Settings
Settings generator tool
To help you tune BunkerWeb, we have made an easy-to-use settings generator tool available at config.bunkerweb.io.
This section contains the full list of settings supported by BunkerWeb. If you are not yet familiar with BunkerWeb, you should first read the concepts section of the documentation. Please follow the instructions for your own integration on how to apply the settings.
As a general rule, when multisite mode is enabled and you want to apply a setting with multisite context to a specific server, you need to add the primary (first) server name as a prefix, for example `www.example.com_USE_ANTIBOT=captcha` or `myapp.example.com_USE_GZIP=yes`.

When a setting is marked as "multiple", you can define several groups of settings for the same feature by adding a number as a suffix, for example `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, and so on.
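The two naming conventions above (server-name prefix for multisite context, numeric suffix for "multiple" settings) modelled as a small resolver, added here as an example and not taken from BunkerWeb's own code. It assumes that the global `SERVER_NAME` lists the primary server names and that an unprefixed multisite setting acts as the fallback when no prefixed override exists; the sample environment is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample environment (not a real deployment) using both conventions.
SAMPLE_ENV: Dict[str, str] = {
    "MULTISITE": "yes",
    "SERVER_NAME": "www.example.com myapp.example.com",
    "USE_ANTIBOT": "no",                       # no prefix: applies unless overridden
    "www.example.com_USE_ANTIBOT": "captcha",  # prefixed with the primary server name
    "myapp.example.com_USE_GZIP": "yes",
    "www.example.com_REVERSE_PROXY_URL_1": "/subdir",  # "multiple": suffixes _1, _2
    "www.example.com_REVERSE_PROXY_HOST_1": "http://myhost1",
    "www.example.com_REVERSE_PROXY_URL_2": "/anotherdir",
    "www.example.com_REVERSE_PROXY_HOST_2": "http://myhost2",
    "example.com_USE_CORS": "yes",  # mistake: alias instead of the primary name
}


def resolve(env: Dict[str, str], setting: str, server: Optional[str] = None, default=None):
    """Effective value of a multisite-context setting for one server.
    Assumption (not stated on this page): the unprefixed value is the fallback
    for every server when no server-specific override exists."""
    if server and env.get("MULTISITE", "no") == "yes":
        override = env.get(f"{server}_{setting}")
        if override is not None:
            return override
    return env.get(setting, default)


def resolve_multiple(env: Dict[str, str], settings: List[str], server: Optional[str] = None):
    """Collect numbered groups (SETTING_1, SETTING_2, ...) of a 'multiple' feature,
    ordered by suffix; a group counts only if every listed setting is present."""
    prefix = f"{server}_" if server and env.get("MULTISITE") == "yes" else ""
    names = "|".join(map(re.escape, settings))
    pattern = re.compile(rf"^{re.escape(prefix)}(?:{names})_(\d+)$")
    suffixes = sorted({int(m.group(1)) for k in env if (m := pattern.match(k))})
    groups = []
    for n in suffixes:
        group = {s: env.get(f"{prefix}{s}_{n}") for s in settings}
        if all(v is not None for v in group.values()):
            groups.append(group)
    return groups


def unknown_prefixes(env: Dict[str, str]) -> List[str]:
    """Keys whose host-like prefix is not a primary server name: the usual mistake of
    prefixing with an alias rather than the first name in SERVER_NAME."""
    known = set(env.get("SERVER_NAME", "").split())
    return [k for k in env if "." in k.partition("_")[0] and k.partition("_")[0] not in known]
```

`unknown_prefixes` is the check worth running on any multisite `.env` before deploying: a setting prefixed with an alias rather than the primary name is silently ignored.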
Global settings
STREAM support
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| IS_LOADING | no | global | no | Internal use: set to yes when BW is loading. |
| NGINX_PREFIX | /etc/nginx/ | global | no | Where nginx will search for configurations. |
| HTTP_PORT | 8080 | global | no | HTTP port number which BunkerWeb binds to. |
| HTTPS_PORT | 8443 | global | no | HTTPS port number which BunkerWeb binds to. |
| MULTISITE | no | global | no | Multisite activation. |
| SERVER_NAME | www.example.com | multisite | no | List of the virtual hosts served by BunkerWeb. |
| WORKER_PROCESSES | auto | global | no | Number of worker processes. |
| WORKER_RLIMIT_NOFILE | 2048 | global | no | Maximum number of open files for worker processes. |
| WORKER_CONNECTIONS | 1024 | global | no | Maximum number of connections per worker. |
| LOG_FORMAT | $host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" | global | no | The format to use for access logs. |
| LOG_LEVEL | notice | global | no | The level to use for error logs. |
| DNS_RESOLVERS | 127.0.0.11 | global | no | DNS addresses of resolvers to use. |
| DATASTORE_MEMORY_SIZE | 64m | global | no | Size of the internal datastore. |
| CACHESTORE_MEMORY_SIZE | 64m | global | no | Size of the internal cachestore. |
| CACHESTORE_IPC_MEMORY_SIZE | 16m | global | no | Size of the internal cachestore (ipc). |
| CACHESTORE_MISS_MEMORY_SIZE | 16m | global | no | Size of the internal cachestore (miss). |
| CACHESTORE_LOCKS_MEMORY_SIZE | 16m | global | no | Size of the internal cachestore (locks). |
| USE_API | yes | global | no | Activate the API to control BunkerWeb. |
| API_HTTP_PORT | 5000 | global | no | Listen port number for the API. |
| API_LISTEN_IP | 0.0.0.0 | global | no | Listen IP address for the API. |
| API_SERVER_NAME | bwapi | global | no | Server name (virtual host) for the API. |
| API_WHITELIST_IP | 127.0.0.0/8 | global | no | List of IP/network allowed to contact the API. |
| AUTOCONF_MODE | no | global | no | Enable Autoconf Docker integration. |
| SWARM_MODE | no | global | no | Enable Docker Swarm integration. |
| KUBERNETES_MODE | no | global | no | Enable Kubernetes integration. |
| SERVER_TYPE | http | multisite | no | Server type: http or stream. |
| LISTEN_STREAM | yes | multisite | no | Enable listening for non-SSL (passthrough). |
| LISTEN_STREAM_PORT | 1337 | multisite | no | Listening port for non-SSL (passthrough). |
| LISTEN_STREAM_PORT_SSL | 4242 | multisite | no | Listening port for SSL (passthrough). |
| USE_UDP | no | multisite | no | UDP listen instead of TCP (stream). |
| USE_IPV6 | no | global | no | Enable IPv6 connectivity. |
Core settings
Antibot
STREAM support
Bot detection by using a challenge.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_ANTIBOT | no | multisite | no | Activate antibot feature. |
| ANTIBOT_URI | /challenge | multisite | no | Unused URI that clients will be redirected to in order to solve the challenge. |
| ANTIBOT_RECAPTCHA_SCORE | 0.7 | multisite | no | Minimum score required for reCAPTCHA challenge. |
| ANTIBOT_RECAPTCHA_SITEKEY | | multisite | no | Sitekey for reCAPTCHA challenge. |
| ANTIBOT_RECAPTCHA_SECRET | | multisite | no | Secret for reCAPTCHA challenge. |
| ANTIBOT_HCAPTCHA_SITEKEY | | multisite | no | Sitekey for hCaptcha challenge. |
| ANTIBOT_HCAPTCHA_SECRET | | multisite | no | Secret for hCaptcha challenge. |
| ANTIBOT_TIME_RESOLVE | 60 | multisite | no | Maximum time (in seconds) clients have to resolve the challenge. Once this time has passed, a new challenge will be generated. |
| ANTIBOT_TIME_VALID | 86400 | multisite | no | Maximum validity time of solved challenges. Once this time has passed, clients will need to resolve a new one. |
Auth basic
STREAM support
Enforce login before accessing a resource or the whole site using HTTP basic auth method.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_AUTH_BASIC | no | multisite | no | Use HTTP basic auth. |
| AUTH_BASIC_LOCATION | sitewide | multisite | no | URL of the protected resource or sitewide value. |
| AUTH_BASIC_USER | changeme | multisite | no | Username. |
| AUTH_BASIC_PASSWORD | changeme | multisite | no | Password. |
| AUTH_BASIC_TEXT | Restricted area | multisite | no | Text to display. |
Bad behavior
STREAM support
Ban IPs generating too many 'bad' HTTP status codes in a period of time.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_BAD_BEHAVIOR | yes | multisite | no | Activate Bad behavior feature. |
| BAD_BEHAVIOR_STATUS_CODES | 400 401 403 404 405 429 444 | multisite | no | List of HTTP status codes considered as 'bad'. |
| BAD_BEHAVIOR_BAN_TIME | 86400 | multisite | no | The duration (in seconds) of a ban when the corresponding IP has reached the threshold. |
| BAD_BEHAVIOR_THRESHOLD | 10 | multisite | no | Maximum number of 'bad' HTTP status codes within the period of time before the IP is banned. |
| BAD_BEHAVIOR_COUNT_TIME | 60 | multisite | no | Period of time (in seconds) during which 'bad' HTTP status codes are counted. |
Blacklist
STREAM support
Deny access based on internal and external IP/network/rDNS/ASN blacklists.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_BLACKLIST | yes | multisite | no | Activate blacklist feature. |
| BLACKLIST_IP | | multisite | no | List of IP/network, separated with spaces, to block. |
| BLACKLIST_IP_URLS | https://www.dan.me.uk/torlist/?exit | global | no | List of URLs, separated with spaces, containing bad IP/network to block. |
| BLACKLIST_RDNS_GLOBAL | yes | multisite | no | Only perform RDNS blacklist checks on global IP addresses. |
| BLACKLIST_RDNS | .shodan.io .censys.io | multisite | no | List of reverse DNS suffixes, separated with spaces, to block. |
| BLACKLIST_RDNS_URLS | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to block. |
| BLACKLIST_ASN | | multisite | no | List of ASN numbers, separated with spaces, to block. |
| BLACKLIST_ASN_URLS | | global | no | List of URLs, separated with spaces, containing ASN to block. |
| BLACKLIST_USER_AGENT | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to block. |
| BLACKLIST_USER_AGENT_URLS | https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list | global | no | List of URLs, separated with spaces, containing bad User-Agent to block. |
| BLACKLIST_URI | | multisite | no | List of URI (PCRE regex), separated with spaces, to block. |
| BLACKLIST_URI_URLS | | global | no | List of URLs, separated with spaces, containing bad URI to block. |
| BLACKLIST_IGNORE_IP | | multisite | no | List of IP/network, separated with spaces, to ignore in the blacklist. |
| BLACKLIST_IGNORE_IP_URLS | | global | no | List of URLs, separated with spaces, containing IP/network to ignore in the blacklist. |
| BLACKLIST_IGNORE_RDNS | | multisite | no | List of reverse DNS suffixes, separated with spaces, to ignore in the blacklist. |
| BLACKLIST_IGNORE_RDNS_URLS | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to ignore in the blacklist. |
| BLACKLIST_IGNORE_ASN | | multisite | no | List of ASN numbers, separated with spaces, to ignore in the blacklist. |
| BLACKLIST_IGNORE_ASN_URLS | | global | no | List of URLs, separated with spaces, containing ASN to ignore in the blacklist. |
| BLACKLIST_IGNORE_USER_AGENT | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to ignore in the blacklist. |
| BLACKLIST_IGNORE_USER_AGENT_URLS | | global | no | List of URLs, separated with spaces, containing User-Agent to ignore in the blacklist. |
| BLACKLIST_IGNORE_URI | | multisite | no | List of URI (PCRE regex), separated with spaces, to ignore in the blacklist. |
| BLACKLIST_IGNORE_URI_URLS | | global | no | List of URLs, separated with spaces, containing URI to ignore in the blacklist. |
Brotli
STREAM support
Compress HTTP requests with the brotli algorithm.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_BROTLI | no | multisite | no | Use brotli. |
| BROTLI_TYPES | application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml | multisite | no | List of MIME types that will be compressed with brotli. |
| BROTLI_MIN_LENGTH | 1000 | multisite | no | Minimum length for brotli compression. |
| BROTLI_COMP_LEVEL | 6 | multisite | no | The compression level of the brotli algorithm. |
BunkerNet
STREAM support
Share threat data with other BunkerWeb instances via BunkerNet.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_BUNKERNET | yes | multisite | no | Activate BunkerNet feature. |
| BUNKERNET_SERVER | https://api.bunkerweb.io | global | no | Address of the BunkerNet API. |
CORS
STREAM support
Cross-Origin Resource Sharing.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_CORS | no | multisite | no | Use CORS. |
| CORS_ALLOW_ORIGIN | * | multisite | no | Allowed origins to make CORS requests: PCRE regex or *. |
| CORS_EXPOSE_HEADERS | Content-Length,Content-Range | multisite | no | Value of the Access-Control-Expose-Headers header. |
| CORS_MAX_AGE | 86400 | multisite | no | Value of the Access-Control-Max-Age header. |
| CORS_ALLOW_CREDENTIALS | no | multisite | no | Send the Access-Control-Allow-Credentials header. |
| CORS_ALLOW_METHODS | GET, POST, OPTIONS | multisite | no | Value of the Access-Control-Allow-Methods header. |
| CORS_ALLOW_HEADERS | DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range | multisite | no | Value of the Access-Control-Allow-Headers header. |
| CORS_DENY_REQUEST | yes | multisite | no | Deny the request and don't send it to the backend if the Origin is not allowed. |
Client cache
STREAM support
Manage caching for clients.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_CLIENT_CACHE | no | multisite | no | Tell the client to store static files locally. |
| CLIENT_CACHE_EXTENSIONS | jpg\|jpeg\|png\|bmp\|ico\|svg\|tif\|css\|js\|otf\|ttf\|eot\|woff\|woff2 | global | no | List of file extensions, separated with pipes, that should be cached. |
| CLIENT_CACHE_ETAG | yes | multisite | no | Send the HTTP ETag header for static resources. |
| CLIENT_CACHE_CONTROL | public, max-age=15552000 | multisite | no | Value of the Cache-Control HTTP header. |
Country
STREAM support
Deny access based on the country of the client IP.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| BLACKLIST_COUNTRY | | multisite | no | Deny access if the country of the client is in the list (2-letter code). |
| WHITELIST_COUNTRY | | multisite | no | Deny access if the country of the client is not in the list (2-letter code). |
Custom HTTPS certificate
STREAM support
Choose custom certificate for HTTPS.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_CUSTOM_SSL | no | multisite | no | Use custom HTTPS certificate. |
| CUSTOM_SSL_CERT | | multisite | no | Full path of the certificate or bundle file. |
| CUSTOM_SSL_KEY | | multisite | no | Full path of the key file. |
DB
STREAM support
Easily integrate the database.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| DATABASE_URI | sqlite:////var/lib/bunkerweb/db.sqlite3 | global | no | The database URI, following the SQLAlchemy format. |
DNSBL
STREAM support
Deny access based on external DNSBL servers.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_DNSBL | yes | multisite | no | Activate DNSBL feature. |
| DNSBL_LIST | bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org | global | no | List of DNSBL servers. |
Errors
STREAM support
Manage default error pages.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| ERRORS | | multisite | no | List of HTTP error codes and corresponding error pages, separated with spaces (404=/my404.html 403=/errors/403.html ...). |
| INTERCEPTED_ERROR_CODES | 400 401 403 404 405 413 429 500 501 502 503 504 | multisite | no | List of HTTP error codes intercepted by BunkerWeb. |
Greylist
STREAM support
Allow access while keeping security features based on internal and external IP/network/rDNS/ASN greylists.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_GREYLIST | no | multisite | no | Activate greylist feature. |
| GREYLIST_IP | | multisite | no | List of IP/network, separated with spaces, to put into the greylist. |
| GREYLIST_IP_URLS | | global | no | List of URLs, separated with spaces, containing good IP/network to put into the greylist. |
| GREYLIST_RDNS_GLOBAL | yes | multisite | no | Only perform RDNS greylist checks on global IP addresses. |
| GREYLIST_RDNS | | multisite | no | List of reverse DNS suffixes, separated with spaces, to put into the greylist. |
| GREYLIST_RDNS_URLS | | global | no | List of URLs, separated with spaces, containing reverse DNS suffixes to put into the greylist. |
| GREYLIST_ASN | | multisite | no | List of ASN numbers, separated with spaces, to put into the greylist. |
| GREYLIST_ASN_URLS | | global | no | List of URLs, separated with spaces, containing ASN to put into the greylist. |
| GREYLIST_USER_AGENT | | multisite | no | List of User-Agent (PCRE regex), separated with spaces, to put into the greylist. |
| GREYLIST_USER_AGENT_URLS | | global | no | List of URLs, separated with spaces, containing good User-Agent to put into the greylist. |
| GREYLIST_URI | | multisite | no | List of URI (PCRE regex), separated with spaces, to put into the greylist. |
| GREYLIST_URI_URLS | | global | no | List of URLs, separated with spaces, containing URI to put into the greylist. |
Gzip
STREAM support
Compress HTTP requests with the gzip algorithm.
| Setting | Default | Context | Multiple | Description |
|---|---|---|---|---|
| USE_GZIP | no | multisite | no | Use gzip. |
| GZIP_TYPES | application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml | multisite | no | List of MIME types that will be compressed with gzip. |
| GZIP_MIN_LENGTH | 1000 | multisite | no | Minimum length for gzip compression. |
| GZIP_COMP_LEVEL | 5 | multisite | no | The compression level of the gzip algorithm. |
HTML injection
STREAM support
Inject custom HTML code before the