templating - started integration into docker image
This commit is contained in:
parent
ec19f93081
commit
a8bc17e836
|
@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
|
|||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
|
|||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \
|
|||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -18,11 +18,13 @@ RUN chmod +x /tmp/dependencies.sh && \
|
|||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -11,11 +11,13 @@ RUN chmod +x /tmp/dependencies.sh && \
|
|||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY gen/ /opt/gen
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY lua/ /usr/local/lib/lua
|
||||
COPY antibot/ /antibot
|
||||
COPY settings.json /opt
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
|
||||
location ~ ^%API_URI%/ping {
|
||||
# todo : if api_uri == "random"
|
||||
location ~ ^{{ API_URI }}/ping {
|
||||
return 444;
|
||||
}
|
||||
|
||||
location ~ ^%API_URI% {
|
||||
location ~ {{ API_URI }} {
|
||||
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {%API_WHITELIST_IP%}
|
||||
local api_uri = "%API_URI%"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
# todo : if api_uri == "random"
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {%API_WHITELIST_IP%}
|
||||
local api_uri = "%API_URI%"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
open_file_cache %CACHE%;
|
||||
open_file_cache_errors %CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %CACHE_USES%;
|
||||
open_file_cache_valid %CACHE_VALID%;
|
|
@ -5,6 +5,11 @@ geoip2 /etc/nginx/geoip.mmdb {
|
|||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default %DEFAULT%;
|
||||
%COUNTRY%
|
||||
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
|
||||
{% for country in WHITELIST_COUNTRY.split(" ") %}
|
||||
{{ country }} yes;
|
||||
{% endfor %}
|
||||
{% for country in BLACKLIST_COUNTRY.split(" ") %}
|
||||
{{ country }} no;
|
||||
{% endfor %}
|
||||
}
|
||||
|
|
|
@ -3,12 +3,12 @@ init_by_lua_block {
|
|||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_proxies = {% if has_value("BLOCK_PROXIES", "yes") %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif %}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
|
|
|
@ -1,11 +1,13 @@
|
|||
listen 0.0.0.0:%HTTPS_PORT% default_server ssl %HTTP2%;
|
||||
listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate /etc/nginx/default-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/default-key.pem;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
toto
|
||||
server {
|
||||
%LISTEN_HTTP%
|
||||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
|
||||
server_name _;
|
||||
%USE_HTTPS%
|
||||
%MULTISITE_DISABLE_DEFAULT_SERVER%
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
|
||||
}
|
||||
|
|
|
@ -26,11 +26,11 @@ pcre_jit on;
|
|||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
|
||||
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections %WORKER_CONNECTIONS%;
|
||||
worker_connections {{ WORKER_CONNECTIONS }};
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
|
@ -51,9 +51,9 @@ http {
|
|||
default_type application/octet-stream;
|
||||
|
||||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
log_format logf '{{ LOG_FORMAT }}';
|
||||
access_log /var/log/access.log logf;
|
||||
error_log /var/log/error.log %LOG_LEVEL%;
|
||||
error_log /var/log/error.log {{ LOG_LEVEL }};
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
|
@ -72,36 +72,39 @@ http {
|
|||
send_timeout 10;
|
||||
|
||||
# resolvers to use
|
||||
resolver %DNS_RESOLVERS% ipv6=off;
|
||||
resolver {{ DNS_RESOLVERS }} ipv6=off;
|
||||
|
||||
# remove ports when sending redirects
|
||||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
%WHITELIST_IP_CACHE%
|
||||
%WHITELIST_REVERSE_CACHE%
|
||||
%BLACKLIST_IP_CACHE%
|
||||
%BLACKLIST_REVERSE_CACHE%
|
||||
%DNSBL_CACHE%
|
||||
%BLOCK_PROXIES%
|
||||
%BLOCK_ABUSERS%
|
||||
%BLOCK_TOR_EXIT_NODES%
|
||||
%BLOCK_USER_AGENTS%
|
||||
%BLOCK_REFERRERS%
|
||||
%BAD_BEHAVIOR%
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
|
||||
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
|
||||
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
%LIMIT_CONN_ZONE%
|
||||
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
|
||||
|
||||
# whitelist or blacklist country
|
||||
%USE_COUNTRY%
|
||||
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
|
||||
|
||||
# zone for proxy_cache
|
||||
%PROXY_CACHE_PATH%
|
||||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
|
@ -110,11 +113,19 @@ http {
|
|||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
%MULTISITE_DEFAULT_SERVER%
|
||||
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
|
||||
|
||||
# server config(s)
|
||||
%INCLUDE_SERVER%
|
||||
{% if SWARM_MODE == "no" %}
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% for server_name in SERVER_NAME.split(" ") %}
|
||||
include /etc/nginx/{{ server_name }}/server.conf;
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
include /etc/nginx/server.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# API
|
||||
%USE_API%
|
||||
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -13,7 +13,7 @@ location = %ANTIBOT_URI% {
|
|||
end
|
||||
local img, res = captcha.get_challenge()
|
||||
cookie.set({captchares = res})
|
||||
local code = captcha.get_code(img, "%ANTIBOT_URI%")
|
||||
local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ location = %ANTIBOT_URI% {
|
|||
local check = captcha.check(captcha_user, cookie.get("captchares"))
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.redirect("%ANTIBOT_URI%")
|
||||
return ngx.redirect("{{ ANTIBOT_URI }}")
|
||||
end
|
||||
cookie.set({captcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -12,7 +12,7 @@ location = %ANTIBOT_URI% {
|
|||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = cookie.get("challenge")
|
