cookie flags and maxmind update
This commit is contained in:
parent
ea1dbc617c
commit
1b5f6deb22
7 changed files with 21 additions and 9 deletions
|
@ -8,8 +8,9 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /www && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
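Review bot: The `COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb` line (it is not certain from this rendering whether the COPY is new in this commit) bakes a snapshot of the MaxMind database into the image with no record of when it was taken, and because the entrypoint in this commit only runs `/opt/scripts/geolite.sh` when that file is missing, the baked copy is the one the container will keep using. A comment next to the COPY would make the trade-off visible, e.g. `# GeoLite2 snapshot from <DATE placeholder>; entrypoint only re-downloads when this file is absent`. If the database is meant to stay current, the refresh needs a trigger other than the file-exists check.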
|
|
|
@ -28,9 +28,9 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
|
|||
## List of variables
|
||||
|
||||
### nginx security
|
||||
*SERVER_TOKENS*
|
||||
Values : on | off
|
||||
Default value : off
|
||||
*SERVER_TOKENS*
|
||||
Values : on | off
|
||||
Default value : off
|
||||
If set to on, nginx will display server version in Server header and default error pages.
|
||||
|
||||
*HEADER_SERVER*
|
||||
|
@ -76,7 +76,6 @@ Default value : no-referrer
|
|||
|
||||
## TODO
|
||||
- File permissions hardening
|
||||
- Secure and HttpOnly cookies
|
||||
- Custom nginx configuration
|
||||
- Custom TLS certificates
|
||||
- Documentation
|
||||
|
|
|
@ -24,12 +24,14 @@ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
|
|||
git clone https://github.com/openresty/headers-more-nginx-module.git
|
||||
# geoip
|
||||
git clone https://github.com/leev/ngx_http_geoip2_module.git
|
||||
# cookie
|
||||
git clone https://github.com/AirisX/nginx_cookie_flag_module.git
|
||||
|
||||
# compile and install nginx
|
||||
cd /tmp
|
||||
git clone https://github.com/nginx/nginx.git
|
||||
cd nginx
|
||||
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module
|
||||
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
|
||||
make -j $NTASK
|
||||
make install
|
||||
|
||||
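Review bot: The new `git clone https://github.com/AirisX/nginx_cookie_flag_module.git` is unpinned, so the code compiled into the nginx binary via `--add-module=/tmp/nginx_cookie_flag_module` is whatever the module's default branch holds at build time, and the image is not reproducible. Pin it to a known release or commit, e.g. `git clone --depth 1 --branch <MODULE_TAG placeholder> https://github.com/AirisX/nginx_cookie_flag_module.git`, or follow the clone with `git -C /tmp/nginx_cookie_flag_module checkout <COMMIT placeholder>`. The same applies to the existing headers-more, geoip2 and nginx clones in this hunk, which this commit leaves unpinned as well. Also, `make -j $NTASK` is unquoted and fails oddly when `NTASK` is empty; `make -j "${NTASK:-1}"` would be safer.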
|
|
1
confs/cookie-flags.conf
Normal file
1
confs/cookie-flags.conf
Normal file
|
@ -0,0 +1 @@
|
|||
set_cookie_flag %COOKIE_FLAGS%;
|
|
@ -22,5 +22,6 @@ server {
|
|||
%FEATURE_POLICY%
|
||||
%BLOCK_COUNTRY%
|
||||
%BLOCK_USER_AGENT%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
}
|
||||
|
|
|
@ -55,6 +55,7 @@ PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
|
|||
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY:-yes}"
|
||||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
|
||||
|
||||
# replace values
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
|
||||
|
@ -142,9 +143,9 @@ else
|
|||
fi
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
|
||||
if [ ! -f /etc/nginx/geoip.mmdb ] ; then
|
||||
/opt/scripts/geolite.sh
|
||||
fi
|
||||
#if [ ! -f /etc/nginx/geoip.mmdb ] ; then
|
||||
# /opt/scripts/geolite.sh
|
||||
#fi
|
||||
if [ "$BLOCK_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
|
||||
|
@ -222,6 +223,12 @@ if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
|
|||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
|
||||
fi
|
||||
if [ "$COOKIE_FLAGS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
|
||||
replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
|
||||
fi
|
||||
|
||||
|
||||
# start PHP
|
||||
|
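Review bot: In the geoip hunk the new guard `if [ ! -f /etc/nginx/geoip.mmdb ] ; then /opt/scripts/geolite.sh ; fi` is immediately followed by the same three lines commented out; the commented copy should be removed instead of left as dead text. Because the Dockerfile in this commit copies `misc/GeoLite2-Country.mmdb` to `/etc/nginx/geoip.mmdb`, the guard is always false at container start and the download never runs, so if a refresh is intended it needs a separate trigger (a periodic job or an explicit opt-in variable, `<ENV_SWITCH placeholder>`). In the cookie-flags hunk, `COOKIE_FLAGS` is spliced verbatim into `set_cookie_flag %COOKIE_FLAGS%;`, so the value must be in the module's own syntax and a stray `;` would terminate the directive; a comment at the default would help: `# COOKIE_FLAGS is inserted as-is into cookie-flags.conf (nginx_cookie_flag_module syntax); "* HttpOnly secure" is the usual choice behind TLS`. The default `* HttpOnly` leaves the `secure` flag off, which is defensible for plain-HTTP deployments but worth stating in the README entry for this variable.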
|
|
@ -1,5 +1,6 @@
|
|||
#!/bin/sh
|
||||
|
||||
# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=&suffix=tar.gz" -O toto.tar.gz
|
||||
wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
|
||||
gunzip -f /etc/nginx/geoip.mmdb.gz
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
|
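Review bot: The new `wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/...` line has no failure check and no integrity check, and `gunzip -f` then runs regardless, so a failed or truncated download leaves a broken or partial archive next to the live database; the script also runs under `#!/bin/sh` without `set -e`. The commented-out keyed download line suggests the keyed endpoint is the intended replacement, so whichever URL is used, download to a temporary file, verify it against the checksum MaxMind publishes for the archive, and only then move it into place atomically. The reload logic that follows (`if [ -f /run/nginx/nginx.pid ]`) continues outside the hunk.
```sh
#!/bin/sh
set -e
tmp=$(mktemp /etc/nginx/geoip.mmdb.XXXXXX)
wget -q -O "$tmp.gz" https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
# compare "$tmp.gz" against the published checksum before trusting it
# (retrieval and comparison omitted: <CHECKSUM_URL placeholder>)
gunzip -f "$tmp.gz"
mv -f "$tmp" /etc/nginx/geoip.mmdb
# … unchanged: nginx reload when /run/nginx/nginx.pid exists …
```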
|