templating - init work on site templates
This commit is contained in:
parent
996c45df42
commit
633a07686f
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -13,7 +13,7 @@ location = %ANTIBOT_URI% {
|
|||
end
|
||||
local img, res = captcha.get_challenge()
|
||||
cookie.set({captchares = res})
|
||||
local code = captcha.get_code(img, "%ANTIBOT_URI%")
|
||||
local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ location = %ANTIBOT_URI% {
|
|||
local check = captcha.check(captcha_user, cookie.get("captchares"))
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.redirect("%ANTIBOT_URI%")
|
||||
return ngx.redirect("{{ ANTIBOT_URI }}")
|
||||
end
|
||||
cookie.set({captcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -12,7 +12,7 @@ location = %ANTIBOT_URI% {
|
|||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = cookie.get("challenge")
|
||||
local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
|
||||
local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -11,7 +11,7 @@ location = %ANTIBOT_URI% {
|
|||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
|
||||
local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
@ -32,8 +32,8 @@ location = %ANTIBOT_URI% {
|
|||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local token = args["token"]
|
||||
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
|
||||
if check < %ANTIBOT_RECAPTCHA_SCORE% then
|
||||
local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
|
||||
if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location %AUTH_BASIC_LOCATION% {
|
||||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
||||
location {{ AUTH_BASIC_LOCATION }} {
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
brotli on;
|
||||
brotli_types %BROTLI_TYPES%;
|
||||
brotli_comp_level %BROTLI_COMP_LEVEL%;
|
||||
brotli_min_length %BROTLI_MIN_LENGTH%;
|
||||
brotli_types {{ BROTLI_TYPES }};
|
||||
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
|
||||
brotli_min_length {{ BROTLI_MIN_LENGTH }};
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
etag %CLIENT_CACHE_ETAG%;
|
||||
etag {{ CLIENT_CACHE_ETAG }};
|
||||
set $cache "";
|
||||
if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
|
||||
set $cache "%CLIENT_CACHE_CONTROL%";
|
||||
if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
|
||||
set $cache "{{ CLIENT_CACHE_CONTROL }}";
|
||||
}
|
||||
add_header Cache-Control $cache;
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
|
||||
more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
set_cookie_flag %COOKIE_FLAGS%;
|
||||
set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CUSTOM_CERT%;
|
||||
ssl_certificate_key %HTTPS_CUSTOM_KEY%;
|
||||
listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CUSTOM_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
if ($host !~ ^(%SERVER_NAME%)$) {
|
||||
if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
|
||||
return 444;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
error_page %CODE% %PAGE%;
|
||||
error_page {{ CODE }} {{ PAGE }};
|
||||
|
||||
location = %PAGE% {
|
||||
root %ROOT_FOLDER%;
|
||||
location = {{ PAGE }} {
|
||||
root {{ ROOT_FOLDER }};
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
||||
|
|
|
@ -13,7 +13,7 @@ fastcgi_param REQUEST_SCHEME $scheme;
|
|||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
fastcgi_param SERVER_SOFTWARE nginx;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Feature-Policy: %FEATURE_POLICY%";
|
||||
more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
gzip on;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_types %GZIP_TYPES%;
|
||||
gzip_comp_level {{ GZIP_COMP_LEVEL }};
|
||||
gzip_min_length {{ GZIP_MIN_LENGTH }};
|
||||
gzip_types {{ GZIP_TYPES }};
|
||||
|
|
|
@ -1,12 +1,18 @@
|
|||
listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" }}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_KEY }};
