Date: Mon, 01 Jun 2026 17:39:16 +0000 From: Jochen Neumeister <joneum@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: da044629d7cc - main - www/bunkerweb: add new port Message-ID: <6a1dc3c4.1a0ee.39585333@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by joneum: URL: https://cgit.FreeBSD.org/ports/commit/?id=da044629d7cc8ad3c6746884f31d716f7476475c commit da044629d7cc8ad3c6746884f31d716f7476475c Author: Jochen Neumeister <joneum@FreeBSD.org> AuthorDate: 2026-05-14 11:09:11 +0000 Commit: Jochen Neumeister <joneum@FreeBSD.org> CommitDate: 2026-06-01 17:27:52 +0000 www/bunkerweb: add new port BunkerWeb is an open-source next-generation web application firewall (WAF) and security platform designed to protect and manage web services. It provides integrated security features such as request filtering, rate limiting, TLS management, GeoIP support and a web management interface. As this is a newly introduced port, users are encouraged to validate their deployment before using it in production environments. WWW: https://github.com/bunkerity/bunkerweb Sponsored by: Netzkommune GmbH --- GIDs | 3 + UIDs | 3 + www/Makefile | 1 + www/bunkerweb/Makefile | 83 + www/bunkerweb/distinfo | 3 + www/bunkerweb/files/bunkerweb.in | 50 + www/bunkerweb/files/bunkerweb_api.in | 33 + www/bunkerweb/files/bunkerweb_scheduler.in | 58 + www/bunkerweb/files/bunkerweb_ui.in | 29 + www/bunkerweb/files/patch-src_api_app_config.py | 13 + .../patch-src_api_app_models_api__database.py | 11 + .../files/patch-src_api_app_rate__limit.py | 31 + .../patch-src_api_app_yaml__base__settings.py | 11 + .../files/patch-src_api_utils_gunicorn.conf.py | 38 + .../files/patch-src_bw_lua_bunkerweb_helpers.lua | 20 + .../files/patch-src_common_confs_api.conf | 10 + ...patch-src_common_confs_default-server-http.conf | 47 + .../files/patch-src_common_confs_http.conf | 67 + .../files/patch-src_common_confs_init-lua.conf | 29 + .../patch-src_common_confs_init-stream-lua.conf | 29 + .../patch-src_common_confs_init-worker-lua.conf | 11 + .../files/patch-src_common_confs_nginx.conf | 61 + .../patch-src_common_confs_server-http_server.conf | 14 + ...mmon_confs_server-http_ssl-certificate-lua.conf | 11 + ...c_common_confs_server-stream_server-stream.conf | 14 + ...s_server-stream_ssl-certificate-stream-lua.conf | 11 + .../files/patch-src_common_confs_stream.conf | 15 + ...re_errors_confs_default-server-http_errors.conf | 10 + ...ommon_core_errors_confs_server-http_errors.conf | 18 + ...rc_common_core_grpc_confs_server-http_grpc.conf | 10 + ...mon_core_headers_confs_server-http_cookies.conf | 11 + ...src_common_core_limit_confs_http_limitconn.conf | 23 + ...rc_common_core_misc_confs_http_max-headers.conf | 5 + ...on_core_modsecurity_confs_http_modsecurity.conf | 7 + ..._modsecurity_confs_server-http_modsecurity.conf | 13 + .../files/patch-src_common_gen_Templator.py | 10 + www/bunkerweb/files/patch-src_common_gen_main.py | 43 + .../files/patch-src_common_gen_save__config.py | 20 + www/bunkerweb/files/patch-src_common_settings.json | 20 + .../files/patch-src_common_utils_common__utils.py | 11 + .../patch-src_deps_src_luajit-geoip_geoip_mmdb.lua | 11 + www/bunkerweb/files/patch-src_scheduler_main.py | 112 + .../files/patch-src_ui_app_models_config.py | 11 + .../files/patch-src_ui_utils_gunicorn.conf.py | 38 + .../files/patch-src_ui_utils_tmp-gunicorn.conf.py | 38 + www/bunkerweb/pkg-descr | 10 + www/bunkerweb/pkg-message | 30 + www/bunkerweb/pkg-plist | 9522 ++++++++++++++++++++ 48 files changed, 10679 insertions(+) diff --git a/GIDs b/GIDs index d1686ae6cd70..8a705eadd442 100644 --- a/GIDs +++ b/GIDs @@ -331,6 +331,9 @@ zoraxy:*:386: goimapnotify:*:387: autopulse:*:388: ldap:*:389: +bunkerweb:*:390: +autopulse:*:388: +ldap:*:389: # free: 390 # free: 391 # free: 392 diff --git a/UIDs b/UIDs index f7d9ca583863..c6a24329f39a 100644 --- a/UIDs +++ b/UIDs @@ -336,6 +336,9 @@ zoraxy:*:386:386::0:0:Zoraxy Service:/nonexistent:/usr/sbin/nologin goimapnotify:*:387:387::0:0:Goimapnotify Daemon:/nonexistent:/usr/sbin/nologin autopulse:*:388:388::0:0:Autopulse Daemon:/nonexistent:/usr/sbin/nologin ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/usr/sbin/nologin +bunkerweb:*:390:390::0:0:Bunkerweb Service:/nonexistent:/usr/sbin/nologin +autopulse:*:388:388::0:0:Autopulse Daemon:/nonexistent:/usr/sbin/nologin +ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/usr/sbin/nologin # free: 390 # free: 391 # free: 392 diff --git a/www/Makefile b/www/Makefile index 1f069e8cbe55..b782be4a1763 100644 --- a/www/Makefile +++ b/www/Makefile @@ -90,6 +90,7 @@ SUBDIR += browsh SUBDIR += bugzilla2atom SUBDIR += buku + SUBDIR += bunkerweb SUBDIR += butterfly SUBDIR += c-icap SUBDIR += c-icap-modules diff --git a/www/bunkerweb/Makefile b/www/bunkerweb/Makefile new file mode 100644 index 000000000000..0842c5420b79 --- /dev/null +++ b/www/bunkerweb/Makefile @@ -0,0 +1,83 @@ +PORTNAME= bunkerweb +DISTVERSION= 1.6.11 +CATEGORIES= www security + +MAINTAINER= joneum@FreeBSD.org +COMMENT= Self-hosted web application firewall and security platform +WWW= https://github.com/bunkerity/bunkerweb + +LICENSE= AGPLv3 +LICENSE_FILE= ${WRKSRC}/LICENSE.md + +USES= lua:51 python:3.11+,run shebangfix +USE_GITHUB= yes +GH_ACCOUNT= bunkerity +GH_PROJECT= bunkerweb +GH_TAGNAME= v${DISTVERSION} + +RUN_DEPENDS= openresty:www/openresty \ + ${PYTHON_PKGNAMEPREFIX}Jinja2>0:devel/py-Jinja2@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}pydantic-settings>0:devel/py-pydantic-settings@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}schedule>0:devel/py-schedule@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}user_agents>0:devel/py-user_agents@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}sqlalchemy20>0:databases/py-sqlalchemy20@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}pymysql>0:databases/py-pymysql@${PY_FLAVOR} \ + ${LUA_MODLIBDIR}/cjson.so:devel/lua-cjson@${LUA_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}bcrypt>0:security/py-bcrypt@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}biscuit-auth>0:security/py-biscuit-auth \ + ${PYTHON_PKGNAMEPREFIX}passlib>0:security/py-passlib@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}docker>0:sysutils/py-docker@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}kubernetes>0:sysutils/py-kubernetes@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}psutil>0:sysutils/py-psutil@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}defusedcsv>=3.0.0:devel/py-defusedcsv@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}openpyxl>0:textproc/py-openpyxl@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}qrcode>0:textproc/py-qrcode@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}regex>0:textproc/py-regex@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}cachelib>0:www/py-cachelib@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}fastapi>0:www/py-fastapi@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}flask>0:www/py-flask@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}Flask-Login>0:www/py-flask-login@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}flask-session>0:www/py-flask-session@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}flask_wtf>0:www/py-flask-wtf@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}gunicorn>0:www/py-gunicorn@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}requests>0:www/py-requests@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}slowapi>0:www/py-slowapi@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}uvicorn>0:www/py-uvicorn@${PY_FLAVOR} + +LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb + +USE_RC_SUBR= bunkerweb \ + bunkerweb_api \ + bunkerweb_scheduler \ + bunkerweb_ui + +SHEBANG_GLOB= *.py *.sh + +USERS= bunkerweb +GROUPS= bunkerweb + +NO_ARCH= yes +NO_BUILD= yes + +DATADIR= ${PREFIX}/share/${PORTNAME} + +do-install: + ${MKDIR} ${STAGEDIR}${DATADIR} + (cd ${WRKSRC}/src && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR}) + + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/${PORTNAME} + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/plugins + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/pro/plugins + + ${MKDIR} ${STAGEDIR}/var/cache/${PORTNAME} + ${MKDIR} ${STAGEDIR}/var/cache/${PORTNAME}/bunkernet + ${MKDIR} ${STAGEDIR}/var/lib/${PORTNAME} + ${MKDIR} ${STAGEDIR}/var/log/${PORTNAME} + +post-install: + ${FIND} ${STAGEDIR}${DATADIR} -type f -name '*.sh' -exec ${CHMOD} 0755 {} \; + ${CHMOD} 0755 ${STAGEDIR}${DATADIR}/common/gen/main.py + ${CHMOD} 0755 ${STAGEDIR}${DATADIR}/common/gen/save_config.py + +.include <bsd.port.mk> diff --git a/www/bunkerweb/distinfo b/www/bunkerweb/distinfo new file mode 100644 index 000000000000..543d72a8d1c5 --- /dev/null +++ b/www/bunkerweb/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1779892628 +SHA256 (bunkerity-bunkerweb-1.6.11-v1.6.11_GH0.tar.gz) = 23f48c8911e256bfe0624272cbfe1074bf925fee56bb10b8b61b1300a9e16f84 +SIZE (bunkerity-bunkerweb-1.6.11-v1.6.11_GH0.tar.gz) = 102075464 diff --git a/www/bunkerweb/files/bunkerweb.in b/www/bunkerweb/files/bunkerweb.in new file mode 100644 index 000000000000..de5f51c9009d --- /dev/null +++ b/www/bunkerweb/files/bunkerweb.in @@ -0,0 +1,50 @@ +#!/bin/sh + +# PROVIDE: bunkerweb +# REQUIRE: NETWORKING bunkerweb_scheduler +# KEYWORD: shutdown + +. /etc/rc.subr + +name="bunkerweb" +rcvar="bunkerweb_enable" + +load_rc_config "$name" + +: ${bunkerweb_enable:="NO"} +: ${bunkerweb_conf:="/usr/local/etc/nginx/nginx.conf"} +: ${bunkerweb_prefix:="/usr/local/etc/nginx"} +: ${bunkerweb_logdir:="/var/log/bunkerweb"} + +command="%%PREFIX%%/bin/openresty" +pidfile="/var/run/bunkerweb/nginx.pid" +command_args="-e ${bunkerweb_logdir}/error.log -p ${bunkerweb_prefix} -c ${bunkerweb_conf}" + +start_precmd="${name}_prestart" +stop_cmd="${name}_stop" +reload_cmd="${name}_reload" + +bunkerweb_prestart() +{ + install -d -m 0755 "${bunkerweb_prefix}" + install -d -m 0755 "${bunkerweb_logdir}" + install -d -m 0755 /var/run/bunkerweb +} + +bunkerweb_stop() +{ + ${command} -e "${bunkerweb_logdir}/error.log" \ + -p "${bunkerweb_prefix}" \ + -c "${bunkerweb_conf}" \ + -s stop +} + +bunkerweb_reload() +{ + ${command} -e "${bunkerweb_logdir}/error.log" \ + -p "${bunkerweb_prefix}" \ + -c "${bunkerweb_conf}" \ + -s reload +} + +run_rc_command "$1" diff --git a/www/bunkerweb/files/bunkerweb_api.in b/www/bunkerweb/files/bunkerweb_api.in new file mode 100644 index 000000000000..a3df22de7e3b --- /dev/null +++ b/www/bunkerweb/files/bunkerweb_api.in @@ -0,0 +1,33 @@ +#!