templating - started integration into docker image

This commit is contained in:
bunkerity 2021-05-26 14:50:50 +02:00
parent ec19f93081
commit a8bc17e836
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
115 changed files with 511 additions and 2490 deletions


@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY settings.json /opt
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \


@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY settings.json /opt
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \


@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY settings.json /opt
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \


@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY settings.json /opt
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \


@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
/tmp/dependencies.sh && \
rm -rf /tmp/dependencies.sh
COPY gen/ /opt/gen
COPY entrypoint/ /opt/entrypoint
COPY confs/ /opt/confs
COPY scripts/ /opt/scripts
COPY lua/ /usr/local/lib/lua
COPY antibot/ /antibot
COPY settings.json /opt
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && \


@ -1,15 +1,15 @@
location ~ ^%API_URI%/ping {
# todo : if api_uri == "random"
location ~ ^{{ API_URI }}/ping {
return 444;
}
location ~ ^%API_URI% {
location ~ {{ API_URI }} {
rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {%API_WHITELIST_IP%}
local api_uri = "%API_URI%"
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local api_uri = "{{ API_URI }}"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then
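Review bot: The API location regex lost its start anchor: `location ~ ^%API_URI% {` became `location ~ {{ API_URI }} {`, so any request whose URI merely contains the API_URI string now enters the rewrite_by_lua_block, while the ping location one line above keeps its `^`; restore `location ~ ^{{ API_URI }} {`. The value is also inserted into a regex and into a Lua string literal without escaping, which is unchanged from the `%...%` form but worth a comment in the template now that Jinja filters are available. The `API_WHITELIST_IP.split(" ")` list builder renders `{""}` rather than `{}` when the variable is empty, so `is_api_call` receives a one-element list holding an empty string unless it ignores such entries; the same construct is used in the next section and in the log-lua and main-lua templates of this commit. The location block continues outside the hunk.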


@ -1,8 +1,9 @@
# todo : if api_uri == "random"
rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {%API_WHITELIST_IP%}
local api_uri = "%API_URI%"
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local api_uri = "{{ API_URI }}"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then


@ -1,4 +0,0 @@
open_file_cache %CACHE%;
open_file_cache_errors %CACHE_ERRORS%;
open_file_cache_min_uses %CACHE_USES%;
open_file_cache_valid %CACHE_VALID%;


@ -5,6 +5,11 @@ geoip2 /etc/nginx/geoip.mmdb {
}
map $geoip2_data_country_code $allowed_country {
default %DEFAULT%;
%COUNTRY%
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
{% for country in WHITELIST_COUNTRY.split(" ") %}
{{ country }} yes;
{% endfor %}
{% for country in BLACKLIST_COUNTRY.split(" ") %}
{{ country }} no;
{% endfor %}
}
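Review bot: Each `split(" ")` loop emits a map entry even when its list is empty: with `WHITELIST_COUNTRY=""` the first loop renders a line containing only ` yes;`, which is not a valid `map` entry, and the blacklist loop behaves the same way, while the http-level include in nginx.conf only requires one of the two lists to be non-empty. Wrap each loop in a guard, e.g. `{% if WHITELIST_COUNTRY != "" %} ... {% endif %}`, as the `PROXY_REAL_IP_FROM` template in this commit already does. Country codes are also inserted unquoted, so a value containing a space or `;` would alter the map's structure; restricting them to two-letter codes when settings are validated would be prudent (assumption: validation lives in the generator, which is not shown here).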


@ -3,12 +3,12 @@ init_by_lua_block {
local dataloader = require "dataloader"
local logger = require "logger"
local use_proxies = %USE_PROXIES%
local use_abusers = %USE_ABUSERS%
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
local use_user_agents = %USE_USER_AGENTS%
local use_referrers = %USE_REFERRERS%
local use_crowdsec = %USE_CROWDSEC%
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
if use_proxies then
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)


@ -1,11 +1,13 @@
listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
ssl_certificate /etc/nginx/default-cert.pem;
ssl_certificate_key /etc/nginx/default-key.pem;
ssl_protocols %HTTPS_PROTOCOLS%;
ssl_protocols {{ HTTPS_PROTOCOLS }};
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
%SSL_DHPARAM%
%SSL_CIPHERS%
%LETS_ENCRYPT_WEBROOT%
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
{% endif %}
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
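Review bot: `include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;` on the last line is now unconditional, whereas the placeholder it replaces (`%LETS_ENCRYPT_WEBROOT%`) and the equivalent include in the per-server https template of this commit are conditional; if the generator does not always write that file, nginx fails on a missing include whenever Let's Encrypt is disabled. Guarding it with `{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}` would match the guard this commit uses for the default server's https include. Separately, this default server keeps `ssl_prefer_server_ciphers off;` while the per-server https template has `on` (a context line there, so pre-existing); the two should agree.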


@ -1,6 +1,7 @@
toto
server {
%LISTEN_HTTP%
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
server_name _;
%USE_HTTPS%
%MULTISITE_DISABLE_DEFAULT_SERVER%
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
}
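Review bot: The first line of the new file is the bare token `toto`, which looks like a leftover debugging marker; nginx will most likely reject the rendered config with an unknown-directive error, so the line should be removed. The rest of the hunk only replaces `%...%` placeholders with Jinja conditionals and raises no other point.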


@ -26,11 +26,11 @@ pcre_jit on;
include /etc/nginx/modules/*.conf;
# max open files for each worker
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
events {
# max connections per worker
worker_connections %WORKER_CONNECTIONS%;
worker_connections {{ WORKER_CONNECTIONS }};
# epoll seems to be the best on Linux
use epoll;
@ -51,9 +51,9 @@ http {
default_type application/octet-stream;
# write logs to local syslog
log_format logf '%LOG_FORMAT%';
log_format logf '{{ LOG_FORMAT }}';
access_log /var/log/access.log logf;
error_log /var/log/error.log %LOG_LEVEL%;
error_log /var/log/error.log {{ LOG_LEVEL }};
# temp paths
proxy_temp_path /tmp/proxy_temp;
@ -72,36 +72,39 @@ http {
send_timeout 10;
# resolvers to use
resolver %DNS_RESOLVERS% ipv6=off;
resolver {{ DNS_RESOLVERS }} ipv6=off;
# remove ports when sending redirects
port_in_redirect off;
# lua path and dicts
lua_package_path "/usr/local/lib/lua/?.lua;;";
%WHITELIST_IP_CACHE%
%WHITELIST_REVERSE_CACHE%
%BLACKLIST_IP_CACHE%
%BLACKLIST_REVERSE_CACHE%
%DNSBL_CACHE%
%BLOCK_PROXIES%
%BLOCK_ABUSERS%
%BLOCK_TOR_EXIT_NODES%
%BLOCK_USER_AGENTS%
%BLOCK_REFERRERS%
%BAD_BEHAVIOR%
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
# shared memory zone for limit_req
%LIMIT_REQ_ZONE%
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
# shared memory zone for limit_conn
%LIMIT_CONN_ZONE%
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
# whitelist or blacklist country
%USE_COUNTRY%
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
# zone for proxy_cache
%PROXY_CACHE_PATH%
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
# custom http confs
include /http-confs/*.conf;
@ -110,11 +113,19 @@ http {
include /etc/nginx/init-lua.conf;
# default server when MULTISITE=yes
%MULTISITE_DEFAULT_SERVER%
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
# server config(s)
%INCLUDE_SERVER%
{% if SWARM_MODE == "no" %}
{% if MULTISITE == "yes" %}
{% for server_name in SERVER_NAME.split(" ") %}
include /etc/nginx/{{ server_name }}/server.conf;
{% endfor %}
{% else %}
include /etc/nginx/server.conf;
{% endif %}
{% endif %}
# API
%USE_API%
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
}
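Review bot: The geoip include, `{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}`, tests the global variables directly, while every neighbouring http-level toggle in the same hunk goes through `has_value(...)`, which presumably also consults per-server settings in multisite mode. If a country list is set only for one site, geoip.conf and its `map` are never included at http level, yet that site's main-lua template still derives `use_country = true` from its own variables, so the Lua code would reference a map variable that does not exist. A helper that reports whether any site sets a non-empty value (a non-empty counterpart of `has_value`) would keep the two templates in step; the same consideration applies to the `USE_ANTIBOT`-style toggles that are evaluated per server elsewhere in this commit.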


@ -1,4 +1,4 @@
location = %ANTIBOT_URI% {
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
@ -13,7 +13,7 @@ location = %ANTIBOT_URI% {
end
local img, res = captcha.get_challenge()
cookie.set({captchares = res})
local code = captcha.get_code(img, "%ANTIBOT_URI%")
local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
ngx.say(code)
}
}
@ -37,7 +37,7 @@ location = %ANTIBOT_URI% {
local check = captcha.check(captcha_user, cookie.get("captchares"))
if not check then
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
return ngx.redirect("%ANTIBOT_URI%")
return ngx.redirect("{{ ANTIBOT_URI }}")
end
cookie.set({captcha = "ok"})
return ngx.redirect(cookie.get("uri"))


@ -1,4 +1,4 @@
location = %ANTIBOT_URI% {
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
@ -12,7 +12,7 @@ location = %ANTIBOT_URI% {
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = cookie.get("challenge")
local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
ngx.say(code)
}
}


@ -1,4 +1,4 @@
location = %ANTIBOT_URI% {
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
@ -11,7 +11,7 @@ location = %ANTIBOT_URI% {
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
ngx.say(code)
}
}
@ -32,8 +32,8 @@ location = %ANTIBOT_URI% {
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local token = args["token"]
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
if check < %ANTIBOT_RECAPTCHA_SCORE% then
local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end


@ -1,2 +1,2 @@
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
auth_basic "{{ AUTH_BASIC_TEXT }}";
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
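Review bot: `auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;` drops the leading dot that `%NGINX_PREFIX%.htpasswd` had, so nginx now looks for `htpasswd` instead of `.htpasswd` under the prefix (assuming NGINX_PREFIX ends with `/`, as the other `{{ NGINX_PREFIX }}xxx.conf` includes in this commit imply). Make sure the generator writes the file under the new name, or restore `{{ NGINX_PREFIX }}.htpasswd`; the same line appears in the next section (the location-scoped auth-basic template).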


@ -1,4 +1,4 @@
location %AUTH_BASIC_LOCATION% {
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
location {{ AUTH_BASIC_LOCATION }} {
auth_basic "{{ AUTH_BASIC_TEXT }}";
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
}


@ -1,4 +1,4 @@
brotli on;
brotli_types %BROTLI_TYPES%;
brotli_comp_level %BROTLI_COMP_LEVEL%;
brotli_min_length %BROTLI_MIN_LENGTH%;
brotli_types {{ BROTLI_TYPES }};
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
brotli_min_length {{ BROTLI_MIN_LENGTH }};


@ -1,6 +1,6 @@
etag %CLIENT_CACHE_ETAG%;
etag {{ CLIENT_CACHE_ETAG }};
set $cache "";
if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
set $cache "%CLIENT_CACHE_CONTROL%";
if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
set $cache "{{ CLIENT_CACHE_CONTROL }}";
}
add_header Cache-Control $cache;


@ -1 +1 @@
more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";


@ -1 +1 @@
set_cookie_flag %COOKIE_FLAGS%;
set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
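Review bot: `{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %}` appends the Secure attribute regardless of whether HTTPS is actually configured for the server, which the server template in this commit decides from `AUTO_LETS_ENCRYPT`, `USE_CUSTOM_HTTPS` and `GENERATE_SELF_SIGNED_SSL`; on a plain-HTTP site browsers will not send Secure cookies back, so sessions silently break. If "auto" is meant to follow the HTTPS setting, extend the condition to `{% if COOKIE_AUTO_SECURE_FLAG == "yes" and (AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes") %}`; if it is meant as an explicit opt-in, the setting's name and description should say so.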


@ -1,7 +1,9 @@
listen 0.0.0.0:443 ssl %HTTP2%;
ssl_certificate %HTTPS_CUSTOM_CERT%;
ssl_certificate_key %HTTPS_CUSTOM_KEY%;
listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
ssl_certificate {{ HTTPS_CUSTOM_CERT }};
ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
%STRICT_TRANSPORT_SECURITY%
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}
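Review bot: The HTTP/2 toggle reads `HTTP2` here (`{% if HTTP2 == "yes" %}http2{% endif %}`) and in the https template, but `USE_HTTP2` in the multisite default-server template (`{% if USE_HTTP2 == "yes" %}`); only one of these can be a real setting name, so either the default server never negotiates HTTP/2 or the site servers never do. Pick the name from settings.json and use it in all three places. This template also hard-codes `listen 0.0.0.0:443 ssl`, whereas the https template listens on `{{ HTTPS_PORT }}`; if HTTPS_PORT is meant to apply to custom certificates as well, use it here.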


@ -1,3 +1,3 @@
if ($host !~ ^(%SERVER_NAME%)$) {
if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
return 444;
}


@ -1,7 +1,13 @@
error_page %CODE% %PAGE%;
{% if ERRORS != "" %}
{% for element in ERRORS.split(" ") %}
{% set code = element.split("=")[0] %}
{% set page = element.split("=")[1] %}
error_page {{ code }} {{ page }};
location = %PAGE% {
root %ROOT_FOLDER%;
location = {{ page }} {
root {{ ROOT_FOLDER }};
modsecurity off;
internal;
}
{% endfor %}
{% endif %}


@ -13,7 +13,7 @@ fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;


@ -1 +1 @@
more_set_headers "Feature-Policy: %FEATURE_POLICY%";
more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";


@ -1,4 +1,4 @@
gzip on;
gzip_comp_level %GZIP_COMP_LEVEL%;
gzip_min_length %GZIP_MIN_LENGTH%;
gzip_types %GZIP_TYPES%;
gzip_comp_level {{ GZIP_COMP_LEVEL }};
gzip_min_length {{ GZIP_MIN_LENGTH }};
gzip_types {{ GZIP_TYPES }};


@ -1,12 +1,18 @@
listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
ssl_certificate %HTTPS_CERT%;
ssl_certificate_key %HTTPS_KEY%;
ssl_protocols %HTTPS_PROTOCOLS%;
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
ssl_certificate {{ HTTPS_CERT }};
ssl_certificate_key {{ HTTPS_KEY }};
ssl_protocols {{ HTTPS_PROTOCOLS }};
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
%STRICT_TRANSPORT_SECURITY%
%SSL_DHPARAM%
%SSL_CIPHERS%
%LETS_ENCRYPT_WEBROOT%
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
{% endif %}
{% if AUTO_LETS_ENCRYPT %}
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
{% endif %}
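Review bot: `{% if AUTO_LETS_ENCRYPT %}` tests the truthiness of the string, so any non-empty value, including `"no"`, pulls in `lets-encrypt-webroot.conf`; every other guard in this commit compares `== "yes"`, and this one should too: `{% if AUTO_LETS_ENCRYPT == "yes" %}`. Also note the context line `ssl_prefer_server_ciphers on;` disagrees with the `off` used by the multisite default-server https template added in the same commit; pre-existing, but the two should be aligned deliberately rather than by accident.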


@ -1 +1 @@
limit_conn ddos %LIMIT_CONN_MAX%;
limit_conn ddos {{ LIMIT_CONN_MAX }};


@ -1,3 +1,3 @@
limit_req_status 429;
limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;


@ -1,12 +1,12 @@
log_by_lua_block {
-- bad behavior
local use_bad_behavior = %USE_BAD_BEHAVIOR%
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
local behavior = require "behavior"
local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%}
local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
if use_bad_behavior then
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)


@ -1,51 +1,55 @@
set $session_secret %ANTIBOT_SESSION_SECRET%;
{% if ANTIBOT_SESSION_SECRET == "random" %}
set $session_secret {{ random(32) }} ;
{% else %}
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
{% endif %}
set $session_check_addr on;
access_by_lua_block {
-- let's encrypt
local use_lets_encrypt = %USE_LETS_ENCRYPT%
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
-- external blacklists
local use_user_agents = %USE_USER_AGENTS%
local use_proxies = %USE_PROXIES%
local use_abusers = %USE_ABUSERS%
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
local use_referrers = %USE_REFERRERS%
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
-- countries
local use_country = %USE_COUNTRY%
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
-- crowdsec
local use_crowdsec = %USE_CROWDSEC%
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
-- antibot
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
-- resolvers
local dns_resolvers = {%DNS_RESOLVERS%}
local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- whitelist
local use_whitelist_ip = %USE_WHITELIST_IP%
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local whitelist_ip_list = {%WHITELIST_IP_LIST%}
local whitelist_reverse_list = {%WHITELIST_REVERSE_LIST%}
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- blacklist
local use_blacklist_ip = %USE_BLACKLIST_IP%
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
local blacklist_ip_list = {%BLACKLIST_IP_LIST%}
local blacklist_reverse_list = {%BLACKLIST_REVERSE_LIST%}
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- dnsbl
local use_dnsbl = %USE_DNSBL%
local dnsbl_list = {%DNSBL_LIST%}
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- bad behavior
local use_bad_behavior = %USE_BAD_BEHAVIOR%
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
-- include LUA code
local whitelist = require "whitelist"
@ -60,9 +64,9 @@ local behavior = require "behavior"
local logger = require "logger"
-- user variables
local antibot_uri = "%ANTIBOT_URI%"
local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
local whitelist_uri = {%WHITELIST_URI%}
local antibot_uri = "{{ ANTIBOT_URI }}"
local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
@ -291,8 +295,10 @@ ngx.exit(ngx.OK)
}
%INCLUDE_ANTIBOT_JAVASCRIPT%
%INCLUDE_ANTIBOT_CAPTCHA%
%INCLUDE_ANTIBOT_RECAPTCHA%
{% if USE_ANTIBOT == "javascript" %}
include {{ NGINX_PREFIX }}antibot-javascript.conf;
{% elif USE_ANTIBOT == "captcha" %}
include {{ NGINX_PREFIX }}antibot-captcha.conf;
{% elif USE_ANTIBOT == "recaptcha" %}
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
{% endif %}
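Review bot: `set $session_secret {{ random(32) }} ;` at the top of the first hunk makes the antibot session secret depend on a template helper whose implementation is not part of this commit; if `random()` is built on a non-cryptographic PRNG the secret is guessable, so confirm it draws from a CSPRNG (Python's `secrets` module, for instance). Both branches also emit the value unquoted, so a secret containing whitespace or `;` changes the directive; `set $session_secret "{{ ANTIBOT_SESSION_SECRET }}";` is safer, and the stray space before `;` in the random branch looks like a leftover. The `split(" ")` list builders (`DNS_RESOLVERS`, `WHITELIST_IP_LIST`, `DNSBL_LIST`, `WHITELIST_USER_AGENT`, ...) render `{""}` rather than `{}` when the variable is empty, so unless every consumer ignores empty strings each should be wrapped in `{% if X != "" %}` or the loop should skip empty elements. The access_by_lua_block begins in the first hunk and continues outside the shown hunks.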


@ -49,17 +49,35 @@ SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# log usefull stuff
SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
# scan uploaded files with clamv
%USE_CLAMAV_UPLOAD%
{% if USE_CLAMAV_UPLOAD == "yes" %}
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
{% endif %}
# include OWASP CRS configuration
{% if USE_MODSECURITY_CRS == "yes" %}
include /opt/owasp/crs.conf
# custom CRS configurations before loading rules (exclusions)
{% if is_custom_conf("/modsec-crs-confs") %}
include /modsec-crs-confs/*.conf
{% endif %}
{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
{% endif %}
# include OWASP CRS rules
%MODSECURITY_INCLUDE_CRS%
%MODSECURITY_INCLUDE_CUSTOM_CRS%
%MODSECURITY_INCLUDE_CRS_RULES%
include /opt/owasp/crs/*.conf
{% endif %}
# include custom rules
%MODSECURITY_INCLUDE_CUSTOM_RULES%
# custom rules after loading the CRS
{% if is_custom_conf("/modsec-confs") %}
include /modsec-confs/*.conf
{% endif %}
{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
include /modsec-confs/{{ FIRST_SERVER }}/*.conf
{% endif %}


@ -1,2 +1,2 @@
modsecurity on;
modsecurity_rules_file %MODSEC_RULES_FILE%;
modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;


@ -1,4 +1,4 @@
open_file_cache %OPEN_FILE_CACHE%;
open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
open_file_cache {{ OPEN_FILE_CACHE }};
open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};


@ -1 +1 @@
more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";


@ -1,4 +1,4 @@
location ~ \.php$ {
fastcgi_pass %REMOTE_PHP%:9000;
fastcgi_pass {{ REMOTE_PHP }}:9000;
fastcgi_index index.php;
}


@ -1,7 +1,11 @@
proxy_cache proxycache;
proxy_cache_methods %PROXY_CACHE_METHODS%;
proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
proxy_cache_key %PROXY_CACHE_KEY%;
proxy_no_cache %PROXY_NO_CACHE%;
proxy_cache_bypass %PROXY_CACHE_BYPASS%;
%PROXY_CACHE_VALID%
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
proxy_cache_key {{ PROXY_CACHE_KEY }};
proxy_no_cache {{ PROXY_NO_CACHE }};
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
{% if PROXY_CACHE_VALID != "" %}
{% for element in PROXY_CACHE_VALID.split(" ") %}
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
{% endfor %}
{% endif %}


@ -1,4 +1,8 @@
%PROXY_REAL_IP_FROM%
real_ip_header %PROXY_REAL_IP_HEADER%;
real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
{% if PROXY_REAL_IP_FROM != "" %}
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
set_real_ip_from {{ element }};
{% endfor %}
{% endif %}
real_ip_header {{ PROXY_REAL_IP_HEADER }};
real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};


@ -1 +1 @@
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";


@ -1,7 +1,25 @@
location %REVERSE_PROXY_URL% {
{% if USE_REVERSE_PROXY == "yes" %}
{% for k, v in all.items() %}
{% if k.startswith("REVERSE_PROXY_URL") %}
{% set url = v %}
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
location {{ url }} {% raw %}{{% endraw %}
etag off;
proxy_pass %REVERSE_PROXY_HOST%;
%REVERSE_PROXY_HEADERS%
%REVERSE_PROXY_WS%
%REVERSE_PROXY_CUSTOM_HEADERS%
}
proxy_pass {{ host }};
include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
{% if ws == "yes" %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if headers != "" %}
{% for header in headers.split(";") %}
proxy_set_header {{ header }};
{% endfor %}
{% endif %}
{% raw %}}{% endraw %}
{% endif %}
{% endfor %}
{% endif %}
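Review bot: `proxy_pass {{ host }};` is emitted even when the matching `REVERSE_PROXY_HOST*` key is absent, because `host` then defaults to `""` and the output is `proxy_pass ;`, which nginx rejects at startup; skip the location in that case with `{% if host != "" %}` around the block, or make the render fail with a clear message. Iterating `all.items()` assumes the generator exposes every setting under `all`, which is not shown here and should be confirmed. Each entry of `headers.split(";")` becomes a single `proxy_set_header {{ header }};` line, so an operator-supplied value containing spaces must be quoted in the setting itself; that constraint belongs in the setting's description.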


@ -1,3 +1,3 @@
root %ROOT_FOLDER%;
root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
index index.html index.php;
try_files $uri $uri/ =404;
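Review bot: `root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};` appends the first server name unconditionally, whereas the per-site includes elsewhere in this commit (`/pre-server-confs/{{ FIRST_SERVER }}/`, `/server-confs/{{ FIRST_SERVER }}/`) only do so under `{% if MULTISITE == "yes" %}`; in single-site mode the document root therefore moves from `ROOT_FOLDER` to `ROOT_FOLDER/<server name>`, a behaviour change relative to the replaced `%ROOT_FOLDER%` line unless the generator already accounts for it. Consider `root {{ ROOT_FOLDER }}{% if MULTISITE == "yes" %}/{{ FIRST_SERVER }}{% endif %};`.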


@ -1,41 +1,177 @@
%PRE_SERVER_CONF%
# custom config before server block
include /pre-server-confs/*.conf;
{% if MULTISITE == "yes" %}
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
{% endif %}
server {
%FASTCGI_PATH%
%SERVER_CONF%
%PROXY_REAL_IP%
%INCLUDE_LUA%
%USE_MODSECURITY%
%LISTEN_HTTP%
%USE_HTTPS%
%REDIRECT_HTTP_TO_HTTPS%
server_name %SERVER_NAME%;
%DISABLE_DEFAULT_SERVER%
%SERVE_FILES%
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
{
# FastCGI variables
{% if REMOTE_PHP != "" %}
include {{ NGINX_PREFIX }}fastcgi.conf;
{% endif %}
# custom config
include /server-confs/*.conf;
{% if MULTISITE == "yes" %}
include /server-confs/{{ FIRST_SERVER }}/*.conf;
{% endif %}
# proxy real IP
{% if PROXY_REAL_IP == "yes" %}
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
{% endif %}
# include LUA files
include {{ NGINX_PREFIX }}main-lua.conf;
include {{ NGINX_PREFIX }}log-lua.conf;
# ModSecurity
{% if USE_MODSECURITY == "yes" %}
include {{ NGINX_PREFIX }}modsecurity.conf;
{% endif %}
# HTTP listen
{% if LISTEN_HTTP == "yes" %}
listen 0.0.0.0:{{ HTTP_PORT }};
{% endif %}
# HTTPS listen + config
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
include {{ NGINX_PREFIX }}https.conf;
{% endif %}
# HTTP to HTTPS
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
{% endif %}
# server name (vhost)
server_name {{ SERVER_NAME }};
# disable default server
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
include {{ NGINX_PREFIX }}disable-default-server.conf;
{% endif %}
# serve local files
{% if SERVE_FILES == "yes" %}
include {{ NGINX_PREFIX}}serve-files.conf;
{% endif %}
# allowed HTTP methods
if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
return 405;
}
%LIMIT_REQ%
%LIMIT_CONN%
%AUTH_BASIC%
%REMOVE_HEADERS%
%X_FRAME_OPTIONS%
%X_XSS_PROTECTION%
%X_CONTENT_TYPE_OPTIONS%
%CONTENT_SECURITY_POLICY%
%REFERRER_POLICY%
%FEATURE_POLICY%
%PERMISSIONS_POLICY%
%COOKIE_FLAGS%
%ERRORS%
%USE_CLIENT_CACHE%
%USE_GZIP%
%USE_BROTLI%
client_max_body_size %MAX_CLIENT_SIZE%;
server_tokens %SERVER_TOKENS%;
%USE_OPEN_FILE_CACHE%
%USE_PROXY_CACHE%
%USE_REVERSE_PROXY%
%USE_PHP%
# requests limiting
{% if USE_LIMIT_REQ == "yes" %}
include {{ NGINX_PREFIX }}limit-req.conf;
{% endif %}
# connections limiting
{% if USE_LIMIT_CONN == "yes" %}
include {{ NGINX_PREFIX }}limit-conn.conf;
{% endif %}
# auth basic
{% if USE_AUTH_BASIC == "yes" %}
{% if AUTH_BASIC_LOCATION == "sitewide" %}
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
{% else %}
include {{ NGINX_PREFIX }}auth-basic.conf;
{% endif %}
{% endif %}
# remove headers
{% if REMOVE_HEADERS != "" %}
{% for header in REMOVE_HEADERS.split(" ") %}
more_clear_headers '{{ header }}';
{% endfor %}
{% endif %}
# X-Frame-Option header
{% if X_FRAME_OPTIONS != "" %}
include {{ NGINX_PREFIX }}x-frame-options.conf;
{% endif %}
# X-XSS-Protection header
{% if X_XSS_PROTECTION != "" %}
include {{ NGINX_PREFIX }}x-xss-protection.conf;
{% endif %}
# X-Content-Type header
{% if X_CONTENT_TYPE_OPTIONS != "" %}
include {{ NGINX_PREFIX }}x-content-type-options.conf;
{% endif %}
# Content-Security-Policy header
{% if CONTENT_SECURITY_POLICY != "" %}
include {{ NGINX_PREFIX }}content-security-policy.conf;
{% endif %}
# Referrer-Policy header
{% if REFERRER_POLICY != "" %}
include {{ NGINX_PREFIX }}referrer-policy.conf;
{% endif %}
# Feature-Policy header
{% if FEATURE_POLICY != "" %}
include {{ NGINX_PREFIX }}feature-policy.conf;
{% endif %}
# Permissions-Policy header
{% if PERMISSIONS_POLICY != "" %}
include {{ NGINX_PREFIX }}permissions-policy.conf;
{% endif %}
# cookie flags
{% if COOKIE_FLAGS != "" %}
include {{ NGINX_PREFIX }}cookie-flags.conf;
{% endif %}
# custom errors
include {{ NGINX_PREFIX }}error.conf;
# client caching
{% if USE_CLIENT_CACHE == "yes" %}
include {{ NGINX_PREFIX }}client-cache.conf;
{% endif %}
# gzip compression
{% if USE_GZIP == "yes" %}
include {{ NGINX_PREFIX }}gzip.conf;
{% endif %}
# brotli compression
{% if USE_GZIP == "yes" %}
include {{ NGINX_PREFIX }}gzip.conf;
{% endif %}
# maximum body size
client_max_body_size {{ MAX_CLIENT_SIZE }};
# enable/disable showing version
server_tokens {{ SERVER_TOKENS }};
# open file caching
{% if USE_OPEN_FILE_CACHE == "yes" %}
include {{ NGINX_PREFIX }}open-file-cache.conf;
{% endif %}
# proxy caching
{% if USE_PROXY_CACHE == "yes" %}
include {{ NGINX_PREFIX }}proxy-cache.conf;
{% endif %}
# reverse proxy
{% if USE_REVERSE_PROXY == "yes" %}
include {{ NGINX_PREFIX }}reverse-proxy.conf;
{% endif %}
# remote PHP
{% if REMOTE_PHP != "" %}
include {{ NGINX_PREFIX }}php.conf;
{% endif %}
}
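Review bot: The `# brotli compression` block tests `USE_GZIP` and includes `gzip.conf` a second time, a copy-paste of the block directly above it; with `USE_GZIP=yes` nginx rejects the duplicate `gzip on;` directive, and with `USE_BROTLI=yes` nothing is included at all. It should read `{% if USE_BROTLI == "yes" %}` / `include {{ NGINX_PREFIX }}brotli.conf;` (assuming the brotli template in this commit is written under that name). Minor: `{{ NGINX_PREFIX}}serve-files.conf` lacks the space before `}}`, which Jinja accepts but is inconsistent with the rest of the file.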


@ -1 +1 @@
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
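Review bot: The templated value on the new line (presumably the `{{ X_CONTENT_TYPE_OPTIONS }}` form that replaces the `%X_CONTENT_TYPE_OPTIONS%` placeholder) is emitted verbatim inside a double-quoted nginx string, so a setting containing a double quote, a `;` or a line break would break the generated config or terminate the directive early unless the generator rejects such values; the X-Frame-Options and X-XSS-Protection hunks below have the same shape. Exposure is limited to whoever supplies the settings, but nothing on this line records that assumption. A template comment such as `# value is inserted unescaped: the generator must reject quotes and line breaks` would document the contract, and an allow-list check where the settings are read would enforce it.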


@ -1 +1 @@
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";


@ -1 +1 @@
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";


@ -1,32 +0,0 @@
# todo : if api_uri == "random"
location ~ ^{{ API_URI }}/ping {
return 444;
}
location ~ {{ API_URI }} {
rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local api_uri = "{{ API_URI }}"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}
}


@ -1,24 +0,0 @@
# todo : if api_uri == "random"
rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local api_uri = "{{ API_URI }}"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
ngx.exit(ngx.HTTP_OK)
end
ngx.exit(ngx.OK)
}


@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----


@ -1,15 +0,0 @@
geoip2 /etc/nginx/geoip.mmdb {
auto_reload 5m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
{% for country in WHITELIST_COUNTRY.split(" ") %}
{{ country }} yes;
{% endfor %}
{% for country in BLACKLIST_COUNTRY.split(" ") %}
{{ country }} no;
{% endfor %}
}


@ -1,43 +0,0 @@
init_by_lua_block {
local dataloader = require "dataloader"
local logger = require "logger"
local use_proxies = {% if USE_PROXIES == "yes" %}true{% else %}false{% endif %}
local use_abusers = {% if USE_ABUSERS == "yes" %}true{% else %}false{% endif %}
local use_tor_exit_nodes = {% if USE_TOR_EXIT_NODES == "yes" %}true{% else %}false{% endif %}
local use_user_agents = {% if USE_USER_AGENTS == "yes" %}true{% else %}false{% endif %}
local use_referrers = {% if USE_REFERRERS == "yes" %}true{% else %}false{% endif %}
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
if use_proxies then
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
end
if use_abusers then
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
end
if use_tor_exit_nodes then
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
end
if use_user_agents then
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
end
if use_referrers then
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
end
if use_crowdsec then
local cs = require "crowdsec.CrowdSec"
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
if ok == nil then
logger.log(ngx.ERR, "CROWDSEC", err)
error()
end
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
end
}


@ -1,13 +0,0 @@
listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
ssl_certificate /etc/nginx/default-cert.pem;
ssl_certificate_key /etc/nginx/default-key.pem;
ssl_protocols {{ HTTPS_PROTOCOLS }};
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
{% endif %}
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;


@ -1,3 +0,0 @@
location ~ ^/.well-known/acme-challenge/ {
root /acme-challenge;
}


@ -1,7 +0,0 @@
toto
server {
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
server_name _;
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
}


@ -1,3 +0,0 @@
location / {
return 444;
}


@ -1,30 +0,0 @@
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
daemon on;
pid /tmp/nginx-temp.pid;
events {
worker_connections 1024;
use epoll;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
lua_package_path "/usr/local/lib/lua/?.lua;;";
server {
listen 0.0.0.0:%HTTP_PORT% default_server;
server_name _;
location ~ ^/.well-known/acme-challenge/ {
root /acme-challenge;
}
%USE_API%
location / {
return 444;
}
}
}


@ -1,131 +0,0 @@
# /etc/nginx/nginx.conf
# load dynamic modules
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
# run in foreground
daemon off;
# PID file
pid /tmp/nginx.pid;
# worker number = CPU core(s)
worker_processes auto;
# faster regexp
pcre_jit on;
# config files for dynamic modules
include /etc/nginx/modules/*.conf;
# max open files for each worker
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
events {
# max connections per worker
worker_connections {{ WORKER_CONNECTIONS }};
# epoll seems to be the best on Linux
use epoll;
}
http {
# zero copy within the kernel
sendfile on;
# send packets only if filled
tcp_nopush on;
# remove 200ms delay
tcp_nodelay on;
# load mime types and set default one
include /etc/nginx/mime.types;
default_type application/octet-stream;
# write logs to local syslog
log_format logf '{{ LOG_FORMAT }}';
access_log /var/log/access.log logf;
error_log /var/log/error.log {{ LOG_LEVEL }};
# temp paths
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
# close connections in FIN_WAIT1 state
reset_timedout_connection on;
# timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 15;
send_timeout 10;
# resolvers to use
resolver {{ DNS_RESOLVERS }} ipv6=off;
# remove ports when sending redirects
port_in_redirect off;
# lua path and dicts
lua_package_path "/usr/local/lib/lua/?.lua;;";
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
# shared memory zone for limit_req
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
# shared memory zone for limit_conn
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
# whitelist or blacklist country
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
# zone for proxy_cache
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
# custom http confs
include /http-confs/*.conf;
# LUA init block
include /etc/nginx/init-lua.conf;
# default server when MULTISITE=yes
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
# server config(s)
{% if SWARM_MODE == "no" %}
{% if MULTISITE == "yes" %}
{% for server_name in SERVER_NAME.split(" ") %}
include /etc/nginx/{{ server_name }}/server.conf;
{% endfor %}
{% else %}
include /etc/nginx/server.conf;
{% endif %}
{% endif %}
# API
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
}


@ -1,46 +0,0 @@
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
if ($request_method = GET) {
content_by_lua_block {
local cookie = require "cookie"
local captcha = require "captcha"
local logger = require "logger"
if not cookie.is_set("uri") then
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local img, res = captcha.get_challenge()
cookie.set({captchares = res})
local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
ngx.say(code)
}
}
if ($request_method = POST) {
access_by_lua_block {
local cookie = require "cookie"
local captcha = require "captcha"
local logger = require "logger"
if not cookie.is_set("captchares") then
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["captcha"] then
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local captcha_user = args["captcha"]
local check = captcha.check(captcha_user, cookie.get("captchares"))
if not check then
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
return ngx.redirect("{{ ANTIBOT_URI }}")
end
cookie.set({captcha = "ok"})
return ngx.redirect(cookie.get("uri"))
}
}
}


@ -1,45 +0,0 @@
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
if ($request_method = GET) {
content_by_lua_block {
local cookie = require "cookie"
local javascript = require "javascript"
local logger = require "logger"
if not cookie.is_set("challenge") then
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = cookie.get("challenge")
local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
ngx.say(code)
}
}
if ($request_method = POST) {
content_by_lua_block {
local cookie = require "cookie"
local javascript = require "javascript"
local logger = require "logger"
if not cookie.is_set("challenge") then
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["challenge"] then
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = args["challenge"]
local check = javascript.check(cookie.get("challenge"), challenge)
if not check then
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({javascript = "ok"})
return ngx.exit(ngx.OK)
}
}
}


@ -1,44 +0,0 @@
location = {{ ANTIBOT_URI }} {
default_type 'text/html';
if ($request_method = GET) {
content_by_lua_block {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
local loggger = require "logger"
if not cookie.is_set("uri") then
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
ngx.say(code)
}
}
if ($request_method = POST) {
access_by_lua_block {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
local logger = require "logger"
if not cookie.is_set("uri") then
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["token"] then
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local token = args["token"]
local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({recaptcha = "ok"})
return ngx.redirect(cookie.get("uri"))
}
}
}


@ -1,2 +0,0 @@
auth_basic "{{ AUTH_BASIC_TEXT }}";
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;


@ -1,4 +0,0 @@
location {{ AUTH_BASIC_LOCATION }} {
auth_basic "{{ AUTH_BASIC_TEXT }}";
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
}


@ -1,4 +0,0 @@
brotli on;
brotli_types {{ BROTLI_TYPES }};
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
brotli_min_length {{ BROTLI_MIN_LENGTH }};


@ -1,6 +0,0 @@
etag {{ CLIENT_CACHE_ETAG }};
set $cache "";
if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
set $cache "{{ CLIENT_CACHE_CONTROL }}";
}
add_header Cache-Control $cache;


@ -1 +0,0 @@
more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";


@ -1 +0,0 @@
set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};


@ -1,9 +0,0 @@
listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
ssl_certificate {{ HTTPS_CUSTOM_CERT }};
ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}


@ -1,3 +0,0 @@
if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
return 444;
}


@ -1,13 +0,0 @@
{% if ERRORS != "" %}
{% for element in ERRORS.split(" ") %}
{% set code = element.split("=")[0] %}
{% set page = element.split("=")[1] %}
error_page {{ code }} {{ page }};
location = {{ page }} {
root {{ ROOT_FOLDER }};
modsecurity off;
internal;
}
{% endfor %}
{% endif %}


@ -1,25 +0,0 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;


@ -1 +0,0 @@
more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";


@ -1,4 +0,0 @@
gzip on;
gzip_comp_level {{ GZIP_COMP_LEVEL }};
gzip_min_length {{ GZIP_MIN_LENGTH }};
gzip_types {{ GZIP_TYPES }};


@ -1,18 +0,0 @@
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
ssl_certificate {{ HTTPS_CERT }};
ssl_certificate_key {{ HTTPS_KEY }};
ssl_protocols {{ HTTPS_PROTOCOLS }};
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
{% endif %}
{% if AUTO_LETS_ENCRYPT %}
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
{% endif %}


@ -1,3 +0,0 @@
location ~ ^/.well-known/acme-challenge/ {
root /acme-challenge;
}


@ -1 +0,0 @@
limit_conn ddos {{ LIMIT_CONN_MAX }};


@ -1,3 +0,0 @@
limit_req_status 429;
limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;


@ -1,15 +0,0 @@
log_by_lua_block {
-- bad behavior
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
local behavior = require "behavior"
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
if use_bad_behavior then
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
end
}


@ -1,304 +0,0 @@
{% if ANTIBOT_SESSION_SECRET == "random" %}
set $session_secret {{ random(32) }} ;
{% else %}
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
{% endif %}
set $session_check_addr on;
access_by_lua_block {
-- let's encrypt
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
-- external blacklists
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
-- countries
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
-- crowdsec
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
-- antibot
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
-- resolvers
local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- whitelist
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- blacklist
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- dnsbl
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- bad behavior
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
-- include LUA code
local whitelist = require "whitelist"
local blacklist = require "blacklist"
local dnsbl = require "dnsbl"
local cookie = require "cookie"
local javascript = require "javascript"
local captcha = require "captcha"
local recaptcha = require "recaptcha"
local iputils = require "resty.iputils"
local behavior = require "behavior"
local logger = require "logger"
-- user variables
local antibot_uri = "{{ ANTIBOT_URI }}"
local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
ngx.exit(ngx.OK)
end
if use_whitelist_reverse and whitelist.reverse_cached_ok() then
ngx.exit(ngx.OK)
end
-- check if already in blacklist cache
if use_blacklist_ip and blacklist.ip_cached_ko() then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
if use_blacklist_reverse and blacklist.reverse_cached_ko() then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- check if already in dnsbl cache
if use_dnsbl and dnsbl.cached_ko() then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- check if IP is whitelisted (only if not in cache)
if use_whitelist_ip and not whitelist.ip_cached() then
if whitelist.check_ip(whitelist_ip_list) then
ngx.exit(ngx.OK)
end
end
-- check if reverse is whitelisted (only if not in cache)
if use_whitelist_reverse and not whitelist.reverse_cached() then
if whitelist.check_reverse(whitelist_reverse_list) then
ngx.exit(ngx.OK)
end
end
-- check if URI is whitelisted
for k, v in pairs(whitelist_uri) do
if ngx.var.request_uri == v then
logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
ngx.exit(ngx.OK)
end
end
-- check if it's certbot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
ngx.exit(ngx.OK)
end
-- check if IP is blacklisted (only if not in cache)
if use_blacklist_ip and not blacklist.ip_cached() then
if blacklist.check_ip(blacklist_ip_list) then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if reverse is blacklisted (only if not in cache)
if use_blacklist_reverse and not blacklist.reverse_cached() then
if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if IP is banned because of "bad behavior"
if use_bad_behavior and behavior.is_banned() then
logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- check if IP is in proxies list
if use_proxies then
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if IP is in abusers list
if use_abusers then
local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if IP is in TOR exit nodes list
if use_tor_exit_nodes then
local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if user-agent is allowed
if use_user_agents and ngx.var.http_user_agent ~= nil then
local whitelisted = false
for k, v in pairs(whitelist_user_agent) do
if string.match(ngx.var.http_user_agent, v) then
logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
whitelisted = true
break
end
end
if not whitelisted then
local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
if value == nil then
local patterns = ngx.shared.user_agents_data:get_keys(0)
for i, pattern in ipairs(patterns) do
if string.match(ngx.var.http_user_agent, pattern) then
value = "ko"
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
break
end
end
if value == nil then
value = "ok"
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
end
end
if value == "ko" then
logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
end
-- check if referrer is allowed
if use_referrer and ngx.var.http_referer ~= nil then
local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
if value == nil then
local patterns = ngx.shared.referrers_data:get_keys(0)
for i, pattern in ipairs(patterns) do
if string.match(ngx.var.http_referer, pattern) then
value = "ko"
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
break
end
end
if value == nil then
value = "ok"
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
end
end
if value == "ko" then
logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if country is allowed
if use_country and ngx.var.allowed_country == "no" then
logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- check if IP is in DNSBLs (only if not in cache)
if use_dnsbl and not dnsbl.cached() then
if dnsbl.check(dnsbl_list, dns_resolvers) then
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if IP is in CrowdSec DB
if use_crowdsec then
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
if ok == nil then
logger.log(ngx.ERR, "CROWDSEC", err)
end
if not ok then
logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- cookie check
if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
if not cookie.is_set("uri") then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
else
if ngx.var.request_uri == antibot_uri then
return ngx.redirect(cookie.get("uri"))
end
end
end
-- javascript check
if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
if not cookie.is_set("javascript") then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
return ngx.redirect(antibot_uri)
end
end
end
-- captcha check
if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
if not cookie.is_set("captcha") then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
end
end
-- recaptcha check
if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
if not cookie.is_set("recaptcha") then
if ngx.var.request_uri ~= antibot_uri then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
end
end
ngx.exit(ngx.OK)
}
{% if USE_ANTIBOT == "javascript" %}
include {{ NGINX_PREFIX }}antibot-javascript.conf;
{% elif USE_ANTIBOT == "captcha" %}
include {{ NGINX_PREFIX }}antibot-captcha.conf;
{% elif USE_ANTIBOT == "recaptcha" %}
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
{% endif %}


@ -1,4 +0,0 @@
SecUploadDir /tmp
SecUploadKeepFiles On
SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"


@ -1,83 +0,0 @@
# process rules with disruptive actions
SecRuleEngine On
# allow body checks
SecRequestBodyAccess On
# enable XML parsing
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# enable JSON parsing
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# maximum data size
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# reject requests if bigger than max data size
SecRequestBodyLimitAction Reject
# reject if we can't process the body
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# be strict with multipart/form-data body
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# enable response body checks
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# log usefull stuff
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
# scan uploaded files with clamv
{% if USE_CLAMAV_UPLOAD == "yes" %}
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
{% endif %}
# include OWASP CRS configuration
{% if USE_MODSECURITY_CRS == "yes" %}
include /opt/owasp/crs.conf
# custom CRS configurations before loading rules (exclusions)
{% if is_custom_conf("/modsec-crs-confs") %}
include /modsec-crs-confs/*.conf
{% endif %}
{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
{% endif %}
# include OWASP CRS rules
include /opt/owasp/crs/*.conf
{% endif %}
# custom rules after loading the CRS
{% if is_custom_conf("/modsec-confs") %}
include /modsec-confs/*.conf
{% endif %}
{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
include /modsec-confs/{{ FIRST_SERVER }}/*.conf
{% endif %}


@ -1,2 +0,0 @@
modsecurity on;
modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;


@ -1,4 +0,0 @@
open_file_cache {{ OPEN_FILE_CACHE }};
open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};


@ -1 +0,0 @@
more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";


@ -1,4 +0,0 @@
location ~ \.php$ {
fastcgi_pass {{ REMOTE_PHP }}:9000;
fastcgi_index index.php;
}


@ -1,11 +0,0 @@
proxy_cache proxycache;
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
proxy_cache_key {{ PROXY_CACHE_KEY }};
proxy_no_cache {{ PROXY_NO_CACHE }};
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
{% if PROXY_CACHE_VALID != "" %}
{% for element in PROXY_CACHE_VALID.split(" ") %}
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
{% endfor %}
{% endif %}


@ -1,8 +0,0 @@
{% if PROXY_REAL_IP_FROM != "" %}
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
set_real_ip_from {{ element }};
{% endfor %}
{% endif %}
real_ip_header {{ PROXY_REAL_IP_HEADER }};
real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};


@ -1,3 +0,0 @@
if ($scheme = http) {
return 301 https://$host$request_uri;
}


@ -1 +0,0 @@
more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";


@ -1,6 +0,0 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;


@ -1,25 +0,0 @@
{% if USE_REVERSE_PROXY == "yes" %}
{% for k, v in all.items() %}
{% if k.startswith("REVERSE_PROXY_URL") %}
{% set url = v %}
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
location {{ url }} {% raw %}{{% endraw %}
etag off;
proxy_pass {{ host }};
include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
{% if ws == "yes" %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if headers != "" %}
{% for header in headers.split(";") %}
proxy_set_header {{ header }};
{% endfor %}
{% endif %}
{% raw %}}{% endraw %}
{% endif %}
{% endfor %}
{% endif %}


@ -1,3 +0,0 @@
root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
index index.html index.php;
try_files $uri $uri/ =404;


@ -1,177 +0,0 @@
# custom config before server block
include /pre-server-confs/*.conf;
{% if MULTISITE == "yes" %}
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
{% endif %}
server {
# FastCGI variables
{% if REMOTE_PHP != "" %}
include {{ NGINX_PREFIX }}fastcgi.conf;
{% endif %}
# custom config
include /server-confs/*.conf;
{% if MULTISITE == "yes" %}
include /server-confs/{{ FIRST_SERVER }}/*.conf;
{% endif %}
# proxy real IP
{% if PROXY_REAL_IP == "yes" %}
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
{% endif %}
# include LUA files
include {{ NGINX_PREFIX }}main-lua.conf;
include {{ NGINX_PREFIX }}log-lua.conf;
# ModSecurity
{% if USE_MODSECURITY == "yes" %}
include {{ NGINX_PREFIX }}modsecurity.conf;
{% endif %}
# HTTP listen
{% if LISTEN_HTTP == "yes" %}
listen 0.0.0.0:{{ HTTP_PORT }};
{% endif %}
# HTTPS listen + config
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
include {{ NGINX_PREFIX }}https.conf;
{% endif %}
# HTTP to HTTPS
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
{% endif %}
# server name (vhost)
server_name {{ SERVER_NAME }};
# disable default server
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
include {{ NGINX_PREFIX }}disable-default-server.conf;
{% endif %}
# serve local files
{% if SERVE_FILES == "yes" %}
include {{ NGINX_PREFIX}}serve-files.conf;
{% endif %}
# allowed HTTP methods
if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
return 405;
}
# requests limiting
{% if USE_LIMIT_REQ == "yes" %}
include {{ NGINX_PREFIX }}limit-req.conf;
{% endif %}
# connections limiting
{% if USE_LIMIT_CONN == "yes" %}
include {{ NGINX_PREFIX }}limit-conn.conf;
{% endif %}
# auth basic
{% if USE_AUTH_BASIC == "yes" %}
{% if AUTH_BASIC_LOCATION == "sitewide" %}
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
{% else %}
include {{ NGINX_PREFIX }}auth-basic.conf;
{% endif %}
{% endif %}
# remove headers
{% if REMOVE_HEADERS != "" %}
{% for header in REMOVE_HEADERS.split(" ") %}
more_clear_headers '{{ header }}';
{% endfor %}
{% endif %}
# X-Frame-Option header
{% if X_FRAME_OPTIONS != "" %}
include {{ NGINX_PREFIX }}x-frame-options.conf;
{% endif %}
# X-XSS-Protection header
{% if X_XSS_PROTECTION != "" %}
include {{ NGINX_PREFIX }}x-xss-protection.conf;
{% endif %}
# X-Content-Type header
{% if X_CONTENT_TYPE != "" %}
include {{ NGINX_PREFIX }}x-content-type.conf;
{% endif %}
# Content-Security-Policy header
{% if CONTENT_SECURITY_POLICY != "" %}
include {{ NGINX_PREFIX }}content-security-policy.conf;
{% endif %}
# Referrer-Policy header
{% if REFERRER_POLICY != "" %}
include {{ NGINX_PREFIX }}referrer-policy.conf;
{% endif %}
# Feature-Policy header
{% if FEATURE_POLICY != "" %}
include {{ NGINX_PREFIX }}feature-policy.conf;
{% endif %}
# Permissions-Policy header
{% if PERMISSIONS_POLICY != "" %}
include {{ NGINX_PREFIX }}permissions-policy.conf;
{% endif %}
# cookie flags
{% if COOKIE_FLAGS != "" %}
include {{ NGINX_PREFIX }}cookie-flags.conf;
{% endif %}
# custom errors
include {{ NGINX_PREFIX }}error.conf;
# client caching
{% if USE_CLIENT_CACHE == "yes" %}
include {{ NGINX_PREFIX }}client-cache.conf;
{% endif %}
# gzip compression
{% if USE_GZIP == "yes" %}
include {{ NGINX_PREFIX }}gzip.conf;
{% endif %}
# brotli compression
{% if USE_GZIP == "yes" %}
include {{ NGINX_PREFIX }}gzip.conf;
{% endif %}
# maximum body size
client_max_body_size {{ MAX_CLIENT_SIZE }};
# enable/disable showing version
server_tokens {{ SERVER_TOKENS }};
# open file caching
{% if USE_OPEN_FILE_CACHE == "yes" %}
include {{ NGINX_PREFIX }}open-file-cache.conf;
{% endif %}
# proxy caching
{% if USE_PROXY_CACHE == "yes" %}
include {{ NGINX_PREFIX }}proxy-cache.conf;
{% endif %}
# reverse proxy
{% if USE_REVERSE_PROXY == "yes" %}
include {{ NGINX_PREFIX }}reverse-proxy.conf;
{% endif %}
# remote PHP
{% if REMOTE_PHP != "" %}
include {{ NGINX_PREFIX }}php.conf;
{% endif %}
}


@ -1 +0,0 @@
more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