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" }}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
{% if "TLSv1.2" in {{ HTTPS_PROTOCOLS }} %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
{% if AUTO_LETS_ENCRYPT %}
|
||||
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
|
||||
{% endif %}
|
||||
|
|
|
@ -1 +1 @@
|
|||
limit_conn ddos %LIMIT_CONN_MAX%;
|
||||
limit_conn ddos {{ LIMIT_CONN_MAX }};
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
limit_req_status 429;
|
||||
limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
|
||||
limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
log_by_lua_block {
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {{ BAD_BEHAVIOR_STATUS_CODES }}
|
||||
local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
|
||||
local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
|
||||
local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
|
||||
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
|
||||
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
|
||||
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
|
||||
|
||||
if use_bad_behavior then
|
||||
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
|
||||
|
|
|
@ -1,51 +1,51 @@
|
|||
set $session_secret %ANTIBOT_SESSION_SECRET%;
|
||||
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
|
||||
set $session_check_addr on;
|
||||
|
||||
access_by_lua_block {
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = %USE_LETS_ENCRYPT%
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- countries
|
||||
local use_country = %USE_COUNTRY%
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
|
||||
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
|
||||
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = {{ DNS_RESOLVERS }}
|
||||
local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local whitelist_ip_list = {{ WHITELIST_IP_LIST }}
|
||||
local whitelist_reverse_list = {{ WHITELIST_REVERSE_LIST }}
|
||||
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes %}true{% else %}false{% endif %}
|
||||
local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local blacklist_ip_list = {{ BLACKLIST_IP_LIST }}
|
||||
local blacklist_reverse_list = {{ BLACKLIST_REVERSE_LIST }}
|
||||
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes %}true{% else %}false{% endif %}
|
||||
local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local dnsbl_list = {{ DNSBL_LIST }}
|
||||
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
|
||||
local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
|
@ -60,9 +60,9 @@ local behavior = require "behavior"
|
|||
local logger = require "logger"
|
||||
|
||||
-- user variables
|
||||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
local whitelist_user_agent = {{ WHITELIST_USER_AGENT }}
|
||||
local whitelist_uri = {{ WHITELIST_URI }}
|
||||
local antibot_uri = "{{ ANTIBOT_URI }}"
|
||||
local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
|
@ -291,8 +291,10 @@ ngx.exit(ngx.OK)
|
|||
|
||||
}
|
||||
|
||||
%INCLUDE_ANTIBOT_JAVASCRIPT%
|
||||
|
||||
%INCLUDE_ANTIBOT_CAPTCHA%
|
||||
|
||||
%INCLUDE_ANTIBOT_RECAPTCHA%
|
||||
{% if USE_ANTIBOT == "javascript" %}
|
||||
include {{ NGINX_PREFIX }}antibot-javascript.conf;
|
||||
{% elif USE_ANTIBOT == "captcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-captcha.conf;
|
||||
{% elif USE_ANTIBOT == "recaptcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
|
||||
{% endif %}
|
||||
|
|
|
@ -49,17 +49,22 @@ SecResponseBodyLimit 524288
|
|||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
|
||||
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# scan uploaded files with clamv
|
||||
%USE_CLAMAV_UPLOAD%
|
||||
{% if USE_CLAMAV_UPLOAD == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS rules