||||
local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
|
||||
local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
|
@ -11,7 +11,7 @@ location = %ANTIBOT_URI% {
|
|||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
|
||||
local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
@ -32,8 +32,8 @@ location = %ANTIBOT_URI% {
|
|||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local token = args["token"]
|
||||
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
|
||||
if check < %ANTIBOT_RECAPTCHA_SCORE% then
|
||||
local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
|
||||
if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location %AUTH_BASIC_LOCATION% {
|
||||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file %NGINX_PREFIX%.htpasswd;
|
||||
location {{ AUTH_BASIC_LOCATION }} {
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
brotli on;
|
||||
brotli_types %BROTLI_TYPES%;
|
||||
brotli_comp_level %BROTLI_COMP_LEVEL%;
|
||||
brotli_min_length %BROTLI_MIN_LENGTH%;
|
||||
brotli_types {{ BROTLI_TYPES }};
|
||||
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
|
||||
brotli_min_length {{ BROTLI_MIN_LENGTH }};
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
etag %CLIENT_CACHE_ETAG%;
|
||||
etag {{ CLIENT_CACHE_ETAG }};
|
||||
set $cache "";
|
||||
if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
|
||||
set $cache "%CLIENT_CACHE_CONTROL%";
|
||||
if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
|
||||
set $cache "{{ CLIENT_CACHE_CONTROL }}";
|
||||
}
|
||||
add_header Cache-Control $cache;
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
|
||||
more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
set_cookie_flag %COOKIE_FLAGS%;
|
||||
set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CUSTOM_CERT%;
|
||||
ssl_certificate_key %HTTPS_CUSTOM_KEY%;
|
||||
listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CUSTOM_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
if ($host !~ ^(%SERVER_NAME%)$) {
|
||||
if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
|
||||
return 444;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,13 @@
|
|||
error_page %CODE% %PAGE%;
|
||||
{% if ERRORS != "" %}
|
||||
{% for element in ERRORS.split(" ") %}
|
||||
{% set code = element.split("=")[0] %}
|
||||
{% set page = element.split("=")[1] %}
|
||||
error_page {{ code }} {{ page }};
|
||||
|
||||
location = %PAGE% {
|
||||
root %ROOT_FOLDER%;
|
||||
location = {{ page }} {
|
||||
root {{ ROOT_FOLDER }};
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
@ -13,7 +13,7 @@ fastcgi_param REQUEST_SCHEME $scheme;
|
|||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
fastcgi_param SERVER_SOFTWARE nginx;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Feature-Policy: %FEATURE_POLICY%";
|
||||
more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
gzip on;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_types %GZIP_TYPES%;
|
||||
gzip_comp_level {{ GZIP_COMP_LEVEL }};
|
||||
gzip_min_length {{ GZIP_MIN_LENGTH }};
|
||||
gzip_types {{ GZIP_TYPES }};
|
||||
|
|
|
@ -1,12 +1,18 @@
|
|||
listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
|
||||
ssl_certificate %HTTPS_CERT%;
|
||||
ssl_certificate_key %HTTPS_KEY%;
|
||||
ssl_protocols %HTTPS_PROTOCOLS%;
|
||||
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_KEY }};
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
||||
%SSL_DHPARAM%
|
||||
%SSL_CIPHERS%
|
||||
%LETS_ENCRYPT_WEBROOT%
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
{% if AUTO_LETS_ENCRYPT %}
|
||||
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
|
||||
{% endif %}
|
||||
|
|
|
@ -1 +1 @@
|
|||
limit_conn ddos %LIMIT_CONN_MAX%;
|
||||
limit_conn ddos {{ LIMIT_CONN_MAX }};
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
limit_req_status 429;
|
||||
limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
|
||||
limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
log_by_lua_block {
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%}
|
||||
local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
|
||||
local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
|
||||
local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
|
||||
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
|
||||
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
|
||||
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
|
||||
|
||||
if use_bad_behavior then
|
||||
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
|
||||
|
|
|
@ -1,51 +1,55 @@
|
|||
set $session_secret %ANTIBOT_SESSION_SECRET%;
|
||||
{% if ANTIBOT_SESSION_SECRET == "random" %}
|
||||
set $session_secret {{ random(32) }} ;
|
||||
{% else %}
|
||||
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
|
||||
{% endif %}
|
||||
set $session_check_addr on;
|
||||
|
||||
access_by_lua_block {
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = %USE_LETS_ENCRYPT%
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- countries
|
||||
local use_country = %USE_COUNTRY%
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
|
||||
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
|
||||
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = {%DNS_RESOLVERS%}
|
||||
local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local whitelist_ip_list = {%WHITELIST_IP_LIST%}
|
||||
local whitelist_reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local blacklist_ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local blacklist_reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local dnsbl_list = {%DNSBL_LIST%}
|
||||
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
|
||||
local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
|
@ -60,9 +64,9 @@ local behavior = require "behavior"
|
|||
local logger = require "logger"
|
||||
|
||||
-- user variables
|
