Add new templating feature to allow to quickly override the default v…

…alues of settings and custom configurations. You can also precise steps to follow in the UI to help the user configure services.

CHANGELOG.md

@@ -8,6 +8,7 @@
 - [FEATURE] Add new `REVERSE_PROXY_PASS_REQUEST_BODY` setting to control if the request body should be passed to the upstream server (default is yes)
 - [FEATURE] Jobs now have an history which the size can be controlled via the `DATABASE_MAX_JOBS_RUNS` setting (default is 10000) and it will be possible to see it in the web UI in a future release
 - [FEATURE] Add support for HTTP/3 connections limiting via the `HTTP3_CONNECTIONS_LIMIT` setting (default is 100) in the `limit` plugin
+- [FEATURE] Add new templating feature to allow to quickly override the default values of settings and custom configurations. You can also precise steps to follow in the UI to help the user configure services.
 - [SCHEDULER] Refactor the scheduler to use the `BUNKERWEB_INSTANCES` (previously known as `OVERRIDE_INSTANCES`) environment variable instead of an integration specific system
 - [AUTOCONF] Add new `NAMESPACES` environment variable to allow setting the namespaces to watch for the autoconf feature which makes it possible to use multiple autoconf instances in the same cluster while keeping the configuration separated
 - [UI] Start refactoring the UI to make it more modular and easier to maintain with migration from Jinja to Vue.js

src/autoconf/Config.py

@@ -50,9 +50,10 @@ def __get_full_env(self) -> dict:
             for variable, value in service.items():
                 if variable == "NAMESPACE" or variable.startswith("CUSTOM_CONF") or not variable.isupper():
                     continue
-                if not self._db.is_setting(variable, multisite=True):
-                    if variable in service:
-                        self.__logger.warning(f"Variable {variable}: {value} is not a valid multisite setting, ignoring it")
+
+                success, err = self._db.is_valid_setting(variable, value=value, multisite=True)
+                if not success:
+                    self.__logger.warning(f"Variable {variable}: {value} is not a valid autoconf setting ({err}), ignoring it")
                     continue
                 config[f"{server_name}_{variable}"] = value
             config["SERVER_NAME"] += f" {server_name}"

src/common/core/securitytxt/confs/server-http/securitytxt.conf

@@ -1,7 +1,7 @@
 {% if USE_SECURITYTXT == "yes" and SECURITYTXT_CONTACT != "" +%}
 location = {{ SECURITYTXT_URI }} {
 	default_type 'text/plain; charset=utf-8';
-	root /usr/share/bunkerweb/core/securitytxt/templates;
+	root /usr/share/bunkerweb/core/securitytxt/files;
 	content_by_lua_block {
 		local logger   = require "bunkerweb.logger":new("SECURITYTXT")
 		local helpers  = require "bunkerweb.helpers"

src/common/core/templates/plugin.json

@@ -0,0 +1,8 @@
+{
+  "id": "templates",
+  "name": "Templates",
+  "description": "Fake core plugin for internal templates.",
+  "version": "1.0",
+  "stream": "yes",
+  "settings": {}
+}

