getjerry · bellondr · Dec 13, 2024 · Dec 14, 2024 · Dec 14, 2024 · Dec 16, 2024
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
@@ -72,7 +72,7 @@ VOLUME /data
 
 WORKDIR /usr/share/bunkerweb/autoconf
 
-USER autoconf:autoconf
+USER root
-USER root
+USER autoconf:autoconf
-USER root
+USER autoconf:autoconf
 
 HEALTHCHECK --interval=10s --timeout=10s --start-period=60s --retries=6 CMD /usr/share/bunkerweb/helpers/healthcheck-autoconf.sh
 

diff --git a/src/autoconf/IngressController.py b/src/autoconf/IngressController.py
@@ -47,15 +47,6 @@ def _to_instances(self, controller_instance) -> List[dict]:
         else:
             for env in pod.env:
                 instance["env"][env.name] = env.value or ""
-        for controller_service in self._get_controller_services():
-            if controller_service.metadata.annotations:
-                for (
-                    annotation,
-                    value,
-                ) in controller_service.metadata.annotations.items():
-                    if not annotation.startswith("bunkerweb.io/"):
-                        continue
-                    instance["env"][annotation.replace("bunkerweb.io/", "", 1)] = value
         return [instance]
 
     def _get_controller_services(self) -> list:
@@ -66,6 +57,8 @@ def _to_services(self, controller_service) -> List[dict]:
             return []
         namespace = controller_service.metadata.namespace
         services = []
+        if controller_service.metadata.annotations is None or "bunkerweb.io" not in controller_service.metadata.annotations:
+            return []
         # parse rules
         for rule in controller_service.spec.rules:
             if not rule.host:
@@ -79,45 +72,13 @@ def _to_services(self, controller_service) -> List[dict]:
                 services.append(service)
                 continue
             location = 1
-            for path in rule.http.paths:
-                if not path.path:
-                    self._logger.warning(
-                        "Ignoring unsupported ingress rule without path.",
-                    )
-                    continue
-                elif not path.backend.service:
-                    self._logger.warning(
-                        "Ignoring unsupported ingress rule without backend service.",
-                    )
-                    continue
-                elif not path.backend.service.port:
-                    self._logger.warning(
-                        "Ignoring unsupported ingress rule without backend service port.",
-                    )
-                    continue
-                elif not path.backend.service.port.number:
-                    self._logger.warning(
-                        "Ignoring unsupported ingress rule without backend service port number.",
-                    )
-                    continue
-
-                service_list = self.__corev1.list_service_for_all_namespaces(
-                    watch=False,
-                    field_selector=f"metadata.name={path.backend.service.name},metadata.namespace={namespace}",
-                ).items
-
-                if not service_list:
-                    self._logger.warning(
-                        f"Ignoring ingress rule with service {path.backend.service.name} : service not found.",
-                    )
-                    continue
-
-                reverse_proxy_host = f"http://{path.backend.service.name}.{namespace}.svc.cluster.local:{path.backend.service.port.number}"
+            if len(rule.http.paths) > 0:
+                reverse_proxy_host = "http://localhost:80"
                 service.update(
                     {
                         "USE_REVERSE_PROXY": "yes",
                         f"REVERSE_PROXY_HOST_{location}": reverse_proxy_host,
-                        f"REVERSE_PROXY_URL_{location}": path.path,
+                        f"REVERSE_PROXY_URL_{location}": "/",
                     }
                 )
                 location += 1
@@ -132,12 +93,12 @@ def _to_services(self, controller_service) -> List[dict]:
                 ) in controller_service.metadata.annotations.items():
                     if not annotation.startswith("bunkerweb.io/"):
                         continue
-
                     variable = annotation.replace("bunkerweb.io/", "", 1)
                     server_name = service["SERVER_NAME"].strip().split(" ")[0]
                     if not variable.startswith(f"{server_name}_"):
-                        continue
-                    service[variable.replace(f"{server_name}_", "", 1)] = value
+                        service[variable] = value
+                    else:
+                        service[variable.replace(f"{server_name}_", "", 1)] = value
 
