choose connection and nofile numbers, increase error_log level to get modsecurity rules, add MODSECURITY_SEC_AUDIT_ENGINE var
This commit is contained in:
parent
ba4185a42e
commit
009d6fb5ae
|
@ -25,9 +25,12 @@ pcre_jit on;
|
|||
# config files for dynamic modules
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections 1024;
|
||||
worker_connections %WORKER_CONNECTIONS%;
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
|
@ -50,7 +53,7 @@ http {
|
|||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
|
||||
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice;
|
||||
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
|
@ -63,8 +66,8 @@ http {
|
|||
reset_timedout_connection on;
|
||||
|
||||
# timeouts
|
||||
client_body_timeout 12;
|
||||
client_header_timeout 12;
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
|
|
|
@ -49,7 +49,7 @@ SecResponseBodyLimit 524288
|
|||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
|
|
|
@ -6,6 +6,8 @@ HTTP_PORT="${HTTP_PORT-8080}"
|
|||
HTTPS_PORT="${HTTPS_PORT-8443}"
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
|
||||
SERVER_TOKENS="${SERVER_TOKENS-off}"
|
||||
WORKER_CONNECTIONS="${WORKER_CONNECTIONS-1024}"
|
||||
WORKER_RLIMIT_NOFILE="${WORKER_RLIMIT_NOFILE-2048}"
|
||||
USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
|
||||
CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
|
||||
CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
|
||||
|
@ -62,6 +64,7 @@ HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
|
|||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY-yes}"
|
||||
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
|
||||
MODSECURITY_SEC_AUDIT_ENGINE="${MODSECURITY_SEC_AUDIT_ENGINE-RelevantOnly}"
|
||||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
|
||||
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
|
||||
|
@ -131,3 +134,4 @@ USE_API="${USE_API-no}"
|
|||
API_URI="${API_URI-random}"
|
||||
API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
|
||||
SWARM_MODE="${SWARM_MODE-no}"
|
||||
|
||||
|
|
|
@ -224,3 +224,7 @@ if [ "$USE_API" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
|
||||
fi
|
||||
|
||||
# performance tuning
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"
|
||||
|
|
|
@ -394,6 +394,7 @@ fi
|
|||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf"
|
||||
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
|
||||
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE"
|
||||
if [ "$MULTISITE" != "yes" ] ; then
|
||||
modsec_custom=""
|
||||
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
|
||||
|
|
Loading…
Reference in New Issue