github bunkerity/bunkerweb v1.6.10

3 hours ago

Documentation : https://docs.bunkerweb.io/1.6.10/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.10 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.10
  • BunkerWeb : bunkerity/bunkerweb:1.6.10 or ghcr.io/bunkerity/bunkerweb:1.6.10
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.10 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.10
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.10 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.10
  • UI : bunkerity/bunkerweb-ui:1.6.10 or ghcr.io/bunkerity/bunkerweb-ui:1.6.10
  • API : bunkerity/bunkerweb-api:1.6.10 or ghcr.io/bunkerity/bunkerweb-api:1.6.10

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.10&filter=all&dist=

Changelog :

[SECURITY]

  • [SECURITY] nginx: update NGINX to 1.30.1 to fix various CVEs.
  • [SECURITY] ui: neutralize CSV/XLSX formula injection in bans and reports exports (CWE-1236).
    • Server-side CSV now uses defusedcsv.
    • XLSX exports escape cells through the shared csv_safe() helper.
    • DataTables csv, excel, and copy buttons inherit the same protection through bwCsvSafe.
    • Cells starting with =, +, -, @, |, or % are prefixed with '.
    • Embedded | characters are backslash-escaped.
  • [API/SECURITY] Fix PATCH /global_config accidentally deleting all services, custom configs, and jobs cache.
  • [API/SECURITY] Add data-loss guards in Database.save_config and Database.update_external_plugins.
    • Refuse updates that would delete every global setting for a method.
    • Refuse plugin cascade-deletion when the incoming plugin list is empty.
    • Skip setting/selects/multiselects pruning on same-content plugin reinstalls detected by checksum.
  • [SECURITY] Update coreruleset-v3 to v3.3.9 to fix CVE-2026-33691. (Fixes #3402)
  • [SECURITY] Update coreruleset-v4 to v4.26.0, including the CVE-2026-33691 fix. (Fixes #3402)
  • [SECURITY] Harden tar/zip extraction with centralized safe_tar_extractall / safe_zip_extractall helpers, pre-extraction validation, and Path.is_relative_to() containment checks. Mitigates CVE-2025-4517 on Python < 3.13.4.
  • [SECURITY] Harden AIO service log forwarding against terminal injection in docker logs.
    • Strip C0/C1 control characters.
    • Disable pathname expansion around HIDE_SERVICE_LOGS.
    • Reject .. path-traversal segments in LOG_FILE_PATH.
  • [SECURITY] Harden AIO logstream.sh forwarding for nginx, access, error, and ModSecurity audit logs with the same control-character stripping.
  • [SECURITY] Replace Trivy with Docker Scout for container image vulnerability scanning in the CI/CD pipeline.
  • [UI/SECURITY] Replace unbounded DataTables "All" page length with capped values and clamp server-side length / start parameters to prevent oversized requests from causing OOM.

[BUGFIX]