||||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
|
||||
local whitelist_uri = {%WHITELIST_URI%}
|
||||
local antibot_uri = "{{ ANTIBOT_URI }}"
|
||||
local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
|
@ -291,8 +295,10 @@ ngx.exit(ngx.OK)
|
|||
|
||||
}
|
||||
|
||||
%INCLUDE_ANTIBOT_JAVASCRIPT%
|
||||
|
||||
%INCLUDE_ANTIBOT_CAPTCHA%
|
||||
|
||||
%INCLUDE_ANTIBOT_RECAPTCHA%
|
||||
{% if USE_ANTIBOT == "javascript" %}
|
||||
include {{ NGINX_PREFIX }}antibot-javascript.conf;
|
||||
{% elif USE_ANTIBOT == "captcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-captcha.conf;
|
||||
{% elif USE_ANTIBOT == "recaptcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
|
||||
{% endif %}
|
||||
|
|
|
@ -49,17 +49,35 @@ SecResponseBodyLimit 524288
|
|||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
|
||||
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# scan uploaded files with clamv
|
||||
%USE_CLAMAV_UPLOAD%
|
||||
{% if USE_CLAMAV_UPLOAD == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS configuration
|
||||
{% if USE_MODSECURITY_CRS == "yes" %}
|
||||
include /opt/owasp/crs.conf
|
||||
|
||||
# custom CRS configurations before loading rules (exclusions)
|
||||
{% if is_custom_conf("/modsec-crs-confs") %}
|
||||
include /modsec-crs-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS rules
|
||||
%MODSECURITY_INCLUDE_CRS%
|
||||
%MODSECURITY_INCLUDE_CUSTOM_CRS%
|
||||
%MODSECURITY_INCLUDE_CRS_RULES%
|
||||
include /opt/owasp/crs/*.conf
|
||||
{% endif %}
|
||||
|
||||
# include custom rules
|
||||
%MODSECURITY_INCLUDE_CUSTOM_RULES%
|
||||
# custom rules after loading the CRS
|
||||
{% if is_custom_conf("/modsec-confs") %}
|
||||
include /modsec-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file %MODSEC_RULES_FILE%;
|
||||
modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
open_file_cache %OPEN_FILE_CACHE%;
|
||||
open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
|
||||
open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
|
||||
open_file_cache {{ OPEN_FILE_CACHE }};
|
||||
open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
|
||||
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
|
||||
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
|
||||
more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass %REMOTE_PHP%:9000;
|
||||
fastcgi_pass {{ REMOTE_PHP }}:9000;
|
||||
fastcgi_index index.php;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
proxy_cache proxycache;
|
||||
proxy_cache_methods %PROXY_CACHE_METHODS%;
|
||||
proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
|
||||
proxy_cache_key %PROXY_CACHE_KEY%;
|
||||
proxy_no_cache %PROXY_NO_CACHE%;
|
||||
proxy_cache_bypass %PROXY_CACHE_BYPASS%;
|
||||
%PROXY_CACHE_VALID%
|
||||
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
|
||||
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
|
||||
proxy_cache_key {{ PROXY_CACHE_KEY }};
|
||||
proxy_no_cache {{ PROXY_NO_CACHE }};
|
||||
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
|
||||
{% if PROXY_CACHE_VALID != "" %}
|
||||
{% for element in PROXY_CACHE_VALID.split(" ") %}
|
||||
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
%PROXY_REAL_IP_FROM%
|
||||
real_ip_header %PROXY_REAL_IP_HEADER%;
|
||||
real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
|
||||
{% if PROXY_REAL_IP_FROM != "" %}
|
||||
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
|
||||
set_real_ip_from {{ element }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
real_ip_header {{ PROXY_REAL_IP_HEADER }};
|
||||
real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
|
||||
more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
|
||||
|
|
|
@ -1,7 +1,25 @@
|
|||
location %REVERSE_PROXY_URL% {
|
||||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
{% for k, v in all.items() %}
|
||||
{% if k.startswith("REVERSE_PROXY_URL") %}
|
||||
{% set url = v %}
|
||||
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
|
||||
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
|
||||
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
|
||||
location {{ url }} {% raw %}{{% endraw %}
|
||||
etag off;
|
||||
proxy_pass %REVERSE_PROXY_HOST%;
|
||||
%REVERSE_PROXY_HEADERS%
|
||||
%REVERSE_PROXY_WS%
|
||||
%REVERSE_PROXY_CUSTOM_HEADERS%
|
||||
}
|
||||
proxy_pass {{ host }};
|
||||
include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
|
||||
{% if ws == "yes" %}
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
{% endif %}
|
||||
{% if headers != "" %}
|
||||
{% for header in headers.split(";") %}
|
||||
proxy_set_header {{ header }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% raw %}}{% endraw %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
root %ROOT_FOLDER%;
|
||||
root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
|
||||
index index.html index.php;
|
||||
try_files $uri $uri/ =404;
|
||||
|
|
|
@ -1,41 +1,177 @@
|
|||
%PRE_SERVER_CONF%
|
||||
# custom config before server block
|
||||
include /pre-server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
%FASTCGI_PATH%
|
||||
%SERVER_CONF%
|
||||
%PROXY_REAL_IP%
|
||||
%INCLUDE_LUA%
|
||||
%USE_MODSECURITY%
|
||||
%LISTEN_HTTP%
|
||||
%USE_HTTPS%
|
||||
%REDIRECT_HTTP_TO_HTTPS%
|
||||
server_name %SERVER_NAME%;
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
%SERVE_FILES%
|
||||
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
|
||||
{
|
||||
|
||||
# FastCGI variables
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}fastcgi.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom config
|
||||
include /server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy real IP
|
||||
{% if PROXY_REAL_IP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
|
||||
{% endif %}
|
||||
|
||||
# include LUA files
|
||||
include {{ NGINX_PREFIX }}main-lua.conf;
|
||||
include {{ NGINX_PREFIX }}log-lua.conf;