|
||||
%MODSECURITY_INCLUDE_CRS%
|
||||
%MODSECURITY_INCLUDE_CUSTOM_CRS%
|
||||
%MODSECURITY_INCLUDE_CRS_RULES%
|
||||
{% if USE_MODSECURITY_CRS == "yes" %}
|
||||
include /opt/owasp/crs.conf
|
||||
# TODO : include without errors ?
|
||||
#{{ MODSECURITY_INCLUDE_CUSTOM_CRS }}
|
||||
include /opt/owasp/crs/*.conf
|
||||
{% endif %}
|
||||
|
||||
# include custom rules
|
||||
%MODSECURITY_INCLUDE_CUSTOM_RULES%
|
||||
# TODO : include custom rules
|
||||
# {{ MODSECURITY_INCLUDE_CUSTOM_RULES }}
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file %MODSEC_RULES_FILE%;
|
||||
modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
open_file_cache %OPEN_FILE_CACHE%;
|
||||
open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
|
||||
open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
|
||||
open_file_cache {{ OPEN_FILE_CACHE }};
|
||||
open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
|
||||
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
|
||||
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
|
||||
more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass %REMOTE_PHP%:9000;
|
||||
fastcgi_pass {{ REMOTE_PHP }}:9000;
|
||||
fastcgi_index index.php;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
proxy_cache proxycache;
|
||||
proxy_cache_methods %PROXY_CACHE_METHODS%;
|
||||
proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
|
||||
proxy_cache_key %PROXY_CACHE_KEY%;
|
||||
proxy_no_cache %PROXY_NO_CACHE%;
|
||||
proxy_cache_bypass %PROXY_CACHE_BYPASS%;
|
||||
%PROXY_CACHE_VALID%
|
||||
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
|
||||
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
|
||||
proxy_cache_key {{ PROXY_CACHE_KEY }};
|
||||
proxy_no_cache {{ PROXY_NO_CACHE }};
|
||||
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
|
||||
{% if PROXY_CACHE_VALID != "" %}
|
||||
{% for element in PROXY_CACHE_VALID.split(" ") %}
|
||||
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
%PROXY_REAL_IP_FROM%
|
||||
real_ip_header %PROXY_REAL_IP_HEADER%;
|
||||
real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
|
||||
{% if PROXY_REAL_IP_FROM != "" %}
|
||||
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
|
||||
set_real_ip_from {{ element }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
real_ip_header {{ PROXY_REAL_IP_HEADER }};
|
||||
real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
|
||||
more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
location %REVERSE_PROXY_URL% {
|
||||
location {{ REVERSE_PROXY_URL }} {
|
||||
etag off;
|
||||
proxy_pass %REVERSE_PROXY_HOST%;
|
||||
%REVERSE_PROXY_HEADERS%
|
||||
%REVERSE_PROXY_WS%
|
||||
%REVERSE_PROXY_CUSTOM_HEADERS%
|
||||
proxy_pass {{ REVERSE_PROXY_HOST }};
|
||||
{{ REVERSE_PROXY_HEADERS }}
|
||||
{{ REVERSE_PROXY_WS }}
|
||||
{{ REVERSE_PROXY_CUSTOM_HEADERS }}
|
||||
}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
root %ROOT_FOLDER%;
|
||||
root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
|
||||
index index.html index.php;
|
||||
try_files $uri $uri/ =404;
|
||||
|
|
|
@ -1,41 +1,176 @@
|
|||
%PRE_SERVER_CONF%
|
||||
# custom config before server block
|
||||
include /pre-server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
%FASTCGI_PATH%
|
||||
%SERVER_CONF%
|
||||
%PROXY_REAL_IP%
|
||||
%INCLUDE_LUA%
|
||||
%USE_MODSECURITY%
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
server_name %SERVER_NAME%;
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
%SERVE_FILES%
|
||||
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
|
||||
{
|
||||
|
||||
# FastCGI variables
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}fastcgi.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom config
|
||||
include /server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy real IP
|
||||
{% if PROXY_REAL_IP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
|
||||
{% endif %}
|
||||
|
||||
# include LUA files
|
||||
include {{ NGINX_PREFIX }}main-lua.conf;
|
||||
include {{ NGINX_PREFIX }}log-lua.conf;
|
||||
|
||||
# ModSecurity
|
||||
{% if USE_MODSECURITY == "yes" }}
|
||||
include {{ NGINX_PREFIX }}modsecurity.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP listen
|
||||
{% if LISTEN_HTTP == "yes" }}
|
||||
listen 0.0.0.0:{{ HTTP_PORT }};
|
||||
{% endif %}
|
||||
|
||||
# HTTPS listen + config
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
|
||||
include {{ NGINX_PREFIX }}https.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP to HTTPS
|
||||