  • [BUGFIX] metrics / datastore / modsec: fix multiple memory leaks and unsafe defaults.
    • Bound per-worker LRU and per-key event-history arrays with MAX_LRU_HISTORY, default 1k.
    • Lower METRICS_MAX_BLOCKED_REQUESTS_REDIS default from 100000 to 10k.
    • Lower shared datastore worker-LRU default from 100000 to 1k.
    • Add DATASTORE_LRU_SIZE.
    • Fix memory leak in ModSecurity-to-Lua variable retrieval.
  • [BUGFIX] reverseproxy: pin USE_UI=yes service upstreams to HTTP/1.1 so global REVERSE_PROXY_HTTP_VERSION=2 no longer locks out the Web UI. (Fixes #3550)
  • [BUGFIX] misc: fix per-service HTTPS handshakes aborting with "no ssl_client_hello_by_lua* defined in server <name>" when DISABLE_DEFAULT_SERVER_STRICT_SNI=yes.
  • [BUGFIX] modsecurity / ui / antibot: stop USE_MODSECURITY_GLOBAL_CRS=yes from returning 403 on UI POSTs and antibot challenges. (Fixes #3118)
  • [BUGFIX] Fix ModSecurity REQUEST_HEADERS:Host and SERVER_NAME being empty for HTTP/3 requests. (Fixes #3298)
  • [BUGFIX] Add MODSECURITY_SEC_REQUEST_BODY_LIMIT and MODSECURITY_SEC_REQUEST_BODY_LIMIT_ACTION to decouple ModSecurity body inspection from MAX_CLIENT_SIZE. (Fixes #3154)
  • [BUGFIX] Add explicit ModSecurity request-body parsing error rules so truncated or malformed bodies are logged and rejected with the correct status.
  • [BUGFIX] Add REVERSE_PROXY_MODSECURITY setting to disable ModSecurity per reverse-proxy URL when needed, especially for large uploads. (Fixes #3154)
  • [BUGFIX] Add WORKER_SHUTDOWN_TIMEOUT, default 30s, to terminate old NGINX workers after reloads and avoid unbounded memory growth. (Fixes #3153)
  • [BUGFIX] database: add a __del__ safety net on the SQLAlchemy Database wrapper so per-job engines dispose cleanly during garbage collection.
  • [BUGFIX] database: back-fill bw_settings defaults from settings.json at read time when catalogue rows are missing, NULL, or empty. (Fixes #3450)
  • [BUGFIX] Fix DATABASE_URI driver injection corrupting hostnames when the host matches the scheme name. (Fixes #3438)
  • [BUGFIX] Fix PostgreSQL table bloat in bw_plugin_pages and bw_jobs_cache.
  • [BUGFIX] Fix scheduler memory leak from unbounded job module cache, broken sys.modules cleanup, bulk cache loading, and infrequent garbage collection.
  • [BUGFIX] Disable Gunicorn 25.1.0 control socket to prevent worker deadlocks in UI, TMP-UI, and API.
  • [BUGFIX] Clean orphaned NGINX temp files on startup after OOM kills or ungraceful shutdowns.
  • [BUGFIX] Fix entrypoint spinning at 100% CPU when nginx/supervisord is OOM-killed.
  • [BUGFIX] Throttle repeated Redis-failure logs in metrics, sessions, and badbehavior.
  • [BUGFIX] Fix metrics Redis sync cascading failures after mid-cycle connection drops by adding auto-reconnect with circuit breaker.
  • [BUGFIX] Fix dead Redis connections being returned to the keepalive pool.
  • [BUGFIX] Fix cachestore:set() silently dropping cache writes in non-cosocket phases.
  • [BUGFIX] Fix cachestore:del_redis() calling a non-existent clusterstore:del() method.
  • [BUGFIX] Move cachestore:update() IPC polling to valid Lua phases to remove repeated retry warnings.
  • [BUGFIX] Fix badbehavior:log() crash caused by resty.lock calling ngx.sleep() in log_by_lua*.
  • [BUGFIX] Fix whitelist default-server crash caused by resty.lock calling ngx.sleep() in set_by_lua*. (Fixes #2583)
  • [BUGFIX] Fix is_cosocket_available() SSL phase detection and add missing yieldable phases.
  • [BUGFIX] badbehavior: do not increment counters for already-banned IPs. (Fixes #3448)
  • [BUGFIX] Fix ngx.exit(nil) crash when DENY_HTTP_STATUS is missing. (Fixes #2516)
  • [BUGFIX] Fix unbanning IPs for stream services by refreshing local ban cache from Redis after unban. (Fixes #2516)
  • [BUGFIX] Fix BunkerNet log_stream() crash in stream context where ngx.req.get_headers() is unavailable.
  • [BUGFIX] Fix robots.txt and security.txt plugins running expensive initialization on every request. (Fixes #3155)
  • [BUGFIX] Fix securitytxt RFC 9116 compliance.
    • Fix default Canonical: URL.
    • Emit Expires: as UTC with trailing Z.
    • Rename field to Acknowledgments:.
    • Cache auto-generated expiry per server.
  • [BUGFIX] Fix Post-Quantum Cryptography auto-detection on OpenSSL 3.5+ when SSL_ECDH_CURVE=auto.
  • [BUGFIX] Fix RC regression in @bwerror* handling where real 4xx/5xx rendering could be broken. (Fixes #3490)
  • [MISC] Improve JobScheduler per-job failure tracking.

