bunkerweb

v1.6.10 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 15d Network Security
This release patches 6 known CVEs

Topics

antibot security devops dnsbl docker hardening hosting kubernetes letsencrypt modsecurity nginx proxy security-tuning swarm waap web-application-firewall web-security

Affected surfaces

auth rbac deps breaking_upgrade crypto_tls

Summary

AI summary

Broad release touches All-in-one, BunkerWeb, Scheduler, and Autoconf.

Changes in this release

Security Medium

Neutralize CSV/XLSX formula injection in bans and reports exports (CWE-1236).

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Add data-loss guards in Database.save_config and Database.update_external_plugins.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Harden tar/zip extraction with centralized safe_tar_extractall / safe_zip_extractall helpers, pre-extraction validation, and Path.is_relative_to() containment checks. Mitigates CVE-2025-4517 on Python < 3.13.4.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Harden AIO service log forwarding against terminal injection in docker logs.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Harden AIO logstream.sh forwarding for nginx, access, error, and ModSecurity audit logs with the same control-character stripping.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Replace Trivy with Docker Scout for container image vulnerability scanning in the CI/CD pipeline.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Replace unbounded DataTables All page length with capped values and clamp server-side length / start parameters to prevent oversized requests from causing OOM.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Update NGINX to 1.30.1 to fix various CVEs.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix PATCH /global_config accidentally deleting all services, custom configs, and jobs cache.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Update coreruleset-v3 to v3.3.9 to fix CVE-2026-33691.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Update coreruleset-v4 to v4.26.0, including the CVE-2026-33691 fix.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Fix multiple memory leaks and unsafe defaults in metrics, datastore, and modsec.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Pin USE_UI=yes service upstreams to HTTP/1.1 so global REVERSE_PROXY_HTTP_VERSION=2 no longer locks out the Web UI.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Stop USE_MODSECURITY_GLOBAL_CRS=yes from returning 403 on UI POSTs and antibot challenges.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix ModSecurity REQUEST_HEADERS:Host and SERVER_NAME being empty for HTTP/3 requests.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Add MODSECURITY_SEC_REQUEST_BODY_LIMIT and MODSECURITY_SEC_REQUEST_BODY_LIMIT_ACTION to decouple ModSecurity body inspection from MAX_CLIENT_SIZE.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Add explicit ModSecurity request-body parsing error rules so truncated or malformed bodies are logged and rejected with the correct status.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Add REVERSE_PROXY_MODSECURITY setting to disable ModSecurity per reverse-proxy URL when needed, especially for large uploads.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Add WORKER_SHUTDOWN_TIMEOUT, default 30s, to terminate old NGINX workers after reloads and avoid unbounded memory growth.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Add __del__ safety net on the SQLAlchemy Database wrapper so per-job engines dispose cleanly during garbage collection.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Back-fill bw_settings defaults from settings.json at read time when catalogue rows are missing, NULL, or empty.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix DATABASE_URI driver injection corrupting hostnames when the host matches the scheme name.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix PostgreSQL table bloat in bw_plugin_pages and bw_jobs_cache.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix scheduler memory leak from unbounded job module cache, broken sys.modules cleanup, bulk cache loading, and infrequent garbage collection.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Disable Gunicorn 25.1.0 control socket to prevent worker deadlocks in UI, TMP-UI, and API.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Clean orphaned NGINX temp files on startup after OOM kills or ungraceful shutdowns.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix entrypoint spinning at 100% CPU when nginx/supervisord is OOM-killed.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Throttle repeated Redis-failure logs in metrics, sessions, and badbehavior.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix metrics Redis sync cascading failures after mid-cycle connection drops by adding auto-reconnect with circuit breaker.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix dead Redis connections being returned to the keepalive pool.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Full changelog

Documentation : https://docs.bunkerweb.io/1.6.10/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.10 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.10
  • BunkerWeb : bunkerity/bunkerweb:1.6.10 or ghcr.io/bunkerity/bunkerweb:1.6.10
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.10 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.10
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.10 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.10
  • UI : bunkerity/bunkerweb-ui:1.6.10 or ghcr.io/bunkerity/bunkerweb-ui:1.6.10
  • API : bunkerity/bunkerweb-api:1.6.10 or ghcr.io/bunkerity/bunkerweb-api:1.6.10

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.10&filter=all&dist=

Changelog :

[SECURITY]

  • [SECURITY] nginx: update NGINX to 1.30.1 to fix various CVEs.
  • [SECURITY] ui: neutralize CSV/XLSX formula injection in bans and reports exports (CWE-1236).
    • Server-side CSV now uses defusedcsv.
    • XLSX exports escape cells through the shared csv_safe() helper.
    • DataTables csv, excel, and copy buttons inherit the same protection through bwCsvSafe.
    • Cells starting with =, +, -, @, |, or % are prefixed with '.
    • Embedded | characters are backslash-escaped.
  • [API/SECURITY] Fix PATCH /global_config accidentally deleting all services, custom configs, and jobs cache.
  • [API/SECURITY] Add data-loss guards in Database.save_config and Database.update_external_plugins.
    • Refuse updates that would delete every global setting for a method.
    • Refuse plugin cascade-deletion when the incoming plugin list is empty.
    • Skip setting/selects/multiselects pruning on same-content plugin reinstalls detected by checksum.
  • [SECURITY] Update coreruleset-v3 to v3.3.9 to fix CVE-2026-33691. (Fixes #3402)
  • [SECURITY] Update coreruleset-v4 to v4.26.0, including the CVE-2026-33691 fix. (Fixes #3402)
  • [SECURITY] Harden tar/zip extraction with centralized safe_tar_extractall / safe_zip_extractall helpers, pre-extraction validation, and Path.is_relative_to() containment checks. Mitigates CVE-2025-4517 on Python < 3.13.4.
  • [SECURITY] Harden AIO service log forwarding against terminal injection in docker logs.
    • Strip C0/C1 control characters.
    • Disable pathname expansion around HIDE_SERVICE_LOGS.
    • Reject .. path-traversal segments in LOG_FILE_PATH.
  • [SECURITY] Harden AIO logstream.sh forwarding for nginx, access, error, and ModSecurity audit logs with the same control-character stripping.
  • [SECURITY] Replace Trivy with Docker Scout for container image vulnerability scanning in the CI/CD pipeline.
  • [UI/SECURITY] Replace unbounded DataTables All page length with capped values and clamp server-side length / start parameters to prevent oversized requests from causing OOM.
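The tar/zip hardening entry above names the technique: validate every member before extraction starts and use Path.is_relative_to() as the containment check. The Python below is an added illustration written for this page, not BunkerWeb's own safe_tar_extractall / safe_zip_extractall code; the UnsafeArchiveMember exception, the two-pass structure and the run_demo() harness with its constructed archives are assumptions. It goes slightly beyond the entry by also checking symlink and hard-link targets, the member types that CVE-2025-4517 concerns, and by re-checking each member against what is already on disk while extracting.

```python
import io
import tarfile
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """Raised during pre-extraction validation, before anything is written to disk."""


def _contained_target(dest: Path, name: str) -> Path:
    """Map a member name to its on-disk target and refuse anything outside dest."""
    if Path(name).is_absolute():
        raise UnsafeArchiveMember(f"absolute member name: {name!r}")
    target = (dest / name).resolve()
    # Path.is_relative_to() (Python 3.9+) is the containment check named in the changelog.
    if not target.is_relative_to(dest):
        raise UnsafeArchiveMember(f"member escapes destination: {name!r}")
    return target


def safe_tar_extractall(archive, dest) -> list:
    """Extract a tar archive into dest, refusing any member that would land outside it."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive) as tar:
        members = tar.getmembers()
        # Pass 1: validate every member before a single byte is written.
        for m in members:
            if m.isdev():
                raise UnsafeArchiveMember(f"device node not allowed: {m.name!r}")
            target = _contained_target(dest, m.name)
            if m.issym():
                link = (target.parent / m.linkname).resolve()  # relative to the link's directory
            elif m.islnk():
                link = (dest / m.linkname).resolve()  # hard links are relative to the archive root
            else:
                continue
            if Path(m.linkname).is_absolute() or not link.is_relative_to(dest):
                raise UnsafeArchiveMember(f"link escapes destination: {m.name!r} -> {m.linkname!r}")
        # Pass 2: extract one member at a time, re-checking containment against what is now
        # on disk so a symlink created by an earlier member cannot redirect a later one.
        # Where tarfile ships extraction filters, the "data" filter adds a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            _contained_target(dest, m.name)
            tar.extract(m, path=dest, **kwargs)
    return [m.name for m in members]


def safe_zip_extractall(archive, dest) -> list:
    """Same contract for zip archives: every name is validated before extraction starts."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(archive) as zf:
        infos = zf.infolist()
        for zi in infos:  # ZipFile.extract() would quietly rewrite "../x" to "x"; refuse instead
            _contained_target(dest, zi.filename)
        for zi in infos:
            zf.extract(zi, path=dest)
    return [zi.filename for zi in infos]


def _write_tar(path, name, linkname=None):
    """Constructed one-member tar for the demo: a regular file, or a symlink when linkname is given."""
    with tarfile.open(path, "w") as tar:
        info = tarfile.TarInfo(name)
        if linkname is None:
            data = b"hello\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        else:
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)


def _blocked(func, *args) -> bool:
    """True when the helper refused the archive during validation."""
    try:
        func(*args)
    except UnsafeArchiveMember:
        return True
    return False


def run_demo() -> dict:
    """Run the helpers on constructed archives inside a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        dest = tmp / "plugins"
        _write_tar(tmp / "good.tar", "plugin/plugin.json")
        results["tar_ok"] = safe_tar_extractall(tmp / "good.tar", dest)
        results["tar_content"] = (dest / "plugin" / "plugin.json").read_bytes()
        _write_tar(tmp / "traversal.tar", "../escape.txt")
        results["tar_traversal_blocked"] = _blocked(safe_tar_extractall, tmp / "traversal.tar", dest)
        _write_tar(tmp / "symlink.tar", "plugin/link", linkname="../../outside.txt")
        results["tar_symlink_blocked"] = _blocked(safe_tar_extractall, tmp / "symlink.tar", dest)
        with zipfile.ZipFile(tmp / "good.zip", "w") as zf:
            zf.writestr("plugin/plugin.json", "hello\n")
        results["zip_ok"] = safe_zip_extractall(tmp / "good.zip", dest)
        with zipfile.ZipFile(tmp / "traversal.zip", "w") as zf:
            zf.writestr("../escape.txt", "hello\n")
        results["zip_traversal_blocked"] = _blocked(safe_zip_extractall, tmp / "traversal.zip", dest)
        # Nothing may have landed next to the destination directory.
        results["escaped_files"] = sorted(p.name for p in tmp.iterdir() if p.suffix == ".txt")
    return results
```

The resolve() calls matter: checking the raw member string for ".." is not enough once a symlink exists inside the destination, which is why pass 2 re-resolves each name against the directory as it now is. On Python 3.13.4 and later the stdlib "data" filter already closes the symlink case this entry mitigates, and the containment check then serves as defence in depth rather than the only control.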

[BUGFIX]

  • [BUGFIX] metrics / datastore / modsec: fix multiple memory leaks and unsafe defaults.
    • Bound per-worker LRU and per-key event-history arrays with MAX_LRU_HISTORY, default 1k.
    • Lower METRICS_MAX_BLOCKED_REQUESTS_REDIS default from 100000 to 10k.
    • Lower shared datastore worker-LRU default from 100000 to 1k.
    • Add DATASTORE_LRU_SIZE.
    • Fix memory leak in ModSecurity-to-Lua variable retrieval.
  • [BUGFIX] reverseproxy: pin USE_UI=yes service upstreams to HTTP/1.1 so global REVERSE_PROXY_HTTP_VERSION=2 no longer locks out the Web UI. (Fixes #3550)
  • [BUGFIX] misc: fix per-service HTTPS handshakes aborting with no ssl_client_hello_by_lua* defined in server <name> when DISABLE_DEFAULT_SERVER_STRICT_SNI=yes.
  • [BUGFIX] modsecurity / ui / antibot: stop USE_MODSECURITY_GLOBAL_CRS=yes from returning 403 on UI POSTs and antibot challenges. (Fixes #3118)
  • [BUGFIX] Fix ModSecurity REQUEST_HEADERS:Host and SERVER_NAME being empty for HTTP/3 requests. (Fixes #3298)
  • [BUGFIX] Add MODSECURITY_SEC_REQUEST_BODY_LIMIT and MODSECURITY_SEC_REQUEST_BODY_LIMIT_ACTION to decouple ModSecurity body inspection from MAX_CLIENT_SIZE. (Fixes #3154)
  • [BUGFIX] Add explicit ModSecurity request-body parsing error rules so truncated or malformed bodies are logged and rejected with the correct status.
  • [BUGFIX] Add REVERSE_PROXY_MODSECURITY setting to disable ModSecurity per reverse-proxy URL when needed, especially for large uploads. (Fixes #3154)
  • [BUGFIX] Add WORKER_SHUTDOWN_TIMEOUT, default 30s, to terminate old NGINX workers after reloads and avoid unbounded memory growth. (Fixes #3153)
  • [BUGFIX] database: add a __del__ safety net on the SQLAlchemy Database wrapper so per-job engines dispose cleanly during garbage collection.
  • [BUGFIX] database: back-fill bw_settings defaults from settings.json at read time when catalogue rows are missing, NULL, or empty. (Fixes #3450)
  • [BUGFIX] Fix DATABASE_URI driver injection corrupting hostnames when the host matches the scheme name. (Fixes #3438)
  • [BUGFIX] Fix PostgreSQL table bloat in bw_plugin_pages and bw_jobs_cache.
  • [BUGFIX] Fix scheduler memory leak from unbounded job module cache, broken sys.modules cleanup, bulk cache loading, and infrequent garbage collection.
  • [BUGFIX] Disable Gunicorn 25.1.0 control socket to prevent worker deadlocks in UI, TMP-UI, and API.
  • [BUGFIX] Clean orphaned NGINX temp files on startup after OOM kills or ungraceful shutdowns.
  • [BUGFIX] Fix entrypoint spinning at 100% CPU when nginx/supervisord is OOM-killed.
  • [BUGFIX] Throttle repeated Redis-failure logs in metrics, sessions, and badbehavior.
  • [BUGFIX] Fix metrics Redis sync cascading failures after mid-cycle connection drops by adding auto-reconnect with circuit breaker.
  • [BUGFIX] Fix dead Redis connections being returned to the keepalive pool.
  • [BUGFIX] Fix cachestore:set() silently dropping cache writes in non-cosocket phases.
  • [BUGFIX] Fix cachestore:del_redis() calling a non-existent clusterstore:del() method.
  • [BUGFIX] Move cachestore:update() IPC polling to valid Lua phases to remove repeated retry warnings.
  • [BUGFIX] Fix badbehavior:log() crash caused by resty.lock calling ngx.sleep() in log_by_lua*.
  • [BUGFIX] Fix whitelist default-server crash caused by resty.lock calling ngx.sleep() in set_by_lua*. (Fixes #2583)
  • [BUGFIX] Fix is_cosocket_available() SSL phase detection and add missing yieldable phases.
  • [BUGFIX] badbehavior: do not increment counters for already-banned IPs. (Fixes #3448)
  • [BUGFIX] Fix ngx.exit(nil) crash when DENY_HTTP_STATUS is missing. (Fixes #2516)
  • [BUGFIX] Fix unbanning IPs for stream services by refreshing local ban cache from Redis after unban. (Fixes #2516)
  • [BUGFIX] Fix BunkerNet log_stream() crash in stream context where ngx.req.get_headers() is unavailable.
  • [BUGFIX] Fix robots.txt and security.txt plugins running expensive initialization on every request. (Fixes #3155)
  • [BUGFIX] Fix securitytxt RFC 9116 compliance.
    • Fix default Canonical: URL.
    • Emit Expires: as UTC with trailing Z.
    • Rename field to Acknowledgments:.
    • Cache auto-generated expiry per server.
  • [BUGFIX] Fix Post-Quantum Cryptography auto-detection on OpenSSL 3.5+ when SSL_ECDH_CURVE=auto.
  • [BUGFIX] Fix RC regression in @bwerror* handling where real 4xx/5xx rendering could be broken. (Fixes #3490)
  • [MISC] Improve JobScheduler per-job failure tracking.

[FEATURE]

  • [FEATURE] misc: add MAX_HEADERS, default 100, to cap request header lines.
  • [FEATURE] reverseproxy: add per-backend REVERSE_PROXY_HTTP_VERSION.
    • Default: 1.1.
    • Accepted values: 1.0, 1.1, 2.
    • WebSocket upstreams remain pinned to HTTP/1.1.
  • [FEATURE] templates: bundled ui and api templates now set REVERSE_PROXY_KEEPALIVE=yes.
  • [FEATURE] ui: align Web UI sessions with the Lua sessions plugin model.
    • SESSION_LIFETIME_HOURS, default 12, controls sliding idle TTL.
    • SESSION_ABSOLUTE_HOURS, default 168, enforces a hard cap.
    • SESSION_ROLLING_HOURS, default 0, optionally regenerates session IDs periodically.
  • [FEATURE] Add multisite SESSIONS_DOMAIN to share antibot/challenge state across sibling subdomains. (Fixes #3415)
  • [FEATURE] metrics / misc: allow k / m shorthand for metrics and datastore size settings.
  • [MISC] Accept g / G suffix on shared memory size settings and normalize to megabytes at template rendering time.
  • [MISC] Allow custom uppercase HTTP methods containing underscores and dashes in ALLOWED_METHODS. (Fixes #3411)
  • [MISC] Update default Permissions-Policy with local-network, local-network-access, and loopback-network.
  • [FEATURE] Let's Encrypt: add LETS_ENCRYPT_MAX_LOG_BACKUPS, default 50, to cap certbot log rotation.
  • [FEATURE] installer: add modern inline TUI prompts through gum.
    • Dispatch order: gum → pre-installed whiptail → plain read.
    • Controlled by --tui, --no-tui, and BW_INSTALL_TUI.
  • [FEATURE] installer: post-install "Next steps" now prints the detected host IPv4 instead of your-server-ip. (Fixes #3527)
    • Adds --server-ip <IP> and SERVER_IP_INPUT.
    • Interactive installs show a menu when multiple global IPv4s are detected.

[PERF]

  • [PERF] database: add 18 missing single-column indexes. (Fixes #3368, addresses #3367)

[UI]

  • [UI] List pages: restore unrestricted 10/25/50/100 page-size dropdown.
  • [UI] List pages: header checkbox now selects the current page only.
  • [UI] List pages: add opt-in "Select all N matching" banner for bulk actions across pages. (Fixes #3513)
  • [UI] Reports and Bans pages: CSV/Excel exports now include every column and honor active search and SearchPanes filters. (Fixes #3489)
  • [UI] Service edit page: restore non-UI-method settings and template defaults on advanced/raw save.
  • [UI] Service edit page: keep raw-mode draft toggle and the IS_DRAFT= line synchronized.
  • [UI] Add import/export for custom configurations, including optional .zip bundles attached to service exports.
  • [UI] Fix "Blocked Requests by Country" map coloring.
  • [UI] Fix service template switching so selected template defaults apply immediately while preserving customized fields. (Fixes #3241)
  • [UI] Fix multiselect dropdown being clipped in template wizard steps. (Fixes #3401)
  • [UI] Fix multiselect settings not displaying or applying values correctly in the template editor and service creation wizard.
  • [UI] Fix multiselect and multivalue settings resetting to defaults when all options are unchecked.
  • [UI] Fix Reports page search not matching Request ID.
  • [UI] Fix Reports page IP hit counts decreasing when filtering by IP. (Fixes #3407)
  • [UI] Prevent reload and worker-restart infinite loops when the database is read-only or configuration flag reset fails.
  • [UI] Check the database for USE_REDIS before showing the filesystem session backend warning.
  • [UI] Launch tmp-gunicorn with env -u LOG_FILE_PATH so bootstrap UI logs do not collide with main UI logs.

[API]

  • [API] Fix update_config_upload resetting a custom config's service scope to global when the caller did not request a service move.

[AUTOCONF]

  • [AUTOCONF] Fix Docker/Podman instance discovery looping on No instance found.
    • Health falls back to run-state when State.Health is missing.
    • Environment parsing is hardened.
    • The wait loop now logs exceptions instead of swallowing them.
  • [AUTOCONF] Fix Docker socket proxy restarts triggering deletion of all instances and services.
  • [AUTOCONF] Fix Docker API errors being silently swallowed as empty container/service lists.
  • [AUTOCONF] Fix Docker healthcheck exec events causing endless config regeneration and NGINX reloads.
  • [AUTOCONF] Fix multiple Kubernetes Ingress/Route resources for the same hostname overwriting each other instead of merging paths.
  • [AUTOCONF] Fix Kubernetes ingress rules being dropped when backend Services are not visible yet.
    • Missing backends are retried with exponential backoff.
    • Configuration apply is retriggered once backends appear.
  • [AUTOCONF] Relax empty SERVER_NAME guard for autoconf-owned full teardowns.
  • [AUTOCONF] Add AUTOCONF_DISABLE_CLEANUP, default no, to convert removed orchestrator services to draft instead of deleting them.
  • [BUGFIX] Configurator now supplements its internal server list from the database Services table in multisite mode.

[ALL-IN-ONE]

  • [ALL-IN-ONE] Update CrowdSec to 1.7.8.
  • [ALL-IN-ONE] Embedded Redis now boots from generated /var/lib/bunkerweb/redis-runtime.conf.
    • /etc/redis.conf remains authoritative.
    • Environment variables only fill missing directives.
    • Supported variables include REDIS_MAXMEMORY, REDIS_MAXMEMORY_POLICY, REDIS_APPENDONLY, REDIS_SAVE, REDIS_SAVE_<N>, and REDIS_PASSWORD.
  • [ALL-IN-ONE] Default Redis maxmemory-policy changed from allkeys-lru to volatile-lru.
    • Applied to the AIO entrypoint, Linux installer, bundled compose examples, and Redis Best Practices docs.
    • Helps preserve sessions and timed bans under memory pressure.
  • [ALL-IN-ONE] Python services now log only to container stdout/stderr.
    • service-log-wrapper.sh prefixes each line with [SERVICE].
    • Control characters are stripped.
    • HIDE_SERVICE_LOGS is honored.
    • No on-disk service log files are written.
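BunkerWeb does the forwarding described in this entry in shell (service-log-wrapper.sh and logstream.sh); the Python below is an added illustration of the same three controls for this page, not the project's code. It assumes HIDE_SERVICE_LOGS is a plain space-separated list of service names read without glob expansion, keeps TAB while stripping the other C0 and all C1 characters, and models the wrapper as a function over captured lines; the SAMPLE_LINES are constructed.

```python
import re
from pathlib import PurePosixPath

# C0 controls except TAB (the line-ending newline is removed by the line split), DEL, and
# the C1 range. ESC (0x1b) and CR (0x0d) are the characters that let a forwarded log line
# repaint or overwrite a terminal that is showing `docker logs`.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")


def strip_control_chars(line: str) -> str:
    """Remove C0/C1 control characters so the line is inert when printed to a terminal."""
    return CONTROL_CHARS.sub("", line)


def validate_log_file_path(value: str) -> str:
    """Reject a LOG_FILE_PATH that contains a '..' path segment (assumed validation contract)."""
    if ".." in PurePosixPath(value).parts:
        raise ValueError(f"LOG_FILE_PATH contains a '..' segment: {value!r}")
    return value


def hidden_services(hide_service_logs: str) -> set:
    """Parse HIDE_SERVICE_LOGS as a space-separated list; no pathname expansion is applied (assumption)."""
    return set(hide_service_logs.split())


def forward_service_logs(service: str, raw_lines, hide_service_logs: str = "") -> list:
    """Return the lines that would reach container stdout: prefixed, stripped, or suppressed."""
    if service in hidden_services(hide_service_logs):
        return []
    out = []
    for raw in raw_lines:
        text = strip_control_chars(raw.rstrip("\n"))  # a trailing CR from CRLF is stripped too
        out.append(f"[{service.upper()}] {text}")
    return out


# Constructed sample output from a service: one line carries a terminal clear-screen escape
# sequence copied from a request path, one uses a carriage return to overwrite earlier text.
SAMPLE_LINES = [
    "INFO started worker 3\n",
    "WARN client sent \x1b[2J\x1b[H in path\n",
    "ERROR real failure\rlooks fine\n",
    "INFO tab\tseparated fields\n",
]
```

Stripping rather than escaping is what the changelog describes; the remaining "[2J[H" text is harmless without its ESC byte, and the CR line can no longer hide "real failure" from someone tailing the container output.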

[LINUX]

  • [LINUX] Add Fedora 44 support.

[DOCS]

  • [DOCS] Add llms.txt and llms-full.txt generation through a MkDocs post-build hook.

[DEPS]

  • [DEPS] NGINX updated to v1.30.1.
  • [DEPS] ModSecurity updated to v3.0.15.
  • [DEPS] Mbed TLS updated to v4.1.0.
  • [DEPS] libinjection updated to v4.0.0.
  • [DEPS] coreruleset-v3 updated to v3.3.9.
  • [DEPS] coreruleset-v4 updated to v4.26.0.
  • [DEPS] LuaJIT updated to v2.1-20260415.
  • [DEPS] lua-resty-string updated to v0.17.
  • [DEPS] lua-cjson updated to v2.1.0.17.
  • [DEPS] Brotli updated to v1.2.0.
  • [DEPS] headers-more-nginx-module updated to v0.39.
  • [DEPS] CrowdSec updated to v1.7.8.

[CONTRIBUTION]

  • [CONTRIBUTION] Thank you @harshadkhetpal for exception handling improvements in the autoconf entrypoint. (#3421)
  • [CONTRIBUTION] Thank you @Simonmiz for the German Web UI translation. (#3422)
  • [CONTRIBUTION] Thank you @daemon-byte for adding the Cap.js self-hosted proof-of-work antibot mode. (#3454)

Breaking Changes

  • Default Redis `maxmemory-policy` changed from `allkeys-lru` to `volatile-lru` in All-in-One deployments.

Security Fixes

  • CVE-2026-33691 – Update coreruleset-v3 to v3.3.9 and coreruleset-v4 to v4.26.0.
  • CSV/XLSX formula injection (CWE-1236) neutralized in bans/reports exports using `defusedcsv` and the `bwCsvSafe` helper.
  • [API/SECURITY] Prevented accidental deletion of all services, configs, and job cache via `PATCH /global_config`.
  • CVE-2026-33691
  • CVE-2025-4517
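The CSV/XLSX neutralization listed above follows the rule spelled out in the changelog: cells starting with =, +, -, @, |, or % are prefixed with ', and embedded | characters are backslash-escaped. The Python below is an added illustration for this page, not BunkerWeb's csv_safe() or bwCsvSafe; the function names, the export helper and the sample ban rows are constructed. It applies the rule through Python's csv module so an export can be checked end to end.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a formula
# (the set named in the CWE-1236 changelog entry).
FORMULA_PREFIXES = ("=", "+", "-", "@", "|", "%")


def csv_safe(value) -> str:
    """Neutralize one cell for CSV/XLSX export (illustrative stand-in for the project's helper)."""
    if value is None:
        return ""
    text = str(value)
    # Decide on the prefix before escaping: escaping turns a leading "|" into "\|".
    needs_prefix = text.startswith(FORMULA_PREFIXES)
    # Embedded pipes are backslash-escaped, as the changelog specifies.
    text = text.replace("|", "\\|")
    if needs_prefix:
        text = "'" + text
    return text


def export_csv(rows, fieldnames) -> str:
    """Render rows as CSV text with every cell passed through csv_safe()."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: csv_safe(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample ban rows; the "reason" values stand in for client-controlled text
# (a User-Agent, a request path) that ends up in a bans or reports export.
SAMPLE_BANS = [
    {"ip": "203.0.113.7", "reason": "=2+2", "service": "app"},
    {"ip": "198.51.100.9", "reason": "rate|limit exceeded", "service": "api"},
    {"ip": "192.0.2.4", "reason": "@blocked by antibot", "service": None},
]
FIELDS = ["ip", "reason", "service"]
```

One caveat when applying the rule this way: a negative number rendered as a string ("-42") also receives the ' prefix, so numeric columns should be written as numbers by the exporter rather than passed through as text.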


About bunkerweb

Open-source and next-generation Web Application Firewall (WAF)
