Merge pull request bunkerity#1288 from bunkerity/dev

Merge branch "dev" into branch "staging"
DitZii · Jun 18, 2024 · 38b2473 · 38b2473
2 parents 18517b9 + c5a1d8f
commit 38b2473
Show file tree

Hide file tree

Showing 61 changed files with 424 additions and 200 deletions.
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -92,7 +92,7 @@ jobs:
       # Build cached image
       - name: Build image
         if: inputs.CACHE == true
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -105,7 +105,7 @@ jobs:
       # Build non-cached image
       - name: Build image
         if: inputs.CACHE != true
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -117,7 +117,7 @@ jobs:
       # Check OS vulnerabilities
       - name: Check OS vulnerabilities
         if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
         with:
           vuln-type: os
           skip-dirs: /root/.cargo

diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml
@@ -94,7 +94,7 @@ jobs:
       # Build testing package image
       - name: Build package image
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           load: true
@@ -106,7 +106,7 @@ jobs:
       # Build non-testing package image
       - name: Build package image
         if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev'
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           load: true
@@ -142,7 +142,7 @@ jobs:
           images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
       - name: Build test image
         if: inputs.TEST == true
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           file: tests/linux/Dockerfile-${{ inputs.LINUX }}

diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
@@ -70,7 +70,7 @@ jobs:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build and push
       - name: Build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}

diff --git a/.github/workflows/push-packagecloud.yml b/.github/workflows/push-packagecloud.yml
@@ -42,7 +42,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install ruby
-        uses: ruby/setup-ruby@ff740bc00a01b3a50fffc55a1071b1060eeae9dc # v1.180.0
+        uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
         with:
           ruby-version: "3.0"
       - name: Install packagecloud

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@
 - [FEATURE] Add failover logic in case the NGINX configuration is not valid to fallback to the previous configuration and log the error to prevent the service from being stopped
 - [UI] Force HTTPS on setup wizard
 - [UI] Fallback to self-signed certificate when UI is installed with setup wizard and let's encrypt is not used
+- [UI] Force HTTPS even if UI is installed in advanced mode
 - [UI] Add OVERRIDE_ADMIN_CREDS environment variable to allow overriding the default admin credentials even if an admin user already exists
 - [UI] Optimize the way the UI handles the requests and the responses
 - [AUTOCONF] Refactor Autoconf config parsing and saving logic so that it doesn't override the scheduler or UI config every time

diff --git a/README.md b/README.md
@@ -86,6 +86,19 @@ Learn more about the core security features in the [security tuning](https://doc
 
 A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io/?utm_campaign=self&utm_source=github). Feel free to visit it and perform some security tests.
 
+## BunkerWeb Cloud
+
+Don't want to self-host and manage your own BunkerWeb instance(s) ? You might be interested into BunkerWeb Cloud, our fully managed SaaS offer for BunkerWeb.
+
+Try our [BunkerWeb Cloud beta offer for free](https://panel.bunkerweb.io/order/bunkerweb-cloud/14?utm_source=github&utm_campaign=self) and get access to :
+
+- Fully managed BunkerWeb instance hosted in our cloud
+- All BunkerWeb features including PRO ones
+- Monitoring platform including dashboards and alerts
+- Technical support to assist you in the configuration
+
+You will find more information about BunkerWeb Cloud in the [FAQ page](https://panel.bunkerweb.io/knowledgebase/55/BunkerWeb-Cloud?utm_source=github&utm_campaign=self) of the BunkerWeb panel.
+
 ## PRO version
 
 When using BunkerWeb you have the choice of the version you want to use : open-source or PRO.

diff --git a/docs/index.md b/docs/index.md
@@ -59,6 +59,19 @@ To delve deeper into the core security features, we invite you to explore the [s
 
 A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io/?utm_campaign=self&utm_source=doc). Feel free to visit it and perform some security tests.
 
+## BunkerWeb Cloud
+
+Don't want to self-host and manage your own BunkerWeb instance(s) ? You might be interested into BunkerWeb Cloud, our fully managed SaaS offer for BunkerWeb.
+
+Try our [BunkerWeb Cloud beta offer for free](https://panel.bunkerweb.io/order/bunkerweb-cloud/14?utm_source=doc&utm_campaign=self) and get access to :
+
+- Fully managed BunkerWeb instance hosted in our cloud
+- All BunkerWeb features including PRO ones
+- Monitoring platform including dashboards and alerts
+- Technical support to assist you in the configuration
+
+You will find more information about BunkerWeb Cloud in the [FAQ page](https://panel.bunkerweb.io/knowledgebase/55/BunkerWeb-Cloud?utm_source=doc&utm_campaign=self) of the BunkerWeb panel.
+
 ## PRO version
 