[FEATURE]

  • [FEATURE] misc: add MAX_HEADERS, default 100, to cap request header lines.
  • [FEATURE] reverseproxy: add per-backend REVERSE_PROXY_HTTP_VERSION.
    • Default: 1.1.
    • Accepted values: 1.0, 1.1, 2.
    • WebSocket upstreams remain pinned to HTTP/1.1.
  • [FEATURE] templates: bundled ui and api templates now set REVERSE_PROXY_KEEPALIVE=yes.
  • [FEATURE] ui: align Web UI sessions with the Lua sessions plugin model.
    • SESSION_LIFETIME_HOURS, default 12, controls sliding idle TTL.
    • SESSION_ABSOLUTE_HOURS, default 168, enforces a hard cap.
    • SESSION_ROLLING_HOURS, default 0, optionally regenerates session IDs periodically.
  • [FEATURE] Add multisite SESSIONS_DOMAIN to share antibot/challenge state across sibling subdomains. (Fixes #3415)
  • [FEATURE] metrics / misc: allow k / m shorthand for metrics and datastore size settings.
  • [MISC] Accept g / G suffix on shared memory size settings and normalize to megabytes at template rendering time.
  • [MISC] Allow custom uppercase HTTP methods containing underscores and dashes in ALLOWED_METHODS. (Fixes #3411)
  • [MISC] Update default Permissions-Policy with local-network, local-network-access, and loopback-network.
  • [FEATURE] Let's Encrypt: add LETS_ENCRYPT_MAX_LOG_BACKUPS, default 50, to cap certbot log rotation.
  • [FEATURE] installer: add modern inline TUI prompts through gum.
    • Dispatch order: gum → pre-installed whiptail → plain read.
    • Controlled by --tui, --no-tui, and BW_INSTALL_TUI.
  • [FEATURE] installer: post-install "Next steps" now prints the detected host IPv4 instead of your-server-ip. (Fixes #3527)
    • Adds --server-ip <IP> and SERVER_IP_INPUT.
    • Interactive installs show a menu when multiple global IPv4s are detected.

[PERF]

  • [PERF] database: add 18 missing single-column indexes. (Fixes #3368, addresses #3367)

[UI]

  • [UI] List pages: restore unrestricted 10/25/50/100 page-size dropdown.
  • [UI] List pages: header checkbox now selects the current page only.
  • [UI] List pages: add opt-in "Select all N matching" banner for bulk actions across pages. (Fixes #3513)
  • [UI] Reports and Bans pages: CSV/Excel exports now include every column and honor active search and SearchPanes filters. (Fixes #3489)
  • [UI] Service edit page: restore non-UI-method settings and template defaults on advanced/raw save.
  • [UI] Service edit page: keep raw-mode draft toggle and the IS_DRAFT= line synchronized.
  • [UI] Add import/export for custom configurations, including optional .zip bundles attached to service exports.
  • [UI] Fix "Blocked Requests by Country" map coloring.
  • [UI] Fix service template switching so selected template defaults apply immediately while preserving customized fields. (Fixes #3241)
  • [UI] Fix multiselect dropdown being clipped in template wizard steps. (Fixes #3401)
  • [UI] Fix multiselect settings not displaying or applying values correctly in the template editor and service creation wizard.
  • [UI] Fix multiselect and multivalue settings resetting to defaults when all options are unchecked.
  • [UI] Fix Reports page search not matching Request ID.
  • [UI] Fix Reports page IP hit counts decreasing when filtering by IP. (Fixes #3407)
  • [UI] Prevent reload and worker-restart infinite loops when the database is read-only or configuration flag reset fails.
  • [UI] Check the database for USE_REDIS before showing the filesystem session backend warning.
  • [UI] Launch tmp-gunicorn with env -u LOG_FILE_PATH so bootstrap UI logs do not collide with main UI logs.

[API]

  • [API] Fix update_config_upload resetting a custom config's service scope to global when the caller did not request a service move.

[AUTOCONF]

  • [AUTOCONF] Fix Docker/Podman instance discovery looping on "No instance found".
    • Health falls back to run-state when State.Health is missing.
    • Environment parsing is hardened.
    • The wait loop now logs exceptions instead of swallowing them.
  • [AUTOCONF] Fix Docker socket proxy restarts triggering deletion of all instances and services.
  • [AUTOCONF] Fix Docker API errors being silently swallowed as empty container/service lists.
  • [AUTOCONF] Fix Docker healthcheck exec events causing endless config regeneration and NGINX reloads.
  • [AUTOCONF] Fix multiple Kubernetes Ingress/Route resources for the same hostname overwriting each other instead of merging paths.
  • [AUTOCONF] Fix Kubernetes ingress rules being dropped when backend Services are not visible yet.
    • Missing backends are retried with exponential backoff.
    • Configuration apply is retriggered once backends appear.
  • [AUTOCONF] Relax empty SERVER_NAME guard for autoconf-owned full teardowns.
  • [AUTOCONF] Add AUTOCONF_DISABLE_CLEANUP, default no, to convert removed orchestrator services to draft instead of deleting them.
  • [BUGFIX] Configurator now supplements its internal server list from the database Services table in multisite mode.

[ALL-IN-ONE]

  • [ALL-IN-ONE] Update CrowdSec to 1.7.8.
  • [ALL-IN-ONE] Embedded Redis now boots from generated /var/lib/bunkerweb/redis-runtime.conf.
    • /etc/redis.conf remains authoritative.
    • Environment variables only fill missing directives.
    • Supported variables include REDIS_MAXMEMORY, REDIS_MAXMEMORY_POLICY, REDIS_APPENDONLY, REDIS_SAVE, REDIS_SAVE_<N>, and REDIS_PASSWORD.
  • [ALL-IN-ONE] Default Redis maxmemory-policy changed from allkeys-lru to volatile-lru.
    • Applied to the AIO entrypoint, Linux installer, bundled compose examples, and Redis Best Practices docs.
    • Helps preserve sessions and timed bans under memory pressure.
  • [ALL-IN-ONE] Python services now log only to container stdout/stderr.
    • service-log-wrapper.sh prefixes each line with [SERVICE].
    • Control characters are stripped.
    • HIDE_SERVICE_LOGS is honored.
    • No on-disk service log files are written.

[LINUX]

  • [LINUX] Add Fedora 44 support.

[DOCS]

  • [DOCS] Add llms.txt and llms-full.txt generation through a MkDocs post-build hook.

[DEPS]

  • [DEPS] NGINX updated to v1.30.1.
  • [DEPS] ModSecurity updated to v3.0.15.
  • [DEPS] Mbed TLS updated to v4.1.0.
  • [DEPS] libinjection updated to v4.0.0.
  • [DEPS] coreruleset-v3 updated to v3.3.9.
  • [DEPS] coreruleset-v4 updated to v4.26.0.
  • [DEPS] LuaJIT updated to v2.1-20260415.
  • [DEPS] lua-resty-string updated to v0.17.
  • [DEPS] lua-cjson updated to v2.1.0.17.
  • [DEPS] Brotli updated to v1.2.0.
  • [DEPS] headers-more-nginx-module updated to v0.39.
  • [DEPS] CrowdSec updated to v1.7.8.

[CONTRIBUTION]

  • [CONTRIBUTION] Thank you @harshadkhetpal for exception handling improvements in the autoconf entrypoint. (#3421)
  • [CONTRIBUTION] Thank you @Simonmiz for the German Web UI translation. (#3422)
  • [CONTRIBUTION] Thank you @daemon-byte for adding the Cap.js self-hosted proof-of-work antibot mode. (#3454)
