
[BUG] IPs in WHITELIST_IP get banned for Bad Behavior in the middle of the night #922

Closed
axeleroy opened this issue Feb 7, 2024 · 10 comments
Labels: bug (Something isn't working)

Comments
@axeleroy

axeleroy commented Feb 7, 2024

What happened?

Hello,

I have set up Uptime Kuma to track the uptime of services hosted behind BunkerWeb. Since updating to BunkerWeb 1.5.5, every night near 03:00 my local gateway (through which Uptime Kuma pings my services) gets banned, even though its IP is in the WHITELIST_IP environment variable.

How to reproduce?

  1. Deploy BunkerWeb and a service using the docker-compose.yml files below
  2. Deploy Uptime Kuma and create an HTTP(s) Monitor to ping the deployed service
    • Use the domain name in the URL
    • In my case, the domain points to my ISP router in bridge mode, so every query made on the local network is sent from 192.168.0.1
  3. Wait until ~3:00 AM
  4. 192.168.0.1 is banned and the Uptime Kuma monitor is down

Configuration file(s) (yaml or .env)

bunkerweb/docker-compose.yml

version: '3'

services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.5
    container_name: bunkerweb
    ports:
      - 8080:8080
      - 8443:8443
    environment:
      - SERVER_NAME=
      - AUTOCONF_MODE=yes
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      - MULTISITE=yes
      - DATABASE_URI=mariadb+pymysql://bunkerweb:XXXXXXXXXXXXX@bw-db:3306/db
      - DISABLE_DEFAULT_SERVER=yes
      - USE_REAL_IP=yes
      - REAL_IP_FROM=192.168.0.0/24 172.18.0.0/16
      - REAL_IP_HEADER=X-Forwarded-For
      - WHITELIST_IP=192.168.0.1 192.168.0.0/24 192.168.1.0/24
      - INTERCEPTED_ERROR_CODES=405 413 429 500 501 502 503 504
      - AUTO_LETS_ENCRYPT=yes
      - EMAIL_LETS_ENCRYPT=XXXXXXXXXXXXX
      - SERVE_FILES=no
      - ALLOWED_METHODS=GET|POST|PUT|PATCH|DELETE|HEAD
    labels:
      - "bunkerweb.INSTANCE=yes"
    networks:
      - bw-universe
      - bw-services
    restart: unless-stopped

  bw-autoconf:
    depends_on:
      - bunkerweb
      - bw-docker
    image: bunkerity/bunkerweb-autoconf:1.5.5
    container_name: bunkerweb-autoconf
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:XXXXXXXXXXXXXX@bw-db:3306/db
      - AUTOCONF_MODE=yes
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.5
    container_name: bunkerweb-scheduler
    depends_on:
      - bunkerweb
      - bw-docker
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:XXXXXXXXXX@bw-db:3306/db
      - DOCKER_HOST=tcp://bw-docker:2375
      - AUTOCONF_MODE=yes
    volumes:
      - letsencrypt:/var/cache/bunkerweb/letsencrypt
    networks:
      - bw-universe
      - bw-docker

  bw-docker:
    image: tecnativa/docker-socket-proxy:nightly
    container_name: bunkerweb-docker-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

  bw-db:
    image: mariadb:10.10
    container_name: bunkerweb-db
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      - MYSQL_PASSWORD=XXXXXXXXXXX
    volumes:
      - bunkerweb-data:/var/lib/mysql
    networks:
      - bw-docker

volumes:
  bunkerweb-data:
  letsencrypt:
  planning-poker-data:
  freshrss-data:
  freshrss-extensions:
  n8n-data:

networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker

freshrss/docker-compose.yml

version: '3'

services:
  freshrss:
    image: freshrss/freshrss:1.23.1
    container_name: freshrss
    networks:
      bw-services:
        aliases:
          - freshrss
    expose:
      - 80
    environment:
      - TZ=Europe/Paris
      - CRON_MIN=*/15
      - LISTEN=0.0.0.0:80
    volumes:
      - freshrss-data:/var/www/FreshRSS/data
      - freshrss-extensions:/var/www/FreshRSS/extensions
    restart: unless-stopped
    dns:
      - 192.168.0.113
    labels:
      - "bunkerweb.SERVER_NAME=freshrss.domain.com"
      - "bunkerweb.USE_REVERSE_PROXY=yes"
      - "bunkerweb.REVERSE_PROXY_URL=/"
      - "bunkerweb.REVERSE_PROXY_HOST=http://freshrss"
      - "bunkerweb.USE_LIMIT_REQ=no"

networks:
  bw-services:
    external: true
    name: bw-services

volumes:
  freshrss-data:
    name: bunkerweb_freshrss-data
    external: true
  freshrss-extensions:
    name: bunkerweb_freshrss-extensions
    external: true

Relevant log output

I could not really find anything relevant, other than a few findings that confuse me:

  • the timing of the Uptime Kuma monitor going down seems to match the ModSecurity configuration reload

  • but there are occurrences of the IP getting banned before the monitor reports being down at 2024-02-07 03:05:25

    2024/02/07 02:55:00 [warn] 147364#147364: *561287 [ACCESS] IP 192.168.0.1 is banned with reason bad behavior (83112.277s remaining), client: 192.168.0.1, server: jellyfin.selfhosting.domain.com, request: "GET /Users/XXXXXXXXXX/Items/Latest?Limit=12&ParentId=XXXXXXXX HTTP/1.1", host: "jellyfin.selfhosting.domain.com"

BunkerWeb version

1.5.5

What integration are you using?

Autoconf

Linux distribution (if applicable)

Ubuntu Server 22.04

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
@axeleroy axeleroy added the bug Something isn't working label Feb 7, 2024
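A defender-side sanity check, added here and not part of the issue or of BunkerWeb itself: it parses [ACCESS] ban lines in the format quoted in the report and flags any banned address that falls inside the posted WHITELIST_IP value, which is exactly the condition this bug produced. The log lines and hostnames in the sample are constructed.

```python
import ipaddress
import re

# WHITELIST_IP value as posted in the issue: space-separated IPs and CIDRs.
WHITELIST_IP = "192.168.0.1 192.168.0.0/24 192.168.1.0/24"

# Matches the "[ACCESS] IP ... is banned with reason ..." message quoted in the report.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[warn\] .*?"
    r"\[ACCESS\] IP (?P<ip>\S+) is banned with reason (?P<reason>.+?) "
    r"\((?P<remaining>[\d.]+)s remaining\)"
)

def parse_whitelist(value):
    """Turn the space-separated WHITELIST_IP string into network objects.
    A bare address such as 192.168.0.1 becomes a single-host network."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def is_whitelisted(ip, networks):
    """True if the address is covered by any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def find_whitelisted_bans(log_lines, whitelist_value):
    """Return (timestamp, ip, reason) for every ban applied to a whitelisted IP."""
    nets = parse_whitelist(whitelist_value)
    hits = []
    for line in log_lines:
        m = BAN_RE.search(line.strip())
        if m and is_whitelisted(m["ip"], nets):
            hits.append((m["ts"], m["ip"], m["reason"]))
    return hits

# Constructed sample log: one ban of the whitelisted gateway, one of an outside IP.
SAMPLE_LOG = [
    '2024/02/07 02:55:00 [warn] 147364#147364: *561287 [ACCESS] IP 192.168.0.1 is banned with reason bad behavior (83112.277s remaining), client: 192.168.0.1, server: jellyfin.example.com, request: "GET / HTTP/1.1", host: "jellyfin.example.com"',
    '2024/02/07 02:56:10 [warn] 147364#147364: *561301 [ACCESS] IP 203.0.113.7 is banned with reason bad behavior (86399.000s remaining), client: 203.0.113.7, server: freshrss.example.com, request: "GET / HTTP/1.1", host: "freshrss.example.com"',
]

if __name__ == "__main__":
    for ts, ip, reason in find_whitelisted_bans(SAMPLE_LOG, WHITELIST_IP):
        print(f"{ts}: whitelisted IP {ip} was banned ({reason})")
```

Run it over the BunkerWeb error log (e.g. with `grep '\[ACCESS\]'` piped into a small wrapper) to get an alert whenever the whitelist is not honoured.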
@TheophileDiot
Member

Hi @axeleroy, thank you for opening this issue. I'll investigate this and let you know.

@TheophileDiot TheophileDiot self-assigned this Feb 13, 2024
TheophileDiot added a commit that referenced this issue Feb 13, 2024
@TheophileDiot
Member

This commit should fix your issue; now the whitelist will also be executed on the default-server 😄

@axeleroy
Author

So I just have to pull the dev images? Any other changes I should be aware of before deploying?

@TheophileDiot
Member

TheophileDiot commented Feb 14, 2024

Every change should be listed right here:
https://github.com/bunkerity/bunkerweb/blob/dev/CHANGELOG.md

@axeleroy
Author

Thanks! A bit off-topic but I read "Add new Metrics core plugin that will allow metrics collection and retrieval of internal metrics", is it documented somewhere already? 👀

@TheophileDiot
Member

It's a secret 🤫 (stay tuned for more information on the metrics) 🚀

@axeleroy
Author

I can confirm the bug has been fixed, thanks!

@TheophileDiot
Member

@axeleroy Happy to see that you can also confirm it 😄

Let's keep that Issue open until the fix is present on an official release if that's alright with you.

@fl0ppy-d1sk
Member

Hello @axeleroy,

The fix should be available in the testing version, more info here: https://docs.bunkerweb.io/testing/

Don't hesitate to test it and tell us if everything is ok!

@fl0ppy-d1sk
Member

Hello @axeleroy,

The fix is now available in the v1.5.6 release. Thanks for your feedback!
