Merge pull request #1773 from bunkerity/dev

Merge branch "dev" into branch "beta"

README.md

@@ -375,7 +375,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
 |  **Discord**   |   1.6   | Send security notifications to a Discord channel using a Webhook.                                                                |    [bunkerweb-plugins/discord](https://github.com/bunkerity/bunkerweb-plugins/tree/main/discord)    |
 |   **Slack**    |   1.6   | Send security notifications to a Slack channel using a Webhook.                                                                  |      [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/slack)      |
 | **VirusTotal** |   1.6   | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious.          | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
-|  **WebHook**   |   1.6   | Send security notifications to a custom HTTP endpoint using a Webhook.                                                           |     [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook)     |
+|  **WebHook**   |   1.6   | Send security notifications to a custom HTTP endpoint using a Webhook.                                                           |     [bunkerweb-plugins/webhook](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook)     |
 
 You will find more information in the [plugins section](https://docs.bunkerweb.io/1.6.0-beta/plugins/?utm_campaign=self&utm_source=github) of the documentation.
 

docs/security-tuning.md

@@ -758,10 +758,10 @@ DNSBL or "DNS BlackList" is an external list of malicious IPs that you query usi
 
 Here is the list of settings related to DNSBL :
 
-|   Setting    |                                   Default                                    | Description                                    |
-| :----------: | :--------------------------------------------------------------------------: | :--------------------------------------------- |
-| `USE_DNSBL`  |                                    `yes`                                     | When set to `yes`, will enable DNSBL checking. |
-| `DNSBL_LIST` | `bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org` | List of DNSBL servers to ask.                  |
+|   Setting    |                       Default                       | Description                                    |
+| :----------: | :-------------------------------------------------: | :--------------------------------------------- |
+| `USE_DNSBL`  |                        `yes`                        | When set to `yes`, will enable DNSBL checking. |
+| `DNSBL_LIST` | `bl.blocklist.de sbl.spamhaus.org xbl.spamhaus.org` | List of DNSBL servers to ask.                  |
 
 ## Limiting
 

src/common/core/templates/templates/high.json

@@ -48,6 +48,7 @@
     "USE_LIMIT_CONN": "yes",
     "LIMIT_CONN_MAX_HTTP1": "10",
     "LIMIT_CONN_MAX_HTTP2": "100",
+    "LIMIT_CONN_MAX_HTTP3": "100",
     "USE_LIMIT_REQ": "yes",
     "LIMIT_REQ_URL": "/",
     "LIMIT_REQ_RATE": "2r/s",

src/common/core/templates/templates/low.json

@@ -48,6 +48,7 @@
     "USE_LIMIT_CONN": "yes",
     "LIMIT_CONN_MAX_HTTP1": "25",
     "LIMIT_CONN_MAX_HTTP2": "200",
+    "LIMIT_CONN_MAX_HTTP3": "200",
     "USE_LIMIT_REQ": "yes",
     "LIMIT_REQ_URL": "/",
     "LIMIT_REQ_RATE": "5r/s",

src/common/core/templates/templates/medium.json

@@ -48,6 +48,7 @@
     "USE_LIMIT_CONN": "yes",
     "LIMIT_CONN_MAX_HTTP1": "20",
     "LIMIT_CONN_MAX_HTTP2": "150",
+    "LIMIT_CONN_MAX_HTTP3": "150",
     "USE_LIMIT_REQ": "yes",
     "LIMIT_REQ_URL": "/",
     "LIMIT_REQ_RATE": "4r/s",

src/common/db/Database.py

@@ -49,7 +49,7 @@
 from common_utils import bytes_hash  # type: ignore
 
 from pymysql import install_as_MySQLdb
-from sqlalchemy import create_engine, event, MetaData as sql_metadata, func, join, select as db_select, text, inspect
+from sqlalchemy import case, create_engine, event, MetaData as sql_metadata, func, join, select as db_select, text, inspect
 from sqlalchemy.engine import Engine
 from sqlalchemy.exc import (
     ArgumentError,
@@ -3659,7 +3659,11 @@ def get_plugin_page(self, plugin_id: str) -> Optional[bytes]:
     def get_templates(self, plugin: Optional[str] = None) -> Dict[str, dict]:
         """Get templates."""
         with self._db_session() as session:
-            query = session.query(Templates).with_entities(Templates.id, Templates.plugin_id, Templates.name)
+            query = (
+                session.query(Templates)
+                .with_entities(Templates.id, Templates.plugin_id, Templates.name)
+                .order_by(case((Templates.name == "low", 0), else_=1))  # Pass as positional arguments
+            )
 
             if plugin:
                 query = query.filter_by(plugin_id=plugin)

