improved README

README.md

@@ -27,7 +27,7 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
 
 ## List of environment variables
 
-### nginx security
+### nginx
 *SERVER_TOKENS*  
 Values : on | off  
 Default value : off  
@@ -48,6 +48,42 @@ Values : yes | no
 Default value : no  
 If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip.
 
+*SERVE_FILES*  
+Values : yes | no  
+Default value : yes  
+If set to yes, nginx will serve files from /www directory within the container.  
+A use case to not serving files is when you setup bunkerized-nginx as a reverse proxy via a custom configuration.
+
+*MAX_CLIENT_SIZE*  
+Values : 0 | Xm  
+Default value : 10m  
+Sets the maximum body size before nginx returns a 413 error code.  
+Setting to 0 means "infinite" body size.
+
+*SERVER_NAME*  
+Values : <first name> <second name> ...
+Default value : www.bunkerity.com
+Sets the host names of the webserver. This is the names used by your clients.  
+Usefull when used with AUTO_LETSENCRYPT=yes and/or DISABLE_DEFAULT_SERVER=yes.
+
+### HTTPS
+*AUTO_LETS_ENCRYPT*  
+Values : yes | no  
+Default value : no  
+If set to yes, automatic certificate generation and renewal will be setup through Let's Encrypt. This will enable HTTPS on your website for free.  
+You will need to redirect both 80 and 443 port to your container and also set the SERVER_NAME environment variable.
+
+*HTTP2*  
+Values : yes | no  
+Default value : yes  
+If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
+
+### ModSecurity
+*USE_MODSECURITY*  
+Values : yes | no  
+Default value : yes  
+If set to yes, the ModSecurity WAF will be enabled with the OWASP Core Rule Set.
+
 ### Security headers
 *X_FRAME_OPTIONS*  
 Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL  
@@ -85,6 +121,81 @@ Default value : * HttpOnly
 Adds some security to the cookies set by the server.  
 Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
 
+*STRICT_TRANSPORT_POLICY*  
+Values : max-age=expireTime [; includeSubDomains] [; preload]
+Default value : max-age=31536000  
+Tells the browser to use exclusively HTTPS instead of HTTP when communicating with the server.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
+
+*CONTENT_SECURITY_POLICY*  
+Values : <directive 1>; <directive 2>; ...
+Default value : default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer  
+Policy to be used when loading resources (scripts, forms, frames, ...).  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
+
+### Blocking
+*BLOCK_COUNTRY*  
+Values : <country code 1> <country code 2> ...  
+Default value :  
+Block some countries from accessing your website. Use 2 letters country code separated with space.
+
+*BLOCK_USER_AGENT*  
+Values : yes | no
+Default value : yes
+If set to yes, block clients with "bad" user agent.  
+Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list).
+
+*BLOCK_TOR_EXIT_NODE*  
+Values : yes | no  
+Default value : no  
+Is set to yes, will block TOR clients.
+
+### PHP
+*USE_PHP*  
+Values : yes | no  
+Default value : yes  
+If set to yes, PHP files will be executed by the server.
+
+*PHP_DISPLAY_ERRORS*  
+Values : yes | no  
+Default value : no  
+If set to yes, PHP errors will be shown to clients.
+
+*PHP_EXPOSE*  
+Values : yes | no  
+Default value : no  
+If set to yes, the PHP version will be sent within the X-Powered-By header.
+
+*PHP_OPEN_BASEDIR*  
+Values : <directory>  
+Default value : /www/  
+Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
+
+*PHP_ALLOW_URL_FOPEN*  
+Values : yes | no
+Default value : no
+If set to yes, allows using url in fopen() calls (i.e. : ftp://, http://, ...). 
+
+*PHP_ALLOW_URL_INCLUDE*  
+Values : yes | no
+Default value : no
+If set to yes, allows using url in include() calls (i.e. : ftp://, http://, ...). 
+
+*PHP_FILE_UPLOADS*  
+Values : yes | no
+Default value : yes
+If set to yes, allows clients to upload files.
+
+*PHP_UPLOAD_MAX_FILESIZE*  
+Values : <size in bytes> | XM
+Default value : 10M  
+Sets the maximum file size allowed when uploading files.
+
+*PHP_DISABLE_FUNCTIONS*  
+Values : <function 1>, <function 2> ...  
+Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo  
+List of PHP functions blacklisted. They can't be used anywhere in PHP code.
+
 ## TODO
 - File permissions hardening
 - Custom TLS certificates

entrypoint.sh

@@ -44,6 +44,7 @@ SERVER_NAME="${SERVER_NAME:-www.bunkerity.io}"
 ALLOWED_METHODS="${ALLOWED_METHODS:-GET|POST|HEAD}"
 BLOCK_COUNTRY="${BLOCK_COUNTRY:-}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT:-yes}"
+BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE:-no}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT:-no}"
 HTTP2="${HTTP2:-yes}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"