 When using BunkerWeb you have the choice of the version you want to use : open-source or PRO.

diff --git a/docs/requirements.in b/docs/requirements.in
@@ -1,4 +1,4 @@
 mike==2.1.1
-mkdocs-material[imaging]==9.5.26
+mkdocs-material[imaging]==9.5.27
 mkdocs-print-site-plugin==2.5.0
 pytablewriter==1.2.0
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -317,9 +317,9 @@ mkdocs-get-deps==0.2.0 \
     --hash=sha256:162b3d129c7fad9b19abfdcb9c1458a651628e4b1dea628ac68790fb3061c60c \
     --hash=sha256:2bf11d0b133e77a0dd036abeeb06dec8775e46efa526dc70667d8863eefc6134
     # via mkdocs
-mkdocs-material==9.5.26 \
-    --hash=sha256:56aeb91d94cffa43b6296fa4fbf0eb7c840136e563eecfd12c2d9e92e50ba326 \
-    --hash=sha256:5d01fb0aa1c7946a1e3ae8689aa2b11a030621ecb54894e35aabb74c21016312
+mkdocs-material==9.5.27 \
+    --hash=sha256:a7d4a35f6d4a62b0c43a0cfe7e987da0980c13587b5bc3c26e690ad494427ec0 \
+    --hash=sha256:af8cc263fafa98bb79e9e15a8c966204abf15164987569bd1175fd66a7705182
     # via
     #   -r requirements.in
     #   mkdocs-print-site-plugin
@@ -637,9 +637,9 @@ typepy==1.3.2 \
     #   dataproperty
     #   pytablewriter
     #   tabledata
-urllib3==2.2.1 \
-    --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
-    --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
+urllib3==2.2.2 \
+    --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \
+    --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168
     # via requests
 verspec==0.1.0 \
     --hash=sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31 \

diff --git a/docs/web-ui.md b/docs/web-ui.md
@@ -31,6 +31,8 @@ Because the web UI is a web application, the recommended installation procedure
     * Do not open the web UI on the Internet without any further restrictions
     * Apply settings listed in the [security tuning section](security-tuning.md) of the documentation
 
+    **Please note that using HTTPS in front the web UI is mandatory since version 1.5.8 of BunkerWeb.**
+
 !!! info "Multisite mode"
 
     The usage of the web UI implies enabling the [multisite mode](concepts.md#multisite-mode).
@@ -39,7 +41,7 @@ Because the web UI is a web application, the recommended installation procedure
 
 !!! info "Wizard"
 
-    The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`https://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
+    The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`http://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
 
 <figure markdown>
   ![Overview](assets/img/ui-wizard-account.webp){ align=center, width="350" }
@@ -70,7 +72,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
 
     !!! tip "Accessing the setup wizard"
 
-        You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
+        You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server.
 
 
     Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -162,7 +164,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
 
     !!! tip "Accessing the setup wizard"
 
-        You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
+        You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server.
 
     Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
 
@@ -269,7 +271,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
 
     !!! tip "Accessing the setup wizard"
 
-        You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
+        You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server.
 
     Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
 
@@ -399,7 +401,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
 
     !!! tip "Accessing the setup wizard"
 
-        You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
+        You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server.
 
     Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
 
@@ -832,6 +834,7 @@ After a successful login/password combination, you will be prompted to enter you
 
     - `ADMIN_USERNAME` : username to access the web UI
     - `ADMIN_PASSWORD` : password to access the web UI
+    - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`)
 
     Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
 
@@ -953,6 +956,7 @@ After a successful login/password combination, you will be prompted to enter you
 
     - `ADMIN_USERNAME` : username to access the web UI
     - `ADMIN_PASSWORD` : password to access the web UI
+    - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`)
 
     Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
 
@@ -1088,6 +1092,7 @@ After a successful login/password combination, you will be prompted to enter you
 
     - `ADMIN_USERNAME` : username to access the web UI
     - `ADMIN_PASSWORD` : password to access the web UI
+    - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`)
 
     Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.
 
@@ -1236,6 +1241,7 @@ After a successful login/password combination, you will be prompted to enter you
 
     - `ADMIN_USERNAME` : username to access the web UI
     - `ADMIN_PASSWORD` : password to access the web UI
+    - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`)
 
     Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.
 