/bin/sh + +# PROVIDE: bunkerweb_api +# REQUIRE: LOGIN +# KEYWORD: shutdown + +. /etc/rc.subr + +name="bunkerweb_api" +rcvar="${name}_enable" + +load_rc_config "$name" + +: ${bunkerweb_api_enable:="NO"} +: ${bunkerweb_api_python:="/usr/local/bin/python3.11"} +: ${bunkerweb_api_pidfile:="/var/run/${name}.pid"} +: ${bunkerweb_api_logfile:="/var/log/bunkerweb/api.log"} +: ${bunkerweb_api_env:=""} + +pidfile="${bunkerweb_api_pidfile}" +command="/usr/sbin/daemon" +procname="${bunkerweb_api_python}" + +command_args="-f -p ${pidfile} -o ${bunkerweb_api_logfile} /usr/bin/env ${bunkerweb_api_env} PYTHONPATH=/usr/local/share/bunkerweb/deps/python:/usr/local/share/bunkerweb/common/utils:/usr/local/share/bunkerweb/common/api:/usr/local/share/bunkerweb/api:/usr/local/share/bunkerweb/common/db ${bunkerweb_api_python} -m gunicorn --chdir /usr/local/share/bunkerweb/api --logger-class utils.logger.APILogger --config /usr/local/share/bunkerweb/api/utils/gunicorn.conf.py" + +start_precmd="${name}_prestart" + +bunkerweb_api_prestart() +{ + /bin/mkdir -p /var/log/bunkerweb /var/run/bunkerweb /var/tmp/bunkerweb/api /var/lib/bunkerweb +} + +run_rc_command "$1" diff --git a/www/bunkerweb/files/bunkerweb_scheduler.in b/www/bunkerweb/files/bunkerweb_scheduler.in new file mode 100644 index 000000000000..69499ba16746 --- /dev/null +++ b/www/bunkerweb/files/bunkerweb_scheduler.in @@ -0,0 +1,58 @@ +#!/bin/sh + +# PROVIDE: bunkerweb_scheduler +# REQUIRE: LOGIN +# KEYWORD: shutdown + +. /etc/rc.subr + +name="bunkerweb_scheduler" +rcvar="bunkerweb_scheduler_enable" + +load_rc_config "$name" + +: ${bunkerweb_scheduler_enable:="NO"} + +pidfile="/var/run/${name}.pid" +procname="/usr/local/bin/python3.11" +command="/usr/sbin/daemon" +command_args="-f -p ${pidfile} /usr/bin/env PYTHONPATH=/usr/local/share/bunkerweb/common/utils:/usr/local/share/bunkerweb/common/db:/usr/local/share/bunkerweb/common/api:/usr/local/share/bunkerweb/deps/python /usr/local/bin/python3.11 /usr/local/share/bunkerweb/scheduler/main.py" + +bunkerweb_scheduler_precmd() +{ + mkdir -p /var/cache/bunkerweb/misc + mkdir -p /usr/local/share/bunkerweb/misc + mkdir -p /var/log/bunkerweb + + if [ ! -f /var/cache/bunkerweb/misc/default-server-cert.pem ] || \ + [ ! -f /var/cache/bunkerweb/misc/default-server-cert.key ]; then + /usr/bin/openssl req -x509 -nodes -newkey rsa:2048 \ + -days 3650 \ + -subj "/CN=localhost" \ + -keyout /var/cache/bunkerweb/misc/default-server-cert.key \ + -out /var/cache/bunkerweb/misc/default-server-cert.pem >/dev/null 2>&1 + fi + + if [ ! -f /usr/local/share/bunkerweb/misc/root-ca.pem ] || \ + [ ! -f /usr/local/share/bunkerweb/misc/root-ca.key ]; then + /usr/bin/openssl req -x509 -nodes -newkey rsa:2048 \ + -days 3650 \ + -subj "/CN=BunkerWeb Root CA" \ + -keyout /usr/local/share/bunkerweb/misc/root-ca.key \ + -out /usr/local/share/bunkerweb/misc/root-ca.pem >/dev/null 2>&1 + fi + + chown -R bunkerweb:bunkerweb /var/cache/bunkerweb + chmod 600 /var/cache/bunkerweb/misc/default-server-cert.key + chmod 644 /var/cache/bunkerweb/misc/default-server-cert.pem + + chown root:bunkerweb /usr/local/share/bunkerweb/misc/root-ca.key /usr/local/share/bunkerweb/misc/root-ca.pem + chmod 640 /usr/local/share/bunkerweb/misc/root-ca.key + chmod 644 /usr/local/share/bunkerweb/misc/root-ca.pem + + chown -R bunkerweb:bunkerweb /var/log/bunkerweb +} + +start_precmd="bunkerweb_scheduler_precmd" + +run_rc_command "$1" diff --git a/www/bunkerweb/files/bunkerweb_ui.in b/www/bunkerweb/files/bunkerweb_ui.in new file mode 100644 index 000000000000..46c6b6e84059 --- /dev/null +++ b/www/bunkerweb/files/bunkerweb_ui.in @@ -0,0 +1,29 @@ +#!/bin/sh + +# PROVIDE: bunkerweb_ui +# REQUIRE: LOGIN +# KEYWORD: shutdown + +. /etc/rc.subr + +name="bunkerweb_ui" +rcvar="bunkerweb_ui_enable" + +load_rc_config $name +: ${bunkerweb_ui_enable:="NO"} +: ${bunkerweb_ui_pidfile:="/var/run/${name}.pid"} +: ${bunkerweb_ui_logfile:="/var/log/bunkerweb/ui.log"} + +pidfile="${bunkerweb_ui_pidfile}" +command="/usr/sbin/daemon" +procname="/usr/local/bin/python3.11" +command_args="-f -p ${pidfile} -o ${bunkerweb_ui_logfile} /usr/bin/env ENABLE_HEALTHCHECK=yes LISTEN_ADDR=0.0.0.0 LISTEN_PORT=7000 PYTHONPATH=/usr/local/share/bunkerweb/ui:/usr/local/share/bunkerweb/common/utils:/usr/local/share/bunkerweb/common/db:/usr/local/share/bunkerweb/common/api /usr/local/bin/gunicorn --bind 0.0.0.0:7000 -c /usr/local/share/bunkerweb/ui/utils/gunicorn.conf.py main:app" + +start_precmd="${name}_prestart" + +bunkerweb_ui_prestart() +{ + /bin/mkdir -p /var/log/bunkerweb /var/run/bunkerweb +} + +run_rc_command "$1" diff --git a/www/bunkerweb/files/patch-src_api_app_config.py b/www/bunkerweb/files/patch-src_api_app_config.py new file mode 100644 index 000000000000..4723cecbc480 --- /dev/null +++ b/www/bunkerweb/files/patch-src_api_app_config.py @@ -0,0 +1,13 @@ +--- src/api/app/config.py.orig 2026-05-10 11:25:04 UTC ++++ src/api/app/config.py +@@ -57,8 +57,8 @@ class ApiConfig(YamlBaseSettings): + API_RATE_LIMIT_EXEMPT_IPS: Optional[str] = None + + model_config = YamlSettingsConfigDict( # type: ignore +- yaml_file=getenv("SETTINGS_YAML_FILE", "/etc/bunkerweb/api.yml"), +- env_file=getenv("SETTINGS_ENV_FILE", "/etc/bunkerweb/api.env"), ++ yaml_file=getenv("SETTINGS_YAML_FILE", "/usr/local/etc/bunkerweb/api.yml"), ++ env_file=getenv("SETTINGS_ENV_FILE", "/usr/local/etc/bunkerweb/api.env"), + secrets_dir=getenv("SETTINGS_SECRETS_DIR", "/run/secrets"), + env_file_encoding="utf-8", + extra="allow", diff --git a/www/bunkerweb/files/patch-src_api_app_models_api__database.py b/www/bunkerweb/files/patch-src_api_app_models_api__database.py new file mode 100644 index 000000000000..55835800b1f2 --- /dev/null +++ b/www/bunkerweb/files/patch-src_api_app_models_api__database.py @@ -0,0 +1,11 @@ +--- src/api/app/models/api_database.py.orig 2026-05-10 11:25:04 UTC ++++ src/api/app/models/api_database.py +@@ -6,7 +6,7 @@ from typing import Optional, Union + from typing import Optional, Union + + +-for deps_path in [join(sep, "usr", "share", "bunkerweb", *paths) for paths in (("deps", "python"), ("utils",), ("api",), ("db",))]: ++for deps_path in [join(sep, "usr", "share", "bunkerweb", *paths) for paths in (("deps", "python"), ("common", "utils"), ("api",), ("common", "db"))]: + if deps_path not in sys_path: + sys_path.append(deps_path) + diff --git a/www/bunkerweb/files/patch-src_api_app_rate__limit.py b/www/bunkerweb/files/patch-src_api_app_rate__limit.py new file mode 100644 index 000000000000..b4ef443dd831 --- /dev/null +++ b/www/bunkerweb/files/patch-src_api_app_rate__limit.py @@ -0,0 +1,31 @@ +--- src/api/app/rate_limit.py.orig 2026-05-10 11:25:04 UTC ++++ src/api/app/rate_limit.py +@@ -10,8 +10,15 @@ from regex import compile as regex_compile, Pattern, e + from fastapi.responses import Response + + from regex import compile as regex_compile, Pattern, escape, fullmatch, search, split +-from slowapi import Limiter, _rate_limit_exceeded_handler +-from slowapi.errors import RateLimitExceeded ++try: ++ from slowapi import Limiter, _rate_limit_exceeded_handler ++ from slowapi.errors import RateLimitExceeded ++ _SLOWAPI_AVAILABLE = True ++except ModuleNotFoundError: ++ Limiter = None # type: ignore[assignment] ++ _rate_limit_exceeded_handler = None # type: ignore[assignment] ++ RateLimitExceeded = Exception # type: ignore[assignment] ++ _SLOWAPI_AVAILABLE = False + from yaml import safe_load + + from .config import api_config +@@ -533,6 +540,10 @@ def setup_rate_limiter(app) -> None: + def setup_rate_limiter(app) -> None: + if not api_config.rate_limit_enabled: + LOGGER.info("API rate limiting disabled by configuration") ++ return ++ ++ if not _SLOWAPI_AVAILABLE: ++ LOGGER.warning("API rate limiting requested but slowapi is unavailable; disabling rate limiting on this platform") + return + + global _limiter, _enabled, _rules, _base_limits, _exempt_networks, _auth_limit diff --git a/www/bunkerweb/files/patch-src_api_app_yaml__base__settings.py b/www/bunkerweb/files/patch-src_api_app_yaml__base__settings.py new file mode 100644 index 000000000000..3bb317974ec6 --- /dev/null +++ b/www/bunkerweb/files/patch-src_api_app_yaml__base__settings.py @@ -0,0 +1,11 @@ +--- src/api/app/yaml_base_settings.py.orig 2026-05-10 11:25:04 UTC ++++ src/api/app/yaml_base_settings.py +@@ -176,7 +176,7 @@ class YamlBaseSettings(BaseSettings): + # Baseline defaults; models can override via their own model_config + model_config = SettingsConfigDict( + secrets_dir=getenv("SETTINGS_SECRETS_DIR", "/etc/secrets"), +- yaml_file=getenv("SETTINGS_YAML_FILE", "/etc/bunkerweb/config.yml"), ++ yaml_file=getenv("SETTINGS_YAML_FILE", "/usr/local/etc/bunkerweb/config.yml"), + ) # type: ignore + + diff --git a/www/bunkerweb/files/patch-src_api_utils_gunicorn.conf.py b/www/bunkerweb/files/patch-src_api_utils_gunicorn.conf.py new file mode 100644 index 000000000000..4dad063deb57 --- /dev/null +++ b/www/bunkerweb/files/patch-src_api_utils_gunicorn.conf.py @@ -0,0 +1,38 @@ +--- src/api/utils/gunicorn.conf.py.orig 2026-05-28 20:12:40 UTC ++++ src/api/utils/gunicorn.conf.py +@@ -10,7 +10,7 @@ from traceback import format_exc + from time import sleep + from traceback import format_exc + +-for deps_path in [join(sep, "usr", "share", "bunkerweb", *paths) for paths in (("deps", "python"), ("utils",), ("api",), ("db",))]: ++for deps_path in [join(sep, "usr", "local", "share", "bunkerweb", *paths) for paths in (("deps", "python"), ("utils",), ("api",), ("db",))]: + if deps_path not in sys_path: + sys_path.append(deps_path) + +@@ -94,7 +94,7 @@ daemon = False + limit_request_field_size = 0 + reuse_port = False + daemon = False +-chdir = join(sep, "usr", "share", "bunkerweb", "api") ++chdir = join(sep, "usr", "local", "share", "bunkerweb", "api") + umask = 0x027 + pidfile = PID_FILE.as_posix() + control_socket_disable = True +@@ -108,7 +108,7 @@ forwarded_allow_ips = FORWARDED_ALLOW_IPS + "X-FORWARDED-SSL": "on", + } + forwarded_allow_ips = FORWARDED_ALLOW_IPS +-pythonpath = join(sep, "usr", "share", "bunkerweb", "deps", "python") + "," + join(sep, "usr", "share", "bunkerweb", "api") ++pythonpath = join(sep, "usr", "local", "share", "bunkerweb", "deps", "python") + "," + join(sep, "usr", "local", "share", "bunkerweb", "api") + proxy_allow_ips = PROXY_ALLOW_IPS + casefold_http_method = True + workers = MAX_WORKERS +@@ -128,7 +128,7 @@ if DEBUG: + reload = True + reload_extra_files = [ + file.as_posix() +- for file in Path(sep, "usr", "share", "bunkerweb", "api", "app").rglob("*") ++ for file in Path(sep, "usr", "local", "share", "bunkerweb", "api", "app").rglob("*") + if "__pycache__" not in file.parts and "static" not in file.parts + ] + diff --git a/www/bunkerweb/files/patch-src_bw_lua_bunkerweb_helpers.lua b/www/bunkerweb/files/patch-src_bw_lua_bunkerweb_helpers.lua new file mode 100644 index 000000000000..ced22ead3345 --- /dev/null +++ b/www/bunkerweb/files/patch-src_bw_lua_bunkerweb_helpers.lua @@ -0,0 +1,20 @@ +--- src/bw/lua/bunkerweb/helpers.lua.orig 2026-05-25 18:23:18 UTC ++++ src/bw/lua/bunkerweb/helpers.lua +@@ -80,7 +80,7 @@ helpers.order_plugins = function(plugins, variables) + + helpers.order_plugins = function(plugins, variables) + -- Extract default orders +- local file, err, nb = open("/usr/share/bunkerweb/core/order.json", "r") ++ local file, err, nb = open("/usr/local/share/bunkerweb/common/core/order.json", "r") + if not file then + return false, err .. " (nb = " .. tostring(nb) .. ")" + end +@@ -353,7 +353,7 @@ function helpers.load_variables(all_variables, plugins + end + end + end +- local file = open("/usr/share/bunkerweb/settings.json") ++ local file = open("/usr/local/share/bunkerweb/common/settings.json") + if not file then + return false, "can't open settings.json" + end diff --git a/www/bunkerweb/files/patch-src_common_confs_api.conf b/www/bunkerweb/files/patch-src_common_confs_api.conf new file mode 100644 index 000000000000..bd6b052d4dfa --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_api.conf @@ -0,0 +1,10 @@ +--- src/common/confs/api.conf.orig 2026-05-10 11:17:17 UTC ++++ src/common/confs/api.conf +@@ -25,7 +25,6 @@ server { + ssl_ecdh_curve X25519:prime256v1:secp384r1; + ssl_certificate /var/cache/bunkerweb/jobs/api-server-cert.pem; + ssl_certificate_key /var/cache/bunkerweb/jobs/api-server-cert.key; +- http2 on; + listen {{ API_LISTEN_IP }}:{{ API_HTTPS_PORT }} ssl reuseport; + {% if API_LISTEN_IP != "127.0.0.1" +%} + listen 127.0.0.1:{{ API_HTTPS_PORT }} ssl reuseport; diff --git a/www/bunkerweb/files/patch-src_common_confs_default-server-http.conf b/www/bunkerweb/files/patch-src_common_confs_default-server-http.conf new file mode 100644 index 000000000000..df549ad34660 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_default-server-http.conf @@ -0,0 +1,47 @@ +--- src/common/confs/default-server-http.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/default-server-http.conf +@@ -45,7 +45,7 @@ server { + {% endif %} + ssl_ecdh_curve {{ resolve_ssl_ecdh_curve(SSL_ECDH_CURVE) }}; + {% if "TLSv1.2" in SSL_PROTOCOLS +%} +- ssl_dhparam /etc/nginx/dhparam; ++ ssl_dhparam /usr/local/etc/nginx/dhparam; + {% if SSL_CIPHERS_CUSTOM != "" %} + ssl_ciphers {{ SSL_CIPHERS_CUSTOM }}; + {% else %} +@@ -61,7 +61,6 @@ server { + ssl_certificate /var/cache/bunkerweb/misc/default-server-cert.pem; + ssl_certificate_key /var/cache/bunkerweb/misc/default-server-cert.key; + {% if HTTP2 == "yes" %} +- http2 on; + {% endif %} + {% set common_options = " ssl default_server" %} + {% if USE_PROXY_PROTOCOL == "yes" %} +@@ -75,14 +74,10 @@ server { + {% endfor %} + + {% if "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" and USE_PROXY_PROTOCOL == "no" %} +- http3 on; + {% for k, port in all.items() if k.startswith("HTTPS_PORT") %} +- listen 0.0.0.0:{{ port }} quic reuseport default_server; + {% if USE_IPV6 == "yes" %} +- listen [::]:{{ port }} quic reuseport default_server; + {% endif %} + {% endfor %} +- add_header Alt-Svc 'h3=":{{ HTTP3_ALT_SVC_PORT }}"; ma=86400'; + {% endif %} + + ssl_client_hello_by_lua_block { +@@ -233,10 +228,10 @@ server { + {% endif %} + + # include core and plugins default-server configurations +- include /etc/nginx/default-server-http/*.conf; ++ include /usr/local/etc/nginx/default-server-http/*.conf; + + # include custom default-server configurations +- include /etc/bunkerweb/configs/default-server-http/*.conf; ++ include /usr/local/etc/bunkerweb/configs/default-server-http/*.conf; + + log_by_lua_block { + diff --git a/www/bunkerweb/files/patch-src_common_confs_http.conf b/www/bunkerweb/files/patch-src_common_confs_http.conf new file mode 100644 index 000000000000..cf045acf29e1 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_http.conf @@ -0,0 +1,67 @@ +--- src/common/confs/http.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/http.conf +@@ -1,4 +1,4 @@ +-# /etc/nginx/http.conf ++# /usr/local/etc/nginx/http.conf + + # zero copy within the kernel + sendfile on; +@@ -10,7 +10,7 @@ tcp_nodelay on; + tcp_nodelay on; + + # load mime types and set default one +-include /etc/nginx/mime.types; ++include /usr/local/etc/nginx/mime.types; + default_type application/octet-stream; + + # access log format +@@ -51,9 +51,9 @@ port_in_redirect off; + port_in_redirect off; + + # lua configs +-lua_package_path "/usr/share/bunkerweb/lua/?.lua;/usr/share/bunkerweb/core/?.lua;/etc/bunkerweb/plugins/?.lua;/etc/bunkerweb/pro/plugins/?.lua;/usr/share/bunkerweb/deps/lib/lua/?.lua;/usr/share/bunkerweb/deps/lib/lua/?/init.lua;;"; +-lua_package_cpath "/usr/share/bunkerweb/deps/lib/?.so;/usr/share/bunkerweb/deps/lib/lua/?.so;;"; +-lua_ssl_trusted_certificate "/usr/share/bunkerweb/misc/root-ca.pem"; ++lua_package_path "/usr/local/share/bunkerweb/bw/lua/?.lua;/usr/local/share/bunkerweb/lua/?.lua;/usr/local/share/bunkerweb/common/core/?.lua;/usr/local/share/bunkerweb/common/core/?/?.lua;/usr/local/share/bunkerweb/common/core/?/init.lua;/usr/local/share/bunkerweb/core/?.lua;/usr/local/etc/bunkerweb/plugins/?.lua;/usr/local/etc/bunkerweb/pro/plugins/?.lua;/usr/local/share/bunkerweb/deps/src/luajit-geoip/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-dns/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-env/src/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-http/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-ipmatcher/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-lock/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-lrucache/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-mlcache/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-openssl/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-random/lib/?.lua;/usr/local/shar e/bunkerweb/deps/src/lua-resty-redis-connector/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-redis/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-session/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-signal/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-string/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-template/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-upload/lib/?.lua;/usr/local/share/bunkerweb/deps/lib/lua/?.lua;/usr/local/share/bunkerweb/deps/lib/lua/?