (miss).           |
+|`CACHESTORE_LOCKS_MEMORY_SIZE`|`16m`                                                                                                                   |global   |no      |Size of the internal cachestore (locks).          |
+|`USE_API`                     |`yes`                                                                                                                   |global   |no      |Activate the API to control BunkerWeb.            |
+|`API_HTTP_PORT`               |`5000`                                                                                                                  |global   |no      |Listen port number for the API.                   |
+|`API_LISTEN_IP`               |`0.0.0.0`                                                                                                               |global   |no      |Listen IP address for the API.                    |
+|`API_SERVER_NAME`             |`bwapi`                                                                                                                 |global   |no      |Server name (virtual host) for the API.           |
+|`API_WHITELIST_IP`            |`127.0.0.0/8`                                                                                                           |global   |no      |List of IP/network allowed to contact the API.    |
+|`AUTOCONF_MODE`               |`no`                                                                                                                    |global   |no      |Enable Autoconf Docker integration.               |
+|`SWARM_MODE`                  |`no`                                                                                                                    |global   |no      |Enable Docker Swarm integration.                  |
+|`KUBERNETES_MODE`             |`no`                                                                                                                    |global   |no      |Enable Kubernetes integration.                    |
+|`SERVER_TYPE`                 |`http`                                                                                                                  |multisite|no      |Server type : http or stream.                     |
+|`LISTEN_STREAM`               |`yes`                                                                                                                   |multisite|no      |Enable listening for non-ssl (passthrough).       |
+|`LISTEN_STREAM_PORT`          |`1337`                                                                                                                  |multisite|no      |Listening port for non-ssl (passthrough).         |
+|`LISTEN_STREAM_PORT_SSL`      |`4242`                                                                                                                  |multisite|no      |Listening port for ssl (passthrough).             |
+|`USE_UDP`                     |`no`                                                                                                                    |multisite|no      |UDP listen instead of TCP (stream).               |
+|`USE_IPV6`                    |`no`                                                                                                                    |global   |no      |Enable IPv6 connectivity.                         |
+
+
+## Core settings
+
+### Antibot
+
+STREAM support :x:
+
+Bot detection by using a challenge.
+
+|          Setting          |  Default   | Context |Multiple|                                                         Description                                                          |
+|---------------------------|------------|---------|--------|------------------------------------------------------------------------------------------------------------------------------|
+|`USE_ANTIBOT`              |`no`        |multisite|no      |Activate antibot feature.                                                                                                     |
+|`ANTIBOT_URI`              |`/challenge`|multisite|no      |Unused URI that clients will be redirected to to solve the challenge.                                                         |
+|`ANTIBOT_RECAPTCHA_SCORE`  |`0.7`       |multisite|no      |Minimum score required for reCAPTCHA challenge.                                                                               |
+|`ANTIBOT_RECAPTCHA_SITEKEY`|            |multisite|no      |Sitekey for reCAPTCHA challenge.                                                                                              |
+|`ANTIBOT_RECAPTCHA_SECRET` |            |multisite|no      |Secret for reCAPTCHA challenge.                                                                                               |
+|`ANTIBOT_HCAPTCHA_SITEKEY` |            |multisite|no      |Sitekey for hCaptcha challenge.                                                                                               |
+|`ANTIBOT_HCAPTCHA_SECRET`  |            |multisite|no      |Secret for hCaptcha challenge.                                                                                                |
+|`ANTIBOT_TURNSTILE_SITEKEY`|            |multisite|no      |Sitekey for Turnstile challenge.                                                                                              |
+|`ANTIBOT_TURNSTILE_SECRET` |            |multisite|no      |Secret for Turnstile challenge.                                                                                               |
+|`ANTIBOT_TIME_RESOLVE`     |`60`        |multisite|no      |Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated.|
+|`ANTIBOT_TIME_VALID`       |`86400`     |multisite|no      |Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one.                |
+
+### Auth basic
+
+STREAM support :x:
+
+Enforce login before accessing a resource or the whole site using HTTP basic auth method.
+
+|       Setting       |     Default     | Context |Multiple|                  Description                   |
+|---------------------|-----------------|---------|--------|------------------------------------------------|
+|`USE_AUTH_BASIC`     |`no`             |multisite|no      |Use HTTP basic auth                             |
+|`AUTH_BASIC_LOCATION`|`sitewide`       |multisite|no      |URL of the protected resource or sitewide value.|
+|`AUTH_BASIC_USER`    |`changeme`       |multisite|no      |Username                                        |
+|`AUTH_BASIC_PASSWORD`|`changeme`       |multisite|no      |Password                                        |
+|`AUTH_BASIC_TEXT`    |`Restricted area`|multisite|no      |Text to display                                 |
+
+### Bad behavior
+
+STREAM support :white_check_mark:
+
+Ban IP generating too much 'bad' HTTP status code in a period of time.
+
+|          Setting          |           Default           | Context |Multiple|                                        Description                                         |
+|---------------------------|-----------------------------|---------|--------|--------------------------------------------------------------------------------------------|
+|`USE_BAD_BEHAVIOR`         |`yes`                        |multisite|no      |Activate Bad behavior feature.                                                              |
+|`BAD_BEHAVIOR_STATUS_CODES`|`400 401 403 404 405 429 444`|multisite|no      |List of HTTP status codes considered as 'bad'.                                              |
+|`BAD_BEHAVIOR_BAN_TIME`    |`86400`                      |multisite|no      |The duration time (in seconds) of a ban when the corresponding IP has reached the threshold.|
+|`BAD_BEHAVIOR_THRESHOLD`   |`10`                         |multisite|no      |Maximum number of 'bad' HTTP status codes within the period of time before IP is banned.    |
+|`BAD_BEHAVIOR_COUNT_TIME`  |`60`                         |multisite|no      |Period of time (in seconds) during which we count 'bad' HTTP status codes.                  |
+
+### Blacklist
+
+STREAM support :warning:
+
+Deny access based on internal and external IP/network/rDNS/ASN blacklists.
+
+|             Setting              |                                                           Default                                                            | Context |Multiple|                                          Description                                           |
+|----------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------|
+|`USE_BLACKLIST`                   |`yes`                                                                                                                         |multisite|no      |Activate blacklist feature.                                                                     |
+|`BLACKLIST_IP`                    |                                                                                                                              |multisite|no      |List of IP/network, separated with spaces, to block.                                            |
+|`BLACKLIST_IP_URLS`               |`https://www.dan.me.uk/torlist/?exit`                                                                                         |global   |no      |List of URLs, separated with spaces, containing bad IP/network to block.                        |
+|`BLACKLIST_RDNS_GLOBAL`           |`yes`                                                                                                                         |multisite|no      |Only perform RDNS blacklist checks on global IP addresses.                                      |
+|`BLACKLIST_RDNS`                  |`.shodan.io .censys.io`                                                                                                       |multisite|no      |List of reverse DNS suffixes, separated with spaces, to block.                                  |
+|`BLACKLIST_RDNS_URLS`             |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to block.                  |
+|`BLACKLIST_ASN`                   |                                                                                                                              |multisite|no      |List of ASN numbers, separated with spaces, to block.                                           |
+|`BLACKLIST_ASN_URLS`              |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing ASN to block.                                   |
+|`BLACKLIST_USER_AGENT`            |                                                                                                                              |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to block.                               |
+|`BLACKLIST_USER_AGENT_URLS`       |`https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list`|global   |no      |List of URLs, separated with spaces, containing bad User-Agent to block.                        |
+|`BLACKLIST_URI`                   |                                                                                                                              |multisite|no      |List of URI (PCRE regex), separated with spaces, to block.                                      |
+|`BLACKLIST_URI_URLS`              |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing bad URI to block.                               |
+|`BLACKLIST_IGNORE_IP`             |                                                                                                                              |multisite|no      |List of IP/network, separated with spaces, to ignore in the blacklist.                          |
+|`BLACKLIST_IGNORE_IP_URLS`        |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing IP/network to ignore in the blacklist.          |
+|`BLACKLIST_IGNORE_RDNS`           |                                                                                                                              |multisite|no      |List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist.                |
+|`BLACKLIST_IGNORE_RDNS_URLS`      |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist.|
+|`BLACKLIST_IGNORE_ASN`            |                                                                                                                              |multisite|no      |List of ASN numbers, separated with spaces, to ignore in the blacklist.                         |
+|`BLACKLIST_IGNORE_ASN_URLS`       |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing ASN to ignore in the blacklist.                 |
+|`BLACKLIST_IGNORE_USER_AGENT`     |                                                                                                                              |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist.             |
+|`BLACKLIST_IGNORE_USER_AGENT_URLS`|                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist.          |
+|`BLACKLIST_IGNORE_URI`            |                                                                                                                              |multisite|no      |List of URI (PCRE regex), separated with spaces, to ignore in the blacklist.                    |
+|`BLACKLIST_IGNORE_URI_URLS`       |                                                                                                                              |global   |no      |List of URLs, separated with spaces, containing URI to ignore in the blacklist.                 |
+
+### Brotli
+
+STREAM support :x:
+
+Compress HTTP requests with the brotli algorithm.
+
+|      Setting      |                                                                                                                                                                                                            Default                                                                                                                                                                                                             | Context |Multiple|                      Description                      |
+|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------|
+|`USE_BROTLI`       |`no`                                                                                                                                                                                                                                                                                                                                                                                                                            |multisite|no      |Use brotli                                             |
+|`BROTLI_TYPES`     |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no      |List of MIME types that will be compressed with brotli.|
+|`BROTLI_MIN_LENGTH`|`1000`                                                                                                                                                                                                                                                                                                                                                                                                                          |multisite|no      |Minimum length for brotli compression.                 |
+|`BROTLI_COMP_LEVEL`|`6`                                                                                                                                                                                                                                                                                                                                                                                                                             |multisite|no      |The compression level of the brotli algorithm.         |
+
+### BunkerNet
+
+STREAM support :white_check_mark:
+
+Share threat data with other BunkerWeb instances via BunkerNet.
+
+|     Setting      |         Default          | Context |Multiple|         Description         |
+|------------------|--------------------------|---------|--------|-----------------------------|
+|`USE_BUNKERNET`   |`yes`                     |multisite|no      |Activate BunkerNet feature.  |
+|`BUNKERNET_SERVER`|`https://api.bunkerweb.io`|global   |no      |Address of the BunkerNet API.|
+
+### CORS
+
+STREAM support :x:
+
+Cross-Origin Resource Sharing.
