Comments (2)
KWardOrbiner
commented on May 25, 2024
Hello again.
For people that struggle with implementing websocket in their bunkerweb multiple application in autoconf setup.
After lot of trials and errors, I have managed to find a configuration that sets up the right headers.
Here's a snippets of bunkerweb autoconf docker-compose:
bunkerweb: image: bunkerity/bunkerweb:1.5.5 ports: - 80:8080 - 443:8443 labels: - "bunkerweb.INSTANCE=yes" environment: - SERVER_NAME=app.myapp.com - DATABASE_URI=mariadb+pymysql://bwUser:bwPassword@bunkerweb-mariadb:3306/bwDB - USE_REVERSE_PROXY=yes - AUTOCONF_MODE=yes - MULTISITE=yes - AUTO_LETS_ENCRYPT=yes - [email protected] - USE_LETS_ENCRYPT_STAGING=no - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 - MAX_CLIENT_SIZE=100m networks: - bw-universe - bw-services
Here's the issue is that we should not add the tag : REVERSE_PROXY_WS=yes in this configuration.
And for my app docker-compose
`version: '3.8'
services:
frontend:
build:
context: ./client
dockerfile: Dockerfile
args:
customAPP Arguments
networks:
- bw-services
labels:
- "bunkerweb.SERVER_NAME=app.myapp.com"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_URL=/"
- "bunkerweb.REVERSE_PROXY_HOST=http://frontend:80"
- "bunkerweb.REVERSE_PROXY_WS=yes"
backend:
build:
context: ./server
dockerfile: Dockerfile
env_file:
myapp envfile
environment:
#myapp database host
volumes:
#my app volumes
networks:
- myapp-network
- bw-services
labels:
- "bunkerweb.SERVER_NAME=app.myapp.com"
- "bunkerweb.USE_REVERSE_PROXY=yes"
- "bunkerweb.REVERSE_PROXY_HOST_1=http://backend:7000"
- "bunkerweb.REVERSE_PROXY_URL_1=/api/"
- "bunkerweb.REVERSE_PROXY_HOST_2=http://backend:7000"
- "bunkerweb.REVERSE_PROXY_URL_2=/socket.io/"
- "bunkerweb.REVERSE_PROXY_WS_2=yes"
- "bunkerweb.REVERSE_PROXY_URL_3=/files/"
- "bunkerweb.REVERSE_PROXY_HOST_3=http://backend:7000"'
The nginx autoconf is generated appropriately.
But my issue with websocket implementation (using socket.io) is still producing 403 (forbidden) on the post, 429 (too many requests) and then the badbehavior kicks in and bans the client IP.
It comes from how socket.io works.
The post gets banned by the implementation of ModSecurity from bunkerweb:
The warning generated by ModSecurity indicates that the text/plain content type sent by the Socket.IO client does not match the allowed list of content types configured in the policy.
I'll need to tweak the ModSecurity to make it work with my socket.io implementation
from bunkerweb.
KWardOrbiner
commented on May 25, 2024
Hello.
To finish this topic for others.
Modsecurity blocks http request in plain text because of security measures but that's how it is done in socket.io.
So I have added an exception to ModSecurity using Custom Configuration with files.
I set-up a file:
SecRule REQUEST_FILENAME "@beginswith /socket.io/"
"id:900000,
phase:1,
pass,
nolog,
ctl:ruleRemoveById=920420"
Then I have added a greater rate limit for my socket.io:
' - "bunkerweb.REVERSE_PROXY_HOST_2=http://backend:7000"
- "bunkerweb.REVERSE_PROXY_URL_2=/socket.io/"
- "bunkerweb.REVERSE_PROXY_WS_2=yes"
- "bunkerweb.LIMIT_REQ_URL_2=/socket.io/"
- "bunkerweb.LIMIT_REQ_RATE_2=30r/s" '
Not straight forward implementation.
from bunkerweb.
Related Issues (20)
- [BUG] upgrade 1.5.5 -> 1.5.6 SQL Errors HOT 10
- [BUG] Infinite page loading when using Chrome browser in developer mode HOT 4
- [BUG] exception while running mmdb-country.py HOT 3
- [BUG] changes are not saved HOT 7
- 1.5.6 virustotal plugin error HOT 1
- [license] is it ok to redistribute the maxmind mmdb files? HOT 2
- [FEATURE] Ability to export and import config via the Web UI
- [BUG] REVERSE_PROXY_WS not working in KUBERNETES_MODE HOT 6
- [BUG] Web UI unavailable after fresh install, Ubuntu 24.04, Linux Integration HOT 9
- How to use bunker with services in different hosts without weakening security HOT 7
- [BUG] 500 error when accessing Web Bans page HOT 4
- [HELP] Custom certificates producing exceptions HOT 3
- [BUG] I'm testing this in a new instance and seems like lets encrypt does not work? HOT 1
- [DOC] nextcloud examples are out of date (compose)
- [FEATURE] Is there a way to deploy 2 services as reverse proxy where leaving a one without any protections and just bypassing everything HOT 4
- [FEATURE] hardened security on the 401 pages HOT 3
- [BUG] Incorrect nginx dependency for Ubuntu Noble package HOT 1
- [BUG] Do I still need to add a crowdsec container? Why can't crowdsec start and there are no logs HOT 1
- [BUG] Certs for non-autoconf sites are not applied HOT 2
- [FEATURE] Bunkerweb has lua dependencies checked into the repo
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bunkerweb.