Merge pull request #824 from bunkerity/dev

Merge branch "dev" into branch "ui"

.github/workflows/codeql.yml

@@ -35,12 +35,12 @@ jobs:
           python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
           echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           setup-python-dependencies: false
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/doc-to-pdf.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Install chromium
         run: sudo apt install chromium-browser
       - name: Install node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: 18
       - name: Install puppeteer

.github/workflows/push-packagecloud.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install ruby
-        uses: ruby/setup-ruby@af848b40be8bb463a751551a1180d74782ba8a72 # v1.162.0
+        uses: ruby/setup-ruby@b256bd96bb4867e7d23e92e087d9bb697270b725 # v1.163.0
         with:
           ruby-version: "3.0"
       - name: Install packagecloud

.github/workflows/scorecards-analysis.yml

@@ -25,6 +25,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload SARIF results to code scanning"
-        uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -3,8 +3,11 @@
 ## v1.5.5 - YYYY/MM/DD
 
 - [BUGFIX] Fix issues with the database when upgrading from version 1.5.3 and 1.5.4 to the most recent version
+- [BUGFIX] Fix ModSecurity-nginx to make it work with brotli
 - [FEATURE] Add Anonymous reporting feature
 - [FEATURE] Add support for fallback Referrer-Policies
+- [MISC] Fallback to default HTTPS certificate to prevent errors
+- [MISC] Updated Python Docker image to 3.12.1-alpine3.18 in Dockerfiles
 - [DEPS] Updated ModSecurity to v3.0.11
 
 ## v1.5.4 - 2023/12/04

docs/requirements.in

@@ -1,5 +1,5 @@
 mike==2.0.0
 mkdocs==1.5.3
-mkdocs-material[imaging]==9.5.2
+mkdocs-material[imaging]==9.5.3
 mkdocs-print-site-plugin==2.3.6
 pytablewriter==1.2.0

src/bw/lua/bunkerweb/ctx.lua

@@ -0,0 +1,108 @@
+-- A module for sharing ngx.ctx between subrequests.
+-- Original work by Alex Zhang (openresty/lua-nginx-module/issues/1057)
+-- updated by 3scale/apicast.
+--
+-- Copyright (c) 2016 3scale Inc.
+-- Licensed under the Apache License, Version 2.0.
+-- License text: See LICENSE
+--
+-- Modifications by Kong Inc.
+--   * updated module functions signatures
+--   * made module function idempotent
+--   * replaced thrown errors with warn logs
+--   * allow passing of context
+--   * updated to work with new 1.19.x apis
+
+local ffi = require "ffi"
+local base = require "resty.core.base"
+require "resty.core.ctx"
+
+
+local C = ffi.C
+local ngx = ngx
+local var = ngx.var
+local ngx_log = ngx.log
+local ngx_WARN = ngx.WARN
+local tonumber = tonumber
+local registry = debug.getregistry()
+local subsystem = ngx.config.subsystem
+local get_request = base.get_request
+
+-- BW edits
+local logger = require "bunkerweb.logger":new("CTX")
+local ngx_ERR = ngx.ERR
+
+local ngx_lua_ffi_get_ctx_ref
+if subsystem == "http" then
+  ngx_lua_ffi_get_ctx_ref = C.ngx_http_lua_ffi_get_ctx_ref
+elseif subsystem == "stream" then
+  ngx_lua_ffi_get_ctx_ref = C.ngx_stream_lua_ffi_get_ctx_ref
+end
+
+
+local in_ssl_phase = ffi.new("int[1]")
+local ssl_ctx_ref = ffi.new("int[1]")
+
+
+local FFI_NO_REQ_CTX = base.FFI_NO_REQ_CTX
+
+
+local _M = {}
+
+
+function _M.stash_ref(ctx)
+  local r = get_request()
+  if not r then
+    logger:log(ngx_ERR, "could not stash ngx.ctx ref: no request found")
+    return
+  end
+
+  do
+    local ctx_ref = var.ctx_ref
+    if not ctx_ref or ctx_ref ~= "" then
+      return
+    end
+
+    if not ctx then
+      local _ = ngx.ctx -- load context if not previously loaded
+    end
+  end
+  local ctx_ref = ngx_lua_ffi_get_ctx_ref(r, in_ssl_phase, ssl_ctx_ref)
+  if ctx_ref == FFI_NO_REQ_CTX then
+    logger:log(ngx_ERR, "could not stash ngx.ctx ref: no ctx found")
+    return
+  end
+
+  var.ctx_ref = ctx_ref
+end
+
+
+function _M.apply_ref()
+  local r = get_request()
+  if not r then
+    logger:log(ngx_ERR, "could not apply ngx.ctx: no request found")
+    return
+  end
+
+  local ctx_ref = var.ctx_ref
+  if not ctx_ref or ctx_ref == "" then
+    return
+  end
+
+  ctx_ref = tonumber(ctx_ref)
+  if not ctx_ref then
+    return
+  end
+
+  local orig_ctx = registry.ngx_lua_ctx_tables[ctx_ref]
+  if not orig_ctx then
+    logger:log(ngx_ERR, "could not apply ngx.ctx: no ctx found")
+    return
+  end
+
+  ngx.ctx = orig_ctx
+  var.ctx_ref = ""
+end
+
+
+return _M