+
+|           Setting            |                                      Default                                       | Context |Multiple|                            Description                            |
+|------------------------------|------------------------------------------------------------------------------------|---------|--------|-------------------------------------------------------------------|
+|`USE_CORS`                    |`no`                                                                                |multisite|no      |Use CORS                                                           |
+|`CORS_ALLOW_ORIGIN`           |`*`                                                                                 |multisite|no      |Allowed origins to make CORS requests : PCRE regex or *.           |
+|`CORS_EXPOSE_HEADERS`         |`Content-Length,Content-Range`                                                      |multisite|no      |Value of the Access-Control-Expose-Headers header.                 |
+|`CROSS_ORIGIN_OPENER_POLICY`  |                                                                                    |multisite|no      |Value for the Cross-Origin-Opener-Policy header.                   |
+|`CROSS_ORIGIN_EMBEDDER_POLICY`|                                                                                    |multisite|no      |Value for the Cross-Origin-Embedder-Policy header.                 |
+|`CROSS_ORIGIN_RESOURCE_POLICY`|                                                                                    |multisite|no      |Value for the Cross-Origin-Resource-Policy header.                 |
+|`CORS_MAX_AGE`                |`86400`                                                                             |multisite|no      |Value of the Access-Control-Max-Age header.                        |
+|`CORS_ALLOW_CREDENTIALS`      |`no`                                                                                |multisite|no      |Send the Access-Control-Allow-Credentials header.                  |
+|`CORS_ALLOW_METHODS`          |`GET, POST, OPTIONS`                                                                |multisite|no      |Value of the Access-Control-Allow-Methods header.                  |
+|`CORS_ALLOW_HEADERS`          |`DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range`|multisite|no      |Value of the Access-Control-Allow-Headers header.                  |
+|`CORS_DENY_REQUEST`           |`yes`                                                                               |multisite|no      |Deny request and don't send it to backend if Origin is not allowed.|
+
+### Client cache
+
+STREAM support :x:
+
+Manage caching for clients.
+
+|         Setting         |                          Default                           | Context |Multiple|                            Description                             |
+|-------------------------|------------------------------------------------------------|---------|--------|--------------------------------------------------------------------|
+|`USE_CLIENT_CACHE`       |`no`                                                        |multisite|no      |Tell client to store locally static files.                          |
+|`CLIENT_CACHE_EXTENSIONS`|`jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2`|global   |no      |List of file extensions, separated with pipes that should be cached.|
+|`CLIENT_CACHE_ETAG`      |`yes`                                                       |multisite|no      |Send the HTTP ETag header for static resources.                     |
+|`CLIENT_CACHE_CONTROL`   |`public, max-age=15552000`                                  |multisite|no      |Value of the Cache-Control HTTP header.                             |
+
+### Country
+
+STREAM support :white_check_mark:
+
+Deny access based on the country of the client IP.
+
+|      Setting      |Default| Context |Multiple|                                 Description                                 |
+|-------------------|-------|---------|--------|-----------------------------------------------------------------------------|
+|`BLACKLIST_COUNTRY`|       |multisite|no      |Deny access if the country of the client is in the list (2 letters code).    |
+|`WHITELIST_COUNTRY`|       |multisite|no      |Deny access if the country of the client is not in the list (2 letters code).|
+
+### Custom HTTPS certificate
+
+STREAM support :white_check_mark:
+
+Choose custom certificate for HTTPS.
+
+|     Setting     |Default| Context |Multiple|                                  Description                                   |
+|-----------------|-------|---------|--------|--------------------------------------------------------------------------------|
+|`USE_CUSTOM_SSL` |`no`   |multisite|no      |Use custom HTTPS certificate.                                                   |
+|`CUSTOM_SSL_CERT`|       |multisite|no      |Full path of the certificate or bundle file (must be readable by the scheduler).|
+|`CUSTOM_SSL_KEY` |       |multisite|no      |Full path of the key file (must be readable by the scheduler).                  |
+
+### DB
+
+STREAM support :white_check_mark:
+
+Integrate easily the Database.
+
+|   Setting    |                 Default                 |Context|Multiple|                   Description                    |
+|--------------|-----------------------------------------|-------|--------|--------------------------------------------------|
+|`DATABASE_URI`|`sqlite:////var/lib/bunkerweb/db.sqlite3`|global |no      |The database URI, following the sqlalchemy format.|
+
+### DNSBL
+
+STREAM support :white_check_mark:
+
+Deny access based on external DNSBL servers.
+
+|  Setting   |                                  Default                                   | Context |Multiple|      Description      |
+|------------|----------------------------------------------------------------------------|---------|--------|-----------------------|
+|`USE_DNSBL` |`yes`                                                                       |multisite|no      |Activate DNSBL feature.|
+|`DNSBL_LIST`|`bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org`|global   |no      |List of DNSBL servers. |
+
+### Errors
+
+STREAM support :x:
+
+Manage default error pages
+
+|         Setting         |                     Default                     | Context |Multiple|                                                      Description                                                       |
+|-------------------------|-------------------------------------------------|---------|--------|------------------------------------------------------------------------------------------------------------------------|
+|`ERRORS`                 |                                                 |multisite|no      |List of HTTP error code and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...).|
+|`INTERCEPTED_ERROR_CODES`|`400 401 403 404 405 413 429 500 501 502 503 504`|multisite|no      |List of HTTP error code intercepted by Bunkerweb                                                                        |
+
+### Greylist
+
+STREAM support :warning:
+
+Allow access while keeping security features based on internal and external IP/network/rDNS/ASN greylists.
+
+|         Setting          |Default| Context |Multiple|                                         Description                                          |
+|--------------------------|-------|---------|--------|----------------------------------------------------------------------------------------------|
+|`USE_GREYLIST`            |`no`   |multisite|no      |Activate greylist feature.                                                                    |
+|`GREYLIST_IP`             |       |multisite|no      |List of IP/network, separated with spaces, to put into the greylist.                          |
+|`GREYLIST_IP_URLS`        |       |global   |no      |List of URLs, separated with spaces, containing good IP/network to put into the greylist.     |
+|`GREYLIST_RDNS_GLOBAL`    |`yes`  |multisite|no      |Only perform RDNS greylist checks on global IP addresses.                                     |
+|`GREYLIST_RDNS`           |       |multisite|no      |List of reverse DNS suffixes, separated with spaces, to put into the greylist.                |
+|`GREYLIST_RDNS_URLS`      |       |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist.|
+|`GREYLIST_ASN`            |       |multisite|no      |List of ASN numbers, separated with spaces, to put into the greylist.                         |
+|`GREYLIST_ASN_URLS`       |       |global   |no      |List of URLs, separated with spaces, containing ASN to put into the greylist.                 |
+|`GREYLIST_USER_AGENT`     |       |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to put into the greylist.             |
+|`GREYLIST_USER_AGENT_URLS`|       |global   |no      |List of URLs, separated with spaces, containing good User-Agent to put into the greylist.     |
+|`GREYLIST_URI`            |       |multisite|no      |List of URI (PCRE regex), separated with spaces, to put into the greylist.                    |
+|`GREYLIST_URI_URLS`       |       |global   |no      |List of URLs, separated with spaces, containing bad URI to put into the greylist.             |
+
+### Gzip
+
+STREAM support :x:
+
+Compress HTTP requests with the gzip algorithm.
+
+|     Setting     |                                                                                                                                                                                                            Default                                                                                                                                                                                                             | Context |Multiple|                     Description                     |
+|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|-----------------------------------------------------|
+|`USE_GZIP`       |`no`                                                                                                                                                                                                                                                                                                                                                                                                                            |multisite|no      |Use gzip                                             |
+|`GZIP_TYPES`     |`application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml`|multisite|no      |List of MIME types that will be compressed with gzip.|
+|`GZIP_MIN_LENGTH`|`1000`                                                                                                                                                                                                                                                                                                                                                                                                                          |multisite|no      |Minimum length for gzip compression.                 |
+|`GZIP_COMP_LEVEL`|`5`                                                                                                                                                                                                                                                                                                                                                                                                                             |multisite|no      |The compression level of the gzip algorithm.         |
+
+### HTML injection
+
+STREAM support :x:
+
+Inject custom HTML code before the </body> tag.
+
+|   Setting   |Default| Context |Multiple|      Description       |
+|-------------|-------|---------|--------|------------------------|
+|`INJECT_BODY`|       |multisite|no      |The HTML code to inject.|
+
+### Headers
+
+STREAM support :x:
+
+Manage HTTP headers sent to clients.
+
+|               Setting               |                                                                                                                                                                                                                                                                                                                                                       Default                                                                                                                                                                                                                                                                                                                                                       | Context |Multiple|                                         Description                                          |
+|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------------------|
+|`CUSTOM_HEADER`                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |multisite|yes     |Custom header to add (HeaderName: HeaderValue).                                               |
+|`REMOVE_HEADERS`                     |`Server Expect-CT X-Powered-By X-AspNet-Version X-AspNetMvc-Version`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |multisite|no      |Headers to remove (Header1 Header2 Header3 ...)                                               |
+|`KEEP_UPSTREAM_HEADERS`              |`Content-Security-Policy Permissions-Policy Feature-Policy X-Frame-Options`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |multisite|no      |Headers to keep from upstream (Header1 Header2 Header3 ... or * for all).                     |
+|`STRICT_TRANSPORT_SECURITY`          |`max-age=31536000`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |multisite|no      |Value for the Strict-Transport-Security header.                                               |
+|`COOKIE_FLAGS`                       |`* HttpOnly SameSite=Lax`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |multisite|yes     |Cookie flags automatically added to all cookies (value accepted for nginx_cookie_flag_module).|
+|`COOKIE_AUTO_SECURE_FLAG`            |`yes`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |multisite|no      |Automatically add the Secure flag to all cookies.                                             |
+|`CONTENT_SECURITY_POLICY`            |`object-src 'none'; form-action 'self'; frame-ancestors 'self';`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |multisite|no      |Value for the Content-Security-Policy header.                                                 |
+|`CONTENT_SECURITY_POLICY_REPORT_ONLY`|`no`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |multisite|no      |Send reports for violations of the Content-Security-Policy header instead of blocking them.   |
+|`REFERRER_POLICY`                    |`strict-origin-when-cross-origin`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |multisite|no      |Value for the Referrer-Policy header.                                                         |
+|`PERMISSIONS_POLICY`                 |`accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()`                                                                                                                                                                                   |multisite|no      |Value for the Permissions-Policy header.                                                      |
+|`FEATURE_POLICY`                     |`accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'none'; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';`|multisite|no      |Value for the Feature-Policy header.                                                          |
+|`X_FRAME_OPTIONS`                    |`SAMEORIGIN`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |multisite|no      |Value for the X-Frame-Options header.                                                         |
+|`X_CONTENT_TYPE_OPTIONS`             |`nosniff`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |multisite|no      |Value for the X-Content-Type-Options header.                                                  |
+|`X_XSS_PROTECTION`                   |`1; mode=block`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |multisite|no      |Value for the X-XSS-Protection header.                                                        |
+
+### Let's Encrypt
+
+STREAM support :white_check_mark:
+
+Automatic creation, renewal and configuration of Let's Encrypt certificates.
+
+|         Setting          |Default| Context |Multiple|                                                                                 Description                                                                                 |
+|--------------------------|-------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|`AUTO_LETS_ENCRYPT`       |`no`   |multisite|no      |Activate automatic Let's Encrypt mode.                                                                                                                                       |
+|`EMAIL_LETS_ENCRYPT`      |       |multisite|no      |Email used for Let's Encrypt notification and in certificate.                                                                                                                |
+|`USE_LETS_ENCRYPT_STAGING`|`no`   |multisite|no      |Use the staging environment for Let’s Encrypt certificate generation. Useful when you are testing your deployments to avoid being rate limited in the production environment.|
+
+### Limit
+
+STREAM support :warning:
+
+Limit maximum number of requests and connections.
+
+|        Setting        |Default| Context |Multiple|                                         Description                                         |
+|-----------------------|-------|---------|--------|---------------------------------------------------------------------------------------------|
+|`USE_LIMIT_REQ`        |`yes`  |multisite|no      |Activate limit requests feature.                                                             |
+|`LIMIT_REQ_URL`        |`/`    |multisite|yes     |URL (PCRE regex) where the limit request will be applied or special value / for all requests.|
+|`LIMIT_REQ_RATE`       |`2r/s` |multisite|yes     |Rate to apply to the URL (s for second, m for minute, h for hour and d for day).             |
+|`USE_LIMIT_CONN`       |`yes`  |multisite|no      |Activate limit connections feature.                                                          |
+|`LIMIT_CONN_MAX_HTTP1` |`10`   |multisite|no      |Maximum number of connections per IP when using HTTP/1.X protocol.                           |
+|`LIMIT_CONN_MAX_HTTP2` |`100`  |multisite|no      |Maximum number of streams per IP when using HTTP/2 protocol.                                 |
+|`LIMIT_CONN_MAX_STREAM`|`10`   |multisite|no      |Maximum number of connections per IP when using stream.                                      |
+
+### Miscellaneous
+
+STREAM support :warning:
+
+Miscellaneous settings.
+
+|           Setting           |        Default        | Context |Multiple|                                                         Description                                                         |
+|-----------------------------|-----------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
+|`DISABLE_DEFAULT_SERVER`     |`no`                   |global   |no      |Close connection if the request vhost is unknown.                                                                            |
+|`REDIRECT_HTTP_TO_HTTPS`     |`no`                   |multisite|no      |Redirect all HTTP request to HTTPS.                                                                                          |
+|`AUTO_REDIRECT_HTTP_TO_HTTPS`|`yes`                  |multisite|no      |Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case.                                    |
+|`ALLOWED_METHODS`            |`GET|POST|HEAD`        |multisite|no      |Allowed HTTP and WebDAV methods, separated with pipes to be sent by clients.                                                 |
+|`MAX_CLIENT_SIZE`            |`10m`                  |multisite|no      |Maximum body size (0 for infinite).                                                                                          |
+|`SERVE_FILES`                |`yes`                  |multisite|no      |Serve files from the local folder.                                                                                           |
+|`ROOT_FOLDER`                |                       |multisite|no      |Root folder containing files to serve (/var/www/html/{server_name} if unset).                                                |
+|`SSL_PROTOCOLS`              |`TLSv1.2 TLSv1.3`      |multisite|no      |The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons.                      |
+|`HTTP2`                      |`yes`                  |multisite|no      |Support HTTP2 protocol when HTTPS is enabled.                                                                                |
+|`LISTEN_HTTP`                |`yes`                  |multisite|no      |Respond to (insecure) HTTP requests.                                                                                         |
+|`USE_OPEN_FILE_CACHE`        |`no`                   |multisite|no      |Enable open file cache feature                                                                                               |
+|`OPEN_FILE_CACHE`            |`max=1000 inactive=20s`|multisite|no      |Open file cache directive                                                                                                    |
+|`OPEN_FILE_CACHE_ERRORS`     |`yes`                  |multisite|no      |Enable open file cache for errors                                                                                            |
+|`OPEN_FILE_CACHE_MIN_USES`   |`2`                    |multisite|no      |Enable open file cache minimum uses                                                                                          |
+|`OPEN_FILE_CACHE_VALID`      |`30s`                  |multisite|no      |Open file cache valid time                                                                                                   |
+|`EXTERNAL_PLUGIN_URLS`       |                       |global   |no      |List of external plugins URLs (direct download to .zip or .tar file) to download and install (URLs are separated with space).|
+|`DENY_HTTP_STATUS`           |`403`                  |global   |no      |HTTP status code to send when the request is denied (403 or 444). When using 444, BunkerWeb will close the connection.       |
+
+### ModSecurity
+
+STREAM support :x:
+
+Management of the ModSecurity WAF.
+
+|             Setting             |   Default    | Context |Multiple|               Description                |
+|---------------------------------|--------------|---------|--------|------------------------------------------|
+|`USE_MODSECURITY`                |`yes`         |multisite|no      |Enable ModSecurity WAF.                   |
+|`USE_MODSECURITY_CRS`            |`yes`         |multisite|no      |Enable OWASP Core Rule Set.               |
+|`MODSECURITY_SEC_AUDIT_ENGINE`   |`RelevantOnly`|multisite|no      |SecAuditEngine directive of ModSecurity.  |
+|`MODSECURITY_SEC_RULE_ENGINE`    |`On`          |multisite|no      |SecRuleEngine directive of ModSecurity.   |
+|`MODSECURITY_SEC_AUDIT_LOG_PARTS`|`ABCFHZ`      |multisite|no      |SecAuditLogParts directive of ModSecurity.|
+
+### PHP
+
+STREAM support :x:
+
+Manage local or remote PHP-FPM.
+
+|     Setting     |Default| Context |Multiple|                        Description                         |
+|-----------------|-------|---------|--------|------------------------------------------------------------|
+|`REMOTE_PHP`     |       |multisite|no      |Hostname of the remote PHP-FPM instance.                    |
+|`REMOTE_PHP_PATH`|       |multisite|no      |Root folder containing files in the remote PHP-FPM instance.|
+|`LOCAL_PHP`      |       |multisite|no      |Path to the PHP-FPM socket file.                            |
+|`LOCAL_PHP_PATH` |       |multisite|no      |Root folder containing files in the local PHP-FPM instance. |
+
+### Real IP
+
+STREAM support :warning:
+
+Get real IP of clients when BunkerWeb is behind a reverse proxy / load balancer.
+
+|      Setting       |                 Default                 | Context |Multiple|                                              Description                                               |
+|--------------------|-----------------------------------------|---------|--------|--------------------------------------------------------------------------------------------------------|
+|`USE_REAL_IP`       |`no`                                     |multisite|no      |Retrieve the real IP of client.                                                                         |
+|`USE_PROXY_PROTOCOL`|`no`                                     |multisite|no      |Enable PROXY protocol communication.                                                                    |
+|`REAL_IP_FROM`      |`192.168.0.0/16 172.16.0.0/12 10.0.0.0/8`|multisite|no      |List of trusted IPs / networks, separated with spaces, where proxied requests come from.                |
+|`REAL_IP_FROM_URLS` |                                         |global   |no      |List of URLs containing trusted IPs / networks, separated with spaces, where proxied requests come from.|
+|`REAL_IP_HEADER`    |`X-Forwarded-For`                        |multisite|no      |HTTP header containing the real IP or special value proxy_protocol for PROXY protocol.                  |
+|`REAL_IP_RECURSIVE` |`yes`                                    |multisite|no      |Perform a recursive search in the header container IP address.                                          |
+
+### Redirect
+
+STREAM support :x:
+
+Manage HTTP redirects.
+
+|         Setting         |Default| Context |Multiple|                   Description                   |
+|-------------------------|-------|---------|--------|-------------------------------------------------|
+|`REDIRECT_TO`            |       |multisite|no      |Redirect a whole site to another one.            |
+|`REDIRECT_TO_REQUEST_URI`|`no`   |multisite|no      |Append the requested URI to the redirect address.|
+|`REDIRECT_TO_STATUS_CODE`|`301`  |multisite|no      |Status code to send to client when redirecting.  |
+
+### Redis
+
+STREAM support :white_check_mark:
+
+Redis server configuration when using BunkerWeb in cluster mode.
+
+|       Setting        |Default|Context|Multiple|                           Description                            |
+|----------------------|-------|-------|--------|------------------------------------------------------------------|
+|`USE_REDIS`           |`no`   |global |no      |Activate Redis.                                                   |
+|`REDIS_HOST`          |       |global |no      |Redis server IP or hostname.                                      |
+|`REDIS_PORT`          |`6379` |global |no      |Redis server port.                                                |
+|`REDIS_DATABASE`      |`0`    |global |no      |Redis database number.                                            |
+|`REDIS_SSL`           |`no`   |global |no      |Use SSL/TLS connection with Redis server.                         |
+|`REDIS_TIMEOUT`       |`1000` |global |no      |Redis server timeout (in ms) for connect, read and write.         |
+|`REDIS_KEEPALIVE_IDLE`|`30000`|global |no      |Max idle time (in ms) before closing redis connection in the pool.|
+|`REDIS_KEEPALIVE_POOL`|`10`   |global |no      |Max number of redis connection(s) kept in the pool.               |
+
+### Reverse proxy
+
+STREAM support :warning:
+
+Manage reverse proxy configurations.
+
+|                Setting                |             Default              | Context |Multiple|                                                         Description                                                         |
+|---------------------------------------|----------------------------------|---------|--------|-----------------------------------------------------------------------------------------------------------------------------|
+|`USE_REVERSE_PROXY`                    |`no`                              |multisite|no      |Activate reverse proxy mode.                                                                                                 |
+|`REVERSE_PROXY_INTERCEPT_ERRORS`       |`yes`                             |multisite|no      |Intercept and rewrite errors.                                                                                                |
+|`REVERSE_PROXY_HOST`                   |                                  |multisite|yes     |Full URL of the proxied resource (proxy_pass).                                                                               |
+|`REVERSE_PROXY_URL`                    |                                  |multisite|yes     |Location URL that will be proxied.                                                                                           |
+|`REVERSE_PROXY_WS`                     |`no`                              |multisite|yes     |Enable websocket on the proxied resource.                                                                                    |
+|`REVERSE_PROXY_HEADERS`                |                                  |multisite|yes     |List of HTTP headers to send to proxied resource separated with semicolons (values for proxy_set_header directive).          |
+|`REVERSE_PROXY_HEADERS_CLIENT`         |                                  |multisite|yes     |List of HTTP headers to send to client separated with semicolons (values for add_header directive).                          |
+|`REVERSE_PROXY_BUFFERING`              |`yes`                             |multisite|yes     |Enable or disable buffering of responses from proxied resource.                                                              |
+|`REVERSE_PROXY_KEEPALIVE`              |`no`                              |multisite|yes     |Enable or disable keepalive connections with the proxied resource.                                                           |
+|`REVERSE_PROXY_AUTH_REQUEST`           |                                  |multisite|yes     |Enable authentication using an external provider (value of auth_request directive).                                          |
+|`REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL`|                                  |multisite|yes     |Redirect clients to sign-in URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).            |
+|`REVERSE_PROXY_AUTH_REQUEST_SET`       |                                  |multisite|yes     |List of variables to set from the authentication provider, separated with semicolons (values of auth_request_set directives).|
+|`USE_PROXY_CACHE`                      |`no`                              |multisite|no      |Enable or disable caching of the proxied resources.                                                                          |
+|`PROXY_CACHE_PATH_LEVELS`              |`1:2`                             |global   |no      |Hierarchy levels of the cache.                                                                                               |
+|`PROXY_CACHE_PATH_ZONE_SIZE`           |`10m`                             |global   |no      |Maximum size of cached metadata when caching proxied resources.                                                              |
+|`PROXY_CACHE_PATH_PARAMS`              |`max_size=100m`                   |global   |no      |Additional parameters to add to the proxy_cache directive.                                                                   |
+|`PROXY_CACHE_METHODS`                  |`GET HEAD`                        |multisite|no      |HTTP methods that should trigger a cache operation.                                                                          |
+|`PROXY_CACHE_MIN_USES`                 |`2`                               |multisite|no      |The minimum number of requests before a response is cached.                                                                  |
+|`PROXY_CACHE_KEY`                      |`$scheme$host$request_uri`        |multisite|no      |The key used to uniquely identify a cached response.                                                                         |
+|`PROXY_CACHE_VALID`                    |`200=24h 301=1h 302=24h`          |multisite|no      |Define the caching time depending on the HTTP status code (list of status=time), separated with spaces.                      |
+|`PROXY_NO_CACHE`                       |`$http_pragma $http_authorization`|multisite|no      |Conditions to disable caching of responses.                                                                                  |
+|`PROXY_CACHE_BYPASS`                   |`0`                               |multisite|no      |Conditions to bypass caching of responses.                                                                                   |
+|`REVERSE_PROXY_CONNECT_TIMEOUT`        |`60s`                             |multisite|yes     |Timeout when connecting to the proxied resource.                                                                             |
+|`REVERSE_PROXY_READ_TIMEOUT`           |`60s`                             |multisite|yes     |Timeout when reading from the proxied resource.                                                                              |
+|`REVERSE_PROXY_SEND_TIMEOUT`           |`60s`                             |multisite|yes     |Timeout when sending to the proxied resource.                                                                                |
+
+### Reverse scan
+
+STREAM support :white_check_mark:
+
+Scan clients ports to detect proxies or servers.
