Update templates

bunkerity · Oct 25, 2024 · 0dd1f53 · 0dd1f53
1 parent 71e70a0
commit 0dd1f53
Show file tree

Hide file tree

Showing 6 changed files with 427 additions and 4 deletions.
diff --git a/src/common/core/templates/templates/high.json b/src/common/core/templates/templates/high.json
@@ -1,3 +1,189 @@
 {
-  "name": "Advanced security level with focus on robust security measures and comprehensive protection"
+  "name": "Advanced security level with focus on robust security measures and comprehensive protection",
+  "settings": {
+    "SERVER_NAME": "www.example.com",
+    "USE_REVERSE_PROXY": "yes",
+    "REVERSE_PROXY_HOST": "http://upstream-server:8080",
+    "REVERSE_PROXY_URL": "/",
+    "REVERSE_PROXY_CUSTOM_HOST": "",
+    "REVERSE_PROXY_SSL_SNI": "no",
+    "REVERSE_PROXY_SSL_SNI_NAME": "",
+    "REVERSE_PROXY_WS": "no",
+    "REVERSE_PROXY_KEEPALIVE": "no",
+    "AUTO_LETS_ENCRYPT": "yes",
+    "USE_LETS_ENCRYPT_STAGING": "no",
+    "ALLOWED_METHODS": "GET|POST|HEAD",
+    "MAX_CLIENT_SIZE": "10m",
+    "HTTP2": "yes",
+    "HTTP3": "yes",
+    "SSL_PROTOCOLS": "TLSv1.2 TLSv1.3",
+    "COOKIE_FLAGS": "* HttpOnly SameSite=Lax",
+    "CONTENT_SECURITY_POLICY": "object-src 'none'; form-action 'self'; frame-ancestors 'self';",
+    "PERMISSIONS_POLICY": "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=(), interest-cohort=()",
+    "KEEP_UPSTREAM_HEADERS": "Content-Security-Policy Permissions-Policy X-Frame-Options",
+    "REFERRER_POLICY": "no-referrer",
+    "USE_CORS": "no",
+    "CORS_ALLOW_ORIGIN": "*",
+    "USE_BAD_BEHAVIOR": "yes",
+    "BAD_BEHAVIOR_STATUS_CODES": "400 401 403 404 405 429 444",
+    "BAD_BEHAVIOR_BAN_TIME": "86400",
+    "BAD_BEHAVIOR_THRESHOLD": "10",
+    "BAD_BEHAVIOR_COUNT_TIME": "60",
+    "USE_ANTIBOT": "captcha",
+    "ANTIBOT_URI": "/challenge",
+    "ANTIBOT_RECAPTCHA_SCORE": "0.9",
+    "ANTIBOT_RECAPTCHA_SITEKEY": "",
+    "ANTIBOT_RECAPTCHA_SECRET": "",
+    "ANTIBOT_HCAPTCHA_SITEKEY": "",
+    "ANTIBOT_HCAPTCHA_SECRET": "",
+    "ANTIBOT_TURNSTILE_SITEKEY": "",
+    "ANTIBOT_TURNSTILE_SECRET": "",
+    "USE_BLACKLIST": "yes",
+    "USE_DNSBL": "yes",
+    "USE_LIMIT_CONN": "yes",
+    "LIMIT_CONN_MAX_HTTP1": "10",
+    "LIMIT_CONN_MAX_HTTP2": "100",
+    "USE_LIMIT_REQ": "yes",
+    "LIMIT_REQ_URL": "/",
+    "LIMIT_REQ_RATE": "2r/s",
+    "USE_AUTH_BASIC": "no",
+    "AUTH_BASIC_LOCATION": "sitewide",
+    "AUTH_BASIC_USER": "changeme",
+    "AUTH_BASIC_PASSWORD": "changeme",
+    "AUTH_BASIC_TEXT": "Restricted area",
+    "BLACKLIST_COUNTRY": "",
+    "WHITELIST_COUNTRY": "",
+    "USE_REVERSE_SCAN": "yes",
+    "REVERSE_SCAN_PORTS": "22 80 443 3128 8000 8080",
+    "USE_MODSECURITY": "yes",
+    "USE_MODSECURITY_CRS_PLUGINS": "yes",
+    "MODSECURITY_CRS_VERSION": "4",
+    "MODSECURITY_CRS_PLUGIN_URLS": ""
+  },
+  "configs": ["modsec/anomaly_score.conf"],
+  "steps": [
+    {
+      "title": "Web service - Front service",
+      "subtitle": "Configure your web service facing your clients",
+      "settings": [
