readme update
This commit is contained in:
parent
e166b1fea9
commit
81cff3648c
76
README.md
76
README.md
|
@ -13,6 +13,7 @@ Non-exhaustive list of features :
|
|||
- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
|
||||
- Integrated ModSecurity WAF with the OWASP Core Rule Set
|
||||
- Automatic ban of strange behaviors with fail2ban
|
||||
- Antibot challenge through cookie, javascript, captcha or recaptcha v3
|
||||
- Block TOR, proxies, bad user-agents, countries, ...
|
||||
- Perform automatic DNSBL checks to block known bad IP
|
||||
- Prevent bruteforce attacks with rate limiting
|
||||
|
@ -21,7 +22,7 @@ Non-exhaustive list of features :
|
|||
|
||||
Fooling automated tools/scanners :
|
||||
|
||||
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/demo.gif?raw=true" />
|
||||
<img src="https://github.com/bunkerity/bunkerized-nginx/blob/master/demo.gif?raw=true" />
|
||||
|
||||
# Table of contents
|
||||
- [bunkerized-nginx](#bunkerized-nginx)
|
||||
|
@ -31,15 +32,17 @@ Fooling automated tools/scanners :
|
|||
* [Run HTTP server with default settings](#run-http-server-with-default-settings)
|
||||
* [In combination with PHP](#in-combination-with-php)
|
||||
* [Run HTTPS server with automated Let's Encrypt](#run-https-server-with-automated-let-s-encrypt)
|
||||
* [Reverse proxy](#reverse-proxy)
|
||||
- [Tutorials](#tutorials)
|
||||
* [Behind a reverse proxy](#behind-a-reverse-proxy)
|
||||
* [As a reverse proxy](#as-a-reverse-proxy)
|
||||
* [Antibot challenge](#antibot-challenge)
|
||||
- [Tutorials and examples](#tutorials-and-examples)
|
||||
- [List of environment variables](#list-of-environment-variables)
|
||||
* [nginx](#nginx)
|
||||
+ [Misc](#misc)
|
||||
+ [Information leak](#information-leak)
|
||||
+ [Custom error pages](#custom-error-pages)
|
||||
+ [HTTP basic authentication](#http-basic-authentication)
|
||||
+ [Behind a reverse proxy](#behind-a-reverse-proxy)
|
||||
+ [Reverse proxy](#reverse-proxy)
|
||||
* [HTTPS](#https)
|
||||
+ [Let's Encrypt](#let-s-encrypt)
|
||||
+ [HTTP](#http)
|
||||
|
@ -49,6 +52,7 @@ Fooling automated tools/scanners :
|
|||
* [ModSecurity](#modsecurity)
|
||||
* [Security headers](#security-headers)
|
||||
* [Blocking](#blocking)
|
||||
+ [Antibot](#antibot)
|
||||
+ [External blacklist](#external-blacklist)
|
||||
+ [DNSBL](#dnsbl)
|
||||
+ [Custom whitelisting](#custom-whitelisting)
|
||||
|
@ -94,14 +98,23 @@ docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/cert
|
|||
```
|
||||
|
||||
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
|
||||
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
|
||||
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
|
||||
|
||||
Here you have three environment variables :
|
||||
- `SERVER_NAME` : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
|
||||
- `AUTO_LETS_ENCRYPT` : enable automatic Let's Encrypt creation and renewal of certificates
|
||||
- `REDIRECT_HTTP_TO_HTTPS` : enable HTTP to HTTPS redirection
|
||||
|
||||
## Reverse proxy
|
||||
## Behind a reverse proxy
|
||||
```shell
|
||||
docker run -p 80:80 -v /path/to/web/files:/www -e PROXY_REAL_IP=yes bunkerity/bunkerized-nginx
|
||||
```
|
||||
|
||||
The `PROXY_REAL_IP` environment variable, when set to *yes*, activates the [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html) to get the real client IP from the reverse proxy.
|
||||
|
||||
See [this section](#reverse-proxy) if you need to tweak some values (trusted ip/network, header, ...).
|
||||
|
||||
## As a reverse proxy
|
||||
You can setup a reverse proxy by adding your own custom configurations at server context.
|
||||
For example, this is a dummy reverse proxy configuration :
|
||||
```shell
|
||||
|
@ -125,8 +138,16 @@ Here you have three environment variables :
|
|||
- `SERVE_FILES` : nginx will not serve files from the /www directory
|
||||
- `DISABLE_DEFAULT_SERVER` : nginx will not respond to requests if Host header is not in the SERVER_NAME list
|
||||
|
||||
# Tutorials
|
||||
You will find some tutorials about bunkerized-nginx in our [blog](https://www.bunkerity.com/category/bunkerized-nginx/).
|
||||
## Antibot challenge
|
||||
```shell
|
||||
docker run -p 80:80 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerity/bunkerized-nginx
|
||||
```
|
||||
|
||||
When `USE_ANTIBOT` is set to *captcha*, every users visiting your website must complete a captcha before accessing the pages. Others challenges are also available : *cookie*, *javascript* or *recaptcha* (more info [here](#antibot)).
|
||||
|
||||
# Tutorials and examples
|
||||
|
||||
You will some docker-compose.yml examples in the [examples directory](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples) and tutorials about bunkerized-nginx in our [blog](https://www.bunkerity.com/category/bunkerized-nginx/).