+
+|       Setting        |         Default          | Context |Multiple|                           Description                            |
+|----------------------|--------------------------|---------|--------|------------------------------------------------------------------|
+|`USE_REVERSE_SCAN`    |`no`                      |multisite|no      |Enable scanning of clients ports and deny access if one is opened.|
+|`REVERSE_SCAN_PORTS`  |`22 80 443 3128 8000 8080`|multisite|no      |List of port to scan when using reverse scan feature.             |
+|`REVERSE_SCAN_TIMEOUT`|`500`                     |multisite|no      |Specify the maximum timeout (in ms) when scanning a port.         |
+
+### Self-signed certificate
+
+STREAM support :white_check_mark:
+
+Generate self-signed certificate.
+
+|         Setting          |       Default        | Context |Multiple|               Description               |
+|--------------------------|----------------------|---------|--------|-----------------------------------------|
+|`GENERATE_SELF_SIGNED_SSL`|`no`                  |multisite|no      |Generate and use self-signed certificate.|
+|`SELF_SIGNED_SSL_EXPIRY`  |`365`                 |multisite|no      |Self-signed certificate expiry in days.  |
+|`SELF_SIGNED_SSL_SUBJ`    |`/CN=www.example.com/`|multisite|no      |Self-signed certificate subject.         |
+
+### Sessions
+
+STREAM support :white_check_mark:
+
+Management of session used by other plugins.
+
+|          Setting          |Default |Context|Multiple|                                   Description                                   |
+|---------------------------|--------|-------|--------|---------------------------------------------------------------------------------|
+|`SESSIONS_SECRET`          |`random`|global |no      |Secret used to encrypt sessions variables for storing data related to challenges.|
+|`SESSIONS_NAME`            |`random`|global |no      |Name of the cookie given to clients.                                             |
+|`SESSIONS_IDLING_TIMEOUT`  |`1800`  |global |no      |Maximum time (in seconds) of inactivity before the session is invalidated.       |
+|`SESSIONS_ROLLING_TIMEOUT` |`3600`  |global |no      |Maximum time (in seconds) before a session must be renewed.                      |
+|`SESSIONS_ABSOLUTE_TIMEOUT`|`86400` |global |no      |Maximum time (in seconds) before a session is destroyed.                         |
+|`SESSIONS_CHECK_IP`        |`yes`   |global |no      |Destroy session if IP address is different than original one.                    |
+|`SESSIONS_CHECK_USER_AGENT`|`yes`   |global |no      |Destroy session if User-Agent is different than original one.                    |
+
+### UI
+
+STREAM support :x:
+
+Integrate easily the BunkerWeb UI.
+
+|Setting |Default| Context |Multiple|Description|
+|--------|-------|---------|--------|-----------|
+|`USE_UI`|`no`   |multisite|no      |Use UI     |
+
+### Whitelist
+
+STREAM support :warning:
+
+Allow access based on internal and external IP/network/rDNS/ASN whitelists.
+
+|          Setting          |                                                                                  Default                                                                                   | Context |Multiple|                                   Description                                    |
+|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|--------|----------------------------------------------------------------------------------|
+|`USE_WHITELIST`            |`yes`                                                                                                                                                                       |multisite|no      |Activate whitelist feature.                                                       |
+|`WHITELIST_IP`             |`20.191.45.212 40.88.21.235 40.76.173.151 40.76.163.7 20.185.79.47 52.142.26.175 20.185.79.15 52.142.24.149 40.76.162.208 40.76.163.23 40.76.162.191 40.76.162.247`         |multisite|no      |List of IP/network, separated with spaces, to put into the whitelist.             |
+|`WHITELIST_IP_URLS`        |                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing good IP/network to whitelist.     |
+|`WHITELIST_RDNS_GLOBAL`    |`yes`                                                                                                                                                                       |multisite|no      |Only perform RDNS whitelist checks on global IP addresses.                        |
+|`WHITELIST_RDNS`           |`.google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com .twitter.com .twttr.com .discord.com`|multisite|no      |List of reverse DNS suffixes, separated with spaces, to whitelist.                |
+|`WHITELIST_RDNS_URLS`      |                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing reverse DNS suffixes to whitelist.|
+|`WHITELIST_ASN`            |`32934`                                                                                                                                                                     |multisite|no      |List of ASN numbers, separated with spaces, to whitelist.                         |
+|`WHITELIST_ASN_URLS`       |                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing ASN to whitelist.                 |
+|`WHITELIST_USER_AGENT`     |                                                                                                                                                                            |multisite|no      |List of User-Agent (PCRE regex), separated with spaces, to whitelist.             |
+|`WHITELIST_USER_AGENT_URLS`|                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing good User-Agent to whitelist.     |
+|`WHITELIST_URI`            |                                                                                                                                                                            |multisite|no      |List of URI (PCRE regex), separated with spaces, to whitelist.                    |
+|`WHITELIST_URI_URLS`       |                                                                                                                                                                            |global   |no      |List of URLs, separated with spaces, containing bad URI to whitelist.             |

docs/troubleshooting.md

@@ -0,0 +1,287 @@
+# Troubleshooting
+
+## Logs
+
+When troubleshooting, logs are your best friends. We try our best to provide user-friendly logs to help you understand what's happening.
+
+Please note that you can set `LOG_LEVEL` setting to `info` (default : `notice`) to increase the verbosity of BunkerWeb.
+
+Here is how you can access the logs, depending on your integration :
+
+=== "Docker"
+
+    !!! tip "List containers"
+    	To list the running containers, you can use the following command :
+    	```shell
+    	docker ps
+    	```
+
+    You can use the `docker logs` command (replace `mybunker` with the name of your container) :
+    ```shell
+    docker logs mybunker
+    ```
+
+    Here is the docker-compose equivalent (replace `mybunker` with the name of the services declared in the docker-compose.yml file) :
+    ```shell
+    docker-compose logs mybunker
+    ```
+
+=== "Docker autoconf"
+
+    !!! tip "List containers"
+    	To list the running containers, you can use the following command :
+    	```shell
+    	docker ps
+    	```
+
+    You can use the `docker logs` command (replace `mybunker` and `myautoconf` with the name of your containers) :
+    ```shell
+    docker logs mybunker
+    docker logs myautoconf
+    ```
+
+    Here is the docker-compose equivalent (replace `mybunker` and `myautoconf` with the name of the services declared in the docker-compose.yml file) :
+    ```shell
+    docker-compose logs mybunker
+    docker-compose logs myautoconf
+    ```
+
+=== "Swarm"
+
+    !!! tip "List services"
+    	To list the services, you can use the following command :
+    	```shell
+    	docker service ls
+    	```
+
+    You can use the `docker service logs` command (replace `mybunker` and `myautoconf` with the name of your services) :
+    ```shell
+    docker service logs mybunker
+    docker service logs myautoconf
+    ```
+
+=== "Kubernetes"
+
+    !!! tip "List pods"
+    	To list the pods, you can use the following command :
+    	```shell
+    	kubectl get pods
+    	```
+    You can use the `kubectl logs` command (replace `mybunker` and `myautoconf` with the name of your pods) :
+    ```shell
+    kubectl logs mybunker
+    kubectl logs myautoconf
+    ```
+
+=== "Linux"
+
+    For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
+    ```shell
+    journalctl -u bunkerweb --no-pager
+    ```
+
+    Common logs are located inside the `/var/log/bunkerweb` directory :
+    ```shell
+    cat /var/log/bunkerweb/error.log
+    cat /var/log/bunkerweb/access.log
+    ```
+
+=== "Ansible"
+
+    For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
+    ```shell
+    ansible -i inventory.yml all -a "journalctl -u bunkerweb --no-pager" --become
+    ```
+
+    Common logs are located inside the `/var/log/bunkerweb` directory :
+    ```shell
+    ansible -i inventory.yml all -a "cat /var/log/bunkerweb/error.log" --become
+    ansible -i inventory.yml all -a "cat /var/log/bunkerweb/access.log" --become
+    ```
+
+=== "Vagrant"
+
+    For errors related to BunkerWeb services (e.g. not starting), you can use `journalctl` :
+    ```shell
+    journalctl -u bunkerweb --no-pager
+    ```
+
+    Common logs are located inside the `/var/log/bunkerweb` directory :
+    ```shell
+    cat /var/log/bunkerweb/error.log
+    cat /var/log/bunkerweb/access.log
+    ```
+
+## Permissions
+
+Don't forget that BunkerWeb runs as an unprivileged user for obvious security reasons. Double-check the permissions of files and folders used by BunkerWeb, especially if you use custom configurations (more info [here](quickstart-guide.md#custom-configurations)). You will need to set at least **RW** rights on files and **_RWX_** on folders.
+
+## ModSecurity
+
+The default BunkerWeb configuration of ModSecurity is to load the Core Rule Set in anomaly scoring mode with a paranoia level (PL) of 1 :
+
+- Each matched rule will increase an anomaly score (so many rules can match a single request)
+- PL1 includes rules with fewer chances of false positives (but less security than PL4)
+- the default threshold for anomaly score is 5 for requests and 4 for responses
+
+Let's take the following logs as an example of ModSecurity detection using default configuration (formatted for better readability) :
+
+```log
+2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:id' (Value: `/etc/passwd' )
+	[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
+	[line "78"]
+	[id "930120"]
+	[rev ""]
+	[msg "OS File Access Attempt"]
+	[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
+	[severity "2"]
+	[ver "OWASP_CRS/3.3.2"]
+	[maturity "0"]
+	[accuracy "0"]
+	[tag "application-multi"]
+	[tag "language-multi"]
+	[tag "platform-multi"]
+	[tag "attack-lfi"]
+	[tag "paranoia-level/1"]
+	[tag "OWASP_CRS"]
+	[tag "capec/1000/255/153/126"]
+	[tag "PCI/6.5.4"]
+	[hostname "172.17.0.2"]
+	[uri "/"]
+	[unique_id "165097447014.179282"]
+	[ref "o1,10v9,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
+	client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
+2022/04/26 12:01:10 [warn] 85#85: *11 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:id' (Value: `/etc/passwd' )
+	[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]
+	[line "480"]
+	[id "932160"]
+	[rev ""]
+	[msg "Remote Command Execution: Unix Shell Code Found"]
+	[data "Matched Data: etc/passwd found within ARGS:id: /etc/passwd"]
+	[severity "2"]
+	[ver "OWASP_CRS/3.3.2"]
+	[maturity "0"]
+	[accuracy "0"]
+	[tag "application-multi"]
+	[tag "language-shell"]
+	[tag "platform-unix"]
+	[tag "attack-rce"]
+	[tag "paranoia-level/1"]
+	[tag "OWASP_CRS"]
+	[tag "capec/1000/152/248/88"]
+	[tag "PCI/6.5.2"]
+	[hostname "172.17.0.2"]
+	[uri "/"]
+	[unique_id "165097447014.179282"]
+	[ref "o1,10v9,11t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"],
+	client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
+2022/04/26 12:01:10 [error] 85#85: *11 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' )
+	[file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
+	[line "80"]
+	[id "949110"]
+	[rev ""]
+	[msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]
+	[data ""]
+	[severity "2"]
+	[ver "OWASP_CRS/3.3.2"]
+	[maturity "0"]
+	[accuracy "0"]
+	[tag "application-multi"]
+	[tag "language-multi"]
+	[tag "platform-multi"]
+	[tag "attack-generic"]
+	[hostname "172.17.0.2"]
+	[uri "/"]
+	[unique_id "165097447014.179282"]
+	[ref ""],
+	client: 172.17.0.1, server: localhost, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
+```
+
+As we can see, there are 3 different logs :
+
+1. Rule **930120** matched
+2. Rule **932160** matched
+3. Access denied (rule **949110**)
+
+One important thing to understand is that rule **949110** is not a "real" one : it's the one that will deny the request because the anomaly threshold is reached (which is **10** in this example). You should never remove the **949110** rule !
