cookie flags and maxmind update

2020-01-02 16:13:44 +00:00 · 2020-01-02 16:13:44 +00:00 · 1b5f6deb22
parent ea1dbc617c
commit 1b5f6deb22
7 changed files with 21 additions and 9 deletions
--- a/3
+++ b/3
@ -8,8 +8,9 @@ RUN chmod +x /tmp/compile.sh && \
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
+COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb

-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
+RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /www && \
    adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
--- a/README.md
+++ b/README.md
@ -28,9 +28,9 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
 ## List of variables

 ### nginx security
-*SERVER_TOKENS*
-Values : on | off
-Default value : off
+*SERVER_TOKENS*  
+Values : on | off  
+Default value : off  
 If set to on, nginx will display server version in Server header and default error pages.

 *HEADER_SERVER*
@ -76,7 +76,6 @@ Default value : no-referrer

 ## TODO
 - File permissions hardening
- Secure and HttpOnly cookies
 - Custom nginx configuration
 - Custom TLS certificates
 - Documentation
--- a/compile.sh
+++ b/compile.sh
@ -24,12 +24,14 @@ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
 git clone https://github.com/openresty/headers-more-nginx-module.git
 # geoip
 git clone https://github.com/leev/ngx_http_geoip2_module.git
+# cookie
+git clone https://github.com/AirisX/nginx_cookie_flag_module.git

 # compile and install nginx
 cd /tmp
 git clone https://github.com/nginx/nginx.git
 cd nginx
-./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module
+./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
 make -j $NTASK
 make install

--- a/confs/cookie-flags.conf
+++ b/confs/cookie-flags.conf
@ -0,0 +1 @@
+set_cookie_flag %COOKIE_FLAGS%;
--- a/confs/server.conf
+++ b/confs/server.conf
@ -22,5 +22,6 @@ server {
 	%FEATURE_POLICY%
 	%BLOCK_COUNTRY%
 	%BLOCK_USER_AGENT%
+	%COOKIE_FLAGS%
 	%ERRORS%
 }
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -55,6 +55,7 @@ PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
 PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY:-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
+COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"

 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@ -142,9 +143,9 @@ else
 fi
 replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
 replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
-if [ ! -f /etc/nginx/geoip.mmdb ] ; then
-	/opt/scripts/geolite.sh
-fi
+#if [ ! -f /etc/nginx/geoip.mmdb ] ; then
+#	/opt/scripts/geolite.sh
+#fi
 if [ "$BLOCK_COUNTRY" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
 	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
@ -222,6 +223,12 @@ if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
 else
        replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
 fi
+if [ "$COOKIE_FLAGS" != "" ] ; then
+        replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
+        replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
+else
+        replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
+fi


 # start PHP
--- a/scripts/geolite.sh
+++ b/scripts/geolite.sh
@ -1,5 +1,6 @@
 #!/bin/sh

+# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=&suffix=tar.gz" -O toto.tar.gz
 wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
 gunzip -f /etc/nginx/geoip.mmdb.gz
 if [ -f /run/nginx/nginx.pid ] ; then