         # parse tls
         if controller_service.spec.tls:
@@ -210,7 +171,7 @@ def __process_event(self, event):
         if obj.kind == "Pod":
             return annotations and "bunkerweb.io/INSTANCE" in annotations
         if obj.kind == "Ingress":
-            return True
+            return annotations and "bunkerweb.io" in annotations
         if obj.kind == "ConfigMap":
             return annotations and "bunkerweb.io/CONFIG_TYPE" in annotations
         if obj.kind == "Service":

diff --git a/src/autoconf/main.py b/src/autoconf/main.py
@@ -15,13 +15,22 @@
 from SwarmController import SwarmController
 from IngressController import IngressController
 from DockerController import DockerController
+import uuid
+from kubernetes import config
+from kubernetes.leaderelection import leaderelection
+from kubernetes.leaderelection.resourcelock.configmaplock import ConfigMapLock
+from kubernetes.leaderelection import electionconfig
 
 # Get variables
 logger = setup_logger("Autoconf", getenv("LOG_LEVEL", "INFO"))
 swarm = getenv("SWARM_MODE", "no").lower() == "yes"
 kubernetes = getenv("KUBERNETES_MODE", "no").lower() == "yes"
 docker_host = getenv("DOCKER_HOST", "unix:///var/run/docker.sock")
 wait_retry_interval = getenv("WAIT_RETRY_INTERVAL", "5")
+namespace = getenv("NAMESPACE", "default")
+pod_name =  getenv("POD_NAME", f'auto-{uuid.uuid4()}')
+# Authenticate using config file
+config.load_incluster_config()
 
 if not wait_retry_interval.isdigit():
     logger.error("Invalid WAIT_RETRY_INTERVAL value, must be an integer")
@@ -38,19 +47,34 @@ def exit_handler(signum, frame):
 signal(SIGINT, exit_handler)
 signal(SIGTERM, exit_handler)
 
-try:
-    # Instantiate the controller
-    if swarm:
-        logger.info("Swarm mode detected")
-        controller = SwarmController(docker_host)
-    elif kubernetes:
-        logger.info("Kubernetes mode detected")
-        controller = IngressController()
-    else:
-        logger.info("Docker mode detected")
-        controller = DockerController(docker_host)
-
-    # Wait for instances
+
+def run_on_kubernetes_ha_mode():
+    lock_name = "autoconfig-election"
+
+    config = electionconfig.Config(
+        ConfigMapLock(lock_name, namespace, pod_name),
+        lease_duration=17,
+        renew_deadline=15,
+        retry_period=5,
+        onstarted_leading=kubernetes_start,
+        onstopped_leading=onstopped_leading
+    )
+    logger.info(f'I am {pod_name} with {lock_name} in namespace {namespace}')
+    # Enter leader election
+    leaderelection.LeaderElection(config).run()
+
+
+def onstopped_leading():
+    logger.info(f'{pod_name} is follower')
+
+
+def kubernetes_start():
+    logger.info(f'{pod_name} is leader')
+    controller = IngressController()
+    start(controller=controller)
+
+
+def start(controller):
     logger.info("Waiting for BunkerWeb instances ...")
     instances = controller.wait(wait_retry_interval)
     logger.info("BunkerWeb instances are ready 🚀")
@@ -65,8 +89,29 @@ def exit_handler(signum, frame):
     Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy").write_text("ok")
     logger.info("Processing events ...")
     controller.process_events()
-except:
-    logger.error(f"Exception while running autoconf :\n{format_exc()}")
-    sys_exit(1)
-finally:
-    Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy").unlink(missing_ok=True)
+
+
+def start_server():
+    try:
+        # Instantiate the controller
+        if kubernetes:
+            run_on_kubernetes_ha_mode()
+        elif swarm:
+            logger.info("Swarm mode detected")
+            controller = SwarmController(docker_host)
+        else:
+            logger.info("Docker mode detected")
+            controller = DockerController(docker_host)
+
+        if not kubernetes:
+            start(controller=controller)
+
+    except:
+        logger.error(f"Exception while running autoconf :\n{format_exc()}")
+        sys_exit(1)
-    except:
-        logger.error(f"Exception while running autoconf :\n{format_exc()}")
-        sys_exit(1)
+    except Exception as e:
+        logger.error(f"Exception while running autoconf :\n{format_exc()}")
+        logger.error(f"Error type: {type(e).__name__}")
+        sys_exit(1)
-    except:
-        logger.error(f"Exception while running autoconf :\n{format_exc()}")
-        sys_exit(1)
+    except Exception as e:
+        logger.error(f"Exception while running autoconf :\n{format_exc()}")
+        logger.error(f"Error type: {type(e).__name__}")
+        sys_exit(1)
+    finally:
+        Path(sep, "var", "tmp", "bunkerweb", "autoconf.healthy").unlink(missing_ok=True)
+
+
+if __name__ == '__main__':
+    start_server()
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
@@ -19,11 +19,13 @@ WORKDIR /usr/share/bunkerweb
 # Copy python requirements
 COPY src/deps/requirements.txt /tmp/requirements-deps.txt
 COPY src/common/gen/requirements.txt deps/requirements-gen.txt
+COPY src/common/db/requirements.txt deps/requirements-db.txt
 