/init.lua;;"; ++lua_package_cpath "/usr/local/share/bunkerweb/deps/lib/?.so;/usr/local/share/bunkerweb/deps/lib/lua/?.so;;"; ++lua_ssl_trusted_certificate "/usr/local/share/bunkerweb/misc/root-ca.pem"; + lua_ssl_verify_depth 2; + lua_shared_dict internalstore {{ normalize_memory_size(INTERNALSTORE_MEMORY_SIZE) }}; + lua_shared_dict datastore {{ normalize_memory_size(DATASTORE_MEMORY_SIZE) }}; +@@ -68,20 +68,20 @@ access_by_lua_no_postpone on; + access_by_lua_no_postpone on; + + # LUA init block +-include /etc/nginx/init-lua.conf; ++include /usr/local/etc/nginx/init-lua.conf; + + # LUA init worker block +-include /etc/nginx/init-worker-lua.conf; ++include /usr/local/etc/nginx/init-worker-lua.conf; + + # API server +-{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif +%} ++{% if USE_API == "yes" %}include /usr/local/etc/nginx/api.conf;{% endif +%} + + # healthcheck server +-include /etc/nginx/healthcheck.conf; ++include /usr/local/etc/nginx/healthcheck.conf; + + # default server + {% if MULTISITE == "yes" or DISABLE_DEFAULT_SERVER == "yes" or IS_LOADING == "yes" +%} +-include /etc/nginx/default-server-http.conf; ++include /usr/local/etc/nginx/default-server-http.conf; + {% endif +%} + + # disable sending nginx version globally +@@ -114,8 +114,8 @@ server_names_hash_bucket_size {{ SERVER_NAMES_HASH_BUC + {% endif %} + {% endfor %} + {% for first_server in map_servers +%} +-include /etc/nginx/{{ first_server }}/server.conf; ++include /usr/local/etc/nginx/{{ first_server }}/server.conf; + {% endfor %} + {% elif MULTISITE == "no" and SERVER_NAME != "" and SERVER_TYPE == "http" +%} +-include /etc/nginx/server.conf; ++include /usr/local/etc/nginx/server.conf; + {% endif %} diff --git a/www/bunkerweb/files/patch-src_common_confs_init-lua.conf b/www/bunkerweb/files/patch-src_common_confs_init-lua.conf new file mode 100644 index 000000000000..b31a35e76718 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_init-lua.conf @@ -0,0 +1,29 @@ +--- src/common/confs/init-lua.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/init-lua.conf +@@ -33,7 +33,7 @@ init_by_lua_block { + -- Load plugins from disk + logger:log(NOTICE, "loading plugins ...") + local new_plugins = {} +- local plugin_paths = { "/usr/share/bunkerweb/core", "/etc/bunkerweb/plugins", "/etc/bunkerweb/pro/plugins" } ++ local plugin_paths = { "/usr/local/share/bunkerweb/common/core", "/usr/local/etc/bunkerweb/plugins", "/usr/local/etc/bunkerweb/pro/plugins" } + for i, plugin_path in ipairs(plugin_paths) do + local paths = popen("find -L " .. plugin_path .. " -maxdepth 1 -type d ! -path " .. plugin_path) + for path in paths:lines() do +@@ -50,14 +50,14 @@ init_by_lua_block { + + -- Load variables from disk + logger:log(NOTICE, "loading variables ...") +- local file = open("/etc/nginx/variables.env") ++ local file = open("/usr/local/etc/nginx/variables.env") + if not file then +- logger:log(ERR, "can't open /etc/nginx/variables.env file, keeping previous LRU data") ++ logger:log(ERR, "can't open /usr/local/etc/nginx/variables.env file, keeping previous LRU data") + return false + end + file:close() + local all_variables = {} +- for line in io.lines("/etc/nginx/variables.env") do ++ for line in io.lines("/usr/local/etc/nginx/variables.env") do + local variable, value = line:match("^([^=]+)=(.*)$") + if variable then + all_variables[variable] = value diff --git a/www/bunkerweb/files/patch-src_common_confs_init-stream-lua.conf b/www/bunkerweb/files/patch-src_common_confs_init-stream-lua.conf new file mode 100644 index 000000000000..2242db14ebac --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_init-stream-lua.conf @@ -0,0 +1,29 @@ +--- src/common/confs/init-stream-lua.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/init-stream-lua.conf +@@ -33,7 +33,7 @@ init_by_lua_block { + -- Load plugins from disk + logger:log(NOTICE, "loading plugins ...") + local new_plugins = {} +- local plugin_paths = { "/usr/share/bunkerweb/core", "/etc/bunkerweb/plugins", "/etc/bunkerweb/pro/plugins" } ++ local plugin_paths = { "/usr/local/share/bunkerweb/common/core", "/usr/local/etc/bunkerweb/plugins", "/usr/local/etc/bunkerweb/pro/plugins" } + for i, plugin_path in ipairs(plugin_paths) do + local paths = popen("find -L " .. plugin_path .. " -maxdepth 1 -type d ! -path " .. plugin_path) + for path in paths:lines() do +@@ -50,14 +50,14 @@ init_by_lua_block { + + -- Load variables from disk + logger:log(NOTICE, "loading variables ...") +- local file = open("/etc/nginx/variables.env") ++ local file = open("/usr/local/etc/nginx/variables.env") + if not file then +- logger:log(ERR, "can't open /etc/nginx/variables.env file, keeping previous LRU data") ++ logger:log(ERR, "can't open /usr/local/etc/nginx/variables.env file, keeping previous LRU data") + return false + end + file:close() + local all_variables = {} +- for line in io.lines("/etc/nginx/variables.env") do ++ for line in io.lines("/usr/local/etc/nginx/variables.env") do + local variable, value = line:match("^([^=]+)=(.