src/bw/lua/bunkerweb/helpers.lua

@@ -1,5 +1,7 @@
 local cjson = require "cjson"
 local utils = require "bunkerweb.utils"
+local bwctx = require "bunkerweb.ctx"
+local base 	= require "resty.core.base"
 
 local helpers = {}
 
@@ -148,6 +150,10 @@ end
 helpers.fill_ctx = function()
 	-- Return errors as table
 	local errors = {}
+	-- Try to load saved ctx
+	if base.get_request() then
+		bwctx.apply_ref()
+	end
 	local ctx = ngx.ctx
 	-- Check if ctx is already filled
 	if not ctx.bw then
@@ -200,6 +206,12 @@ helpers.fill_ctx = function()
 	return true, "ctx filled", errors, ctx
 end
 
+helpers.save_ctx = function(ctx)
+	if base.get_request() then
+		bwctx.stash_ref(ctx)
+	end
+end
+
 function helpers.load_variables(all_variables, plugins)
 	-- Extract settings from plugins and global ones
 	local all_settings = {}

src/common/confs/server-http/access-lua.conf

@@ -36,6 +36,8 @@ access_by_lua_block {
 		if banned == nil then
 			logger:log(ngx.ERR, "can't check if IP " .. ctx.bw.remote_addr .. " is banned : " .. reason)
 		elseif banned then
+			ctx.bw.is_banned = true
+			helpers.save_ctx(ctx)
 			logger:log(ngx.WARN,
 				"IP " .. ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
 			return ngx.exit(utils.get_deny_status(ctx))
@@ -101,7 +103,7 @@ access_by_lua_block {
 	logger:log(ngx.INFO, "called access() methods of plugins")
 
 	-- Save ctx
-	ngx.ctx = ctx
+	helpers.save_ctx(ctx)
 
 	logger:log(ngx.INFO, "access phase ended")
 

src/common/confs/server-http/header-lua.conf

@@ -63,7 +63,7 @@ header_filter_by_lua_block {
 	logger:log(ngx.INFO, "called header() methods of plugins")
 
 	-- Save ctx
-	ngx.ctx = ctx
+	helpers.save_ctx(ctx)
 
 	return true
 }

src/common/confs/server-http/log-lua.conf

@@ -63,12 +63,9 @@ log_by_lua_block {
 	logger:log(ngx.INFO, "called log() methods of plugins")
 
 	-- Display reason at info level
-	if ctx.reason then
-		logger:log(ngx.INFO, "client was denied with reason : " .. ctx.reason)
+	if ctx.bw.reason then
+		logger:log(ngx.INFO, "client was denied with reason : " .. ctx.bw.reason)
 	end
 
