

prepare for 1.5.1 🚀
fl0ppy-d1sk committed Jun 14, 2023
1 parent 4023e6d commit dcf1561
Showing 28 changed files with 29 additions and 78 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,10 +12,17 @@
- [BUGFIX] Custom certificate bug after the refactoring
- [BUGFIX] Fix wrong variables in header phase (fix CORS feature too)
- [BUGFIX] Fix UI not working in Ubuntu (python zope module)
- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)
- [PERFORMANCE] Reduce CPU usage of scheduler
- [PERFORMANCE] Cache ngx.ctx instead of loading it each time
- [PERFORMANCE] Use per-worker LRU cache for common RO LUA values
- [FEATURE] Add Turnstile antibot mode
- [FEATURE] Add more CORS headers
- [FEATURE] Add KEEP_UPSTREAM_HEADERS to preserve headers when using reverse proxy
- [MISC] Add LOG_LEVEL=warning for docker socket proxy in docs, examples and boilerplates
- [MISC] Temp remove VMWare provider for Vagrant integration
- [MISC] Remove X-Script-Name header and ABSOLUTE_URI variable when using UI


## v1.5.0 - 2023/05/23

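Review bot: the entry list omits the removal of the `ANTIBOT_HCAPTCHA_PASSIVE` setting, which this same commit drops from docs/settings.md; add a line such as `- [MISC] Remove ANTIBOT_HCAPTCHA_PASSIVE setting` so operators who still set it know it is no longer honoured. The line `- [BUGFIX] Patch ModSecurity to run it after LUA code (should fix whitelist problems)` also needs plainer wording: moving the WAF after the Lua phase presumably lets a Lua whitelist decision short-circuit ModSecurity inspection for whitelisted clients, which is a security-relevant ordering change rather than a plain bug fix, and "should fix" reads as untested. State what now happens to a whitelisted request.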
13 changes: 7 additions & 6 deletions README.md
Expand Up @@ -305,12 +305,13 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug

| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Coraza** | 0.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |

You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.1/plugins) of the documentation.

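Review bot: the WebHook row's link text reads `bunkerweb-plugins/slack` while its URL targets `.../tree/main/webhook`; make the text match the target. The Coraza description still says "using a the Coraza WAF" (drop the stray "a"). Since every plugin version now reads 1.1 and the docs link below targets `/1.5.1/`, a short sentence saying that plugins 1.1 are the release matching BunkerWeb 1.5.1 would save users guessing which plugin tag to install.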
2 changes: 1 addition & 1 deletion SECURITY.md
Expand Up @@ -4,7 +4,7 @@ Even though this project is focused on security, it is still prone to possible v

## Responsible disclosure

If you have found a security bug, please send us an email at security \[@\] bunkerity.com with technical details so we can resolve it as soon as possible.
If you have found a security bug, please send us an email at security \[@\] bunkerity.com (using a ProtonMail if possible) with technical details so we can resolve it as soon as possible.

Here is a non-exhaustive list of issues we consider as high risk :
- Vulnerability in the code
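Review bot: "(using a ProtonMail if possible)" is ungrammatical ("a ProtonMail") and gives reporters a weak guarantee: end-to-end encryption is automatic only between ProtonMail accounts, so a reporter on any other provider still sends the technical details in the clear. Publish a PGP public key and fingerprint for security [@] bunkerity.com (a `security.txt` is the usual place) and ask reporters to encrypt to it; that works whatever mail provider the reporter uses.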
15 changes: 8 additions & 7 deletions docs/plugins.md
Expand Up @@ -8,20 +8,21 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug

| Name | Version | Description | Link |
| :------------: | :-----: | :------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------: |
| **ClamAV** | 1.0 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **CrowdSec** | 1.0 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.0 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.0 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.0 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **Coraza** | 0.1 | Inspect requests using a Core Rule Set and deny malicious ones. | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **ClamAV** | 1.1 | Automatically scans uploaded files with the ClamAV antivirus engine and denies the request when a file is detected as malicious. | [bunkerweb-plugins/clamav](https://github.com/bunkerity/bunkerweb-plugins/tree/main/clamav) |
| **Coraza** | 1.1 | Inspect requests using a the Coraza WAF (alternative of ModSecurity). | [bunkerweb-plugins/coraza](https://github.com/bunkerity/bunkerweb-plugins/tree/main/coraza) |
| **CrowdSec** | 1.1 | CrowdSec bouncer for BunkerWeb. | [bunkerweb-plugins/crowdsec](https://github.com/bunkerity/bunkerweb-plugins/tree/main/crowdsec) |
| **Discord** | 1.1 | Send security notifications to a Discord channel using a Webhook. | [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord) |
| **Slack** | 1.1 | Send security notifications to a Slack channel using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack) |
| **VirusTotal** | 1.1 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.1 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |

## How to use a plugin

### Automatic

If you want to quickly install external plugins, you can use the `EXTERNAL_PLUGIN_URLS` setting. It takes a list of URLs, separated with space, pointing to compressed (zip format) archive containing one or more plugin(s).

You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.0.zip`
You can use the following value if you want to automatically install the official plugins : `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.1.zip`

### Manual

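Review bot: `EXTERNAL_PLUGIN_URLS=https://github.com/bunkerity/bunkerweb-plugins/archive/refs/tags/v1.1.zip` downloads executable plugin code at start-up from a tag archive, and nothing on this page shows an integrity check; git tags are mutable and GitHub builds these archives on request, so either document a checksum for the archive or point at the immutable commit archive (`.../archive/<commit-sha>.zip`) that the v1.1 tag currently resolves to. Same table fixes as in README.md: the WebHook link text says `slack` but targets `webhook`, and "using a the Coraza WAF" has a stray "a".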
1 change: 0 additions & 1 deletion docs/settings.md
Expand Up @@ -65,7 +65,6 @@ Bot detection by using a challenge.
|`ANTIBOT_RECAPTCHA_SCORE` |`0.7` |multisite|no |Minimum score required for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SITEKEY`| |multisite|no |Sitekey for reCAPTCHA challenge. |
|`ANTIBOT_RECAPTCHA_SECRET` | |multisite|no |Secret for reCAPTCHA challenge. |
|`ANTIBOT_HCAPTCHA_PASSIVE` |`no` |multisite|no |Use hCaptcha in passive mode. |
|`ANTIBOT_HCAPTCHA_SITEKEY` | |multisite|no |Sitekey for hCaptcha challenge. |
|`ANTIBOT_HCAPTCHA_SECRET` | |multisite|no |Secret for hCaptcha challenge. |
|`ANTIBOT_TURNSTILE_SITEKEY`| |multisite|no |Sitekey for Turnstile challenge. |
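Review bot: dropping the `ANTIBOT_HCAPTCHA_PASSIVE` row without a CHANGELOG entry silently orphans existing configurations that set it; add the changelog line, or keep the row if the hCaptcha code still reads the variable. The doc change and the code change should land together so the table never documents a setting that is ignored, or hides one that is still parsed.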
22 changes: 2 additions & 20 deletions docs/web-ui.md
Expand Up @@ -55,7 +55,6 @@ Because the web UI is a web application, the recommended installation procedure

- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)

Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.

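Review bot: removing the `ABSOLUTE_URI` bullet (and, further down, the `X-Script-Name` proxy header) leaves the reader with no statement of how the UI now discovers the `/changeme/` prefix it is served under; add one sentence here describing the new mechanism, otherwise the remaining `REVERSE_PROXY_URL=/changeme/` line looks like it still needs a matching UI-side setting. While touching this paragraph, it would help to say explicitly that port `7000` is only to be reached over `bw-universe` and must not be published on the host.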
Expand Down Expand Up @@ -88,7 +87,6 @@ Because the web UI is a web application, the recommended installation procedure
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
networks:
- bw-universe
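Review bot: with `REVERSE_PROXY_HEADERS=X-Script-Name /changeme` gone, this Docker Compose example sets `INTERCEPTED_ERROR_CODES` but not `REVERSE_PROXY_INTERCEPT_ERRORS=no`, whereas the Swarm example and the Kubernetes ingress further down set both; align the examples, or explain why the UI's error responses should be intercepted in one deployment mode and passed through in another.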
Expand Down Expand Up @@ -125,7 +123,6 @@ Because the web UI is a web application, the recommended installation procedure
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
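Review bot: the comment "Remember to set a stronger password for the changeme user" sits on a line that still ships `ADMIN_PASSWORD=changeme` inline in the compose file, next to `DOCKER_HOST=tcp://bw-docker:2375`, an unauthenticated and unencrypted socket proxy; suggest an `env_file` or secret reference for the credentials instead of an inline value, and a reminder that the proxy must be reachable only on the `bw-docker` network.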
Expand Down Expand Up @@ -178,7 +175,6 @@ Because the web UI is a web application, the recommended installation procedure

- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)

Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.

Expand Down Expand Up @@ -270,14 +266,12 @@ Because the web UI is a web application, the recommended installation procedure
- AUTOCONF_MODE=yes
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=changeme
- ABSOLUTE_URI=http://www.example.com/changeme/
labels:
- "bunkerweb.SERVER_NAME=www.example.com"
- "bunkerweb.USE_UI=yes"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"

volumes:
Expand Down Expand Up @@ -316,7 +310,6 @@ Because the web UI is a web application, the recommended installation procedure

- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)

Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). We recommend you to connect BunkerWeb and web UI using a dedicated network (like `bw-universe` also used by the scheduler and autoconf) so it won't be on the same network of your web services for obvious security reasons. Please note that the web UI container is listening on the `7000` port.

Expand Down Expand Up @@ -422,7 +415,6 @@ Because the web UI is a web application, the recommended installation procedure
- DOCKER_HOST=tcp://bw-docker:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # Remember to set a stronger password for the changeme user
- ABSOLUTE_URI=http://www.example.com/changeme/
networks:
- bw-universe
- bw-docker
Expand All @@ -433,9 +425,8 @@ Because the web UI is a web application, the recommended installation procedure
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/changeme/"
- "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
- "bunkerweb.REVERSE_PROXY_HEADERS=X-Script-Name /changeme"
- "bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no"
- "INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
- "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"

volumes:
bw-data:
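Review bot: good catch on `"INTERCEPTED_ERROR_CODES=..."` becoming `"bunkerweb.INTERCEPTED_ERROR_CODES=..."`; without the `bunkerweb.` prefix the label would not be picked up as a BunkerWeb setting and the UI's error pages would have been handled with the defaults. The same fix should be checked in the other label blocks of this file, and the Docker Compose example earlier in the file should gain the `REVERSE_PROXY_INTERCEPT_ERRORS=no` line this block has, so the three deployment modes behave the same.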
Expand Down Expand Up @@ -466,7 +457,6 @@ Because the web UI is a web application, the recommended installation procedure

- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
- `ABSOLUTE_URI` : full URI of your web UI instance (like `http://www.example.com/foo/`)

Accessing the web UI through BunkerWeb is a classical [reverse proxy setup](quickstart-guide.md#protect-http-applications). Network segmentation between web UI and web services is not covered in this documentation. Please note that the web UI container is listening on the `7000` port.

Expand Down Expand Up @@ -715,8 +705,6 @@ Because the web UI is a web application, the recommended installation procedure
value: "changeme"
- name: "ADMIN_PASSWORD"
value: "changeme"
- name: "ABSOLUTE_URI"
value: "http://www.example.com/changeme/"
- name: KUBERNETES_MODE
value: "YES"
- name: "DATABASE_URI"
Expand Down Expand Up @@ -791,8 +779,8 @@ Because the web UI is a web application, the recommended installation procedure
name: ingress
annotations:
bunkerweb.io/www.example.com_USE_UI: "yes"
bunkerweb.io/www.example.com_REVERSE_PROXY_HEADERS_1: "X-Script-Name /changeme"
bunkerweb.io/www.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: '400 404 405 413 429 500 501 502 503 504'
spec:
rules:
- host: www.example.com
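Review bot: the annotation values mix quoting styles, `"yes"` and `"no"` in double quotes but `'400 404 405 413 429 500 501 502 503 504'` in single quotes; use one style, and since the `_REVERSE_PROXY_HEADERS_1` annotation was the only numbered header entry, confirm that no `_REVERSE_PROXY_HEADERS` annotation is still required for the UI ingress to work.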
Expand Down Expand Up @@ -822,7 +810,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```

Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
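Review bot: `/etc/bunkerweb/ui.env` now holds only the admin credentials, and the snippet shows `ADMIN_PASSWORD=changeme` with no placeholder comment; add the same "replace with a stronger password" note the compose examples carry, and state that the file must be readable only by the user running the UI service (for example `chmod 600`), since it is the one place on a Linux install where the UI password sits in clear text.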
Expand All @@ -846,7 +833,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```

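Review bot: `www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000` is the right target on a Linux install, but the earlier paragraph says network segmentation is not covered for this mode, so the doc should state that the UI service must listen on `127.0.0.1` only; if it binds to all interfaces, the admin UI is reachable on port 7000 without passing through BunkerWeb at all.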
Expand All @@ -865,7 +851,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```

Here is the `my_variables.env` boilerplate you can use :
Expand All @@ -880,7 +865,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```

Expand Down Expand Up @@ -932,7 +916,6 @@ Because the web UI is a web application, the recommended installation procedure
```conf
ADMIN_USERNAME=changeme
ADMIN_PASSWORD=changeme
ABSOLUTE_URI=http://www.example.com/changeme/
```

Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service :
Expand All @@ -955,7 +938,6 @@ Because the web UI is a web application, the recommended installation procedure
www.example.com_USE_REVERSE_PROXY=yes
www.example.com_REVERSE_PROXY_URL=/changeme/
www.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:7000
www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme
www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
```

3 changes: 0 additions & 3 deletions examples/web-ui/docker-compose.yml
Expand Up @@ -19,9 +19,7 @@ services:
- www.example.com_USE_REVERSE_PROXY=yes
- www.example.com_REVERSE_PROXY_URL=/changeme/ # replace with another url
- www.example.com_REVERSE_PROXY_HOST=http://bw-ui:7000
- www.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /changeme # replace with another url
- www.example.com_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
- www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';
labels:
- "bunkerweb.INSTANCE"
networks:
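Review bot: this hunk drops `www.example.com_SECURITY_POLICY=object-src 'none'; frame-ancestors 'self';` together with the `X-Script-Name` header, but the commit message and CHANGELOG mention only the header. If the line went because the key is misnamed (BunkerWeb's documented setting is `CONTENT_SECURITY_POLICY`, whose default is the same value), say so in the commit, and confirm the UI still receives `frame-ancestors 'self'` from that default, since it is the directive that keeps the admin UI from being framed by another origin.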
Expand All @@ -45,7 +43,6 @@ services:
depends_on:
- bw-docker-proxy
environment:
- ABSOLUTE_URI=https://www.example.com/changeme/ # replace with another url
- DOCKER_HOST=tcp://bw-docker-proxy:2375
- ADMIN_USERNAME=changeme
- ADMIN_PASSWORD=changeme # replace with a stronger password
