bunkerity
diff --git a/‎.github/workflows/codeql.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/codeql.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/container-build.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/container-build.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecards-analysis.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecards-analysis.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md
Lines changed: 1 addition & 0 deletions b/‎README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/features.md
Lines changed: 467 additions & 450 deletions b/‎docs/features.md
Lines changed: 467 additions & 450 deletions
diff --git a/‎docs/integrations.md
Lines changed: 16 additions & 15 deletions b/‎docs/integrations.md
Lines changed: 16 additions & 15 deletions
diff --git a/‎docs/upgrading.md
Lines changed: 50 additions & 18 deletions b/‎docs/upgrading.md
Lines changed: 50 additions & 18 deletions
diff --git a/‎src/autoconf/Dockerfile
Lines changed: 1 addition & 1 deletion b/‎src/autoconf/Dockerfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/common/core/antibot/README.md
Lines changed: 1 addition & 1 deletion b/‎src/common/core/antibot/README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/common/core/ui/confs/http/ui.modsec-crs
Lines changed: 2 additions & 2 deletions b/‎src/common/core/ui/confs/http/ui.modsec-crs
Lines changed: 2 additions & 2 deletions
@@ -34,12 +34,12 @@ jobs:
           python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
           echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           setup-python-dependencies: false
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           category: "/language:${{matrix.language}}"
@@ -120,7 +120,7 @@ jobs:
       # Check OS vulnerabilities
       - name: Check OS vulnerabilities
         if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           vuln-type: os
           skip-dirs: /root/.cargo
 
@@ -25,6 +25,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload SARIF results to code scanning"
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif
@@ -394,6 +394,7 @@ BunkerWeb UI supports multiple languages. Translations are managed in the `src/u
 - Chinese (zh)
 - German (de)
 - Italian (it)
+- Turkish (tr)
 
 See the [locales/README.md](https://github.com/bunkerity/bunkerweb/raw/v1.6.2/src/ui/app/static/locales/README.md) for details on translation provenance and review status.
 
 
@@ -527,17 +527,18 @@ For a simplified installation experience, BunkerWeb provides an easy install scr
 Download and run the installation script:
 
 ```bash
-curl -fsSL https://github.com/bunkerity/bunkerweb/raw/v1.6.2/misc/install-bunkerweb.sh | sudo bash
-```
-
-Or download first and then execute:
-
-```bash
-wget https://github.com/bunkerity/bunkerweb/raw/v1.6.2/misc/install-bunkerweb.sh
+wget https://raw.githubusercontent.com/bunkerity/bunkerweb/v1.6.2/misc/install-bunkerweb.sh
 chmod +x install-bunkerweb.sh
 sudo ./install-bunkerweb.sh
 ```
 
+!!! warning "Security Notice"
+    Before running any installation script, especially with elevated privileges, it's recommended to review the script content first.
+
+    ```bash
+    cat install-bunkerweb.sh
+    ```
+
 #### Interactive installation
 
 By default, the script runs in interactive mode and will:
@@ -640,7 +641,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
 
     ```shell
     sudo apt update && \
-    sudo apt install -y nginx=1.28.0-1~$(lsb_release -cs)
+    sudo apt install -y --allow-downgrades nginx=1.28.0-1~$(lsb_release -cs)
     ```
 
     !!! warning "Testing/dev version"
@@ -662,7 +663,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     ```shell
     curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
     sudo apt update && \
-    sudo -E apt install -y bunkerweb=1.6.2
+    sudo -E apt install -y --allow-downgrades bunkerweb=1.6.2
     ```
 
     To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@@ -688,7 +689,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
 
     ```shell
     sudo apt update && \
-    sudo apt install -y nginx=1.28.0-1~$(lsb_release -cs)
+    sudo apt install -y --allow-downgrades nginx=1.28.0-1~$(lsb_release -cs)
     ```
 
     !!! warning "Testing/dev version"
@@ -710,7 +711,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     ```shell
     curl -s https://repo.bunkerweb.io/install/script.deb.sh | sudo bash && \
     sudo apt update && \
-    sudo -E apt install -y bunkerweb=1.6.2
+    sudo -E apt install -y --allow-downgrades bunkerweb=1.6.2
     ```
 
     To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command:
@@ -736,7 +737,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     Fedora already provides NGINX 1.26.3 that we support (NGINX 1.28.0 is not yet available in Fedora repositories):
 
     ```shell
-    sudo dnf install -y nginx-1.26.3
+    sudo dnf install -y --allowerasing nginx-1.26.3
     ```
 
