Documentation : https://docs.bunkerweb.io/1.6.10~rc7/
Docker tags :
- All-in-one : `bunkerity/bunkerweb-all-in-one:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.10-rc7`
- BunkerWeb : `bunkerity/bunkerweb:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb:1.6.10-rc7`
- Scheduler : `bunkerity/bunkerweb-scheduler:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb-scheduler:1.6.10-rc7`
- Autoconf : `bunkerity/bunkerweb-autoconf:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb-autoconf:1.6.10-rc7`
- UI : `bunkerity/bunkerweb-ui:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb-ui:1.6.10-rc7`
- API : `bunkerity/bunkerweb-api:1.6.10-rc7` or `ghcr.io/bunkerity/bunkerweb-api:1.6.10-rc7`
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.10~rc7&filter=all&dist=
Changelog :
- [FEATURE] installer: `misc/install-bunkerweb.sh` interactive prompts now use a modern inline TUI via gum (`--tui`/`--no-tui`/`BW_INSTALL_TUI`). Three-tier dispatch — gum → whiptail (only if pre-installed) → plain `read` — keeps every host usable.
- [SECURITY] ui: neutralize CSV/XLSX formula injection (CWE-1236) in bans and reports exports. Server-side CSV now goes through `defusedcsv` (new pinned dep) and a shared `csv_safe()` helper escapes openpyxl XLSX cells; client-side DataTables `csv`/`excel`/`copy` buttons inherit the same rule via a global `bwCsvSafe` hook in `dataTableInit.js`. Cells whose first character is `= + - @ | %` are prefixed with `'`, and embedded `|` is backslash-escaped.
- [BUGFIX] metrics: bound per-worker LRU and per-key event-history arrays via new `MAX_LRU_HISTORY` setting (default `1k`) to close OSS RAM leak under high-cardinality block traffic.
- [BUGFIX] metrics: lower `METRICS_MAX_BLOCKED_REQUESTS_REDIS` default `100000` → `10k`.
- [BUGFIX] datastore: lower shared worker-LRU default `100000` → `1k`, configurable via new `DATASTORE_LRU_SIZE` global setting.
- [BUGFIX] modsec: fix memory leak in variables retrieval from modsecurity to lua
- [FEATURE] metrics/misc: `METRICS_MAX_BLOCKED_REQUESTS`, `METRICS_MAX_BLOCKED_REQUESTS_REDIS`, `MAX_LRU_HISTORY`, and `DATASTORE_LRU_SIZE` accept `k`/`m` shorthand.
- [UI] List pages: unrestricted `10/25/50/100` page-size dropdown, header checkbox selects current page only, with opt-in "Select all N matching" banner so bulk actions cover every page. (Fixes #3513)
- [FEATURE] all-in-one: embedded Redis now boots from a generated `/var/lib/bunkerweb/redis-runtime.conf` (copy of `/etc/redis.conf` + env-driven defaults for directives the conf is silent about). `.conf` always prevails; env vars `REDIS_MAXMEMORY`, `REDIS_MAXMEMORY_POLICY`, `REDIS_APPENDONLY`, `REDIS_SAVE`/`REDIS_SAVE_<N>` (BunkerWeb multi-value pattern; empty disables RDB) and `REDIS_PASSWORD` (wired to `requirepass`) only fill the gaps. Defaults follow the documented Redis Best Practices.
- [FEATURE] all-in-one/misc: default `maxmemory-policy` flipped from `allkeys-lru` to `volatile-lru` in the AIO entrypoint, the Linux installer, all bundled compose examples, and the Redis Best Practices docs. Transient counters (rate-limit, bad-behavior) now evict before keys with TTLs that matter for sessions and timed bans; permanent bans (no TTL) are immune.
- [FEATURE] ui: align Web UI session handling with the Lua `sessions` plugin three-tier model. `SESSION_LIFETIME_HOURS` (default `12`) now drives a sliding idling TTL refreshed on every request, new `SESSION_ABSOLUTE_HOURS` (default `168` = 7 days) enforces a hard cap regardless of activity, and new `SESSION_ROLLING_HOURS` (default `0` = disabled) optionally regenerates the session ID at a fixed interval. Combined with `volatile-lru`, recently active UI sessions are kept across Redis memory pressure.
- [FEATURE] installer: post-install "Next steps" prints the host's real IPv4 instead of the literal `your-server-ip` placeholder. Detection uses `ip route get` (kernel-authoritative outbound source) with RFC1918 → public → `hostname -I` → `ip addr` fallbacks, rejecting loopback and link-local. New `--server-ip <IP>` flag and `SERVER_IP_INPUT` env var override detection; on hosts with multiple global IPv4s, interactive installs show a numbered menu (kernel choice preselected). Placeholder is preserved only when no IPv4 is detectable. (Fixes #3527)
- [DEPS] Updated LuaJIT version to v2.1-20260415
- [DEPS] Updated lua-resty-string version to v0.17
- [DEPS] Updated lua-cjson version to v2.1.0.17
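
The cell rule from the [SECURITY] entry above, sketched as an added example. This is not BunkerWeb's `csv_safe()` or `defusedcsv` code: `neutralize_cell`, `export_rows` and the sample rows are hypothetical, and it assumes the `|` escaping applies only to cells that receive the `'` prefix and that real numeric values pass through unchanged.

```python
import csv
import io

# Trigger characters listed in the changelog entry.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "|", "%")


def neutralize_cell(value):
    """Return a spreadsheet-safe copy of one cell (hypothetical helper)."""
    if value is None:
        return ""
    # Assumption: int/float values cannot carry a formula, so only text is rewritten.
    if isinstance(value, (int, float)):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # Assumption: pipes are escaped only in cells that get the prefix.
        text = "'" + text.replace("|", "\\|")
    return text


def export_rows(header, rows):
    """Serialize rows to CSV text, neutralizing every cell, header included."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([neutralize_cell(c) for c in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample: ban records whose "reason" text is client-influenced.
SAMPLE_HEADER = ["ip", "reason", "count"]
SAMPLE_ROWS = [
    ["203.0.113.7", "bad behavior", 12],
    ["203.0.113.8", "=1+1", 3],
    ["203.0.113.9", "@SUM(A1:A9)|x", -1],   # integer -1 stays numeric
    ["203.0.113.10", "-2+3", 1],            # string starting with "-" is prefixed
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```

Text such as `"-2+3"` is prefixed even though it looks numeric, so exports that must keep negative values sortable should pass them as numbers rather than strings.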