bunkerity
diff --git a/‎docs/assets/img/ui-wizard-step1.png
32.6 KB b/‎docs/assets/img/ui-wizard-step1.png
32.6 KB
diff --git a/‎docs/assets/img/ui-wizard-step2-advanced.png
191 KB b/‎docs/assets/img/ui-wizard-step2-advanced.png
191 KB
diff --git a/‎docs/assets/img/ui-wizard-step2.png
19.8 KB b/‎docs/assets/img/ui-wizard-step2.png
19.8 KB
diff --git a/‎docs/assets/img/ui-wizard-step3.png
95.4 KB b/‎docs/assets/img/ui-wizard-step3.png
95.4 KB
diff --git a/‎docs/assets/img/ui-wizard-step4.png
98.2 KB b/‎docs/assets/img/ui-wizard-step4.png
98.2 KB
diff --git a/‎docs/features.md
Lines changed: 2 additions & 1 deletion b/‎docs/features.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/quickstart-guide.md
Lines changed: 37 additions & 7 deletions b/‎docs/quickstart-guide.md
Lines changed: 37 additions & 7 deletions
diff --git a/‎docs/web-ui.md
Lines changed: 21 additions & 9 deletions b/‎docs/web-ui.md
Lines changed: 21 additions & 9 deletions
@@ -1612,7 +1612,7 @@ CrowdSec is a modern, open-source security engine that detects and blocks malici
           - bw-db
 
       crowdsec:
-        image: crowdsecurity/crowdsec:v1.6.6 # Use the latest version but always pin the version for a better stability/security
+        image: crowdsecurity/crowdsec:v1.6.10 # Use the latest version but always pin the version for a better stability/security
         volumes:
           - cs-data:/var/lib/crowdsec/data # To persist the CrowdSec data
           - bw-logs:/var/log:ro # The logs of BunkerWeb for CrowdSec to parse
@@ -4650,6 +4650,7 @@ ROBOTSTXT_SITEMAP: "https://example.com/sitemap.xml"
 ---
 
 For more information, see the [robots.txt documentation](https://www.robotstxt.org/robotstxt.html).
+
 ## SSL
 
 STREAM support :white_check_mark:
 
@@ -372,7 +372,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.3-rc1
         image: bunkerity/bunkerweb-ui:1.6.3-rc1
         environment:
           <<: *bw-ui-env
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         restart: "unless-stopped"
         networks:
           - bw-universe
@@ -542,7 +542,7 @@ See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.6.3-rc1
         image: bunkerity/bunkerweb-ui:1.6.3-rc1
         environment:
           <<: *bw-ui-env
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         restart: "unless-stopped"
         networks:
           - bw-universe
@@ -608,21 +608,51 @@ You should see a setup page just like this one:
 
 Once you're on the setup page, you can enter the **administrator username, email, and password** and click on the "Next" button.
 
-### Configure the Reverse Proxy and HTTPS
+### Configure the Reverse Proxy, HTTPS and other advanced settings
 
-The next step will ask you to enter the **server name** (domain/FQDN) that the web UI will use. You can also choose to enable **Let's Encrypt** or use a **custom certificate**.
+=== "Basic setup"
+
+    The next step will ask you to enter the **server name** (domain/FQDN) that the web UI will use.
+
+    You can also choose to enable [Let's Encrypt](features.md#lets-encrypt)
+
+    <figure markdown>
+      ![Setup Wizard step 2](assets/img/ui-wizard-step2.png){ align=center }
+      <figcaption>Setup Wizard step 2</figcaption>
+    </figure>
+
+=== "Advanced setup"
+
+    The next step will ask you to enter the **server name** (domain/FQDN) that the web UI will use.
+
+    You can also choose to enable [Let's Encrypt](features.md#lets-encrypt).
+
+    If you expand the `Advanced settings` section, you can also configure the following options:
+
+    * **Reverse Proxy**: Tweak the Reverse Proxy settings for your administrator interface (e.g., if you want to use a path).
+    * [Real IP](features.md#real-ip): Configure the Real IP settings to properly identify the client's IP address (e.g., if you are behind a load balancer or a CDN).
+    * [Custom Certificate](features.md#custom-ssl-certificate): Upload a custom TLS certificate if you don't want to use Let's Encrypt.
+
+    <figure markdown>
+      ![Setup Wizard step 2](assets/img/ui-wizard-step2-advanced.png){ align=center }
+      <figcaption>Setup Wizard step 2 (advanced)</figcaption>
+    </figure>
+
+### PRO activation
+
+If you have a PRO license, you can activate it by entering your license key in the `Upgrade to PRO` section. This will enable the PRO features of BunkerWeb.
 
 <figure markdown>
-  ![Setup Wizard step 2](assets/img/ui-wizard-step2.png){ align=center }
-  <figcaption>Setup Wizard step 2</figcaption>
+  ![Setup Wizard PRO step](assets/img/ui-wizard-step3.png){ align=center }
+  <figcaption>Setup Wizard PRO step</figcaption>
 </figure>
 
 ### Overview of your settings
 
 The last step will give you an overview of the settings you've entered. You can click on the "Setup" button to complete the setup.
 