-	-- Save ctx
-	ngx.ctx = ctx
-
 	logger:log(ngx.INFO, "log phase ended")
 }

src/common/confs/server-http/server.conf

@@ -18,8 +18,9 @@ server {
 	include /etc/bunkerweb/configs/server-http/{{ SERVER_NAME.split(" ")[0] }}/*.conf;
 {% endif %}
 
-	# reason variable
+	# variables
 	set $reason '';
+	set $ctx_ref '';
 
 	# include LUA files
 	include {{ NGINX_PREFIX }}set-lua.conf;

src/common/confs/server-http/set-lua.conf

@@ -78,7 +78,7 @@ set_by_lua_block $dummy_set {
 	logger:log(ngx.INFO, "called set() methods of plugins")
 
 	-- Save ctx
-	ngx.ctx = ctx
+	helpers.save_ctx(ctx)
 
 	return true
 }

src/common/confs/server-http/ssl-certificate-lua.conf

@@ -1,3 +1,22 @@
+ssl_certificate /var/cache/bunkerweb/default-server-cert/cert.pem;
+ssl_certificate_key /var/cache/bunkerweb/default-server-cert/cert.key;
+ssl_protocols {{ SSL_PROTOCOLS }};
+ssl_prefer_server_ciphers on;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+{% if "TLSv1.2" in SSL_PROTOCOLS +%}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+
+{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_SSL == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
+listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+{% if USE_IPV6 == "yes" +%}
+listen [::]:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %} {% if USE_PROXY_PROTOCOL == "yes" %}proxy_protocol{% endif %};
+{% endif %}
+{% endif %}
+
 ssl_certificate_by_lua_block {
 	local class         = require "middleclass"
 	local clogger       = require "bunkerweb.logger"

src/common/confs/server-stream/log-stream-lua.conf

@@ -63,12 +63,9 @@ log_by_lua_block {
 	logger:log(ngx.INFO, "called log_stream() methods of plugins")
 
 	-- Display reason at info level
-	if ctx.reason then
-		logger:log(ngx.INFO, "client was denied with reason : " .. ctx.reason)
+	if ctx.bw.reason then
+		logger:log(ngx.INFO, "client was denied with reason : " .. ctx.bw.reason)
 	end
 
-	-- Save ctx
-	ngx.ctx = ctx
-
 	logger:log(ngx.INFO, "log phase ended")
 }

src/common/confs/server-stream/preread-stream-lua.conf

@@ -31,9 +31,11 @@ preread_by_lua_block {
 		if banned == nil then
 			logger:log(ngx.ERR, "can't check if IP " .. ctx.bw.remote_addr .. " is banned : " .. reason)
 		elseif banned then
+			ctx.bw.is_banned = true
+			helpers.save_ctx(ctx)
 			logger:log(ngx.WARN,
 				"IP " .. ctx.bw.remote_addr .. " is banned with reason " .. reason .. " (" .. tostring(ttl) .. "s remaining)")
-			return ngx.exit(utils.get_deny_status())
+			return ngx.exit(utils.get_deny_status(ctx))
 		else
 			logger:log(ngx.INFO, "IP " .. ctx.bw.remote_addr .. " is not banned")
 		end
@@ -91,7 +93,7 @@ preread_by_lua_block {
 	logger:log(ngx.INFO, "called preread() methods of plugins")
 
 	-- Save ctx
-	ngx.ctx = ctx
+	helpers.save_ctx(ctx)
 
 	logger:log(ngx.INFO, "preread phase ended")
 

src/common/confs/server-stream/server-stream.conf

@@ -14,13 +14,13 @@ server {
 	include /etc/bunkerweb/configs/server-stream/{{ SERVER_NAME.split(" ")[0] }}/*.conf;
 {% endif %}
 
-	# reason variable
+	# variables
 	set $reason '';
-
-	# server_name variable
+	set $ctx_ref '';
 	set $server_name '{{ SERVER_NAME.split(" ")[0] }}';
 
 	# include LUA files
+	include {{ NGINX_PREFIX }}ssl-certificate-stream-lua.conf;
 	include {{ NGINX_PREFIX }}preread-stream-lua.conf;
 	include {{ NGINX_PREFIX }}log-stream-lua.conf;