New on LowEndTalk? Please Register and read our Community Rules.
BunkerWeb: web server based on the notorious NGINX and focused on security.
Make your web services secure by default !
BunkerWeb is a web server based on the notorious NGINX and focused on security.
It integrates into existing environments (Linux, Docker, Swarm, Kubernetes, …) to make your web services "secure by default" without any hassle. The security best practices are automatically applied for you while keeping control of every setting to meet your use case.
BunkerWeb contains primary security features as part of the core but can be easily extended with additional ones thanks to a plugin system.
Why BunkerWeb ?
- Easy integration into existing environments : support for Linux, Docker, Swarm and Kubernetes
- Highly customizable : enable, disable and configure features easily to meet your use case
- Secure by default : offers out-of-the-box and hassle-free minimal security for your web services
- Free as in "freedom" : licensed under the free AGPLv3 license
Security features
A non-exhaustive list of security features :
- HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors based on HTTP status code
- Apply connections and requests limit for clients
- Block bots by asking them to solve a challenge (e.g. : cookie, javascript, captcha, hCaptcha or reCAPTCHA)
- Block known bad IPs with external blacklists and DNSBL
- And much more ...
Comments
An AGPLv3 webserver? Wouldn't this mean every site you host with it would need a link to the repo?
I don't think "notorious" is the word you're looking for here.
My webservices ARE secure by default out the box...
Not very SaaS friendly tho? Unless I’m missing something. But does offer some interesting features
My brain started in immediately with “this sounds like taking advantage of people who don’t know how to manage their own stuff” but it quickly turned into “this looks like a potential life saver for people who would rather not.”
Bloatware
Thinking the same.
Interesting, will bookmark just in case, my stack doesn't use nginx nor apache though but you never know if a middle proxy might come in handy if it can do that
I guess it's an easier fix but it has restrictions.
Only if you make your own modifications to the software and distribute that. Not different to the “must retain the above copyright notice” wording in the 2-clause BSD license that nginx itself is covered by.
I'm assuming here that hosting content through the executable doesn't count as linking or creating a derivative work, much the same as processing images through ImageMagick doesn't affect the licensing terms associated with the resulting output. Though maybe worth clarifying with the project maintainers for paranoia's sake, in case they are interpreting things in an unusually strict manner.
Anyone knows if it is like nginx proxy manager?
Exactly. Nothing it does is inherently that complicated to do to a stock nginx config. But it does seem like something that would be of interest to those either new to nginx or something someone who does managed hosting could use to just make their life a bit easier / faster if doing a lot of deployments if they haven't already rolled a more crude solution.
I'd say its value is about as much as any other Nginx auto-installer / configuration script. Has its place for sure.
What's the minimum system specs to run this?
It depends if this project is B.I.G.
Not really someone who'd use this myself - but this actually looks like one of the cleanest 'bunkerized' NGINX setups I've seen for a while.
Definitely a good shout for someone who might not want to do this sort of stuff themselves.
Looks like just a country blocker with entire Asia on the block list by default. I like it though that it doesn't require docker.
Seems so, just without the GUI I guess.
From their docs: