From c05668e2d944593c8d7f49b7aa43fd20e47cb873 Mon Sep 17 00:00:00 2001 From: florian Date: Mon, 17 Jun 2024 22:33:14 +0200 Subject: [PATCH] ui - force HTTPS everytime --- CHANGELOG.md | 1 + README.md | 13 +++++++++++++ docs/index.md | 13 +++++++++++++ docs/web-ui.md | 17 ++++++++++++----- src/common/core/order.json | 2 +- src/common/core/ui/ui.lua | 19 +++++++++++++++++++ 6 files changed, 59 insertions(+), 6 deletions(-) create mode 100644 src/common/core/ui/ui.lua diff --git a/CHANGELOG.md b/CHANGELOG.md index 279ba39e3..6291b273b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ - [FEATURE] Add failover logic in case the NGINX configuration is not valid to fallback to the previous configuration and log the error to prevent the service from being stopped - [UI] Force HTTPS on setup wizard - [UI] Fallback to self-signed certificate when UI is installed with setup wizard and let's encrypt is not used +- [UI] Force HTTPS even if UI is installed in advanced mode - [UI] Add OVERRIDE_ADMIN_CREDS environment variable to allow overriding the default admin credentials even if an admin user already exists - [UI] Optimize the way the UI handles the requests and the responses - [AUTOCONF] Refactor Autoconf config parsing and saving logic so that it doesn't override the scheduler or UI config every time diff --git a/README.md b/README.md index f1ecc32b7..614fb87fb 100644 --- a/README.md +++ b/README.md 
@@ -86,6 +86,19 @@ Learn more about the core security features in the [security tuning](https://doc A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io/?utm_campaign=self&utm_source=github). Feel free to visit it and perform some security tests. +## BunkerWeb Cloud + +Don't want to self-host and manage your own BunkerWeb instance(s) ? You might be interested into BunkerWeb Cloud, our fully managed SaaS offer for BunkerWeb. + +Try our [BunkerWeb Cloud beta offer for free](https://panel.bunkerweb.io/order/bunkerweb-cloud/14?utm_source=github&utm_campaign=self) and get access to : + +- Fully managed BunkerWeb instance hosted in our cloud +- All BunkerWeb features including PRO ones +- Monitoring platform including dashboards and alerts +- Technical support to assist you in the configuration + +You will find more information about BunkerWeb Cloud in the [FAQ page](https://panel.bunkerweb.io/knowledgebase/55/BunkerWeb-Cloud?utm_source=github&utm_campaign=self) of the BunkerWeb panel. + ## PRO version When using BunkerWeb you have the choice of the version you want to use : open-source or PRO. diff --git a/docs/index.md b/docs/index.md index e41dea161..585110533 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -59,6 +59,19 @@ To delve deeper into the core security features, we invite you to explore the [s A demo website protected with BunkerWeb is available at [demo.bunkerweb.io](https://demo.bunkerweb.io/?utm_campaign=self&utm_source=doc). Feel free to visit it and perform some security tests. +## BunkerWeb Cloud + +Don't want to self-host and manage your own BunkerWeb instance(s) ? You might be interested into BunkerWeb Cloud, our fully managed SaaS offer for BunkerWeb. + +Try our [BunkerWeb Cloud beta offer for free](https://panel.bunkerweb.io/order/bunkerweb-cloud/14?utm_source=doc&utm_campaign=self) and get access to : + +- Fully managed BunkerWeb instance hosted in our cloud +- All BunkerWeb features including PRO ones +- Monitoring platform including dashboards and alerts +- Technical support to assist you in the configuration + +You will find more information about BunkerWeb Cloud in the [FAQ page](https://panel.bunkerweb.io/knowledgebase/55/BunkerWeb-Cloud?utm_source=doc&utm_campaign=self) of the BunkerWeb panel. + ## PRO version When using BunkerWeb you have the choice of the version you want to use : open-source or PRO. diff --git a/docs/web-ui.md b/docs/web-ui.md index 65f65f809..677e25a19 100644 --- a/docs/web-ui.md +++ b/docs/web-ui.md @@ -31,6 +31,8 @@ Because the web UI is a web application, the recommended installation procedure * Do not open the web UI on the Internet without any further restrictions * Apply settings listed in the [security tuning section](security-tuning.md) of the documentation + **Please note that using HTTPS in front the web UI is mandatory since version 1.5.8 of BunkerWeb.** + !!! info "Multisite mode" The usage of the web UI implies enabling the [multisite mode](concepts.md#multisite-mode). 
@@ -39,7 +41,7 @@ Because the web UI is a web application, the recommended installation procedure !!! info "Wizard" - The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`https://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard. + The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`http://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
![Overview](assets/img/ui-wizard-account.webp){ align=center, width="350" } @@ -70,7 +72,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th !!! tip "Accessing the setup wizard" - You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server. + You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server. Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) : @@ -162,7 +164,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th !!! tip "Accessing the setup wizard" - You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server. + You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server. Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) : @@ -269,7 +271,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th !!! tip "Accessing the setup wizard" - You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server. + You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server. Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) : @@ -399,7 +401,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th !!! tip "Accessing the setup wizard" - You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server. + You can access the setup wizard by browsing the `https://your-ip-address-or-fqdn/setup` URI of your server. Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) : 
@@ -832,6 +834,7 @@ After a successful login/password combination, you will be prompted to enter you - `ADMIN_USERNAME` : username to access the web UI - `ADMIN_PASSWORD` : password to access the web UI + - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`) Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port. @@ -953,6 +956,7 @@ After a successful login/password combination, you will be prompted to enter you - `ADMIN_USERNAME` : username to access the web UI - `ADMIN_PASSWORD` : password to access the web UI + - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`) Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port. 
@@ -1088,6 +1092,7 @@ After a successful login/password combination, you will be prompted to enter you - `ADMIN_USERNAME` : username to access the web UI - `ADMIN_PASSWORD` : password to access the web UI + - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`) Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port. @@ -1236,6 +1241,7 @@ After a successful login/password combination, you will be prompted to enter you - `ADMIN_USERNAME` : username to access the web UI - `ADMIN_PASSWORD` : password to access the web UI + - `OVERRIDE_ADMIN_CREDS` : force override the admin credentials even if we already have a user in the database (default = `no`) Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port. @@ -1590,6 +1596,7 @@ After a successful login/password combination, you will be prompted to enter you ```conf ADMIN_USERNAME=changeme ADMIN_PASSWORD=changeme + OVERRIDE_ADMIN_CREDS=no ``` Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service : diff --git a/src/common/core/order.json b/src/common/core/order.json index 60244af55..ea2abc8dc 100644 --- a/src/common/core/order.json +++ b/src/common/core/order.json 
@@ -15,7 +15,7 @@ "letsencrypt", "selfsigned" ], - "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned"], + "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned", "ui"], "ssl_certificate": ["customcert", "letsencrypt", "selfsigned"], "access": [ "whitelist", diff --git a/src/common/core/ui/ui.lua b/src/common/core/ui/ui.lua new file mode 100644 index 000000000..e7de46c57 --- /dev/null +++ b/src/common/core/ui/ui.lua @@ -0,0 +1,19 @@ +local class = require "middleclass" +local plugin = require "bunkerweb.plugin" + +local ui = class("ui", plugin) + +function ui:initialize(ctx) + -- Call parent initialize + plugin.initialize(self, "ui", ctx) +end + +function ui:set() + local https_configured = self.variables["USE_UI"] + if https_configured == "yes" then + self.ctx.bw.https_configured = "yes" + end + return self:ret(true, "set https_configured to " .. https_configured) +end + +return ui \ No newline at end of file
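Review bot: the CHANGELOG entry "Force HTTPS even if UI is installed in advanced mode" describes a behaviour change that can break existing advanced-mode deployments that reach the web UI over plain HTTP without any certificate configured, yet it is listed as a plain [UI] item; mark it as a breaking change and cross-reference the new docs note ("using HTTPS in front the web UI is mandatory since version 1.5.8") so operators upgrading know they must provide a certificate (Let's Encrypt, custom or self-signed) before upgrading.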
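Review bot: the README.md and docs/index.md hunks add a "BunkerWeb Cloud" marketing section that is unrelated to the commit subject "ui - force HTTPS everytime"; split it into its own commit so the HTTPS enforcement change can be reviewed and reverted on its own. If it stays, fix the wording in both copies: "interested into" should be "interested in", and the spaces before "?" and ":" in "instance(s) ?" and "access to :" should be dropped.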
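Review bot: the docs/web-ui.md wizard hunk changes the `UI_HOST` example from `https://hostname-of-web-ui:7000` to `http://hostname-of-web-ui:7000` while the note added just above states that HTTPS in front of the web UI is mandatory; a reader will see these as contradictory. Add one sentence explaining that `UI_HOST` is the upstream address BunkerWeb proxies to on the dedicated network, which stays plain HTTP on port `7000`, and that TLS is terminated by BunkerWeb in front of it, which is why the browser-facing `https://your-ip-address-or-fqdn/setup` URLs keep `https://`. Also fix "in front the web UI" to "in front of the web UI" in the bold note.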
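Review bot: the four docs/web-ui.md hunks documenting `OVERRIDE_ADMIN_CREDS` say it forces the admin credentials to be overridden "even if we already have a user in the database" but do not say what that implies operationally: with the variable left at `yes`, the `ADMIN_USERNAME`/`ADMIN_PASSWORD` values from the environment or `/etc/bunkerweb/ui.env` replace the stored account on every restart, silently undoing any password change made through the UI. Add a sentence recommending it be used once for recovery and then set back to `no`, and add the same sentence next to the `OVERRIDE_ADMIN_CREDS=no` line in the `ui.env` example.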
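Review bot: in `ui:set()` of src/common/core/ui/ui.lua, `self.variables["USE_UI"]` is used without a nil guard, and the trailing `"set https_configured to " .. https_configured` will raise "attempt to concatenate a nil value" rather than return a status if the setting is ever absent for the current server; default it with `local use_ui = self.variables["USE_UI"] or "no"`. The local is also misnamed: it holds the `USE_UI` value, not whether HTTPS is configured, and the return message reports `set https_configured to no` on the branch where nothing was set, so build the message from the branch actually taken. Minor: the file is missing a trailing newline (`\ No newline at end of file`).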