 # Install python requirements
 RUN export MAKEFLAGS="-j$(nproc)" && \
 	pip install --break-system-packages --no-cache-dir --require-hashes --ignore-installed -r /tmp/requirements-deps.txt && \
-	pip install --break-system-packages --no-cache-dir --require-hashes --target deps/python -r deps/requirements-gen.txt
+	pip install --break-system-packages --no-cache-dir --require-hashes --target deps/python -r deps/requirements-gen.txt && \
+	pip install --break-system-packages --no-cache-dir --require-hashes --target deps/python -r deps/requirements-db.txt
 
 # Copy files
 # can't exclude deps from . so we are copying everything by hand
@@ -36,6 +38,7 @@ COPY src/common/cli cli
 COPY src/common/confs confs
 COPY src/common/core core
 COPY src/common/gen gen
+COPY src/common/db db
 COPY src/common/helpers helpers
 COPY src/common/settings.json settings.json
 COPY src/common/utils utils

diff --git a/src/common/confs/default-server-http.conf b/src/common/confs/default-server-http.conf
@@ -97,6 +97,25 @@ server {
 				})
 		}
 	}
+{% else +%}
+	location / {
+		etag off;
+		proxy_pass "http://localhost:80";
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Protocol $scheme;
+		proxy_set_header X-Forwarded-Host $http_host;
+
+		proxy_set_header X-Forwarded-Prefix "/";
+
+		proxy_buffering on;
+
+		proxy_connect_timeout 60s;
+		proxy_read_timeout 600s;
+		proxy_send_timeout 600s;
+ 	}
 {% endif %}
 
 	# include core and plugins default-server configurations
@@ -189,5 +208,4 @@ server {
 		logger:log(INFO, "log_default phase ended")
 
 	}
-
 }
diff --git a/src/common/confs/healthcheck.conf b/src/common/confs/healthcheck.conf
@@ -15,6 +15,12 @@ server {
 		}
 	}
 
+	location /nginx_status {
+		stub_status on;
+		allow 127.0.0.1;
+		deny all;
+	}
+
 	# disable logging
 	access_log off;
 

diff --git a/src/common/confs/http-modsec-crs/http-http3.conf b/src/common/confs/http-modsec-crs/http-http3.conf
@@ -0,0 +1,9 @@
+{% if USE_MODSECURITY == "yes" and MODSECURITY_CRS_VERSION == "3" and HTTP3 == "yes" +%}
+SecAction \
+"id:900230,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
+{% endif %}
diff --git a/src/common/confs/http-modsecurity/http-modsecurity.conf b/src/common/confs/http-modsecurity/http-modsecurity.conf
@@ -0,0 +1,4 @@
+{% if USE_MODSECURITY == "yes" +%}
-{% if USE_MODSECURITY == "yes" +%}
+{% if USE_MODSECURITY == "yes" %}
-{% if USE_MODSECURITY == "yes" +%}
+{% if USE_MODSECURITY == "yes" %}
+modsecurity on;
+modsecurity_rules_file /etc/nginx/http-modsecurity/modsecurity-rules.conf.modsec;
+{% endif %}