improved README
This commit is contained in:
parent
09e6b50e58
commit
62eda8173b
113
README.md
113
README.md
|
@ -27,7 +27,7 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
|
|||
|
||||
## List of environment variables
|
||||
|
||||
### nginx security
|
||||
### nginx
|
||||
*SERVER_TOKENS*
|
||||
Values : on | off
|
||||
Default value : off
|
||||
|
@ -48,6 +48,42 @@ Values : yes | no
|
|||
Default value : no
|
||||
If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip.
|
||||
|
||||
*SERVE_FILES*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, nginx will serve files from /www directory within the container.
|
||||
A use case to not serving files is when you setup bunkerized-nginx as a reverse proxy via a custom configuration.
|
||||
|
||||
*MAX_CLIENT_SIZE*
|
||||
Values : 0 | Xm
|
||||
Default value : 10m
|
||||
Sets the maximum body size before nginx returns a 413 error code.
|
||||
Setting to 0 means "infinite" body size.
|
||||
|
||||
*SERVER_NAME*
|
||||
Values : <first name> <second name> ...
|
||||
Default value : www.bunkerity.com
|
||||
Sets the host names of the webserver. This is the names used by your clients.
|
||||
Usefull when used with AUTO_LETSENCRYPT=yes and/or DISABLE_DEFAULT_SERVER=yes.
|
||||
|
||||
### HTTPS
|
||||
*AUTO_LETS_ENCRYPT*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
If set to yes, automatic certificate generation and renewal will be setup through Let's Encrypt. This will enable HTTPS on your website for free.
|
||||
You will need to redirect both 80 and 443 port to your container and also set the SERVER_NAME environment variable.
|
||||
|
||||
*HTTP2*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
|
||||
|
||||
### ModSecurity
|
||||
*USE_MODSECURITY*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, the ModSecurity WAF will be enabled with the OWASP Core Rule Set.
|
||||
|
||||
### Security headers
|
||||
*X_FRAME_OPTIONS*
|
||||
Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL
|
||||
|
@ -85,6 +121,81 @@ Default value : * HttpOnly
|
|||
Adds some security to the cookies set by the server.
|
||||
Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
|
||||
|
||||
*STRICT_TRANSPORT_POLICY*
|
||||
Values : max-age=expireTime [; includeSubDomains] [; preload]
|
||||
Default value : max-age=31536000
|
||||
Tells the browser to use exclusively HTTPS instead of HTTP when communicating with the server.
|
||||
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
|
||||
|
||||
*CONTENT_SECURITY_POLICY*
|
||||
Values : <directive 1>; <directive 2>; ...
|
||||
Default value : default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer
|
||||
Policy to be used when loading resources (scripts, forms, frames, ...).
|
||||
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
|
||||
|
||||
### Blocking
|
||||
*BLOCK_COUNTRY*
|
||||
Values : <country code 1> <country code 2> ...
|
||||
Default value :
|
||||
Block some countries from accessing your website. Use 2 letters country code separated with space.
|
||||
|
||||
*BLOCK_USER_AGENT*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, block clients with "bad" user agent.
|
||||
Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list).
|
||||
|
||||
*BLOCK_TOR_EXIT_NODE*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
Is set to yes, will block TOR clients.
|
||||
|
||||
### PHP
|
||||
*USE_PHP*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, PHP files will be executed by the server.
|
||||
|
||||
*PHP_DISPLAY_ERRORS*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
If set to yes, PHP errors will be shown to clients.
|
||||
|
||||
*PHP_EXPOSE*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
If set to yes, the PHP version will be sent within the X-Powered-By header.
|
||||
|
||||
*PHP_OPEN_BASEDIR*
|
||||
Values : <directory>
|
||||
Default value : /www/
|
||||
Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
|
||||
|
||||
*PHP_ALLOW_URL_FOPEN*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
If set to yes, allows using url in fopen() calls (i.e. : ftp://, http://, ...).
|
||||
|
||||
*PHP_ALLOW_URL_INCLUDE*
|
||||
Values : yes | no
|
||||
Default value : no
|
||||
If set to yes, allows using url in include() calls (i.e. : ftp://, http://, ...).
|
||||
|
||||
*PHP_FILE_UPLOADS*
|
||||
Values : yes | no
|
||||
Default value : yes
|
||||
If set to yes, allows clients to upload files.
|
||||
|
||||
*PHP_UPLOAD_MAX_FILESIZE*
|
||||
Values : <size in bytes> | XM
|
||||
Default value : 10M
|
||||
Sets the maximum file size allowed when uploading files.
|
||||
|
||||
*PHP_DISABLE_FUNCTIONS*
|
||||
Values : <function 1>, <function 2> ...
|
||||
Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
|
||||
List of PHP functions blacklisted. They can't be used anywhere in PHP code.
|
||||
|
||||
## TODO
|
||||
- File permissions hardening
|
||||
- Custom TLS certificates
|
||||
|
|
|
@ -44,6 +44,7 @@ SERVER_NAME="${SERVER_NAME:-www.bunkerity.io}"
|
|||
ALLOWED_METHODS="${ALLOWED_METHODS:-GET|POST|HEAD}"
|
||||
BLOCK_COUNTRY="${BLOCK_COUNTRY:-}"
|
||||
BLOCK_USER_AGENT="${BLOCK_USER_AGENT:-yes}"
|
||||
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE:-no}"
|
||||
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT:-no}"
|
||||
HTTP2="${HTTP2:-yes}"
|
||||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
|
||||
|
|
Loading…
Reference in New Issue