src/common/core/templates/templates/high.json

@@ -0,0 +1 @@
+{} // TODO

src/common/core/templates/templates/low.json

@@ -0,0 +1,144 @@
+{
+  "name": "Basic security level",
+  "settings": {
+    "SERVER_NAME": "www.example.com",
+    "USE_REVERSE_PROXY": "yes",
+    "REVERSE_PROXY_HOST": "http://upstream-server:8080",
+    "REVERSE_PROXY_URL": "/",
+    "REVERSE_PROXY_CUSTOM_HOST": "",
+    "REVERSE_PROXY_SSL_SNI": "no",
+    "REVERSE_PROXY_SSL_SNI_NAME": "",
+    "REVERSE_PROXY_WS": "no",
+    "REVERSE_PROXY_KEEPALIVE": "no",
+    "AUTO_LETS_ENCRYPT": "yes",
+    "USE_LETS_ENCRYPT_STAGING": "no",
+    "ALLOWED_METHODS": "GET|POST|HEAD|OPTIONS|PUT|DELETE|PATCH",
+    "MAX_CLIENT_SIZE": "100m",
+    "HTTP2": "yes",
+    "HTTP3": "yes",
+    "SSL_PROTOCOLS": "TLSv1.2 TLSv1.3",
+    "COOKIE_FLAGS": "* SameSite=Lax",
+    "CONTENT_SECURITY_POLICY": "",
+    "PERMISSIONS_POLICY": "",
+    "KEEP_UPSTREAM_HEADERS": "*",
+    "REFERRER_POLICY": "no-referrer-when-downgrade",
+    "USE_CORS": "yes",
+    "CORS_ALLOW_ORIGIN": "*",
+    "USE_BAD_BEHAVIOR": "yes",
+    "BAD_BEHAVIOR_STATUS_CODES": "400 401 403 404 405 429 444",
+    "BAD_BEHAVIOR_BAN_TIME": "3600",
+    "BAD_BEHAVIOR_THRESHOLD": "30",
+    "BAD_BEHAVIOR_COUNT_TIME": "60",
+    "USE_ANTIBOT": "no",
+    "ANTIBOT_URI": "/challenge",
+    "ANTIBOT_RECAPTCHA_SCORE": "0.7",
+    "ANTIBOT_RECAPTCHA_SITEKEY": "",
+    "ANTIBOT_RECAPTCHA_SECRET": "",
+    "ANTIBOT_HCAPTCHA_SITEKEY": "",
+    "ANTIBOT_HCAPTCHA_SECRET": "",
+    "ANTIBOT_TURNSTILE_SITEKEY": "",
+    "ANTIBOT_TURNSTILE_SECRET": "",
+    "USE_BLACKLIST": "yes",
+    "USE_DNSBL": "no",
+    "USE_LIMIT_CONN": "yes",
+    "LIMIT_CONN_MAX_HTTP1": "25",
+    "LIMIT_CONN_MAX_HTTP2": "200",
+    "USE_LIMIT_REQ": "yes",
+    "LIMIT_REQ_URL": "/",
+    "LIMIT_REQ_RATE": "5r/s"
+  },
+  "configs": ["modsec/anomaly_score.conf"],
+  "steps": [
+    {
+      "title": "Web service - Front service",
+      "subtitle": "Configure your web service facing your clients",
+      "settings": [
+        "SERVER_NAME",
+        "AUTO_LETS_ENCRYPT",
+        "USE_LETS_ENCRYPT_STAGING"
+      ]
+    },
+    {
+      "title": "Web service - Upstream server",
+      "subtitle": "Configure the upstream server to be protected by BunkerWeb",
+      "settings": [
+        "USE_REVERSE_PROXY",
+        "REVERSE_PROXY_HOST",
+        "REVERSE_PROXY_URL",
+        "REVERSE_PROXY_CUSTOM_HOST",
+        "REVERSE_PROXY_SSL_SNI",
+        "REVERSE_PROXY_SSL_SNI_NAME",
+        "REVERSE_PROXY_WS",
+        "REVERSE_PROXY_KEEPALIVE"
+      ]
+    },
+    {
+      "title": "HTTP - General",
+      "subtitle": "Configure the settings related to the HTTP(S) protocol",
+      "settings": [
+        "MAX_CLIENT_SIZE",
+        "ALLOWED_METHODS",
+        "HTTP2",
+        "HTTP3",
+        "SSL_PROTOCOLS"
+      ]
+    },
+    {
+      "title": "HTTP - Headers",
+      "subtitle": "Configure the settings related to the HTTP headers",
+      "settings": [
+        "COOKIE_FLAGS",
+        "CONTENT_SECURITY_POLICY",
+        "PERMISSIONS_POLICY",
+        "USE_CORS",
+        "CORS_ALLOW_ORIGIN",
+        "KEEP_UPSTREAM_HEADERS",
+        "REFERRER_POLICY"
+      ]
+    },
+    {
+      "title": "Security - Bad behavior",
+      "subtitle": "Configure the settings related to the automatic ban when a bad behavior is detected.",
+      "settings": [
+        "USE_BAD_BEHAVIOR",
+        "BAD_BEHAVIOR_STATUS_CODES",
+        "BAD_BEHAVIOR_BAN_TIME",
+        "BAD_BEHAVIOR_THRESHOLD",
+        "BAD_BEHAVIOR_COUNT_TIME"
+      ]
+    },
+    {
+      "title": "Security - Blacklisting",
+      "subtitle": "Configure the settings related to the external blacklists.",
+      "settings": ["USE_BLACKLIST", "USE_DNSBL"]
+    },
+    {
+      "title": "Security - Limiting",
+      "subtitle": "Configure the settings related to limiting requests and connections.",
+      "settings": [
+        "USE_LIMIT_CONN",
+        "LIMIT_CONN_MAX_HTTP1",
+        "LIMIT_CONN_MAX_HTTP2",
+        "LIMIT_CONN_MAX_HTTP3",
+        "USE_LIMIT_REQ",
+        "LIMIT_REQ_URL",
+        "LIMIT_REQ_RATE"
+      ]
+    },
+    {
+      "title": "Security - Antibot",
+      "subtitle": "Configure the settings about bot detection",
+      "settings": [
+        "USE_ANTIBOT",
+        "ANTIBOT_URI",
+        "ANTIBOT_RECAPTCHA_SCORE",
+        "ANTIBOT_RECAPTCHA_SITEKEY",
+        "ANTIBOT_RECAPTCHA_SECRET",
+        "ANTIBOT_HCAPTCHA_SITEKEY",
+        "ANTIBOT_HCAPTCHA_SECRET",
+        "ANTIBOT_TURNSTILE_SITEKEY",
+        "ANTIBOT_TURNSTILE_SECRET"
+      ]
+    }
+  ]
+}

src/common/core/templates/templates/low/configs/modsec/anomaly_score.conf

@@ -0,0 +1,9 @@
+SecAction \
+  "id:900110,\
+  phase:1,\
+  pass,\
+  t:none,\
+  nolog,\
+  tag:'OWASP_CRS',\
+  setvar:tx.inbound_anomaly_score_threshold=6,\
+  setvar:tx.outbound_anomaly_score_threshold=5"

src/common/core/templates/templates/medium.json

@@ -0,0 +1 @@
+{} // TODO