|
||||
|
||||
# ModSecurity
|
||||
{% if USE_MODSECURITY == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP listen
|
||||
{% if LISTEN_HTTP == "yes" %}
|
||||
listen 0.0.0.0:{{ HTTP_PORT }};
|
||||
{% endif %}
|
||||
|
||||
# HTTPS listen + config
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
|
||||
include {{ NGINX_PREFIX }}https.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP to HTTPS
|
||||
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
|
||||
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
|
||||
{% endif %}
|
||||
|
||||
# server name (vhost)
|
||||
server_name {{ SERVER_NAME }};
|
||||
|
||||
# disable default server
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
|
||||
include {{ NGINX_PREFIX }}disable-default-server.conf;
|
||||
{% endif %}
|
||||
|
||||
# serve local files
|
||||
{% if SERVE_FILES == "yes" %}
|
||||
include {{ NGINX_PREFIX}}serve-files.conf;
|
||||
{% endif %}
|
||||
|
||||
# allowed HTTP methods
|
||||
if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
|
||||
return 405;
|
||||
}
|
||||
%LIMIT_REQ%
|
||||
%LIMIT_CONN%
|
||||
%AUTH_BASIC%
|
||||
%REMOVE_HEADERS%
|
||||
%X_FRAME_OPTIONS%
|
||||
%X_XSS_PROTECTION%
|
||||
%X_CONTENT_TYPE_OPTIONS%
|
||||
%CONTENT_SECURITY_POLICY%
|
||||
%REFERRER_POLICY%
|
||||
%FEATURE_POLICY%
|
||||
%PERMISSIONS_POLICY%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
%USE_CLIENT_CACHE%
|
||||
%USE_GZIP%
|
||||
%USE_BROTLI%
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
%USE_OPEN_FILE_CACHE%
|
||||
%USE_PROXY_CACHE%
|
||||
%USE_REVERSE_PROXY%
|
||||
%USE_PHP%
|
||||
|
||||
# requests limiting
|
||||
{% if USE_LIMIT_REQ == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-req.conf;
|
||||
{% endif %}
|
||||
|
||||
# connections limiting
|
||||
{% if USE_LIMIT_CONN == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-conn.conf;
|
||||
{% endif %}
|
||||
|
||||
# auth basic
|
||||
{% if USE_AUTH_BASIC == "yes" %}
|
||||
{% if AUTH_BASIC_LOCATION == "sitewide" %}
|
||||
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
|
||||
{% else %}
|
||||
include {{ NGINX_PREFIX }}auth-basic.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# remove headers
|
||||
{% if REMOVE_HEADERS != "" %}
|
||||
{% for header in REMOVE_HEADERS.split(" ") %}
|
||||
more_clear_headers '{{ header }}';
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# X-Frame-Option header
|
||||
{% if X_FRAME_OPTIONS != "" %}
|
||||
include {{ NGINX_PREFIX }}x-frame-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-XSS-Protection header
|
||||
{% if X_XSS_PROTECTION != "" %}
|
||||
include {{ NGINX_PREFIX }}x-xss-protection.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-Content-Type header
|
||||
{% if X_CONTENT_TYPE_OPTIONS != "" %}
|
||||
include {{ NGINX_PREFIX }}x-content-type-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# Content-Security-Policy header
|
||||
{% if CONTENT_SECURITY_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}content-security-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Referrer-Policy header
|
||||
{% if REFERRER_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}referrer-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Feature-Policy header
|
||||
{% if FEATURE_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}feature-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Permissions-Policy header
|
||||
{% if PERMISSIONS_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}permissions-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# cookie flags
|
||||
{% if COOKIE_FLAGS != "" %}
|
||||
include {{ NGINX_PREFIX }}cookie-flags.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom errors
|
||||
include {{ NGINX_PREFIX }}error.conf;
|
||||
|
||||
# client caching
|
||||
{% if USE_CLIENT_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}client-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# gzip compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# brotli compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# maximum body size
|
||||
client_max_body_size {{ MAX_CLIENT_SIZE }};
|
||||
|
||||
# enable/disable showing version
|
||||
server_tokens {{ SERVER_TOKENS }};
|
||||
|
||||
# open file caching
|
||||
{% if USE_OPEN_FILE_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}open-file-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy caching
|
||||
{% if USE_PROXY_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# reverse proxy
|
||||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
include {{ NGINX_PREFIX }}reverse-proxy.conf;
|
||||
{% endif %}
|
||||
|
||||
# remote PHP
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}php.conf;
|
||||
{% endif %}
|
||||
|
||||
}
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
|
||||
more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
|
||||
more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
|
||||
|
|
|
@ -1 +1 @@
|
|||
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
|
||||
more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
# todo : if api_uri == "random"
|
||||
location ~ ^{{ API_URI }}/ping {
|
||||
return 444;
|
||||
}
|
||||
|
||||
location ~ {{ API_URI }} {
|
||||
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
ngx.header.content_type = 'text/plain'
|
||||
if api.do_api_call(api_uri) then
|
||||
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
|
||||
ngx.say("ok")
|
||||
else
|
||||
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
|
||||
ngx.say("ko")
|
||||
end
|
||||
|
||||
ngx.exit(ngx.HTTP_OK)
|
||||
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
}
|
||||
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
# todo : if api_uri == "random"
|
||||
rewrite_by_lua_block {
|
||||
|
||||
local api = require "api"
|
||||