+        "SERVER_NAME",
+        "AUTO_LETS_ENCRYPT",
+        "USE_LETS_ENCRYPT_STAGING"
+      ]
+    },
+    {
+      "title": "Web service - Upstream server",
+      "subtitle": "Configure the upstream server to be protected by BunkerWeb",
+      "settings": [
+        "USE_REVERSE_PROXY",
+        "REVERSE_PROXY_HOST",
+        "REVERSE_PROXY_URL",
+        "REVERSE_PROXY_CUSTOM_HOST",
+        "REVERSE_PROXY_SSL_SNI",
+        "REVERSE_PROXY_SSL_SNI_NAME",
+        "REVERSE_PROXY_WS",
+        "REVERSE_PROXY_KEEPALIVE"
+      ]
+    },
+    {
+      "title": "HTTP - General",
+      "subtitle": "Configure the settings related to the HTTP(S) protocol",
+      "settings": [
+        "MAX_CLIENT_SIZE",
+        "ALLOWED_METHODS",
+        "HTTP2",
+        "HTTP3",
+        "SSL_PROTOCOLS"
+      ]
+    },
+    {
+      "title": "HTTP - Headers",
+      "subtitle": "Configure the settings related to the HTTP headers",
+      "settings": [
+        "COOKIE_FLAGS",
+        "CONTENT_SECURITY_POLICY",
+        "PERMISSIONS_POLICY",
+        "USE_CORS",
+        "CORS_ALLOW_ORIGIN",
+        "KEEP_UPSTREAM_HEADERS",
+        "REFERRER_POLICY"
+      ]
+    },
+    {
+      "title": "Security - Bad behavior",
+      "subtitle": "Configure the settings related to the automatic ban when a bad behavior is detected.",
+      "settings": [
+        "USE_BAD_BEHAVIOR",
+        "BAD_BEHAVIOR_STATUS_CODES",
+        "BAD_BEHAVIOR_BAN_TIME",
+        "BAD_BEHAVIOR_THRESHOLD",
+        "BAD_BEHAVIOR_COUNT_TIME"
+      ]
+    },
+    {
+      "title": "Security - Blacklisting",
+      "subtitle": "Configure the settings related to the external blacklists.",
+      "settings": ["USE_BLACKLIST", "USE_DNSBL"]
+    },
+    {
+      "title": "Security - Limiting",
+      "subtitle": "Configure the settings related to limiting requests and connections.",
+      "settings": [
+        "USE_LIMIT_CONN",
+        "LIMIT_CONN_MAX_HTTP1",
+        "LIMIT_CONN_MAX_HTTP2",
+        "LIMIT_CONN_MAX_HTTP3",
+        "USE_LIMIT_REQ",
+        "LIMIT_REQ_URL",
+        "LIMIT_REQ_RATE"
+      ]
+    },
+    {
+      "title": "Security - Antibot",
+      "subtitle": "Configure the settings about bot detection",
+      "settings": [
+        "USE_ANTIBOT",
+        "ANTIBOT_URI",
+        "ANTIBOT_RECAPTCHA_SCORE",
+        "ANTIBOT_RECAPTCHA_SITEKEY",
+        "ANTIBOT_RECAPTCHA_SECRET",
+        "ANTIBOT_HCAPTCHA_SITEKEY",
+        "ANTIBOT_HCAPTCHA_SECRET",
+        "ANTIBOT_TURNSTILE_SITEKEY",
+        "ANTIBOT_TURNSTILE_SECRET"
+      ]
+    },
+    {
+      "title": "Security - Auth basic",
+      "subtitle": "Configure HTTP basic authentication",
+      "settings": [
+        "USE_AUTH_BASIC",
+        "AUTH_BASIC_LOCATION",
+        "AUTH_BASIC_USER",
+        "AUTH_BASIC_PASSWORD",
+        "AUTH_BASIC_TEXT"
+      ]
+    },
+    {
+      "title": "Security - Country",
+      "subtitle": "Configure the settings about country access policy",
+      "settings": ["BLACKLIST_COUNTRY", "WHITELIST_COUNTRY"]
