diff --git a/examples/bunkerweb/README.md b/examples/bunkerweb/README.md
new file mode 100644
index 00000000..ea4049cc
--- /dev/null
+++ b/examples/bunkerweb/README.md
@@ -0,0 +1,54 @@ +# BunkerWeb (Basic Setup) + +[BunkerWeb](https://www.bunkerweb.io) is a next-generation Web Application Firewall (WAF). +This example implements the **Basic Setup** using: +* **BunkerWeb**: The core WAF and reverse proxy. +* **Scheduler**: Manages configuration and jobs. +* **UI**: Web administration interface (internal). +* **MariaDB**: Database storage. +* **Valkey**: High-performance key-value store (used for caching/stats, replacing Redis). +* **App**: A demo application (`bunkerity/bunkerweb-hello`) labeled as `app`. + +## Usage + +The provided `compose.yaml` follows the official Quickstart Guide. The configuration is primarily managed **via the Web UI**. + +### 1. Start the Services + +```bash +docker compose up -d +``` + +### 2. Access the Setup Wizard + +Since `SERVER_NAME` is empty, BunkerWeb will initially route traffic to the **Setup Wizard**. + +1. Open your browser and navigate to `http://localhost/setup` (or `http:///setup`). + * *Note: Access via port 80/443 (HTTP/HTTPS) handled by the `bunkerweb` container.* +2. Follow the wizard to create an administrator account. +3. **Important**: When asked for the **Server Name** inside the wizard, enter `localhost` (or your domain). + * This domain will be used to access the Web UI from now on. + +### 3. Configure the Application Service + +Once logged into the Web UI: + +1. Go to the **Services** tab to create a new service. +2. **Domain**: `localhost` (or the domain you configured). + * *Note: If you use the same domain as the UI, BunkerWeb manages the routing (UI path vs App path).* +3. **Upstream HTTP Host**: `http://app:80` +4. **Upstream Path**: `/` +5. Save the configuration. + +### 4. Verify + +* Access your protected application at `http://localhost`. + +## Notes + +* **Passwords**: The default password is set to `changeme` in the `compose.yaml`. **Change this immediately** for any serious usage. 
+* **Valkey**: This setup uses [Valkey](https://valkey.io/) (an open-source Redis fork) as recommended for recent BunkerWeb versions. +* **Networks**: + * `bw-universe`: For internal communication between BunkerWeb components. + * `bw-services`: For connecting the WAF to your applications (like `app`). + * `bw-db`: Dedicated network for database access. diff --git a/examples/bunkerweb/compose.yaml b/examples/bunkerweb/compose.yaml new file mode 100644 index 00000000..aace0684 --- /dev/null +++ b/examples/bunkerweb/compose.yaml 
@@ -0,0 +1,106 @@ +x-bw-env: + &bw-env # We use an anchor to avoid repeating the same settings for both services + API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" # Make sure to set the correct IP range so the scheduler can send the configuration to the instance + # Optional: set an API token and mirror it in both containers + API_TOKEN: "" + + DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database +services: + bunkerweb: + # This is the name that will be used to identify the instance in the Scheduler + image: bunkerity/bunkerweb:1.6.7 + ports: + - "80:8080/tcp" + - "443:8443/tcp" + - "443:8443/udp" # For QUIC / HTTP3 support + environment: + <<: *bw-env # We use the anchor to avoid repeating the same settings for all services + restart: "unless-stopped" + networks: + - bw-universe + - bw-services + + bw-scheduler: + image: bunkerity/bunkerweb-scheduler:1.6.7 + environment: + <<: *bw-env + BUNKERWEB_INSTANCES: "bunkerweb" # Make sure to set the correct instance name + SERVER_NAME: "" + MULTISITE: "yes" + UI_HOST: "http://bw-ui:7000" # Change it if needed + USE_REDIS: "yes" + REDIS_HOST: "valkey" + volumes: + - bw-storage:/data # This is used to persist the cache and other data like the backups + restart: "unless-stopped" + networks: + - bw-universe + - bw-db + + bw-ui: + image: bunkerity/bunkerweb-ui:1.6.7 + environment: + <<: *bw-env + restart: "unless-stopped" + networks: + - bw-universe + - bw-db + + bw-db: + image: mariadb:11 + # We set the max allowed packet size to avoid issues with large queries + command: --max-allowed-packet=67108864 + environment: + MYSQL_RANDOM_ROOT_PASSWORD: "yes" + MYSQL_DATABASE: "db" + MYSQL_USER: "bunkerweb" + MYSQL_PASSWORD: "changeme" # Remember to set a stronger password for the database + volumes: + - bw-data:/var/lib/mysql + restart: "unless-stopped" + networks: + - bw-db + + valkey: # Valkey service for the persistence of reports/bans/stats + image: 
valkey/valkey:9-alpine + command: > + valkey-server + --maxmemory 256mb + --maxmemory-policy allkeys-lru + --save 60 1000 + --appendonly yes + healthcheck: + test: ["CMD-SHELL", "valkey-cli ping | grep PONG"] + interval: 30s + timeout: 10s + retries: 5 + sysctls: + - net.core.somaxconn=1024 + volumes: + - valkey-data:/data + restart: "unless-stopped" + networks: + - bw-universe + + app: + image: bunkerity/bunkerweb-hello:v1.0 + networks: + - bw-services + restart: "unless-stopped" + +volumes: + bw-data: + bw-storage: + valkey-data: + +networks: + bw-universe: + name: bw-universe + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 # Make sure to set the correct IP range so the scheduler can send the configuration to the instance + bw-services: + name: bw-services + bw-db: + name: bw-db
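Review bot: The database password `changeme` is written twice in this hunk — inside `DATABASE_URI` in the `x-bw-env` anchor (which is merged into `bunkerweb`, `bw-scheduler` and `bw-ui`) and again as `MYSQL_PASSWORD` on `bw-db` — so a user who changes one and not the other gets an authentication failure between the scheduler/UI and MariaDB, and the secret is committed in the file and exposed in the environment of four containers. Compose variable interpolation with a required variable keeps the two in sync and moves the value out of the file: `DATABASE_URI: "mariadb+pymysql://bunkerweb:${BW_DB_PASSWORD:?set BW_DB_PASSWORD in .env}@bw-db:3306/db"` and `MYSQL_PASSWORD: "${BW_DB_PASSWORD:?set BW_DB_PASSWORD in .env}"` (the variable name is an example). `API_TOKEN: ""` leaves the scheduler-to-instance API guarded only by `API_WHITELIST_IP` and the `bw-universe` subnet `10.20.30.0/24`, so the same `${…:?}` pattern on that line would make the token required rather than optional. The `valkey` service runs without authentication and is attached only to `bw-universe`, which every BunkerWeb component shares; that assumption should be stated next to the service, e.g. `# Unauthenticated by design: reachable only from the internal bw-universe network`.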