src/common/settings.json

@@ -50,7 +50,7 @@
     "help": "List of the virtual hosts served by bunkerweb.",
     "id": "server-name",
     "label": "Server name",
-    "regex": "^(((?!.*\\.\\.)(?![^\\s]{256,})([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63})(?!.*\\s\\2(\\s|$)))?(\\s(((?!.*\\.\\.)(?![^\\s]{256,})([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63}))(?!.*\\s\\5(\\s|$)))*$",
+    "regex": "^(((?!.*\\.\\.)(?![^\\s]{256,})([A-Za-z0-9]([A-Za-z0-9\\-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63})(?!.*\\s\\2(\\s|$)))?(\\s(((?!.*\\.\\.)(?![^\\s]{256,})([A-Za-z0-9]([A-Za-z0-9\\-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63}))(?!.*\\s\\5(\\s|$)))*$",
     "type": "text"
   },
   "WORKER_PROCESSES": {

src/linux/Dockerfile-rhel

@@ -1,4 +1,4 @@
-FROM redhat/ubi8:8.10@sha256:d497966ce214138de5271eef321680639e18daf105ae94a6bff54247d8a191a3 AS builder
+FROM redhat/ubi8:8.10@sha256:79d46e7029c2b13a713b2089650fd235aadb3e6e449c79f6741d6c9381ab41a1 AS builder
 
 ENV OS=rhel
 ENV NGINX_VERSION=1.26.2
@@ -64,7 +64,7 @@ COPY src/scheduler scheduler
 COPY src/VERSION VERSION
 COPY src/ui ui
 
-FROM redhat/ubi8:8.10@sha256:d497966ce214138de5271eef321680639e18daf105ae94a6bff54247d8a191a3
+FROM redhat/ubi8:8.10@sha256:79d46e7029c2b13a713b2089650fd235aadb3e6e449c79f6741d6c9381ab41a1
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027

src/linux/Dockerfile-rhel9

@@ -1,4 +1,4 @@
-FROM redhat/ubi9:9.5@sha256:2bae9062eddbbc18e76555972e7026ffe02cef560a0076e6d7f72bed2c05723f AS builder
+FROM redhat/ubi9:9.5@sha256:1057dab827c782abcfb9bda0c3900c0966b5066e671d54976a7bcb3a2d1a5e53 AS builder
 
 ENV OS=rhel
 ENV NGINX_VERSION=1.26.2
@@ -65,7 +65,7 @@ COPY src/scheduler scheduler
 COPY src/VERSION VERSION
 COPY src/ui ui
 
-FROM redhat/ubi9:9.5@sha256:2bae9062eddbbc18e76555972e7026ffe02cef560a0076e6d7f72bed2c05723f
+FROM redhat/ubi9:9.5@sha256:1057dab827c782abcfb9bda0c3900c0966b5066e671d54976a7bcb3a2d1a5e53
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027

src/linux/Dockerfile-ubuntu

@@ -1,4 +1,4 @@
-FROM ubuntu:noble@sha256:278628f08d4979fb9af9ead44277dbc9c92c2465922310916ad0c46ec9999295 AS builder
+FROM ubuntu:noble@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab AS builder
 
 ENV OS=ubuntu
 ENV NGINX_VERSION=1.26.2
@@ -57,7 +57,7 @@ COPY src/scheduler scheduler
 COPY src/VERSION VERSION
 COPY src/ui ui
 
-FROM ubuntu:noble@sha256:278628f08d4979fb9af9ead44277dbc9c92c2465922310916ad0c46ec9999295
+FROM ubuntu:noble@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027

src/ui/app/routes/services.py

@@ -357,7 +357,7 @@ def update_service(service: str, variables: Dict[str, str], is_draft: bool, mode
 
     mode = request.args.get("mode", "easy")
     search_type = request.args.get("type", "all")
-    template = request.args.get("template", "high")
+    template = request.args.get("template", "low")
     db_templates = DB.get_templates()
     db_custom_configs = DB.get_custom_configs(with_drafts=True, as_dict=True)
     clone = None

src/ui/app/routes/setup.py

@@ -249,7 +249,7 @@ def setup_loading():
     db_config = DB.get_config(filtered_settings=("SERVER_NAME", "USE_UI", "REVERSE_PROXY_URL"))
     ui_service = {}
     ui_admin = DB.get_ui_user()
-    admin_old_enough = ui_admin and ui_admin.creation_date < datetime.now() - timedelta(minutes=5)
+    admin_old_enough = ui_admin and ui_admin.creation_date < datetime.now().astimezone() - timedelta(minutes=5)
 
     for server_name in db_config["SERVER_NAME"].split(" "):
         if server_name and db_config.get(f"{server_name}_USE_UI", "no") == "yes":

src/ui/app/static/js/plugins-settings.js

@@ -56,7 +56,7 @@ $(document).ready(() => {
     params.mode = currentMode;
     if (currentMode === "advanced" && currentType !== "all")
       params.type = currentType;
-    if (currentMode === "easy" && currentTemplate !== "high")
+    if (currentMode === "easy" && currentTemplate !== "low")
       params.template = currentTemplate;
 