+
+If it's a false-positive, you should then focus on both **930120** and **932160** rules. ModSecurity and/or CRS tuning is out of the scope of this documentation but don't forget that you can apply custom configurations before and after the CRS is loaded (more info [here](quickstart-guide.md#custom-configurations)).
+
+## Bad Behavior
+
+A common false-positive case is when the client is banned because of the "bad behavior" feature which means that too many suspicious HTTP status codes were generated within a time period (more info [here](security-tuning.md#bad-behavior)). You should start by reviewing the settings and then edit them according to your web application(s) like removing a suspicious HTTP code, decreasing the count time, increasing the threshold, ...
+
+## IP unban
+
+You can manually unban an IP which can be useful when doing some tests but it needs the setting `USE_API` set to `yes` (which is not the default) so you can contact the internal API of BunkerWeb (replace `1.2.3.4` with the IP address to unban) :
+
+=== "Docker"
+
+    You can use the `docker exec` command (replace `mybunker` with the name of your container) :
+    ```shell
+    docker exec mybunker bwcli unban 1.2.3.4
+    ```
+
+    Here is the docker-compose equivalent (replace `mybunker` with the name of the services declared in the docker-compose.yml file) :
+    ```shell
+    docker-compose exec mybunker bwcli unban 1.2.3.4
+    ```
+
+=== "Docker autoconf"
+
+    You can use the `docker exec` command (replace `myautoconf` with the name of your container) :
+    ```shell
+    docker exec myautoconf bwcli unban 1.2.3.4
+    ```
+
+    Here is the docker-compose equivalent (replace `myautoconf` with the name of the services declared in the docker-compose.yml file) :
+    ```shell
+    docker-compose exec myautoconf bwcli unban 1.2.3.4
+    ```
+
+=== "Swarm"
+
+    You can use the `docker exec` command (replace `myautoconf` with the name of your service) :
+    ```shell
+    docker exec $(docker ps -q -f name=myautoconf) bwcli unban 1.2.3.4
+    ```
+
+=== "Kubernetes"
+
+    You can use the `kubectl exec` command (replace `myautoconf` with the name of your pod) :
+    ```shell
+    kubectl exec myautoconf bwcli unban 1.2.3.4
+    ```
+
+=== "Linux"
+
+    You can use the `bwcli` command (as root) :
+    ```shell
+    sudo bwcli unban 1.2.3.4
+    ```
+
+=== "Ansible"
+
+    You can use the `bwcli` command :
+    ```shell
+	ansible -i inventory.yml all -a "bwcli unban 1.2.3.4" --become
+    ```
+
+=== "Vagrant"
+
+    You can use the `bwcli` command (as root) :
+    ```shell
+    sudo bwcli unban 1.2.3.4
+    ```
+
+## Whitelisting
+
+If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
+
+- Healthcheck / status bot
+- Callback like IPN or webhook
+- Social media crawler
+
+## Timezone
+
+When using container-based integrations, the timezone of the container may not match the one of the host machine. To resolve that, you can set the `TZ` environment variable to the timezone of your choice on your containers (e.g. `TZ=Europe/Paris`). You will find the list of timezone identifiers [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List).

docs/web-ui.md

@@ -0,0 +1,950 @@
+# Web UI
+
+## Overview
+
+<p align="center">
+	<iframe style="display: block;" width="560" height="315" src="https://www.youtube-nocookie.com/embed/Ao20SfvQyr4" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+</p>
+
+The "Web UI" is a web application that helps you manage your BunkerWeb instance using a user-friendly interface instead of the command-line one.
+
+## Features
+
+- Start, stop, restart and reload your BunkerWeb instance
+- Add, edit and delete settings for your web applications
+- Add, edit and delete custom configurations for NGINX and ModSecurity
+- Install and uninstall external plugins
+- Explore the cached files
+- Monitor jobs execution
+- View the logs and search pattern
+
+## Installation
+
+Because the web UI is a web application, the recommended installation procedure is to use BunkerWeb in front of it as a reverse proxy.
+
+!!! warning "Security considerations"
+
+    The security of the web UI is really important. If someone manages to gain access to the application, not only he will be able to edit your configurations but he could execute some code in the context of BunkerWeb (with a custom configuration containing LUA code for example). We highly recommend you to follow minimal security best practices like :
+
+    * Choose a strong password for the login (**at least 8 chars with 1 lower case letter, 1 upper case letter, 1 digit and 1 special char is required**)
+    * Put the web UI under a "hard to guess" URI
+    * Do not open the web UI on the Internet without any further restrictions
+    * Apply settings listed in the [security tuning section](security-tuning.md) of the documentation
+
+!!! info "Multisite mode"
+
+    The usage of the web UI implies enabling the [multisite mode](concepts.md#multisite-mode).
+
+=== "Docker"
+
+    The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
+
+    ```shell
+    docker pull bunkerity/bunkerweb-ui
+    ```
+
+    Alternatively, you can also build it yourself :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb.git && \
+    cd bunkerweb && \
+    docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
+    ```
+
+    The following environment variables are used to configure the web UI container :
+
+    - `ADMIN_USERNAME` : username to access the web UI
+    - `ADMIN_PASSWORD` : password to access the web UI
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
+
+    !!! info "Database backend"
+
+        If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
+
+    Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
+
+    ```yaml
+    version: "3.5"
+
+    services:
+      bunkerweb:
+        image: bunkerity/bunkerweb:1.5.3
+        ports:
+          - 80:8080
+          - 443:8443
+        labels:
+          - "bunkerweb.INSTANCE=yes"
+        environment:
+          - SERVER_NAME=www.example.com
+          - MULTISITE=yes
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
+          - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+          - DISABLE_DEFAULT_SERVER=yes
+          - USE_CLIENT_CACHE=yes
+          - USE_GZIP=yes
+          - www.example.com_USE_UI=yes
+          - www.example.com_USE_REVERSE_PROXY=yes
+          - www.example.com_REVERSE_PROXY_URL=/changeme
+          - www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
+          - www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
+        networks:
+          - bw-universe
+          - bw-services
+
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        depends_on:
+          - bunkerweb
+          - bw-docker
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
+          - DOCKER_HOST=tcp://bw-docker:2375
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-docker:
+        image: tecnativa/docker-socket-proxy:nightly
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock:ro
+        environment:
+          - CONTAINERS=1
+          - LOG_LEVEL=warning
+        networks:
+          - bw-docker
+
+      bw-ui:
+        image: bunkerity/bunkerweb-ui:1.5.3
+        depends_on:
+          - bw-docker
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - ADMIN_USERNAME=changeme
+          - ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-db:
+        image: mariadb:10.10
+        environment:
+          - MYSQL_RANDOM_ROOT_PASSWORD=yes
+          - MYSQL_DATABASE=db
+          - MYSQL_USER=bunkerweb
+          - MYSQL_PASSWORD=changeme # Remember to set a stronger password for the database
+        volumes:
+          - bw-data:/var/lib/mysql
+        networks:
+          - bw-docker
+
+    volumes:
+      bw-data:
+
+    networks:
+      bw-universe:
+        name: bw-universe
+        ipam:
+          driver: default
+          config:
+            - subnet: 10.20.30.0/24
+      bw-services:
+        name: bw-services
+      bw-docker:
+        name: bw-docker
+    ```
+
+=== "Docker autoconf"
+
+    The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
+
+    ```shell
+    docker pull bunkerity/bunkerweb-ui
+    ```
+
+    Alternatively, you can also build it yourself :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb.git && \
+    cd bunkerweb && \
+    docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
+    ```
+
+    The following environment variables are used to configure the web UI container :
+
+    - `ADMIN_USERNAME` : username to access the web UI
+    - `ADMIN_PASSWORD` : password to access the web UI
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
+
+    !!! info "Database backend"
+
+        If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
+
+    Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
+
+    ```yaml
+    version: "3.5"
+
+    services:
+      bunkerweb:
+        image: bunkerity/bunkerweb:1.5.3
+        ports:
+          - 80:8080
+          - 443:8443
+        labels:
+          - "bunkerweb.INSTANCE=yes"
+        environment:
+          - SERVER_NAME=
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+          - AUTOCONF_MODE=yes
+          - MULTISITE=yes
+          - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+        networks:
+          - bw-universe
+          - bw-services
+
+      bw-autoconf:
+        image: bunkerity/bunkerweb-autoconf:1.5.3
+        depends_on:
+          - bunkerweb
+          - bw-docker
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+          - AUTOCONF_MODE=yes
+          - DOCKER_HOST=tcp://bw-docker:2375
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        depends_on:
+          - bunkerweb
+          - bw-docker
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - AUTOCONF_MODE=yes
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-docker:
+        image: tecnativa/docker-socket-proxy:nightly
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock:ro
+        environment:
+          - CONTAINERS=1
+          - LOG_LEVEL=warning
+        networks:
+          - bw-docker
+
+      bw-db:
+        image: mariadb:10.10
+        environment:
+          - MYSQL_RANDOM_ROOT_PASSWORD=yes
+          - MYSQL_DATABASE=db
+          - MYSQL_USER=bunkerweb
+          - MYSQL_PASSWORD=changeme
+        volumes:
+          - bw-data:/var/lib/mysql
+        networks:
+          - bw-docker
+
+      bw-ui:
+        image: bunkerity/bunkerweb-ui:1.5.3
+        networks:
+          bw-docker:
+          bw-universe:
+            aliases:
+              - bw-ui
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - AUTOCONF_MODE=yes
+          - ADMIN_USERNAME=admin
+          - ADMIN_PASSWORD=changeme
+        labels:
+          - "bunkerweb.SERVER_NAME=www.example.com"
+          - "bunkerweb.USE_UI=yes"
+          - "bunkerweb.USE_REVERSE_PROXY=yes"
+          - "bunkerweb.REVERSE_PROXY_URL=/changeme"
+          - "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
+          - "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
+
+    volumes:
+      bw-data:
+
+    networks:
+      bw-universe:
+        name: bw-universe
+        ipam:
+          driver: default
+          config:
+            - subnet: 10.20.30.0/24
+      bw-services:
+        name: bw-services
+      bw-docker:
+        name: bw-docker
+    ```
+
+=== "Swarm"
+
+    The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) :
+
+    ```shell
+    docker pull bunkerity/bunkerweb-ui
+    ```
+
+    Alternatively, you can also build it yourself :
+
+    ```shell
+    git clone https://github.com/bunkerity/bunkerweb.git && \
+    cd bunkerweb && \
+    docker build -t my-bunkerweb-ui -f src/ui/Dockerfile .