local api_whitelist_ip = {% raw %}{{% endraw %}{% set elements = API_WHITELIST_IP.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local api_uri = "{{ API_URI }}"
|
||||
local logger = require "logger"
|
||||
|
||||
if api.is_api_call(api_uri, api_whitelist_ip) then
|
||||
ngx.header.content_type = 'text/plain'
|
||||
if api.do_api_call(api_uri) then
|
||||
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
|
||||
ngx.say("ok")
|
||||
else
|
||||
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
|
||||
ngx.say("ko")
|
||||
end
|
||||
|
||||
ngx.exit(ngx.HTTP_OK)
|
||||
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,15 +0,0 @@
|
|||
geoip2 /etc/nginx/geoip.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
|
||||
map $geoip2_data_country_code $allowed_country {
|
||||
default {% if WHITELIST_COUNTRY != "" %}no{% else %}yes{% endif %};
|
||||
{% for country in WHITELIST_COUNTRY.split(" ") %}
|
||||
{{ country }} yes;
|
||||
{% endfor %}
|
||||
{% for country in BLACKLIST_COUNTRY.split(" ") %}
|
||||
{{ country }} no;
|
||||
{% endfor %}
|
||||
}
|
|
@ -1,43 +0,0 @@
|
|||
init_by_lua_block {
|
||||
|
||||
local dataloader = require "dataloader"
|
||||
local logger = require "logger"
|
||||
|
||||
local use_proxies = {% if USE_PROXIES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if USE_ABUSERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if USE_TOR_EXIT_NODES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_user_agents = {% if USE_USER_AGENTS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if USE_REFERRERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
if use_proxies then
|
||||
dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
|
||||
end
|
||||
|
||||
if use_abusers then
|
||||
dataloader.load_ip("/etc/nginx/abusers.list", ngx.shared.abusers_data)
|
||||
end
|
||||
|
||||
if use_tor_exit_nodes then
|
||||
dataloader.load_ip("/etc/nginx/tor-exit-nodes.list", ngx.shared.tor_exit_nodes_data)
|
||||
end
|
||||
|
||||
if use_user_agents then
|
||||
dataloader.load_raw("/etc/nginx/user-agents.list", ngx.shared.user_agents_data)
|
||||
end
|
||||
|
||||
if use_referrers then
|
||||
dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
|
||||
end
|
||||
|
||||
if use_crowdsec then
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
error()
|
||||
end
|
||||
logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
|
||||
end
|
||||
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
listen 0.0.0.0:{{ HTTPS_PORT }} default_server ssl {% if USE_HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate /etc/nginx/default-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/default-key.pem;
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
|
|
@ -1,3 +0,0 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
toto
|
||||
server {
|
||||
{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif %}
|
||||
server_name _;
|
||||
{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif %}
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" %}include /etc/nginx/multisite-disable-default-server.conf;{% endif %}
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
location / {
|
||||
return 444;
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
|
||||
daemon on;
|
||||
|
||||
pid /tmp/nginx-temp.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
server {
|
||||
listen 0.0.0.0:%HTTP_PORT% default_server;
|
||||
server_name _;
|
||||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
||||
%USE_API%
|
||||
location / {
|
||||
return 444;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,131 +0,0 @@
|
|||
# /etc/nginx/nginx.conf
|
||||
|
||||
# load dynamic modules
|
||||
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
||||
|
||||
# run in foreground
|
||||
daemon off;
|
||||
|
||||
# PID file
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
# worker number = CPU core(s)
|
||||
worker_processes auto;
|
||||
|
||||
# faster regexp
|
||||
pcre_jit on;
|
||||
|
||||
# config files for dynamic modules
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
# max open files for each worker
|
||||
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections {{ WORKER_CONNECTIONS }};
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
# zero copy within the kernel
|
||||
sendfile on;
|
||||
|
||||
# send packets only if filled
|
||||
tcp_nopush on;
|
||||
|
||||
# remove 200ms delay
|
||||
tcp_nodelay on;
|
||||
|
||||
# load mime types and set default one
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# write logs to local syslog
|
||||
log_format logf '{{ LOG_FORMAT }}';
|
||||
access_log /var/log/access.log logf;
|
||||
error_log /var/log/error.log {{ LOG_LEVEL }};
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
# close connections in FIN_WAIT1 state
|
||||
reset_timedout_connection on;
|
||||
|
||||
# timeouts
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
# resolvers to use
|
||||
resolver {{ DNS_RESOLVERS }} ipv6=off;
|
||||
|
||||
# remove ports when sending redirects
|
||||
port_in_redirect off;
|
||||
|
||||
# lua path and dicts
|
||||
lua_package_path "/usr/local/lib/lua/?.lua;;";
|
||||
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
|
||||
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
|
||||
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
|
||||
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
|
||||
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
|
||||
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}
|
||||
|
||||
# shared memory zone for limit_req
|
||||
{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}
|
||||
|
||||
# shared memory zone for limit_conn
|
||||
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}
|
||||
|
||||
# whitelist or blacklist country
|
||||
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}
|
||||
|
||||
# zone for proxy_cache
|
||||