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
|
||||
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
|
||||
{% endif %}
|
||||
|
||||
# server name (vhost)
|
||||
server_name {{ SERVER_NAME }};
|
||||
|
||||
# disable default server
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
|
||||
include {{ NGINX_PREFIX }}disable-default-server.conf;
|
||||
{% endif %}
|
||||
|
||||
# serve local files
|
||||
{% if SERVE_FILES == "yes" %}
|
||||
include {{ NGINX_PREFIX}}serve-files.conf;
|
||||
{% endif %}
|
||||
|
||||
# allowed HTTP methods
|
||||
if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
|
||||
return 405;
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%LIMIT_CONN%
|
||||
%AUTH_BASIC%
|
||||
%REMOVE_HEADERS%
|
||||
%X_FRAME_OPTIONS%
|
||||
%X_XSS_PROTECTION%
|
||||
%X_CONTENT_TYPE_OPTIONS%
|
||||
%CONTENT_SECURITY_POLICY%
|
||||
%REFERRER_POLICY%
|
||||
%FEATURE_POLICY%
|
||||
%PERMISSIONS_POLICY%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
%USE_CLIENT_CACHE%
|
||||
%USE_GZIP%
|
||||
%USE_BROTLI%
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
%USE_OPEN_FILE_CACHE%
|
||||
%USE_PROXY_CACHE%
|
||||
%USE_REVERSE_PROXY%
|
||||
%USE_PHP%
|
||||
|
||||
# requests limiting
|
||||
{% if USE_LIMIT_REQ == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-req.conf;
|
||||
{% endif %}
|
||||
|
||||
# connections limiting
|
||||
{% if USE_LIMIT_CONN == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-conn.conf;
|
||||
{% endif %}
|
||||
|
||||
# auth basic
|
||||
{% if USE_AUTH_BASIC == "yes" %}
|
||||
{% if AUTH_BASIC_LOCATION == "sitewide" %}
|
||||
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
|
||||
{% else %}
|
||||
include {{ NGINX_PREFIX }}auth-basic.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# remove headers
|
||||
{% if REMOVE_HEADERS != "" %}
|
||||
{% for header in REMOVE_HEADERS.split(" ") %}
|
||||
more_clear_headers '{{ header }}';
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# X-Frame-Option header
|
||||
{% if X_FRAME_OPTIONS != "" %}
|
||||
include {{ NGINX_PREFIX }}x-frame-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-XSS-Protection header
|
||||
{% if X_XSS_PROTECTION != "" %}
|
||||
include {{ NGINX_PREFIX }}x-xss-protection.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-Content-Type header
|
||||
{% if X_CONTENT_TYPE != "" %}
|
||||
include {{ NGINX_PREFIX }}x-content-type.conf;
|
||||
{% endif %}
|
||||
|
||||
# Content-Security-Policy header
|
||||
{% if CONTENT_SECURITY_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}content-security-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Referrer-Policy header
|
||||
{% if REFERRER_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}referrer-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Feature-Policy header
|
||||
{% if FEATURE_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}feature-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Permissions-Policy header
|
||||
{% if PERMISSIONS_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}permissions-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# cookie flags
|
||||
{% if COOKIE_FLAGS != "" %}
|
||||
include {{ NGINX_PREFIX }}cookie-flags.conf;
|
||||
{% endif %}
|
||||
|
||||
# TODO : ERRORS
|
||||
|
||||
# client caching
|
||||
{% if USE_CLIENT_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}client-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# gzip compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# brotli compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# maximum body size
|
||||
client_max_body_size {{ MAX_CLIENT_SIZE }};
|
||||
|
||||
# enable/disable showing version
|
||||
server_tokens {{ SERVER_TOKENS }};
|
||||
|
||||
# open file caching
|
||||
{% if USE_OPEN_FILE_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}open-file-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy caching
|
||||
{% if USE_PROXY_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# reverse proxy
|
||||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
include {{ NGINX_PREFIX }}reverse-proxy-*.conf;
|
||||
{% endif %}
|
||||
|
||||
# remote PHP
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}php.conf;
|
||||
{% endif %}
|
||||
|
||||
}
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
|
||||
more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
|
||||
more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
|
||||
more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
|
||||
|
|
Loading…
Reference in New Issue