+    ```
+
+    The following environment variables are used to configure the web UI container :
+
+    - `ADMIN_USERNAME` : username to access the web UI
+    - `ADMIN_PASSWORD` : password to access the web UI
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
+
+    !!! info "Database backend"
+
+        If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
+
+    Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
+
+    ```yaml
+    version: "3.5"
+
+    services:
+      bunkerweb:
+        image: bunkerity/bunkerweb:1.5.3
+        ports:
+          - published: 80
+            target: 8080
+            mode: host
+            protocol: tcp
+          - published: 443
+            target: 8443
+            mode: host
+            protocol: tcp
+        environment:
+          - SERVER_NAME=
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+          - SWARM_MODE=yes
+          - MULTISITE=yes
+          - USE_REDIS=yes
+          - REDIS_HOST=bw-redis
+          - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+        networks:
+          - bw-universe
+          - bw-services
+        deploy:
+          mode: global
+          placement:
+            constraints:
+              - "node.role == worker"
+          labels:
+            - "bunkerweb.INSTANCE=yes"
+
+      bw-autoconf:
+        image: bunkerity/bunkerweb-autoconf:1.5.3
+        environment:
+          - SWARM_MODE=yes
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-docker:
+        image: tecnativa/docker-socket-proxy:nightly
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock:ro
+        environment:
+          - CONFIGS=1
+          - CONTAINERS=1
+          - SERVICES=1
+          - SWARM=1
+          - TASKS=1
+          - LOG_LEVEL=warning
+        networks:
+          - bw-docker
+        deploy:
+          placement:
+            constraints:
+              - "node.role == manager"
+
+      bw-scheduler:
+        image: bunkerity/bunkerweb-scheduler:1.5.3
+        environment:
+          - SWARM_MODE=yes
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db
+        networks:
+          - bw-universe
+          - bw-docker
+
+      bw-db:
+        image: mariadb:10.10
+        environment:
+          - MYSQL_RANDOM_ROOT_PASSWORD=yes
+          - MYSQL_DATABASE=db
+          - MYSQL_USER=bunkerweb
+          - MYSQL_PASSWORD=changeme
+        volumes:
+          - bw-data:/var/lib/mysql
+        networks:
+          - bw-docker
+
+      bw-redis:
+        image: redis:7-alpine
+        networks:
+          - bw-universe
+
+      bw-ui:
+        image: bunkerity/bunkerweb-ui:1.5.3
+        environment:
+          - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
+          - DOCKER_HOST=tcp://bw-docker:2375
+          - ADMIN_USERNAME=changeme
+          - ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
+        networks:
+          - bw-universe
+          - bw-docker
+        deploy:
+          labels:
+            - "bunkerweb.SERVER_NAME=www.example.com"
+            - "bunkerweb.USE_UI=yes"
+            - "bunkerweb.USE_REVERSE_PROXY=yes"
+            - "bunkerweb.REVERSE_PROXY_URL=/changeme"
+            - "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
+            - "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
+            - "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
+
+    volumes:
+      bw-data:
+
+    networks:
+      bw-universe:
+        name: bw-universe
+        driver: overlay
+        attachable: true
+        ipam:
+          config:
+            - subnet: 10.20.30.0/24
+      bw-services:
+        name: bw-services
+        driver: overlay
+        attachable: true
+      bw-docker:
+        name: bw-docker
+        driver: overlay
+        attachable: true
+    ```
+
+=== "Kubernetes"
+
+    The web UI can be deployed using a dedicated container which is available on [Docker Hub](https://hub.docker.com/r/bunkerity/bunkerweb-ui) as a standard [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/).
+
+    The following environment variables are used to configure the web UI container :
+
+    - `ADMIN_USERNAME` : username to access the web UI
+    - `ADMIN_PASSWORD` : password to access the web UI
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
+
+    !!! info "Database backend"
+
+        If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.3/misc/integrations) of the repository.
+
+    Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: cr-bunkerweb
+    rules:
+      - apiGroups: [""]
+        resources: ["services", "pods", "configmaps"]
+        verbs: ["get", "watch", "list"]
+      - apiGroups: ["networking.k8s.io"]
+        resources: ["ingresses"]
+        verbs: ["get", "watch", "list"]
+    ---
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: sa-bunkerweb
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: crb-bunkerweb
+    subjects:
+      - kind: ServiceAccount
+        name: sa-bunkerweb
+        namespace: default
+        apiGroup: ""
+    roleRef:
+      kind: ClusterRole
+      name: cr-bunkerweb
+      apiGroup: rbac.authorization.k8s.io
+    ---
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: bunkerweb
+    spec:
+      selector:
+        matchLabels:
+          app: bunkerweb
+      template:
+        metadata:
+          labels:
+            app: bunkerweb
+          # mandatory annotation
+          annotations:
+            bunkerweb.io/INSTANCE: "yes"
+        spec:
+          containers:
+            # using bunkerweb as name is mandatory
+            - name: bunkerweb
+              image: bunkerity/bunkerweb:1.5.3
+              imagePullPolicy: Always
+              securityContext:
+                runAsUser: 101
+                runAsGroup: 101
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+              ports:
+                - containerPort: 8080
+                  hostPort: 80
+                - containerPort: 8443
+                  hostPort: 443
+              env:
+                - name: KUBERNETES_MODE
+                  value: "yes"
+                # replace with your DNS resolvers
+                # e.g. : kube-dns.kube-system.svc.cluster.local
+                - name: DNS_RESOLVERS
+                  value: "coredns.kube-system.svc.cluster.local"
+                - name: USE_API
+                  value: "yes"
+                # 10.0.0.0/8 is the cluster internal subnet
+                - name: API_WHITELIST_IP
+                  value: "127.0.0.0/8 10.0.0.0/8"
+                - name: SERVER_NAME
+                  value: ""
+                - name: MULTISITE
+                  value: "yes"
+                - name: USE_REDIS
+                  value: "yes"
+                - name: REDIS_HOST
+                  value: "svc-bunkerweb-redis.default.svc.cluster.local"
+              livenessProbe:
+                exec:
+                  command:
+                    - /usr/share/bunkerweb/helpers/healthcheck.sh
+                initialDelaySeconds: 30
+                periodSeconds: 5
+                timeoutSeconds: 1
+                failureThreshold: 3
+              readinessProbe:
+                exec:
+                  command:
+                    - /usr/share/bunkerweb/helpers/healthcheck.sh
+                initialDelaySeconds: 30
+                periodSeconds: 1
+                timeoutSeconds: 1
+                failureThreshold: 3
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-controller
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-controller
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-controller
+        spec:
+          serviceAccountName: sa-bunkerweb
+          containers:
+            - name: bunkerweb-controller
+              image: bunkerity/bunkerweb-autoconf:1.5.3
+              imagePullPolicy: Always
+              env:
+                - name: KUBERNETES_MODE
+                  value: "yes"
+                - name: "DATABASE_URI"
+                  value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-scheduler
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-scheduler
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-scheduler
+        spec:
+          serviceAccountName: sa-bunkerweb
+          containers:
+            - name: bunkerweb-scheduler
+              image: bunkerity/bunkerweb-scheduler:1.5.3
+              imagePullPolicy: Always
+              env:
+                - name: KUBERNETES_MODE
+                  value: "yes"
+                - name: "DATABASE_URI"
+                  value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db"
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-redis
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-redis
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-redis
+        spec:
+          containers:
+            - name: bunkerweb-redis
+              image: redis:7-alpine
+              imagePullPolicy: Always
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-db
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-db
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-db
+        spec:
+          containers:
+            - name: bunkerweb-db
+              image: mariadb:10.10
+              imagePullPolicy: Always
+              env:
+                - name: MYSQL_RANDOM_ROOT_PASSWORD
+                  value: "yes"
+                - name: "MYSQL_DATABASE"
+                  value: "db"
+                - name: "MYSQL_USER"
+                  value: "bunkerweb"
+                - name: "MYSQL_PASSWORD"
+                  value: "changeme"
+              volumeMounts:
+                - mountPath: "/var/lib/mysql"
+                  name: vol-db
+          volumes:
+            - name: vol-db
+              persistentVolumeClaim:
+                claimName: pvc-bunkerweb
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: bunkerweb-ui
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+      selector:
+        matchLabels:
+          app: bunkerweb-ui
+      template:
+        metadata:
+          labels:
+            app: bunkerweb-ui
+        spec:
+          containers:
+            - name: bunkerweb-ui
+              image: bunkerity/bunkerweb-ui:1.5.3
+              imagePullPolicy: Always
+              env:
+                - name: ADMIN_USERNAME
+                  value: "changeme"
+                - name: "ADMIN_PASSWORD"
+                  value: "changeme"
+                - name: KUBERNETES_MODE
+                  value: "YES"
+                - name: "DATABASE_URI"
+                  value: "mariadb+pymysql://bunkerweb:testor@svc-bunkerweb-db:3306/db"
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: svc-bunkerweb
+    spec:
+      clusterIP: None
+      selector:
+        app: bunkerweb
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: svc-bunkerweb-db
+    spec:
+      type: ClusterIP
+      selector:
+        app: bunkerweb-db
+      ports:
+        - name: sql
+          protocol: TCP
+          port: 3306
+          targetPort: 3306
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: svc-bunkerweb-redis
+    spec:
+      type: ClusterIP
+      selector:
+        app: bunkerweb-redis
+      ports:
+        - name: redis
+          protocol: TCP
+          port: 6379
+          targetPort: 6379
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: svc-bunkerweb-ui
+    spec:
+      type: ClusterIP
+      selector:
+        app: bunkerweb-ui
+      ports:
+        - name: http
+          protocol: TCP
+          port: 7000
+          targetPort: 7000
+    ---
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: pvc-bunkerweb
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 5Gi
+      volumeName: pv-bunkerweb
+    ---
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: ingress
+      annotations:
+        bunkerweb.io/www.example.com_USE_UI: "yes"
+        bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
+        bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
+    spec:
+      rules:
+        - host: www.example.com
+          http:
+            paths:
+              - path: /changeme
+                pathType: Prefix
+                backend:
+                  service:
+                    name: svc-bunkerweb-ui
+                    port:
+                      number: 7000
+    ```
+
+=== "Linux"
+
+    The installation of the web UI using the [Linux integration](integrations.md#linux) is pretty straightforward because it is installed with BunkerWeb.
+
+    The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
+
+    ```shell
+    systemctl enable bunkerweb
+    ```
+
+    A dedicated environment file located at `/etc/bunkerweb/ui.env` is used to configure the web UI :
+
+    ```conf
+    ADMIN_USERNAME=changeme
+    ADMIN_PASSWORD=changeme
+    ```
+
+    Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
+
+    ```shell
+    systemctl restart bunkerweb-ui
+    ```
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Please note that the web UI is listening on the `7000` port and only on the loopback interface.
+
+    Here is the `/etc/bunkerweb/variables.env` boilerplate you can use :
+
+    ```conf
+    HTTP_PORT=80
+    HTTPS_PORT=443
+    DNS_RESOLVERS=8.8.8.8 8.8.4.4
+    API_LISTEN_IP=127.0.0.1
+    SERVER_NAME=www.example.com
+    MULTISITE=yes
+    www.example.com_USE_UI=yes
+    www.example.com_USE_REVERSE_PROXY=yes
+    www.example.com_REVERSE_PROXY_URL=/changeme
+    www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
+    www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
+    ```
+
+    Don't forget to restart the `bunkerweb` service :
+
+    ```shell
+    systemctl restart bunkerweb
+    ```
+
+=== "Ansible"
+
+    The installation of the web UI using the [Vagrant integration](integrations.md#linux) is pretty straightforward because it is installed with BunkerWeb.
+
+    Create a `my_ui.env` filed used to configure the web UI :
+
+    ```conf
+    ADMIN_USERNAME=changeme
+    ADMIN_PASSWORD=changeme
+    ```
+
+    Here is the `my_variables.env` boilerplate you can use :
+
+    ```conf
+    HTTP_PORT=80
+    HTTPS_PORT=443
+    DNS_RESOLVERS=8.8.8.8 8.8.4.4
+    API_LISTEN_IP=127.0.0.1
+    SERVER_NAME=www.example.com
+    MULTISITE=yes
+    www.example.com_USE_UI=yes
+    www.example.com_USE_REVERSE_PROXY=yes
+    www.example.com_REVERSE_PROXY_URL=/changeme
+    www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
+    www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
+    ```
+
+    The variable `enable_ui` can be set to `true` in order to activate the web UI service and the variable `custom_ui` can be used to specify the configuration file for the web UI :
+
+    ```ini
+    [mybunkers]
+    192.168.0.42 variables_env="{{ playbook_dir }}/my_variables.env" enable_ui=true custom_ui="{{ playbook_dir }}/my_ui.env"
+    ```
+
+    Or alternatively, in your playbook file :
+
+    ```yaml
+    - hosts: all
+      become: true
+      vars:
+      - variables_env: "{{ playbook_dir }}/my_variables.env"
+      - enable_ui: true
+      - custom_ui: "{{ playbook_dir }}/my_ui.env"
+      roles:
+      - bunkerity.bunkerweb
+    ```
+
+
+    You can now run the playbook and be able to access the web UI :
+
+    ```shell
+    ansible-playbook -i inventory.yml playbook.yml
+    ```
+
+=== "Vagrant"
+
+    The installation of the web UI using the [Vagrant integration](integrations.md#vagrant) is pretty straightforward because it is installed with BunkerWeb.
+
+    First of all, you will need to get a shell on your Vagrant box :
+
+    ```shell
+    vagrant ssh
+    ```
+
+    The web UI comes as systemd service named `bunkerweb-ui` which is not enabled by default. If you want to start the web UI when on startup you can run the following command :
+
+    ```shell
+    systemctl enable bunkerweb
+    ```
+
+    A dedicated environment file located at `/etc/bunkerweb/ui.env` is used to configure the web UI :
+
+    ```conf
+    ADMIN_USERNAME=changeme
+    ADMIN_PASSWORD=changeme
+    ```
+
+    Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
+
+    ```shell
+    systemctl restart bunkerweb-ui
+    ```
+
+    Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Please note that the web UI is listening on the `7000` port and only on the loopback interface.
+
+    Here is the `/etc/bunkerweb/variables.env` boilerplate you can use :
+
+    ```conf
+    HTTP_PORT=80
+    HTTPS_PORT=443
+    DNS_RESOLVERS=8.8.8.8 8.8.4.4
+    API_LISTEN_IP=127.0.0.1
+    SERVER_NAME=www.example.com
+    MULTISITE=yes
+    www.example.com_USE_UI=yes
+    www.example.com_USE_REVERSE_PROXY=yes
+    www.example.com_REVERSE_PROXY_URL=/changeme
+    www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
+    www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
+    ```
+
+    Don't forget to restart the `bunkerweb` service :
+
+    ```shell
+    systemctl restart bunkerweb
+    ```

examples/authelia/authelia/configuration.yml

@@ -0,0 +1,78 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+jwt_secret: a_very_important_secret
+default_redirection_url: https://auth.example.com
+
+ntp:
+  disable_failure: true
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    - domain: auth.example.com
+      policy: bypass
+    - domain: app1.example.com
+      policy: one_factor
+    - domain: app2.example.com
+      policy: two_factor
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: unsecure_session_secret
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+  domain: example.com # Should match whatever your root protected domain is
+
+  redis:
+    host: redis
+    port: 6379
+    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+    # password: authelia
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+#notifier:
+#  smtp:
+#    username: test
+# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+#    password: password
+#    host: mail.example.com
+#    port: 25
+#    sender: admin@example.com

examples/authelia/authelia/users_database.yml

@@ -0,0 +1,17 @@
+---
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  authelia:
+    displayname: "Authelia User"
+    # Password is authelia
+    password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
+    email: authelia@authelia.com
+    groups:
+      - admins
+      - dev

examples/authelia/autoconf.yml

@@ -0,0 +1,81 @@
+version: "3"
+
+services:
+  # APPLICATIONS
+  app1:
+    image: tutum/hello-world
+    networks:
+      bw-services:
+        aliases:
+          - app1
+    labels:
+      - bunkerweb.SERVER_NAME=app1.example.com
+      - bunkerweb.USE_REVERSE_PROXY=yes
+      - bunkerweb.REVERSE_PROXY_URL=/
+      - bunkerweb.REVERSE_PROXY_HOST=http://app1
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+      - bunkerweb.REVERSE_PROXY_URL_999=/authelia
+      - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+      - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      bw-services:
+        aliases:
+          - app2
+    labels:
+      - bunkerweb.SERVER_NAME=app2.example.com
+      - bunkerweb.USE_REVERSE_PROXY=yes
+      - bunkerweb.REVERSE_PROXY_URL=/
+      - bunkerweb.REVERSE_PROXY_HOST=http://app2
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+      - bunkerweb.REVERSE_PROXY_URL_999=/authelia
+      - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+      - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+
+  # AUTHELIA
+  authelia:
+    image: authelia/authelia:4
+    networks:
+      bw-services:
+        aliases:
+          - authelia
+    volumes:
+      - ./authelia:/config
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    environment:
+      - TZ=Europe/Paris
+    labels:
+      - bunkerweb.SERVER_NAME=auth.example.com
+      - bunkerweb.USE_REVERSE_PROXY=yes
+      - bunkerweb.REVERSE_PROXY_URL=/
+      - bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
+      - bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
+
+  redis:
+    image: redis:7-alpine
+    networks:
+      bw-services:
+        aliases:
+          - redis
+    volumes:
+      - ./redis:/data
+    expose:
+      - 6379
+    restart: unless-stopped
+    environment:
+      - TZ=Europe/Paris
+
+networks:
+  bw-services:
+    external: true
+    name: bw-services

examples/authelia/docker-compose.yml

@@ -0,0 +1,116 @@
+version: "3.4"
+
+services:
+  mybunker:
+    image: bunkerity/bunkerweb:1.5.3
+    ports:
+      - 80:8080
+      - 443:8443
+    labels:
+      - "bunkerweb.INSTANCE=yes"
+    networks:
+      - bw-universe
+      - bw-services
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      # Proxy to auth_request URI
+      - REVERSE_PROXY_URL_999=/authelia
+      - REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+      # Authelia
+      - auth.example.com_REVERSE_PROXY_URL=/
+      - auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
+      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+      # Applications
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+
+  bw-scheduler:
+    image: bunkerity/bunkerweb-scheduler:1.5.3
+    depends_on:
+      - mybunker
+    environment:
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
+    networks:
+      - bw-universe
+      - bw-docker
+    volumes:
+      - bw-data:/data
+
+  bw-docker-proxy:
+    image: tecnativa/docker-socket-proxy:nightly
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - LOG_LEVEL=warning
+    networks:
+      - bw-docker
+
+  # APPLICATIONS
+  app1:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+  app2:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+
+  # AUTHELIA
+  authelia:
+    image: authelia/authelia:4
+    container_name: authelia
+    networks:
+      - bw-services
+    volumes:
+      - ./authelia:/config
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    environment:
+      - TZ=Europe/Paris
+
+  redis:
+    image: redis:7-alpine
+    container_name: redis
+    networks:
+      - bw-services
+    volumes:
+      - ./redis:/data
+    expose:
+      - 6379
+    restart: unless-stopped
+    environment:
+      - TZ=Europe/Paris
+
+volumes:
+  bw-data:
+
+networks:
+  bw-universe:
+    name: bw-universe
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
+  bw-services:
+  bw-docker:

examples/authelia/kubernetes.yml

@@ -0,0 +1,303 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress
+  annotations:
+    bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_URL_999: "/authelia"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
+    bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_URL_999: "/authelia"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
+    bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
+    bunkerweb.io/auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
+spec:
+  rules:
+    - host: app1.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: svc-app1
+                port:
+                  number: 80
+    - host: app2.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: svc-app2
+                port:
+                  number: 80
+    - host: auth.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: svc-authelia
+                port:
+                  number: 9091
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app1
+  labels:
+    app: app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app1
+  template:
+    metadata:
+      labels:
+        app: app1
+    spec:
+      containers:
+        - name: app1
+          image: tutum/hello-world
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc-app1
+spec:
+  selector:
+    app: app1
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app2
+  labels:
+    app: app2
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app2
+  template:
+    metadata:
+      labels:
+        app: app2
+    spec:
+      containers:
+        - name: app2
+          image: tutum/hello-world
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc-app2
+spec:
+  selector:
+    app: app2
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cfg-authelia
+data:
+  configuration.yml: |
+    ---
+    ###############################################################
+    #                   Authelia configuration                    #
+    ###############################################################
+
+    jwt_secret: a_very_important_secret
+    default_redirection_url: https://auth.example.com
+
+    ntp:
+      disable_failure: true
+
+    server:
+      host: 0.0.0.0
+      port: 9091
+
+    log:
+      level: debug
+    # This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+
+    totp:
+      issuer: authelia.com
+
+    # duo_api:
+    #  hostname: api-123456789.example.com
+    #  integration_key: ABCDEF
+    #  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+    #  secret_key: 1234567890abcdefghifjkl
+
+    authentication_backend:
+      file:
+        path: /config/users_database.yml
+
+    access_control:
+      default_policy: deny
+      rules:
+        # Rules applied to everyone
+        - domain: auth.example.com
+          policy: bypass
+        - domain: app1.example.com
+          policy: one_factor
+        - domain: app2.example.com
+          policy: two_factor
+
+    session:
+      name: authelia_session
+      # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+      secret: unsecure_session_secret
+      expiration: 3600  # 1 hour
+      inactivity: 300  # 5 minutes
+      domain: example.com  # Should match whatever your root protected domain is
+
+      redis:
+        host: svc-redis
+        port: 6379
+        # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+        # password: authelia
+
+    regulation:
+      max_retries: 3
+      find_time: 120
+      ban_time: 300
+
+    storage:
+      encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+      local:
+        path: /config/db.sqlite3
+
+    notifier:
+      filesystem:
+        filename: /config/notification.txt
+    #notifier:
+    #  smtp:
+    #    username: test
+        # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+    #    password: password
+    #    host: mail.example.com
+    #    port: 25
+    #    sender: admin@example.com
+    ...