+    },
+    {
+      "title": "Security - Reverse scan",
+      "subtitle": "Configure the settings about scanning clients ports",
+      "settings": ["USE_REVERSE_SCAN", "REVERSE_SCAN_PORTS"]
+    },
+    {
+      "title": "Security - ModSecurity",
+      "subtitle": "Configure the settings related to the ModSecurity WAF",
+      "settings": [
+        "USE_MODSECURITY",
+        "USE_MODSECURITY_CRS_PLUGINS",
+        "MODSECURITY_CRS_VERSION",
+        "MODSECURITY_CRS_PLUGIN_URLS"
+      ],
+      "configs": ["modsec/anomaly_score.conf"]
+    }
+  ]
 }
diff --git a/src/common/core/templates/templates/high/configs/modsec/anomaly_score.conf b/src/common/core/templates/templates/high/configs/modsec/anomaly_score.conf
@@ -0,0 +1,19 @@
+SecAction \
+   "id:900001,\
+   phase:1,\
+   pass,\
+   t:none,\
+   nolog,\
+   tag:'OWASP_CRS',\
+   ver:'OWASP_CRS/4.7.0-dev',\
+   setvar:tx.detection_paranoia_level=2"
+
+SecAction \
+  "id:900110,\
+  phase:1,\
+  pass,\
+  t:none,\
+  nolog,\
+  tag:'OWASP_CRS',\
+  setvar:tx.inbound_anomaly_score_threshold=5,\
+  setvar:tx.outbound_anomaly_score_threshold=4"
diff --git a/src/common/core/templates/templates/low.json b/src/common/core/templates/templates/low.json
@@ -46,12 +46,19 @@
     "USE_LIMIT_REQ": "yes",
     "LIMIT_REQ_URL": "/",
     "LIMIT_REQ_RATE": "5r/s",
+    "USE_AUTH_BASIC": "no",
+    "AUTH_BASIC_LOCATION": "sitewide",
+    "AUTH_BASIC_USER": "changeme",
+    "AUTH_BASIC_PASSWORD": "changeme",
+    "AUTH_BASIC_TEXT": "Restricted area",
+    "BLACKLIST_COUNTRY": "",
+    "WHITELIST_COUNTRY": "",
     "USE_MODSECURITY": "yes",
     "USE_MODSECURITY_CRS_PLUGINS": "yes",
     "MODSECURITY_CRS_VERSION": "4",
     "MODSECURITY_CRS_PLUGIN_URLS": ""
   },
-  "configs": ["modsec/low_anomaly_score.conf"],
+  "configs": ["modsec/anomaly_score.conf"],
   "steps": [
     {
       "title": "Web service - Front service",
@@ -144,6 +151,22 @@
         "ANTIBOT_TURNSTILE_SECRET"
       ]
     },
+    {
+      "title": "Security - Auth basic",
+      "subtitle": "Configure HTTP basic authentication",
+      "settings": [
+        "USE_AUTH_BASIC",
+        "AUTH_BASIC_LOCATION",
+        "AUTH_BASIC_USER",
+        "AUTH_BASIC_PASSWORD",
+        "AUTH_BASIC_TEXT"
+      ]
+    },
+    {
+      "title": "Security - Country",
+      "subtitle": "Configure the settings about country access policy",
+      "settings": ["BLACKLIST_COUNTRY", "WHITELIST_COUNTRY"]
+    },
     {
       "title": "Security - ModSecurity",
       "subtitle": "Configure the settings related to the ModSecurity WAF",
@@ -153,7 +176,7 @@
         "MODSECURITY_CRS_VERSION",
         "MODSECURITY_CRS_PLUGIN_URLS"
       ],
-      "configs": ["modsec/low_anomaly_score.conf"]
+      "configs": ["modsec/anomaly_score.conf"]
     }
   ]
 }
diff --git a/...low/configs/modsec/low_anomaly_score.conf → ...tes/low/configs/modsec/anomaly_score.conf b/...low/configs/modsec/low_anomaly_score.conf → ...tes/low/configs/modsec/anomaly_score.conf