     !!! example "Disable the setup wizard"
@@ -751,7 +752,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     ```shell
     curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
   	sudo dnf makecache && \
-  	sudo -E dnf install -y bunkerweb-1.6.2
+  	sudo -E dnf install -y --allowerasing bunkerweb-1.6.2
     ```
 
     To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
@@ -786,7 +787,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     You should now be able to install NGINX 1.28.0:
 
     ```shell
-    sudo dnf install nginx-1.28.0
+    sudo dnf install --allowerasing nginx-1.28.0
     ```
 
     !!! example "Disable the setup wizard"
@@ -801,7 +802,7 @@ Please ensure that you have **NGINX 1.28.0 installed before installing BunkerWeb
     ```shell
     curl -s https://repo.bunkerweb.io/install/script.rpm.sh | sudo bash && \
     sudo dnf check-update && \
-    sudo -E dnf install -y bunkerweb-1.6.2
+    sudo -E dnf install -y --allowerasing bunkerweb-1.6.2
     ```
 
     To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command:
 
@@ -119,7 +119,7 @@
 
                     ```shell
                     sudo apt update && \
-                    sudo apt install -y bunkerweb=1.6.2
+                    sudo apt install -y --allow-downgrades bunkerweb=1.6.2
                     ```
 
                     To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@@ -145,7 +145,7 @@
 
                     ```shell
                     sudo dnf makecache && \
-                    sudo dnf install -y bunkerweb-1.6.2
+                    sudo dnf install -y --allowerasing bunkerweb-1.6.2
                     ```
 
                     To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :
@@ -199,7 +199,15 @@
 
 === "Docker"
 
-    1. **Restore the backup**.
+    1. **Extract the backup if zipped**.
+
+        Extract the backup zip file first:
+
+        ```bash
+        unzip /path/to/backup/directory/backup.zip -d /path/to/backup/directory/
+        ```
+
+    2. **Restore the backup**.
 
         === "SQLite"
 
@@ -268,7 +276,7 @@
                 docker compose down
                 ```
 
-    2. **Downgrade BunkerWeb**.
+    3. **Downgrade BunkerWeb**.
 
         ```yaml
         services:
@@ -286,21 +294,29 @@
                 ...
         ```
 
-    3. **Start the containers**.
+    4. **Start the containers**.
 
         ```bash
         docker compose up -d
         ```
 
 === "Linux"
 
-    4. **Stop the services**.
+    4. **Extract the backup if zipped**.
+
+        Extract the backup zip file first:
+
+        ```bash
+        unzip /path/to/backup/directory/backup.zip -d /path/to/backup/directory/
+        ```
+
+    5. **Stop the services**.
 
         ```bash
         sudo systemctl stop bunkerweb bunkerweb-ui bunkerweb-scheduler
         ```
 
-    5. **Restore the backup**.
+    6. **Restore the backup**.
 
         === "SQLite"
 
@@ -337,13 +353,13 @@
                 psql -U <username> -d <database_name> < /path/to/backup/directory/backup.sql
                 ```
 
-    6. **Start the services**.
+    7. **Start the services**.
 
         ```bash
         sudo systemctl start bunkerweb bunkerweb-ui bunkerweb-scheduler
         ```
 
-    7. **Downgrade BunkerWeb**.
+    8. **Downgrade BunkerWeb**.
         - Downgrade BunkerWeb to the previous version by following the same steps as when upgrading BunkerWeb in the [integration Linux page](integrations.md#linux)
 
 ## Upgrade from 1.5.X
@@ -577,7 +593,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
 
                     ```shell
                     sudo apt update && \
-                    sudo apt install -y bunkerweb=1.6.2
+                    sudo apt install -y --allow-downgrades bunkerweb=1.6.2
                     ```
 
                     To prevent the BunkerWeb package from upgrading when executing `apt upgrade`, you can use the following command :
@@ -603,7 +619,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
 
                     ```shell
                     sudo dnf makecache && \
-                    sudo dnf install -y bunkerweb-1.6.2
+                    sudo dnf install -y --allowerasing bunkerweb-1.6.2
                     ```
 
                     To prevent the BunkerWeb package from upgrading when executing `dnf upgrade`, you can use the following command :
@@ -655,7 +671,15 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
 
 === "Docker"
 
-    1. **Restore the backup**.
+    1. **Extract the backup if zipped**.
+
+        Extract the backup zip file first:
+
+        ```bash
+        unzip /path/to/backup/directory/backup.zip -d /path/to/backup/directory/
+        ```
+
+    2. **Restore the backup**.
 
         === "SQLite"
 
@@ -724,7 +748,7 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
                 docker compose down
                 ```
 
-    2. **Downgrade BunkerWeb**.
+    3. **Downgrade BunkerWeb**.
 