|
||||
|
||||
# List of environment variables
|
||||
|
||||
|
@ -221,7 +242,7 @@ Values : *\<any valid text\>*
|
|||
Default value : *Restricted area*
|
||||
The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
|
||||
|
||||
### Behind a reverse proxy
|
||||
### Reverse proxy
|
||||
|
||||
`PROXY_REAL_IP`
|
||||
Values : *yes* | *no*
|
||||
|
@ -405,6 +426,42 @@ More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Conte
|
|||
|
||||
## Blocking
|
||||
|
||||
### Antibot
|
||||
|
||||
`USE_ANTIBOT`
|
||||
Values : *no* | *cookie* | *javascript* | *captcha* | *recaptcha*
|
||||
Default value : *no*
|
||||
If set to another allowed value than *no*, users must complete a "challenge" before accessing the pages on your website :
|
||||
- *cookie* : asks the users to set a cookie
|
||||
- *javascript* : users must execute a javascript code
|
||||
- *captcha* : a text captcha must be resolved by the users
|
||||
- *recaptcha* : use [Google reCAPTCHA v3](https://developers.google.com/recaptcha/intro) score to allow/deny users
|
||||
|
||||
`ANTIBOT_URI`
|
||||
Values : *\<any valid uri\>*
|
||||
Default value : */challenge*
|
||||
A valid and unused URI to redirect users when `USE_ANTIBOT` is used. Be sure that it doesn't exist on your website.
|
||||
|
||||
`ANTIBOT_SESSION_SECRET`
|
||||
Values : *random* | *\<32 chars of your choice\>*
|
||||
Default value : *random*
|
||||
A secret used to generate sessions when `USE_ANTIBOT is set. Using the special *random* value will generate a random one. Be sure to use the same value when you are in a multi-server environment (so sessions are valid in all the servers).
|
||||
|
||||
`ANTIBOT_RECAPTCHA_SCORE`
|
||||
Values : *\<0.0 to 1.0\>*
|
||||
Default value : *0.7*
|
||||
The minimum score required when `USE_ANTIBOT` is set to *recaptcha*.
|
||||
|
||||
`ANTIBOT_RECAPTCHA_SITEKEY`
|
||||
Values : *\<public key given by Google\>*
|
||||
Default value :
|
||||
The sitekey given by Google when `USE_ANTIBOT` is set to *recaptcha*.
|
||||
|
||||
`ANTIBOT_RECAPTCHA_SECRET`
|
||||
Values : *\<private key given by Google\>*
|
||||
Default value :
|
||||
The secret given by Google when `USE_ANTIBOT` is set to *recaptcha*.
|
||||
|
||||
### External blacklist
|
||||
|
||||
`BLOCK_USER_AGENT`
|
||||
|
@ -526,7 +583,6 @@ The IP addresses of the DNS resolvers to use when performing reverse DNS lookups
|
|||
|
||||
## PHP
|
||||
|
||||
|
||||
### Remote PHP
|
||||
`REMOTE_PHP`
|
||||
Values : *\<any valid IP/hostname\>*
|
||||
|
|
|
@ -152,9 +152,9 @@ SELF_SIGNED_SSL_STATE="${SELF_SIGNED_SSL_STATE-Switzerland}"
|
|||
SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
|
||||
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
|
||||
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
|
||||
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}"
|
||||
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-web}"
|
||||
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
|
||||
USE_ANTIBOT="${USE_ANTIBOT-cookie}"
|
||||
USE_ANTIBOT="${USE_ANTIBOT-no}"
|
||||
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
|
||||
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
|
||||
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
volumes:
|
||||
- ./web-files:/www
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REMOTE_PHP=myphp
|
||||
- REMOTE_PHP_PATH=/app
|
||||
|
||||
myphp:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web-files:/app
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "Hello World!";
|
||||
|
||||
?>
|
|
@ -0,0 +1,53 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mytraefik:
|
||||
image: traefik
|
||||
restart: always
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./traefik:/etc/traefik
|
||||
|
||||
mywww1:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web1:/www
|
||||
environment:
|
||||
- PROXY_REAL_IP=yes
|
||||
- REMOTE_PHP=myphp1
|
||||
- REMOTE_PHP_PATH=/app
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.port=80'
|
||||
- 'traefik.frontend.rule=Host:web1.domain.com # replace with your domain
|
||||
|
||||
mywww2:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web2:/www
|
||||
environment:
|
||||
- PROXY_REAL_IP=yes
|
||||
- REMOTE_PHP=myphp2
|
||||
- REMOTE_PHP_PATH=/app
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.port=80'
|
||||
- 'traefik.frontend.rule=Host:web2.domain.com # replace with your domain
|
||||
|
||||
myphp1:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web1:/app
|
||||
|
||||
myphp2:
|
||||
image: php:fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./web2:/app
|
|
@ -0,0 +1 @@
|
|||
todo
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "Web1 app.";
|
||||
|
||||
?>
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "Web2 app.";
|
||||
|
||||
?>
|
|
@ -0,0 +1,20 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
myreverse:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
volumes:
|
||||
- ./http-confs:/www
|
||||
environment:
|
||||
- SERVER_NAME=pma.domain.com app.domain.com # replace with your domains
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
|
||||
# TODO : pma + nodeJS ?
|
Loading…
Reference in New Issue