*)$") + if variable then + all_variables[variable] = value diff --git a/www/bunkerweb/files/patch-src_common_confs_init-worker-lua.conf b/www/bunkerweb/files/patch-src_common_confs_init-worker-lua.conf new file mode 100644 index 000000000000..b17b229d95ee --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_init-worker-lua.conf @@ -0,0 +1,11 @@ +--- src/common/confs/init-worker-lua.conf.orig 2026-05-29 08:21:28 UTC ++++ src/common/confs/init-worker-lua.conf +@@ -284,7 +284,7 @@ init_worker_by_lua_block { + logger:log(INFO, "init phase ended") + + local res, err = remove("/var/tmp/bunkerweb_reloading") +- if not res and err ~= "No such file or directory" then ++ if not res and err and not err:find("No such file or directory", 1, true) then + logger:log(WARN, "unable to remove /var/tmp/bunkerweb_reloading file: " .. err) + end + diff --git a/www/bunkerweb/files/patch-src_common_confs_nginx.conf b/www/bunkerweb/files/patch-src_common_confs_nginx.conf new file mode 100644 index 000000000000..1e2918d0edb6 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_nginx.conf @@ -0,0 +1,61 @@ +--- src/common/confs/nginx.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/nginx.conf +@@ -1,27 +1,15 @@ +-# /etc/nginx/nginx.conf ++# /usr/local/etc/nginx/nginx.conf + + # load dynamic modules + {% set os = import("os") %} + {% if os.path.isfile("/usr/lib64/nginx/modules/ngx_stream_module.so") +%} +-load_module /usr/lib64/nginx/modules/ngx_stream_module.so; + {% elif os.path.isfile("/usr/local/libexec/nginx/ngx_stream_module.so") +%} +-load_module /usr/local/libexec/nginx/ngx_stream_module.so; + {% elif os.path.isfile("/usr/share/bunkerweb/modules/ngx_stream_module.so") +%} +-load_module /usr/share/bunkerweb/modules/ngx_stream_module.so; + {% endif %} +-load_module /usr/share/bunkerweb/modules/ndk_http_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_cookie_flag_filter_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_headers_more_filter_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_lua_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_modsecurity_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_brotli_filter_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_brotli_static_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_stream_lua_module.so; +-load_module /usr/share/bunkerweb/modules/ngx_http_lua_upstream_module.so; + + {% if os.uname().sysname == "FreeBSD" -%} + # run workers as the dedicated BunkerWeb account +-user nginx; ++user www; + {% endif %} + + # PID file +@@ -66,22 +54,22 @@ http { + + http { + # include base http configuration +- include /etc/nginx/http.conf; ++ include /usr/local/etc/nginx/http.conf; + + # include core and plugins http configurations +- include /etc/nginx/http/*.conf; ++ include /usr/local/etc/nginx/http/*.conf; + + # include custom http configurations +- include /etc/bunkerweb/configs/http/*.conf; ++ include /usr/local/etc/bunkerweb/configs/http/*.conf; + } + + stream { + # include base stream configuration +- include /etc/nginx/stream.conf; ++ include /usr/local/etc/nginx/stream.conf; + + # include core and plugins stream configurations +- include /etc/nginx/stream/*.conf; ++ include /usr/local/etc/nginx/stream/*.conf; + + # include custom stream configurations +- include /etc/bunkerweb/configs/stream/*.conf; ++ include /usr/local/etc/bunkerweb/configs/stream/*.conf; + } diff --git a/www/bunkerweb/files/patch-src_common_confs_server-http_server.conf b/www/bunkerweb/files/patch-src_common_confs_server-http_server.conf new file mode 100644 index 000000000000..f1684510cb1b --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_server-http_server.conf @@ -0,0 +1,14 @@ +--- src/common/confs/server-http/server.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/server-http/server.conf +@@ -33,9 +33,9 @@ server { + index index.php index.html index.htm; + + # custom config +- include /etc/bunkerweb/configs/server-http/*.conf; ++ include /usr/local/etc/bunkerweb/configs/server-http/*.conf; + {% if MULTISITE == "yes" +%} +- include /etc/bunkerweb/configs/server-http/{{ SERVER_NAME.split(" ")[0] }}/*.conf; ++ include /usr/local/etc/bunkerweb/configs/server-http/{{ SERVER_NAME.split(" ")[0] }}/*.conf; + {% endif %} + + # include config files diff --git a/www/bunkerweb/files/patch-src_common_confs_server-http_ssl-certificate-lua.conf b/www/bunkerweb/files/patch-src_common_confs_server-http_ssl-certificate-lua.conf new file mode 100644 index 000000000000..c68acd360f6a --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_server-http_ssl-certificate-lua.conf @@ -0,0 +1,11 @@ +--- src/common/confs/server-http/ssl-certificate-lua.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/server-http/ssl-certificate-lua.conf +@@ -17,7 +17,7 @@ ssl_ecdh_curve {{ resolve_ssl_ecdh_curve(SSL_ECDH_CURV + {% endif %} + ssl_ecdh_curve {{ resolve_ssl_ecdh_curve(SSL_ECDH_CURVE) }}; + {% if "TLSv1.2" in SSL_PROTOCOLS +%} +-ssl_dhparam /etc/nginx/dhparam; ++ssl_dhparam /usr/local/etc/nginx/dhparam; + {% if SSL_CIPHERS_CUSTOM|default('')|trim != "" %} + ssl_ciphers {{ SSL_CIPHERS_CUSTOM }}; + {% else %} diff --git a/www/bunkerweb/files/patch-src_common_confs_server-stream_server-stream.conf b/www/bunkerweb/files/patch-src_common_confs_server-stream_server-stream.conf new file mode 100644 index 000000000000..a850ed1de3bc --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_server-stream_server-stream.conf @@ -0,0 +1,14 @@ +--- src/common/confs/server-stream/server-stream.conf.orig 2026-05-10 09:52:37 UTC ++++ src/common/confs/server-stream/server-stream.conf +@@ -32,9 +32,9 @@ server { + {% endif %} + + # custom config +- include /etc/bunkerweb/configs/server-stream/*.conf; ++ include /usr/local/etc/bunkerweb/configs/server-stream/*.conf; + {% if MULTISITE == "yes" +%} +- include /etc/bunkerweb/configs/server-stream/{{ SERVER_NAME.split(" ")[0] }}/*.conf; ++ include /usr/local/etc/bunkerweb/configs/server-stream/{{ SERVER_NAME.split(" ")[0] }}/*.conf; + {% endif %} + + # include config files diff --git a/www/bunkerweb/files/patch-src_common_confs_server-stream_ssl-certificate-stream-lua.conf b/www/bunkerweb/files/patch-src_common_confs_server-stream_ssl-certificate-stream-lua.conf new file mode 100644 index 000000000000..89978075a48f --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_server-stream_ssl-certificate-stream-lua.conf @@ -0,0 +1,11 @@ +--- src/common/confs/server-stream/ssl-certificate-stream-lua.conf.orig 2026-05-10 09:52:37 UTC ++++ src/common/confs/server-stream/ssl-certificate-stream-lua.conf +@@ -17,7 +17,7 @@ ssl_ecdh_curve {{ resolve_ssl_ecdh_curve(SSL_ECDH_CURV + {% endif %} + ssl_ecdh_curve {{ resolve_ssl_ecdh_curve(SSL_ECDH_CURVE) }}; + {% if "TLSv1.2" in SSL_PROTOCOLS +%} +-ssl_dhparam /etc/nginx/dhparam; ++ssl_dhparam /usr/local/etc/nginx/dhparam; + {% if SSL_CIPHERS_CUSTOM|default('')|trim != "" %} + ssl_ciphers {{ SSL_CIPHERS_CUSTOM }}; + {% else %} diff --git a/www/bunkerweb/files/patch-src_common_confs_stream.conf b/www/bunkerweb/files/patch-src_common_confs_stream.conf new file mode 100644 index 000000000000..2c76feba2342 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_confs_stream.conf @@ -0,0 +1,15 @@ +--- src/common/confs/stream.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/confs/stream.conf +@@ -23,9 +23,9 @@ tcp_nodelay on; + tcp_nodelay on; + + # lua path and dicts +-lua_package_path "/usr/share/bunkerweb/lua/?.lua;/usr/share/bunkerweb/core/?.lua;/etc/bunkerweb/plugins/?.lua;/etc/bunkerweb/pro/plugins/?.lua;/usr/share/bunkerweb/deps/lib/lua/?.lua;/usr/share/bunkerweb/deps/lib/lua/?/init.lua;;"; +-lua_package_cpath "/usr/share/bunkerweb/deps/lib/?.so;/usr/share/bunkerweb/deps/lib/lua/?.so;;"; +-lua_ssl_trusted_certificate "/usr/share/bunkerweb/misc/root-ca.pem"; ++lua_package_path "/usr/local/share/bunkerweb/bw/lua/?.lua;/usr/local/share/bunkerweb/lua/?.lua;/usr/local/share/bunkerweb/common/core/?.lua;/usr/local/share/bunkerweb/common/core/?/?.lua;/usr/local/share/bunkerweb/common/core/?/init.lua;/usr/local/share/bunkerweb/core/?.lua;/usr/local/etc/bunkerweb/plugins/?.lua;/usr/local/etc/bunkerweb/pro/plugins/?.lua;/usr/local/share/bunkerweb/deps/src/luajit-geoip/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-dns/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-env/src/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-http/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-ipmatcher/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-lock/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-lrucache/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-mlcache/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-openssl/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-random/lib/?.lua;/usr/local/shar e/bunkerweb/deps/src/lua-resty-redis-connector/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-redis/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-session/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-signal/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-string/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-template/lib/?.lua;/usr/local/share/bunkerweb/deps/src/lua-resty-upload/lib/?.lua;/usr/local/share/bunkerweb/deps/lib/lua/?.lua;/usr/local/share/bunkerweb/deps/lib/lua/?/init.lua;;"; ++lua_package_cpath "/usr/local/share/bunkerweb/deps/lib/?.so;/usr/local/share/bunkerweb/deps/lib/lua/?.so;;"; ++lua_ssl_trusted_certificate "/usr/local/share/bunkerweb/misc/root-ca.pem"; + lua_ssl_verify_depth 2; + {% if has_variable(all, "SERVER_TYPE", "stream") +%} + lua_shared_dict internalstore_stream {{ normalize_memory_size(INTERNALSTORE_MEMORY_SIZE) }}; diff --git a/www/bunkerweb/files/patch-src_common_core_errors_confs_default-server-http_errors.conf b/www/bunkerweb/files/patch-src_common_core_errors_confs_default-server-http_errors.conf new file mode 100644 index 000000000000..f1c53fab2bb3 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_core_errors_confs_default-server-http_errors.conf @@ -0,0 +1,10 @@ +--- src/common/core/errors/confs/default-server-http/errors.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/core/errors/confs/default-server-http/errors.conf +@@ -8,7 +8,6 @@ location {% if intercepted_error_code == "400" %}= /{% + location {% if intercepted_error_code == "400" %}= /{% else %} @{% endif %}bwerror{{ intercepted_error_code }} { + auth_basic off; + internal; +- modsecurity off; + default_type 'text/html'; + root /usr/share/bunkerweb/core/errors/files; + content_by_lua_block { diff --git a/www/bunkerweb/files/patch-src_common_core_errors_confs_server-http_errors.conf b/www/bunkerweb/files/patch-src_common_core_errors_confs_server-http_errors.conf new file mode 100644 index 000000000000..bd77464c4a99 --- /dev/null +++ b/www/bunkerweb/files/patch-src_common_core_errors_confs_server-http_errors.conf @@ -0,0 +1,18 @@ +--- src/common/core/errors/confs/server-http/errors.conf.orig 2026-05-25 18:23:18 UTC ++++ src/common/core/errors/confs/server-http/errors.conf +@@ -6,7 +6,6 @@ location = {{ page }} { + error_page {{ code }} {{ page }}; + location = {{ page }} { + root {% if ROOT_FOLDER == "" %}/var/www/html/{% if MULTISITE == "yes" %}{{ SERVER_NAME.split(" ")[0] }}{% endif %}{% else %}{{ ROOT_FOLDER }}{% endif %}; *** 10071 LINES SKIPPED ***home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a1dc3c4.1a0ee.39585333>