Replace custom nginx / certbot config with BunkerWeb

[spwoodcock]

What type of PR is this? (check all applicable)

• 🍕 Feature
• 🐛 Bug Fix
• 📝 Documentation
• 🧑‍💻 Refactor
• ✅ Test
• 🤖 Build or CI
• ❓ Other (please specify)

Related Issue

Fixes #1686
Also fixes #1479

Related to: #1650, but does not fix it.
(the FastAPI middleware is probably required after all)

Describe this PR

Bunkerweb repo: https://github.com/bunkerity/bunkerweb/

• Replaces the nginx configuration on this repo entirely with BunkerWeb, which has a lot of nice security defaults (see original issue).
  • I was able to remove the entire nginx directory and related code / configs / scripts.
  • This also manages all certs for us, rather than our custom certbot config.
• @dakotabenjamin this is a pretty neat all-in-one web proxy that I would recommend to put all our services behind! It has rate limiting, brotli compression, optional antibot, good ModSecurity defaults, 'bad behaviour' checking and banning.
• I added the config for local development. Still todo development and main compose configs.
• It's a bit of a pain that the architecture of this system relies on a scheduler and docker socket binding service. Thankfully I managed to get this to work as initialisation only, rather than running continuously.
  • Using timeout 120 for each service allows the configs to generated and copied to the nginx webserver, then the scheduler and docker socket service shut down.

Alternative Approaches Considered

• Adding modsecurity etc to our existing nginx config.
• But why bother maintaining our own nginx module building (e.g. brotli, modsecurity) and configuration, when we an outsource this to a well adopted upstream service.
• Resource usage is no more than the standard nginx server we were using, about 100-200mb memory usage at idle.

https://github.com/hotosm/fmtm/blob/development/docs/decisions/0006-web-app-firewall.md

Notes

• Once merged, we can remove the proxy images from the repo.
• The NGINX_IMG_TAG var can also be removed from Github environment vars.
• Local projects will no longer work as the ODK_CENTRAL_URL was updated from https://proxy --> https://odkcentral
  • Existing projects for local development should be removed docker compose down -v

Review Guide

Notes for the reviewer. How to test this change?

Checklist before requesting a review

• 📖 Read the FMTM Contributing Guide: https://github.com/hotosm/fmtm/blob/main/CONTRIBUTING.md
• 📖 Read the HOT Code of Conduct: https://docs.hotosm.org/code-of-conduct
• 👷‍♀️ Create small PRs. In most cases, this will be possible.
• ✅ Provide tests for your changes.
• 📝 Use descriptive commit messages.
• 📗 Update any related documentation and include any relevant screenshots.

[optional] What gif best describes this PR or how it makes you feel?

[dakotabenjamin]

I've used a turnkey-like server solution Caddy before, but this seems like it's got even more and its security focused. Looks good to me.

[spwoodcock]

Thanks!

I like that it reduces the maintenance burden for building nginx images with brotli and maintaining configs 😄

Hoping to finish this at some point & also roll it out for DroneTM eventually too 👍

[spwoodcock]

Tests failing I presume because the CI image doesn't have the correct dev cert for ODK Central.

Merging pre-emptively in the hope that a new CI image build will fix this 😄