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
|
||||
# LUA init block
|
||||
include /etc/nginx/init-lua.conf;
|
||||
|
||||
# default server when MULTISITE=yes
|
||||
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}
|
||||
|
||||
# server config(s)
|
||||
{% if SWARM_MODE == "no" %}
|
||||
{% if MULTISITE == "yes" %}
|
||||
{% for server_name in SERVER_NAME.split(" ") %}
|
||||
include /etc/nginx/{{ server_name }}/server.conf;
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
include /etc/nginx/server.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# API
|
||||
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
|
||||
}
|
|
@ -1,46 +0,0 @@
|
|||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local captcha = require "captcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local img, res = captcha.get_challenge()
|
||||
cookie.set({captchares = res})
|
||||
local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
access_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local captcha = require "captcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("captchares") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["captcha"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local captcha_user = args["captcha"]
|
||||
local check = captcha.check(captcha_user, cookie.get("captchares"))
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.redirect("{{ ANTIBOT_URI }}")
|
||||
end
|
||||
cookie.set({captcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("challenge") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = cookie.get("challenge")
|
||||
local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("challenge") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["challenge"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = args["challenge"]
|
||||
local check = javascript.check(cookie.get("challenge"), challenge)
|
||||
if not check then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
cookie.set({javascript = "ok"})
|
||||
return ngx.exit(ngx.OK)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,44 +0,0 @@
|
|||
location = {{ ANTIBOT_URI }} {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local recaptcha = require "recaptcha"
|
||||
local loggger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
access_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local recaptcha = require "recaptcha"
|
||||
local logger = require "logger"
|
||||
if not cookie.is_set("uri") then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["token"] then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local token = args["token"]
|
||||
local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
|
||||
if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
|
||||
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
cookie.set({recaptcha = "ok"})
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,2 +0,0 @@
|
|||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
|
|
@ -1,4 +0,0 @@
|
|||
location {{ AUTH_BASIC_LOCATION }} {
|
||||
auth_basic "{{ AUTH_BASIC_TEXT }}";
|
||||
auth_basic_user_file {{ NGINX_PREFIX }}htpasswd;
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
brotli on;
|
||||
brotli_types {{ BROTLI_TYPES }};
|
||||
brotli_comp_level {{ BROTLI_COMP_LEVEL }};
|
||||
brotli_min_length {{ BROTLI_MIN_LENGTH }};
|
|
@ -1,6 +0,0 @@
|
|||
etag {{ CLIENT_CACHE_ETAG }};
|
||||
set $cache "";
|
||||
if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
|
||||
set $cache "{{ CLIENT_CACHE_CONTROL }}";
|
||||
}
|
||||
add_header Cache-Control $cache;
|
|
@ -1 +0,0 @@
|
|||
more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
|
|
@ -1 +0,0 @@
|
|||
set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
|
|
@ -1,9 +0,0 @@
|
|||
listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CUSTOM_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
|
@ -1,3 +0,0 @@
|
|||
if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
|
||||
return 444;
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
{% if ERRORS != "" %}
|
||||
{% for element in ERRORS.split(" ") %}
|
||||
{% set code = element.split("=")[0] %}
|
||||
{% set page = element.split("=")[1] %}
|
||||
error_page {{ code }} {{ page }};
|
||||
|
||||
location = {{ page }} {
|
||||
root {{ ROOT_FOLDER }};
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,25 +0,0 @@
|
|||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param REQUEST_SCHEME $scheme;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -1 +0,0 @@
|
|||
more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
|
|
@ -1,4 +0,0 @@
|
|||
gzip on;
|
||||
gzip_comp_level {{ GZIP_COMP_LEVEL }};
|
||||
gzip_min_length {{ GZIP_MIN_LENGTH }};
|
||||
gzip_types {{ GZIP_TYPES }};
|
|
@ -1,18 +0,0 @@
|
|||
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
||||
ssl_certificate {{ HTTPS_CERT }};
|
||||
ssl_certificate_key {{ HTTPS_KEY }};
|
||||
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
||||
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
||||
{% endif %}
|
||||
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
||||
ssl_dhparam /etc/nginx/dhparam;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
{% if AUTO_LETS_ENCRYPT %}
|
||||
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
|
||||
{% endif %}
|
|
@ -1,3 +0,0 @@
|
|||
location ~ ^/.well-known/acme-challenge/ {
|
||||
root /acme-challenge;
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
limit_conn ddos {{ LIMIT_CONN_MAX }};
|
|
@ -1,3 +0,0 @@
|
|||
limit_req_status 429;
|
||||
limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
log_by_lua_block {
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }}
|
||||
local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }}
|
||||
local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }}
|
||||
|
||||
if use_bad_behavior then
|
||||
behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
|
||||
end
|
||||
|
||||
}
|
|
@ -1,304 +0,0 @@
|
|||
{% if ANTIBOT_SESSION_SECRET == "random" %}
|
||||
set $session_secret {{ random(32) }} ;
|
||||
{% else %}
|
||||
set $session_secret {{ ANTIBOT_SESSION_SECRET }};
|
||||
{% endif %}
|
||||
set $session_check_addr on;
|
||||
|
||||
access_by_lua_block {
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
|
||||
local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
|
||||
local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
|
||||
local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
|
||||
local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- countries
|
||||
local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
|
||||
local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
|
||||
local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
|
||||
local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
|
||||
local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes" %}true{% else %}false{% endif %}
|
||||
local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
|
||||
local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
local blacklist = require "blacklist"
|
||||
local dnsbl = require "dnsbl"
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
local captcha = require "captcha"
|
||||
local recaptcha = require "recaptcha"
|
||||
local iputils = require "resty.iputils"
|
||||
local behavior = require "behavior"
|
||||
local logger = require "logger"
|
||||
|
||||
-- user variables
|
||||
local antibot_uri = "{{ ANTIBOT_URI }}"
|
||||
local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
|
||||
|
||||
-- check if already in whitelist cache
|
||||
if use_whitelist_ip and whitelist.ip_cached_ok() then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
if use_whitelist_reverse and whitelist.reverse_cached_ok() then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
|
||||
-- check if already in blacklist cache
|
||||
if use_blacklist_ip and blacklist.ip_cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
if use_blacklist_reverse and blacklist.reverse_cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if already in dnsbl cache
|
||||
if use_dnsbl and dnsbl.cached_ko() then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is whitelisted (only if not in cache)
|
||||
if use_whitelist_ip and not whitelist.ip_cached() then
|
||||
if whitelist.check_ip(whitelist_ip_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is whitelisted (only if not in cache)
|
||||
if use_whitelist_reverse and not whitelist.reverse_cached() then
|
||||
if whitelist.check_reverse(whitelist_reverse_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if URI is whitelisted
|
||||
for k, v in pairs(whitelist_uri) do
|
||||
if ngx.var.request_uri == v then
|
||||
logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if it's certbot
|
||||
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
|
||||
logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
|
||||
-- check if IP is blacklisted (only if not in cache)
|
||||
if use_blacklist_ip and not blacklist.ip_cached() then
|
||||
if blacklist.check_ip(blacklist_ip_list) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is blacklisted (only if not in cache)
|
||||
if use_blacklist_reverse and not blacklist.reverse_cached() then
|
||||
if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is banned because of "bad behavior"
|
||||
if use_bad_behavior and behavior.is_banned() then
|
||||
logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is in proxies list
|
||||
if use_proxies then
|
||||
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in abusers list
|
||||
if use_abusers then
|
||||
local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in TOR exit nodes list
|
||||
if use_tor_exit_nodes then
|
||||
local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
|
||||
if value ~= nil then
|
||||
logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if user-agent is allowed
|
||||
if use_user_agents and ngx.var.http_user_agent ~= nil then
|
||||
local whitelisted = false
|
||||
for k, v in pairs(whitelist_user_agent) do
|
||||
if string.match(ngx.var.http_user_agent, v) then
|
||||
logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
|
||||
whitelisted = true
|
||||
break
|
||||
end
|
||||
end
|
||||
if not whitelisted then
|
||||
local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
|
||||
if value == nil then
|
||||
local patterns = ngx.shared.user_agents_data:get_keys(0)
|
||||
for i, pattern in ipairs(patterns) do
|
||||
if string.match(ngx.var.http_user_agent, pattern) then
|
||||
value = "ko"
|
||||
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
|
||||
break
|
||||
end
|
||||
end
|
||||
if value == nil then
|
||||
value = "ok"
|
||||
ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
|
||||
end
|
||||
end
|
||||
if value == "ko" then
|
||||
logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- check if referrer is allowed
|
||||
if use_referrer and ngx.var.http_referer ~= nil then
|
||||
local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
|
||||
if value == nil then
|
||||
local patterns = ngx.shared.referrers_data:get_keys(0)
|
||||
for i, pattern in ipairs(patterns) do
|
||||
if string.match(ngx.var.http_referer, pattern) then
|
||||
value = "ko"
|
||||
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
|
||||
break
|
||||
end
|
||||
end
|
||||
if value == nil then
|
||||
value = "ok"
|
||||
ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
|
||||
end
|
||||
end
|
||||
if value == "ko" then
|
||||
logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if country is allowed
|
||||
if use_country and ngx.var.allowed_country == "no" then
|
||||
logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
-- check if IP is in DNSBLs (only if not in cache)
