github bunkerity/bunkerweb v1.6.12-rc3

pre-release, 5 hours ago

Documentation : https://docs.bunkerweb.io/1.6.12~rc3/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.12-rc3
  • BunkerWeb : bunkerity/bunkerweb:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb:1.6.12-rc3
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.12-rc3
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.12-rc3
  • UI : bunkerity/bunkerweb-ui:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb-ui:1.6.12-rc3
  • API : bunkerity/bunkerweb-api:1.6.12-rc3 or ghcr.io/bunkerity/bunkerweb-api:1.6.12-rc3

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.12~rc3&filter=all&dist=

Changelog :

  • [SECURITY] nginx: update nginx to 1.30.3 (except for Fedora, which stays on 1.30.2 until it is available in its repositories) to fix CVE-2026-42055 — a heap buffer overflow in ngx_http_proxy_v2_module/ngx_http_grpc_module — and CVE-2026-48142 — a heap buffer overread in ngx_http_charset_module.
  • [FEATURE] antibot: ANTIBOT_IGNORE_URI can now match full request URIs including query strings. (Fixes #3374)
  • [SECURITY] antibot: validate the post-challenge redirect target as a same-origin relative path (closes an open redirect via crafted Referer/request URI), keep the original query string out of the redirect URL, and reject malformed challenge submissions instead of erroring.
  • [BUGFIX] antibot: solving the challenge now returns to the originally requested URL instead of / on Chrome. (Fixes #3650)
  • [BUGFIX] api: a malformed API_ALLOWED_HOSTS wildcard (e.g. foo.*.com) no longer bricks the API on every request — the patterns are now validated at startup and a bad entry is logged and skipped, instead of tripping Starlette's TrustedHostMiddleware assertion lazily on the first request (which the add_middleware try/except could not catch) or being silently accepted under python -O.
  • [BUGFIX] letsencrypt: stale-ACME-account recovery now works under LETS_ENCRYPT_CONCURRENT_REQUESTS=yes — the JWS-rejection purge targeted the per-service temporary scratch dir (discarded on the failed run, merged back only on success) instead of the canonical account store, so a server-pruned account was restored on every retry and issuance kept failing identically. It now purges DATA_PATH/accounts.
  • [BUGFIX] letsencrypt (UI): deleting a certificate no longer fails with a 500 (leaving the cache row stale so the cert reappears on the next scheduler sync) when an unrelated orphaned certificate is present in the cache — the delete now bypasses the global consistency gate like the Heal flow, since removing one certificate cannot introduce a new orphan reference (the scheduler-side gate still guards against runtime poisoning).
  • [BUGFIX] datastore: setting DATASTORE_LRU_SIZE to any value other than the default (1k) no longer bricks every BunkerWeb worker API with HTTP 444 (a full scheduler↔worker bootstrap deadlock). The lazy per-worker LRU resize replaced the cache with a fresh empty instance mid-init_by_lua, discarding the bootstrap variables (including API_WHITELIST_IP) and plugin metadata it had just stored, so the API rejected every IP. The resize now migrates existing entries into the new cache and only ever grows above the default. (Fixes #3618)
  • [FEATURE] reverseproxy: verify the upstream HTTPS certificate with REVERSE_PROXY_SSL_VERIFY, REVERSE_PROXY_SSL_VERIFY_DEPTH, and a trusted CA as a path or base64/PEM data (REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE, _DATA, _PRIORITY), for HTTP and stream. The scheduler caches the CA and distributes it to every instance; fails safe to off when no CA is available. (Fixes #574)
  • [FEATURE] ui: overhaul the logs viewer — per-format syntax highlighting (BunkerWeb, certbot and NGINX access logs), severity filter chips with counts, in-page search and next/previous error navigation, live-tail with pause and a "new lines" cue, download/copy, an opt-in local-time toggle, and collapsible multi-line entries (tracebacks and config dumps fold to a labelled ⋯ N lines / Traceback (N lines) pill). Hiding a severity hides the whole multi-line entry, and the toolbar reflows into a tidy, touch-friendly layout on mobile.
  • [BUGFIX] ui: editing a service or global config in RAW mode no longer shatters multi-line "file" settings (PEM certificates and keys such as CUSTOM_SSL_CERT_DATA) into bogus variables. The RAW parser now reassembles multi-line values instead of splitting every line as KEY=VALUE, which previously produced a flood of "Variable not valid" errors and silently dropped the certificate, even when only an unrelated setting was edited. (Fixes #3651)
  • [FEATURE] ui: the RAW config editor can now fold multi-line file settings (certificates and keys) under their KEY= header into a labelled ⋯ N lines pill, with a collapse/expand-all toolbar toggle.
  • [DEPS] ui: update jQuery to v4.0.0.
  • [DEPS] ui: update Bootstrap to v5.3.8 and drop the redundant standalone Popper.js (it is already bundled in bootstrap.bundle.min.js).
  • [DEPS] ui: update DataTables (and bundled extensions) to v2.3.8.
  • [DEPS] ui: update Ace editor to v1.44.0.
  • [DEPS] ui: update ApexCharts.js to v5.15.0.
  • [DEPS] ui: update DOMPurify to v3.4.11.
  • [DEPS] ui: update i18next to v26.3.1 and i18next-http-backend to v4.0.0.
  • [DEPS] ui: update Perfect Scrollbar to v1.5.6.
  • [DEPS] ui: update lottie-player to v2.0.12, canvas-confetti to v1.9.4, and ipaddr.js to v2.4.0.
  • [DEPS] update build tooling — cssnano to v8.0.2 and domino to v2.1.7; remove the unused root jquery dependency.
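The antibot [SECURITY] entry above describes validating the post-challenge redirect target as a same-origin relative path. The sketch below is an added example of that kind of check, not BunkerWeb's own code (the antibot plugin is not written in Python); the function name, the fallback to `/` and the choice to discard the query string and fragment are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def safe_redirect_path(target, default="/"):
    """Return `target` reduced to a same-origin relative path, or `default`.

    Hypothetical helper: anything that a browser could resolve to another
    origin is replaced by `default` instead of being redirected to.
    """
    if not isinstance(target, str) or not target.startswith("/"):
        return default  # absolute URLs, "javascript:...", empty or non-string input
    if target.startswith("//") or "\\" in target:
        return default  # "//host" and "/\host" are scheme-relative for browsers
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return default  # whitespace and control characters (header splitting, URL cleanup quirks)
    try:
        parts = urlsplit(target)
    except ValueError:
        return default  # unparseable input is rejected rather than raising
    if parts.scheme or parts.netloc:
        return default  # must not carry a scheme or an authority
    return parts.path   # assumption: query string and fragment are not put in the redirect URL


# Constructed sample targets, as they might arrive from a Referer header or request URI.
SAMPLES = [
    "/account/settings",
    "/search?q=test#top",
    "//other.example/login",
    "/\\other.example/login",
    "https://other.example/",
    "/path\r\nSet-Cookie: x=1",
    "",
]


def check_samples():
    """Map each constructed sample to the path the redirect would actually use."""
    return {t: safe_redirect_path(t) for t in SAMPLES}


if __name__ == "__main__":
    for raw, safe in check_samples().items():
        print(f"{raw!r:40} -> {safe!r}")
```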
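The API_ALLOWED_HOSTS entry above turns on one detail: a wildcard rule enforced with `assert` fires late (when the middleware is first built) and disappears under `python -O`. The following added example, which is not BunkerWeb's code, applies the same wildcard rule as Starlette's TrustedHostMiddleware with explicit checks at startup and logs and skips bad entries; the function names and the space/comma-separated input format are assumptions.

```python
import logging

log = logging.getLogger("allowed_hosts_example")  # hypothetical logger name


def valid_host_pattern(pattern):
    """Wildcard rule: '*' alone, or one leading '*.' label; no '*' elsewhere.

    Written with plain `if` statements so the check still runs under
    `python -O`, where `assert` statements are compiled out.
    """
    if not pattern:
        return False
    if "*" in pattern[1:]:
        return False  # e.g. foo.*.com or *.*.com
    if pattern.startswith("*") and pattern != "*":
        return pattern.startswith("*.")  # rejects *example.com
    return True


def parse_allowed_hosts(raw):
    """Split the setting value (assumed space/comma separated) and keep
    only valid patterns; malformed ones are logged and skipped."""
    kept = []
    for entry in raw.replace(",", " ").split():
        if valid_host_pattern(entry):
            kept.append(entry)
        else:
            log.warning("ignoring malformed allowed-host pattern %r", entry)
    return kept


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample value containing the malformed pattern from the changelog.
    sample = "api.example.com, *.example.com foo.*.com *example.com"
    print(parse_allowed_hosts(sample))
```

The resulting list can then be handed to the middleware at startup, so a bad entry surfaces in the logs instead of on the first request.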