 <figure markdown>
-  ![Setup Wizard final step](assets/img/ui-wizard-step3.png){ align=center }
+  ![Setup Wizard final step](assets/img/ui-wizard-step4.png){ align=center }
   <figcaption>Setup Wizard final step</figcaption>
 </figure>
 
 
@@ -165,7 +165,7 @@ To keep the logs accessible from the web UI, we recommend that you use a syslog
           DATABASE_URI: "mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db" # Remember to set a stronger password for the database
           ADMIN_USERNAME: "changeme"
           ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the admin user
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         volumes:
           - bw-logs:/var/log/bunkerweb # This is the volume used to store the logs
         restart: "unless-stopped"
@@ -302,7 +302,7 @@ To keep the logs accessible from the web UI, we recommend that you use a syslog
           <<: *bw-ui-env
           ADMIN_USERNAME: "changeme"
           ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the admin user
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         volumes:
           - bw-logs:/var/log/bunkerweb
         restart: "unless-stopped"
@@ -451,6 +451,18 @@ Please note that when your username or password is updated, you will be logout f
 
 ### Two-Factor authentication
 
+!!! tip "Mandatory encryption keys"
+
+    When enabling 2FA, you must provide at least one encryption key. This key will be used to encrypt your TOTP secrets.
+
+    The recommended way to generate a valid key is to use the `passlib` package:
+
+    ```shell
+    python3 -c "from passlib import totp; print(totp.generate_secret())"
+    ```
+
+    Set the generated key in the `TOTP_ENCRYPTION_KEYS` environment variable of the web UI. You can also set multiple keys separated by spaces or as a dictionary (for backward compatibility).
+
 !!! warning "Lost secret key"
 
     In case you lost your secret key, two options are available:
@@ -514,7 +526,7 @@ The web UI can be deployed and configured without going through the setup wizard
     - `ADMIN_USERNAME`: username to access the web UI.
     - `ADMIN_PASSWORD`: password to access the web UI.
     - `FLASK_SECRET`: a secret key used to encrypt the session cookie (if not set, a random key will be generated).
-    - `TOTP_SECRETS`: a list of TOTP secrets separated by spaces or a dictionary (e.g.: `{"1": "mysecretkey"}` or `mysecretkey` or `mysecretkey mysecretkey1`). **We strongly recommend you to set this variable if you want to use 2FA, as it will be used to encrypt the TOTP secret keys** (if not set, a random number of secret keys will be generated). Check out the [passlib documentation](https://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html#application-secrets) for more information.
+    - `TOTP_ENCRYPTION_KEYS` (or `TOTP_SECRETS`): a list of TOTP encryption keys separated by spaces or a dictionary (e.g.: `{"1": "mysecretkey"}` or `mysecretkey` or `mysecretkey mysecretkey1`). **We strongly recommend you to set this variable if you want to use 2FA, as it will be used to encrypt the TOTP secret keys** (if not set, a random number of secret keys will be generated). Check out the [passlib documentation](https://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html#application-secrets) for more information.
     - `LISTEN_ADDR`: the address where the web UI will listen (default is `0.0.0.0` in **Docker images** and `127.0.0.1` on **Linux installations**).
     - `LISTEN_PORT`: the port where the web UI will listen (default is `7000`).
     - `MAX_WORKERS`: the number of workers used by the web UI (default is the number of CPUs).
@@ -535,7 +547,7 @@ The web UI can be deployed and configured without going through the setup wizard
     python3 -c "import secrets; print(secrets.token_hex(64))"
     ```
 
-    You can generate valid space-separated **TOTP_SECRETS** using the following command (you will need the `passlib` package):
+    You can generate valid space-separated **TOTP_ENCRYPTION_KEYS** using the following command (you will need the `passlib` package):
 
     ```shell
     python3 -c "from passlib import totp; print(totp.generate_secret())"
@@ -557,12 +569,12 @@ The web UI can be deployed and configured without going through the setup wizard
     ```conf
     ADMIN_USERNAME=changeme
     ADMIN_PASSWORD=changeme
-    TOTP_SECRETS=mysecret
+    TOTP_ENCRYPTION_KEYS=mysecret
     ```
 
     Replace the `changeme` data with your own values.
 
-    Remember to set a stronger secret key for the `TOTP_SECRETS`.
+    Remember to set a stronger secret key for the `TOTP_ENCRYPTION_KEYS`.
 
     Each time you edit the `/etc/bunkerweb/ui.env` file, you will need to restart the service:
 
@@ -663,7 +675,7 @@ The web UI can be deployed and configured without going through the setup wizard
           <<: *ui-env
           ADMIN_USERNAME: "changeme"
           ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the changeme user
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         networks:
           - bw-universe
           - bw-db
@@ -801,7 +813,7 @@ The web UI can be deployed and configured without going through the setup wizard
           <<: *ui-env
           ADMIN_USERNAME: "changeme"
           ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the changeme user
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         labels:
           - "bunkerweb.SERVER_NAME=www.example.com"
           - "bunkerweb.USE_TEMPLATE=ui"
@@ -992,7 +1004,7 @@ The web UI can be deployed and configured without going through the setup wizard
           <<: *ui-env
           ADMIN_USERNAME: "changeme"
           ADMIN_PASSWORD: "changeme" # Remember to set a stronger password for the changeme user
-          TOTP_SECRETS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
+          TOTP_ENCRYPTION_KEYS: "mysecret" # Remember to set a stronger secret key (see the Prerequisites section)
         networks:
           - bw-universe
           - bw-db