         ```yaml
         services:
@@ -742,21 +766,29 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
                 ...
         ```
 
-    3. **Start the containers**.
+    4. **Start the containers**.
 
         ```bash
         docker compose up -d
         ```
 
 === "Linux"
 
-    4. **Stop the services**.
+    4. **Extract the backup if zipped**.
+
+        Extract the backup zip file first:
+
+        ```bash
+        unzip /path/to/backup/directory/backup.zip -d /path/to/backup/directory/
+        ```
+
+    5. **Stop the services**.
 
         ```bash
         sudo systemctl stop bunkerweb bunkerweb-ui bunkerweb-scheduler
         ```
 
-    5. **Restore the backup**.
+    6. **Restore the backup**.
 
         === "SQLite"
 
@@ -793,11 +825,11 @@ We added a **namespace** feature to the autoconf integrations. Namespaces allow
                 psql -U <username> -d <database_name> < /path/to/backup/directory/backup.sql
                 ```
 
-    6. **Start the services**.
+    7. **Start the services**.
 
         ```bash
         sudo systemctl start bunkerweb bunkerweb-ui bunkerweb-scheduler
         ```
 
-    7. **Downgrade BunkerWeb**.
+    8. **Downgrade BunkerWeb**.
         - Downgrade BunkerWeb to the previous version by following the same steps as when upgrading BunkerWeb in the [integration Linux page](integrations.md#linux)
@@ -43,7 +43,7 @@ RUN apk add --no-cache bash tzdata && \
   adduser -h /usr/share/bunkerweb/autoconf -g autoconf -s /sbin/nologin -G autoconf -D -H -u 101 --disabled-password autoconf
 
 # Fix CVEs
-# There are no CVEs for the following packages
+RUN apk add --no-cache "libcrypto3>=3.5.1-r0" "libssl3>=3.5.1-r0" # CVE-2025-4575
 
 # Copy dependencies
 COPY --from=builder --chown=0:101 --chmod=550 /usr/share/bunkerweb /usr/share/bunkerweb
 
@@ -11,7 +11,7 @@ Attackers often use automated tools (bots) to try and exploit your website. To p
 
 Follow these steps to enable and configure the Antibot feature:
 
-1. **Choose a challenge type:** Decide which type of antibot challenge to use (e.g., [captcha](#__tabbed_1_3), [hcaptcha](#__tabbed_1_5), [javascript](#__tabbed_1_2)).
+1. **Choose a challenge type:** Decide which type of antibot challenge to use (e.g., [captcha](#__tabbed_3_3), [hcaptcha](#__tabbed_3_5), [javascript](#__tabbed_3_2)).
 2. **Enable the feature:** Set the `USE_ANTIBOT` setting to your chosen challenge type in your BunkerWeb configuration.
 3. **Configure the settings:** Adjust the other `ANTIBOT_*` settings as needed. For reCAPTCHA, hCaptcha, Turnstile, and mCaptcha, you must create an account with the respective service and obtain API keys.
 4. **Important:** Ensure the `ANTIBOT_URI` is a unique URL on your site that is not in use.
 
@@ -43,12 +43,12 @@ SecRule REQUEST_HEADERS:Host "@eq {{ server_name }}" \
     "nolog"
 
 SecRule REQUEST_FILENAME "@endsWith /login" \
-    "id:1007778,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:password,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:password,ctl:ruleRemoveTargetByTag=attack-rfi;ARGS:password,ctl:ruleRemoveTargetByTag=attack-lfi;ARGS:password,ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:password,ctl:ruleRemoveTargetByTag=attack-ssrf;ARGS:password,ctl:ruleRemoveTargetByTag=attack-xss;ARGS:password,nolog"
+    "id:1007778,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:password,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:password,ctl:ruleRemoveTargetByTag=attack-rfi;ARGS:password,ctl:ruleRemoveTargetByTag=attack-lfi;ARGS:password,ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:password,ctl:ruleRemoveTargetByTag=attack-ssrf;ARGS:password,ctl:ruleRemoveTargetByTag=attack-xss;ARGS:password,nolog,chain"
 SecRule REQUEST_HEADERS:Host "@eq {{ server_name }}" \
     "nolog"
 
 SecRule REQUEST_FILENAME "@endsWith /instances/new" \
-    "id:1007779,ctl:ruleRemoveTargetById=931100;ARGS:hostname,nolog"
+    "id:1007779,ctl:ruleRemoveTargetById=931100;ARGS:hostname,nolog,chain"
 SecRule REQUEST_HEADERS:Host "@eq {{ server_name }}" \
     "nolog"