     // If "easy" is selected, remove the "mode" parameter
@@ -153,8 +153,8 @@ $(document).ready(() => {
 
         params.type = null; // Remove the type parameter
 
-        // If "high" is selected, remove the "template" parameter
-        if (currentTemplate === "high") {
+        // If "low"  is selected, remove the "template" parameter
+        if (currentTemplate === "low") {
           params.template = null; // Set template to null to remove it from the URL
           updateUrlParams(params); // Call the function without the hash (keep it intact)
         } else {
@@ -983,11 +983,11 @@ $(document).ready(() => {
     currentMode === "easy"
   ) {
     $(`button[data-bs-target="#navs-modes-advanced"]`).tab("show");
-  } else if (usedTemplate !== "high" && currentMode === "easy") {
+  } else if (usedTemplate !== "low" && currentMode === "easy") {
     $(`button[data-bs-target="#navs-templates-${usedTemplate}"]`).tab("show");
   }
 
-  if (currentMode === "easy" && currentTemplate !== "high") {
+  if (currentMode === "easy" && currentTemplate !== "low") {
     $(`button[data-bs-target="#navs-templates-${currentTemplate}"]`).tab(
       "show",
     );
@@ -1128,18 +1128,16 @@ $(document).ready(() => {
     if (isReadOnly) return;
 
     const form = getFormFromSettings($(this));
-    if (currentMode !== "easy") {
-      let minSettings = 4;
-      if (!form.find("input[name='IS_DRAFT']").length) minSettings = 1;
+    let minSettings = 4;
+    if (!form.find("input[name='IS_DRAFT']").length) minSettings = 1;
 
-      const draftInput = $("#is-draft");
-      const wasDraft = draftInput.data("original") === "yes";
-      let isDraft = draftInput.val() === "yes";
-      if (currentMode === "raw")
-        isDraft = form.find("input[name='IS_DRAFT']").val() === "yes";
+    const draftInput = $("#is-draft");
+    const wasDraft = draftInput.data("original") === "yes";
+    let isDraft = draftInput.val() === "yes";
+    if (currentMode === "raw")
+      isDraft = form.find("input[name='IS_DRAFT']").val() === "yes";
 
-      if (form.children().length <= minSettings && isDraft === wasDraft) return;
-    }
+    if (form.children().length <= minSettings && isDraft === wasDraft) return;
 
     // Cross-browser compatibility (for older browsers)
     var message =

src/ui/app/templates/service_settings.html

@@ -10,7 +10,7 @@
            id="selected-mode"
            name="selected_mode"
            value="{{ mode }}">
-    <input type="hidden" id="used-template" name="used_template" value="{% if current_endpoint == "new" and not clone %}high{% else %}{{ config.get('USE_TEMPLATE', {'value': ''})['value'] }}
+    <input type="hidden" id="used-template" name="used_template" value="{% if current_endpoint == "new" and not clone %}low{% else %}{{ config.get('USE_TEMPLATE', {'value': ''})['value'] }}
     {% endif %}
     ">
     <input type="hidden"

tests/linux/Dockerfile-rhel

@@ -1,4 +1,4 @@
-FROM redhat/ubi8-init:8.10-9.1731462872@sha256:f27239c96f6878d49c9ba0cb3ba9376156529bd79c63d2316284a36d6a29dbf3
+FROM redhat/ubi8-init:8.10@sha256:7eb3cfe9b9df3b8f7b145839778f8fc282892eab47bda0488dc8b379691d5c5a
 
 ENV NGINX_VERSION=1.26.2
 

tests/linux/Dockerfile-rhel9

@@ -1,4 +1,4 @@
-FROM redhat/ubi9-init:9.5@sha256:86b5c0a442723b5679ce64f8d9d73de24271d16c9cc89865e976d61ead350130
+FROM redhat/ubi9-init:9.5@sha256:2624d481eba41047d204eff27bb20449158d11783e717647b9dae6e59140a82b
 
 ENV NGINX_VERSION=1.26.2
 

tests/linux/Dockerfile-ubuntu

@@ -1,4 +1,4 @@
-FROM ubuntu:noble@sha256:278628f08d4979fb9af9ead44277dbc9c92c2465922310916ad0c46ec9999295
+FROM ubuntu:noble@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
 
 ENV container=docker
 ENV LC_ALL=C