@@ -1590,6 +1596,7 @@ After a successful login/password combination, you will be prompted to enter you
     ```conf
     ADMIN_USERNAME=changeme
     ADMIN_PASSWORD=changeme
+    OVERRIDE_ADMIN_CREDS=no
     ```
 
     Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :

diff --git a/src/common/core/order.json b/src/common/core/order.json
@@ -15,7 +15,7 @@
     "letsencrypt",
     "selfsigned"
   ],
-  "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned"],
+  "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned", "ui"],
   "ssl_certificate": ["customcert", "letsencrypt", "selfsigned"],
   "access": [
     "whitelist",

diff --git a/src/common/core/ui/confs/default-server-http/ui.conf b/src/common/core/ui/confs/default-server-http/ui.conf
@@ -38,7 +38,27 @@ location /setup/check {
     add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
     default_type 'text/plain';
     content_by_lua_block {
-        ngx.say("ok")
+        local logger = require "bunkerweb.logger":new("UI")
+        local args, err = ngx.req.get_uri_args(1)
+        if err == "truncated" or not args["server_name"] or args["server_name"] == "" then
+            logger:log(ngx.NOTICE, "Received standard server name check")
+            ngx.print("ok")
+        else
+            logger:log(ngx.NOTICE, "Received remote server name check for " .. args["server_name"])
+            local http = require "resty.http".new()
+            local res, err = http:request_uri("https://" .. args["server_name"] .. "/setup/check", {ssl_verify = false})
+            if not res then
+                ngx.print("ko")
+                logger:log(ngx.ERR, "Server name check failed : " .. err)
+                return
+            end
+            if res.status == 200 and res.body == "ok" then
+                ngx.print("ok")
+                return
+            end
+            logger:log(ngx.ERR, "Server name check failed : status = " .. tostring(res.status) .. " and body != ok")
+            ngx.print("ko")
+        end
     }
 }
 

diff --git a/src/common/core/ui/ui.lua b/src/common/core/ui/ui.lua
@@ -0,0 +1,19 @@
+local class = require "middleclass"
+local plugin = require "bunkerweb.plugin"
+
+local ui = class("ui", plugin)
+
+function ui:initialize(ctx)
+	-- Call parent initialize
+	plugin.initialize(self, "ui", ctx)
+end
+
+function ui:set()
+	local https_configured = self.variables["USE_UI"]
+	if https_configured == "yes" then
+		self.ctx.bw.https_configured = "yes"
+	end
+	return self:ret(true, "set https_configured to " .. https_configured)
+end
+
+return ui
diff --git a/src/common/db/Database.py b/src/common/db/Database.py
@@ -1272,6 +1272,9 @@ def save_config(self, config: Dict[str, Any], method: str, changed: Optional[boo
                         session.query(Services_settings).filter(Services_settings.service_id.in_(missing_ids)).delete()
                         session.query(Custom_configs).filter(Custom_configs.service_id.in_(missing_ids)).delete()
                         session.query(Jobs_cache).filter(Jobs_cache.service_id.in_(missing_ids)).delete()
+                        session.query(Metadata).filter_by(id=1).update(
+                            {Metadata.custom_configs_changed: True, Metadata.last_custom_configs_change: datetime.now()}
+                        )
                         changed_services = True
 
                 drafts = {service for service in services if config.pop(f"{service}_IS_DRAFT", "no") == "yes"}

diff --git a/src/common/gen/requirements.txt b/src/common/gen/requirements.txt
@@ -294,9 +294,9 @@ six==1.16.0 \
     # via
     #   kubernetes
     #   python-dateutil
-urllib3==2.2.1 \
-    --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
-    --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
+urllib3==2.2.2 \
+    --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \
+    --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168
     # via
     #   docker
     #   kubernetes

diff --git a/src/deps/requirements-deps.txt b/src/deps/requirements-deps.txt
@@ -182,9 +182,9 @@ toposort==1.10 \
     --hash=sha256:bfbb479c53d0a696ea7402601f4e693c97b0367837c8898bc6471adfca37a6bd \
     --hash=sha256:cbdbc0d0bee4d2695ab2ceec97fe0679e9c10eab4b2a87a9372b929e70563a87
     # via pip-compile-multi
-urllib3==2.2.1 \
-    --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
-    --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
+urllib3==2.2.2 \
+    --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \
+    --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168
     # via requests
 wheel==0.43.0 \
     --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \

diff --git a/src/scheduler/requirements.txt b/src/scheduler/requirements.txt
@@ -350,9 +350,9 @@ six==1.16.0 \
     --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
     --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via configobj
-urllib3==2.2.1 \
-    --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
-    --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
+urllib3==2.2.2 \
+    --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \
+    --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168
     # via requests
 zipp==3.19.2 \
     --hash=sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19 \