github bunkerity/bunkerweb v1.6.10-rc4
on GitHub

pre-release10 hours ago

Documentation : https://docs.bunkerweb.io/1.6.10~rc4/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.10-rc4
  • BunkerWeb : bunkerity/bunkerweb:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb:1.6.10-rc4
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.10-rc4
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.10-rc4
  • UI : bunkerity/bunkerweb-ui:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb-ui:1.6.10-rc4
  • API : bunkerity/bunkerweb-api:1.6.10-rc4 or ghcr.io/bunkerity/bunkerweb-api:1.6.10-rc4

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.10~rc4&filter=all&dist=

Changelog :

  • [SECURITY] Harden AIO log wrapper: strip C0/C1 control chars from service output to prevent terminal injection in docker logs, disable pathname expansion around HIDE_SERVICE_LOGS word splitting, and reject .. path-traversal segments in LOG_FILE_PATH validation.
  • [SECURITY] Harden the AIO logstream.sh nginx/ModSecurity log forwarder with the same C0/DEL control-character strip as service-log-wrapper.sh, so attacker-controlled access.log/error.log/modsec_audit.log content cannot inject ANSI/CSI/OSC escape sequences into docker logs output.
  • [SECURITY] errors: honor DENY_HTTP_STATUS=444 on /bwerror* handlers — close the connection instead of serving the branded BunkerWeb error page. (Fixes #3448)
  • [BUGFIX] Throttle repeated Redis-failure logs in metrics, sessions, and badbehavior timer hooks: errors of the same kind now log once then recap with a count at 60s window boundaries instead of flooding the error log on every tick.
  • [BUGFIX] Add multisite SESSIONS_DOMAIN setting (default empty) that emits a Domain attribute on the session cookie per server, allowing antibot/challenge state to be shared across sibling subdomains of the same registrable domain. (Fixes #3415)
  • [BUGFIX] Web UI: launch tmp-gunicorn with env -u LOG_FILE_PATH so the bootstrap UI falls back to its own tmp-ui.log instead of colliding with the main UI's ui.log.
  • [BUGFIX] Fix securitytxt RFC 9116 compliance: populate the default Canonical: URL (was https:///.well-known/security.txt), emit Expires: as UTC with a trailing Z, rename the field to Acknowledgments:, and cache the auto-generated expiry per server so the served file is byte-stable across requests.
  • [BUGFIX] Fix DATABASE_URI driver injection corrupting hostnames when the host matches the scheme name (e.g. postgresql://u:p@postgresql:5432/db). Use SQLAlchemy's make_url + URL.set(drivername=...) instead of str.replace so only the scheme is rewritten. (Fixes #3438)
  • [BUGFIX] badbehavior: don't increment the counter for already-banned IPs. Log phase fast-paths on ctx.bw.is_banned; timer phase re-checks is_banned() authoritatively (Redis reachable) before calling increase(). (Fixes #3448)
  • [BUGFIX] Add REVERSE_PROXY_MODSECURITY multisite setting (default yes) that emits modsecurity off; in the per-URL reverse-proxy location block when set to no, working around the ModSecurity-nginx connector's full-body buffering that causes OOM on large uploads. (Fixes #3154)
  • [FEATURE] Let's Encrypt: new LETS_ENCRYPT_MAX_LOG_BACKUPS global setting (default 50) caps certbot's own log rotation via --max-log-backups, preventing the default 1000-file pile-up in every integration mode.
  • [ALL-IN-ONE] Python services (UI, API, scheduler, autoconf) now log to the container's stdout/stderr only. service-log-wrapper.sh prefixes each line with [SERVICE], strips control characters, and honors HIDE_SERVICE_LOGS; no on-disk files are written. Retention is managed by the container logging driver (docker logs, journald, ...).
  • [UI] Fix "Blocked Requests by Country" map: an off-by-one in getColor() plus an HSL-ramp clip to #000 collapsed every populated country to the same color.
  • [UI] Add import/export for custom configurations, with an opt-in .zip bundle that lets a service export include its attached custom configurations and re-import them in one shot.
  • [AUTOCONF] Fix Kubernetes ingress rules being silently dropped and never recovering when a backend Service isn't visible to a GET at apply time (apiserver watch-vs-GET race seen on AKS). A background worker retries missing backends with exponential backoff and re-triggers the apply once they appear.
  • [AUTOCONF] Relax the empty SERVER_NAME guard in Database.save_config for autoconf: if every existing service is autoconf/scheduler-owned, treat the empty list as a legitimate full-teardown and clear the services instead of aborting. Mixed-ownership DBs still abort.
  • [AUTOCONF] Add AUTOCONF_DISABLE_CLEANUP (default no): convert services removed from the orchestrator to draft instead of deleting them, and let the Web UI delete drafted autoconf services.
  • [CONTRIBUTION] Thank you @harshadkhetpal for your contribution regarding exception handling in the autoconf entrypoint. (#3421)
  • [CONTRIBUTION] Thank you @Simonmiz for your contribution regarding the German translation of the web UI. (#3422)
  • [CONTRIBUTION] Thank you @daemon-byte for your contribution adding the Cap.js self-hosted proof-of-work antibot mode. (#3454)
Check out latest releases or
releases around bunkerity/bunkerweb v1.6.10-rc4

Don't miss a new bunkerweb release

NewReleases is sending notifications on new releases.

Get notifications