+  users_database.yml: |
+    ---
+    ###############################################################
+    #                         Users Database                      #
+    ###############################################################
+
+    # This file can be used if you do not have an LDAP set up.
+
+    # List of users
+    users:
+      authelia:
+        displayname: "Authelia User"
+        # Password is authelia
+        password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"  # yamllint disable-line rule:line-length
+        email: authelia@authelia.com
+        groups:
+          - admins
+          - dev
+    ...
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authelia
+  labels:
+    app: authelia
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authelia
+  template:
+    metadata:
+      labels:
+        app: authelia
+    spec:
+      containers:
+        - name: authelia
+          image: authelia/authelia
+          env:
+            - name: TZ
+              value: "Europe/Paris"
+          volumeMounts:
+            - name: config
+              mountPath: /config/configuration.yml
+              subPath: configuration.yml
+            - name: config
+              mountPath: /config/users_database.yml
+              subPath: users_database.yml
+      volumes:
+        - name: config
+          configMap:
+            name: cfg-authelia
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc-authelia
+spec:
+  selector:
+    app: authelia
+  ports:
+    - protocol: TCP
+      port: 9091
+      targetPort: 9091
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:alpine
+          env:
+            - name: TZ
+              value: "Europe/Paris"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc-redis
+spec:
+  selector:
+    app: redis
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379

examples/authelia/setup-linux.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$(id -u)" -ne 0 ] ; then
+	echo "❌ Run me as root"
+	exit 1
+fi
+
+curl https://github.com/authelia/authelia/releases/download/v4.36.2/authelia-v4.36.2-linux-amd64.tar.gz -Lo /tmp/authelia.tar.gz
+tar -xzf /tmp/authelia.tar.gz -C /tmp
+mv /tmp/authelia-linux-amd64 /usr/bin/authelia
+mv /tmp/authelia.service /etc/systemd/system
+mkdir /etc/authelia
+cp ./authelia/* /etc/authelia
+sed -i "s@/config/@/etc/authelia/@g" /etc/authelia/configuration.yml
+sed -i "s@redis:@@g" /etc/authelia/configuration.yml
+sed -i "s@host: redis@@g" /etc/authelia/configuration.yml
+sed -i "s@port: 6379@@g" /etc/authelia/configuration.yml
+systemctl daemon-reload
+systemctl start authelia

examples/authelia/swarm.yml

@@ -0,0 +1,103 @@
+version: "3"
+
+services:
+  # APPLICATIONS
+  app1:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
+      labels:
+        - bunkerweb.SERVER_NAME=app1.example.com
+        - bunkerweb.USE_REVERSE_PROXY=yes
+        - bunkerweb.REVERSE_PROXY_URL=/
+        - bunkerweb.REVERSE_PROXY_HOST=http://app1
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+        - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+        - bunkerweb.REVERSE_PROXY_URL_999=/authelia
+        - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+        - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+
+  app2:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
+      labels:
+        - bunkerweb.SERVER_NAME=app2.example.com
+        - bunkerweb.USE_REVERSE_PROXY=yes
+        - bunkerweb.REVERSE_PROXY_URL=/
+        - bunkerweb.REVERSE_PROXY_HOST=http://app2
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+        - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+        - bunkerweb.REVERSE_PROXY_URL_999=/authelia
+        - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+        - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+
+  # AUTHELIA
+  authelia:
+    image: authelia/authelia:4
+    networks:
+      - bw-services
+    configs:
+      - source: config_authelia_configuration
+        target: /config/configuration.yml
+        uid: "0"
+        gid: "0"
+        mode: 0444
+      - source: config_authelia_users_database
+        target: /config/users_database.yml
+        uid: "0"
+        gid: "0"
+        mode: 0444
+    healthcheck:
+      disable: true
+    environment:
+      - TZ=Europe/Paris
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
+      labels:
+        - bunkerweb.SERVER_NAME=auth.example.com
+        - bunkerweb.USE_REVERSE_PROXY=yes
+        - bunkerweb.REVERSE_PROXY_URL=/
+        - bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
+        - bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
+
+  redis:
+    image: redis:7-alpine
+    networks:
+      - bw-services
+    volumes:
+      - redis:/data
+    environment:
+      - TZ=Europe/Paris
+    deploy:
+      placement:
+        constraints:
+          - "node.role==worker"
+
+networks:
+  bw-services:
+    external: true
+    name: bw-services
+
+volumes:
+  redis:
+
+configs:
+  config_authelia_configuration:
+    file: ./authelia/configuration.yml
+  config_authelia_users_database:
+    file: ./authelia/users_database.yml

examples/authelia/tests.json

@@ -0,0 +1,18 @@
+{
+  "name": "authelia",
+  "kinds": ["docker", "autoconf", "swarm", "linux"],
+  "timeout": 120,
+  "delay": 60,
+  "tests": [
+    {
+      "type": "string",
+      "url": "https://app1.example.com",
+      "string": "authelia"
+    },
+    {
+      "type": "string",
+      "url": "https://app2.example.com",
+      "string": "authelia"
+    }
+  ]
+}

examples/authelia/variables.env

@@ -0,0 +1,34 @@
+HTTP_PORT=80
+HTTPS_PORT=443
+DNS_RESOLVERS=8.8.8.8 8.8.4.4
+API_LISTEN_IP=127.0.0.1
+MULTISITE=yes
+# Replace with your domains
+SERVER_NAME=auth.example.com app1.example.com app2.example.com
+SERVE_FILES=no
+DISABLE_DEFAULT_SERVER=yes
+AUTO_LETS_ENCRYPT=yes
+USE_CLIENT_CACHE=yes
+USE_GZIP=yes
+USE_REVERSE_PROXY=yes
+# Proxy to auth_request URI
+REVERSE_PROXY_URL_999=/authelia
+REVERSE_PROXY_HOST_999=http://127.0.0.1:9091/api/verify
+REVERSE_PROXY_HEADERS_999=X-Original-URL $scheme://$http_host$request_uri;Content-Length ""
+# Authelia
+auth.example.com_REVERSE_PROXY_URL=/
+auth.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:9091
+auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+# Applications
+app1.example.com_REVERSE_PROXY_URL=/
+app1.example.com_REVERSE_PROXY_HOST=http://app1.example.com
+app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri
+app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email
+app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email
+app2.example.com_REVERSE_PROXY_URL=/
+app2.example.com_REVERSE_PROXY_HOST=http://app2.example.com
+app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri
+app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email
+app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email

examples/authentik/.env

@@ -0,0 +1,5 @@
+PG_PASS=changeme
+AUTHENTIK_SECRET_KEY=changeme
+AUTHENTIK_COOKIE_DOMAIN=example.com
+AUTHENTIK_BOOTSTRAP_PASSWORD=changeme
+AUTHENTIK_BOOTSTRAP_TOKEN=changeme

examples/authentik/README.md

@@ -0,0 +1,3 @@
+We assume that you are already familiar with [Authentik](https://goauthentik.io/).
+
+This example has been tested with a Proxy in Forward auth (domain level) mode (see [here](https://goauthentik.io/docs/providers/proxy/forward_auth) for more information).

examples/authentik/docker-compose.yml

@@ -0,0 +1,194 @@
+version: "3.4"
+
+services:
+  mybunker:
+    image: bunkerity/bunkerweb:1.5.3
+    ports:
+      - 80:8080
+      - 443:8443
+    labels:
+      - "bunkerweb.INSTANCE=yes"
+    networks:
+      - bw-universe
+      - bw-services
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      # Proxy to outpost
+      - REVERSE_PROXY_URL_999=/outpost.goauthentik.io
+      - REVERSE_PROXY_HOST_999=http://server:9000
+      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+      - REVERSE_PROXY_HEADERS_CLIENT_999=Set-Cookie $$auth_cookie
+      - REVERSE_PROXY_AUTH_REQUEST_SET_999=$$auth_cookie $$upstream_http_set_cookie
+      # Authentik
+      - auth.example.com_REVERSE_PROXY_URL=/
+      - auth.example.com_REVERSE_PROXY_HOST=http://server:9000
+      - auth.example.com_REVERSE_PROXY_WS=yes
+      - auth.example.com_LIMIT_REQ_URL_1=^/api/
+      - auth.example.com_LIMIT_REQ_RATE_1=5r/s
+      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+      - auth.example.com_ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE|PATCH
+      - auth.example.com_COOKIE_FLAGS=* SameSite=Lax
+      # Applications
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
+      - app1.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
+      - app1.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/outpost.goauthentik.io/auth/nginx
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/outpost.goauthentik.io/start?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$auth_cookie $$upstream_http_set_cookie;$$authentik_username $$upstream_http_x_authentik_username;$$authentik_groups $$upstream_http_x_authentik_groups;$$authentik_email $$upstream_http_x_authentik_email;$$authentik_name $$upstream_http_x_authentik_name;$$authentik_uid $$upstream_http_x_authentik_uid
+      - app2.example.com_REVERSE_PROXY_HEADERS_CLIENT=Set-Cookie $$auth_cookie
+      - app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
+
+  bw-scheduler:
+    image: bunkerity/bunkerweb-scheduler:1.5.3
+    depends_on:
+      - mybunker
+    environment:
+      - DOCKER_HOST=tcp://bw-docker-proxy:2375
+    networks:
+      - bw-universe
+      - bw-docker
+    volumes:
+      - bw-data:/data
+
+  bw-docker-proxy:
+    image: tecnativa/docker-socket-proxy:nightly
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - LOG_LEVEL=warning
+    networks:
+      - bw-docker
+
+  # APPLICATIONS
+  app1:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+  app2:
+    image: tutum/hello-world
+    networks:
+      - bw-services
+
+  # AUTHENTIK SERVICES
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    networks:
+      - bw-services
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
+      - POSTGRES_USER=${PG_USER:-authentik}
+      - POSTGRES_DB=${PG_DB:-authentik}
+    env_file:
+      - .env
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    networks:
+      - bw-services
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
+    restart: unless-stopped
+    networks:
+      - bw-services
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+      - geoip:/geoip
+    env_file:
+      - .env
+    # ports:
+    # - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
+    # - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
+    restart: unless-stopped
+    networks:
+      - bw-services
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+      # This is optional, and can be removed. If you remove this, the following will happen
+      # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
+      # - The docker socket can't be accessed anymore
+    user: root
+    volumes:
+      - ./media:/media
+      - ./certs:/certs
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./custom-templates:/templates
+      - geoip:/geoip
+    env_file:
+      - .env
+  geoipupdate:
+    image: "maxmindinc/geoipupdate:latest"
+    networks:
+      - bw-services
+    volumes:
+      - "geoip:/usr/share/GeoIP"
+    environment:
+      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+      GEOIPUPDATE_FREQUENCY: "8"
+    env_file:
+      - .env
+
+volumes:
+  bw-data:
+  database:
+  redis:
+  geoip:
+
+networks:
+  bw-universe:
+    name: bw-universe
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
+  bw-services:
+  bw-docker: