How to use bunker with services in different hosts without weakening security #1137

Closed
sbe-arg opened this issue May 1, 2024 · 7 comments

@sbe-arg

sbe-arg commented May 1, 2024

Can I have bunker in host1 and services in host2 and host3 and reverse proxy by host IP?

I have been trying to do this, but:
1- Services don't work, either with or without Let's Encrypt, over HTTP or HTTPS.
2- Let's Encrypt fails. I assume because services don't work.

@TheophileDiot
Member

Hi @sbe-arg, yes you can. Are you creating the config via the web UI?

Also it would really help if you could provide the following information:

  • The version you’re using of BunkerWeb
  • The integration you’re using
  • Some system information like your OS
  • Your BW configuration (e.g. compose file, variables.env, …)
  • Some logs if they are available

@sbe-arg
Author

sbe-arg commented May 2, 2024

Was setting it up via docker compose.

Using the latest version and the autoconf.

The host is Ubuntu 22.04.

I'll paste the template tomorrow, I'm AFK atm.

@TheophileDiot
Member

No worries, thank you for that information 🙏

@sbe-arg
Author

sbe-arg commented May 5, 2024

In my direct attempts without NPM, directly exposing the HTTP and HTTPS bunker ports, it loop-crashes requesting the cert (or certs, if I add more sites). Basically the same setup without the following block.

      - USE_REAL_IP=yes
      - USE_PROXY_PROTOCOL=yes
      - REAL_IP_FROM=192.168.1.ip/32 # <<< the ip of the proxy manager
      #- REAL_IP_HEADER=X-Forwarded-For # <<< I have no clue if I have explicitly set X-Forwarded-For in NPM

It relates to this topic about how to place it behind NPM: #608

In NPM: sub.domain.tld (handles the domain) > destination http://ip-bunkerweb:port

name: 'waf'

services:

  bunkerweb:
    image: bunkerity/bunkerweb:1.5.6
    ports:
      - 20080:8080 # trying to place it behind nginx proxy manager
      - 20443:8443 # trying to place it behind nginx proxy manager
    labels:
      - "bunkerweb.INSTANCE=yes"
    environment:
      - USE_REAL_IP=yes
      - USE_PROXY_PROTOCOL=yes
      - REAL_IP_FROM=192.168.1.ip/32 # <<< the ip of the proxy manager
      #- REAL_IP_HEADER=X-Forwarded-For # <<< I have no clue if I have explicitly set X-Forwarded-For in NPM
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24 192.168.1.0/24
      - MULTISITE=yes
      - SERVER_NAME=sub.domain.tld
      - USE_REVERSE_PROXY=yes # Will be applied to all server config
      - REVERSE_PROXY_URL=/ # Will be applied to all server config
      - sub.domain.tld_REVERSE_PROXY_HOST=http://192.168.1.ip:port
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.6
    depends_on:
      - bunkerweb
      - bw-docker
    volumes:
      - bw-data:/data
    environment:
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-docker:
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

volumes:
  bw-data:

networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker
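
The trust decision behind `REAL_IP_FROM` and `X-Forwarded-For` in the settings above, as an added example that is not part of the original post or BunkerWeb's own code: it compares a `/32` scoped to the proxy with a LAN-wide range. It assumes these settings follow nginx realip semantics with recursive lookup; `resolve_client_ip` is a hypothetical helper and every address is constructed.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff_header, trusted_cidrs):
    """Model of real-IP resolution with recursive lookup (hypothetical helper).

    peer_ip       -- TCP source address of the connection reaching the WAF
    xff_header    -- raw X-Forwarded-For value, or None when absent
    trusted_cidrs -- networks allowed to supply the header (REAL_IP_FROM)
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an untrusted peer is ignored: any client can set it.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return str(peer)  # simplification: malformed header falls back to peer
    # Walk right to left; the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])  # every hop was a trusted proxy

# Constructed addresses: 192.168.1.10 stands in for the proxy manager,
# 192.168.1.55 for some other LAN host that can reach the published port.
PROXY, OTHER_LAN_HOST = "192.168.1.10", "192.168.1.55"
NARROW = ["192.168.1.10/32"]   # only the proxy may supply the header
WIDE = ["192.168.1.0/24"]      # the whole LAN may supply the header

def demo():
    return {
        "via_proxy": resolve_client_ip(PROXY, "203.0.113.7", NARROW),
        "forged_prefix": resolve_client_ip(PROXY, "10.0.0.1, 203.0.113.7", NARROW),
        "bypass_narrow": resolve_client_ip(OTHER_LAN_HOST, "198.51.100.9", NARROW),
        "bypass_wide": resolve_client_ip(OTHER_LAN_HOST, "198.51.100.9", WIDE),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:14} -> {ip}")
```

With the `/32`, a host that skips the proxy is recorded under its own address; with the `/24`, the same host chooses the address the WAF records.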

@sbe-arg
Author

sbe-arg commented May 5, 2024

This is the Let's Encrypt crash:

bunkerweb-1  | 2024/05/05 21:35:35 [error] 51#51: [LETSENCRYPT] error while reading files : /var/cache/bunkerweb/letsencrypt/etc/live/sub.domain.tld/fullchain.pem = /var/cache/bunkerweb/letsencrypt/etc/live/sub.domain.tld/fullchain.pem: No such file or directory
bunkerweb-1  | 2024/05/05 21:35:35 [error] 51#51: [INIT] letsencrypt:init() call failed : error reading files

@sbe-arg
Author

sbe-arg commented May 5, 2024

Actually... big big apologies...
I had a block rule for the new host that I moved all containers to...

It now works fine 🤦

sbe-arg closed this as completed May 5, 2024

@TheophileDiot
Member

Hi @sbe-arg, happy to hear you found a solution!
Enjoy bunkerizing your services 🚀