|
||||
if use_dnsbl and not dnsbl.cached() then
|
||||
if dnsbl.check(dnsbl_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if IP is in CrowdSec DB
|
||||
if use_crowdsec then
|
||||
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
|
||||
if ok == nil then
|
||||
logger.log(ngx.ERR, "CROWDSEC", err)
|
||||
end
|
||||
if not ok then
|
||||
logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- cookie check
|
||||
if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("uri") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
else
|
||||
if ngx.var.request_uri == antibot_uri then
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- javascript check
|
||||
if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("javascript") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- captcha check
|
||||
if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("captcha") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- recaptcha check
|
||||
if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
|
||||
if not cookie.is_set("recaptcha") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set({uri = ngx.var.request_uri})
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
ngx.exit(ngx.OK)
|
||||
|
||||
}
|
||||
|
||||
{% if USE_ANTIBOT == "javascript" %}
|
||||
include {{ NGINX_PREFIX }}antibot-javascript.conf;
|
||||
{% elif USE_ANTIBOT == "captcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-captcha.conf;
|
||||
{% elif USE_ANTIBOT == "recaptcha" %}
|
||||
include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
|
||||
{% endif %}
|
|
@ -1,4 +0,0 @@
|
|||
SecUploadDir /tmp
|
||||
SecUploadKeepFiles On
|
||||
SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
|
||||
"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"
|
|
@ -1,83 +0,0 @@
|
|||
# process rules with disruptive actions
|
||||
SecRuleEngine On
|
||||
|
||||
# allow body checks
|
||||
SecRequestBodyAccess On
|
||||
|
||||
# enable XML parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
|
||||
# enable JSON parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
||||
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||||
|
||||
# maximum data size
|
||||
SecRequestBodyLimit 13107200
|
||||
SecRequestBodyNoFilesLimit 131072
|
||||
|
||||
# reject requests if bigger than max data size
|
||||
SecRequestBodyLimitAction Reject
|
||||
|
||||
# reject if we can't process the body
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
|
||||
# be strict with multipart/form-data body
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
||||
msg:'Multipart request body failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
|
||||
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# enable response body checks
|
||||
SecResponseBodyAccess On
|
||||
SecResponseBodyMimeType text/plain text/html text/xml application/json
|
||||
SecResponseBodyLimit 524288
|
||||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/nginx/modsec_audit.log
|
||||
|
||||
# scan uploaded files with clamv
|
||||
{% if USE_CLAMAV_UPLOAD == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity-clamav.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS configuration
|
||||
{% if USE_MODSECURITY_CRS == "yes" %}
|
||||
include /opt/owasp/crs.conf
|
||||
|
||||
# custom CRS configurations before loading rules (exclusions)
|
||||
{% if is_custom_conf("/modsec-crs-confs") %}
|
||||
include /modsec-crs-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-crs-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
||||
|
||||
# include OWASP CRS rules
|
||||
include /opt/owasp/crs/*.conf
|
||||
{% endif %}
|
||||
|
||||
# custom rules after loading the CRS
|
||||
{% if is_custom_conf("/modsec-confs") %}
|
||||
include /modsec-confs/*.conf
|
||||
{% endif %}
|
||||
{% if MULTISITE == "yes" and is_custom_conf("/modsec-confs/" + FIRST_SERVER) %}
|
||||
include /modsec-confs/{{ FIRST_SERVER }}/*.conf
|
||||
{% endif %}
|
|
@ -1,2 +0,0 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;
|
|
@ -1,4 +0,0 @@
|
|||
open_file_cache {{ OPEN_FILE_CACHE }};
|
||||
open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
|
||||
open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
|
||||
open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
|
|
@ -1 +0,0 @@
|
|||
more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
|
|
@ -1,4 +0,0 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass {{ REMOTE_PHP }}:9000;
|
||||
fastcgi_index index.php;
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
proxy_cache proxycache;
|
||||
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
|
||||
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
|
||||
proxy_cache_key {{ PROXY_CACHE_KEY }};
|
||||
proxy_no_cache {{ PROXY_NO_CACHE }};
|
||||
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
|
||||
{% if PROXY_CACHE_VALID != "" %}
|
||||
{% for element in PROXY_CACHE_VALID.split(" ") %}
|
||||
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,8 +0,0 @@
|
|||
{% if PROXY_REAL_IP_FROM != "" %}
|
||||
{% for element in PROXY_REAL_IP_FROM.split(" ") %}
|
||||
set_real_ip_from {{ element }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
real_ip_header {{ PROXY_REAL_IP_HEADER }};
|
||||
real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
if ($scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
|
|
@ -1,6 +0,0 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
@ -1,25 +0,0 @@
|
|||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
{% for k, v in all.items() %}
|
||||
{% if k.startswith("REVERSE_PROXY_URL") %}
|
||||
{% set url = v %}
|
||||
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
|
||||
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
|
||||
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
|
||||
location {{ url }} {% raw %}{{% endraw %}
|
||||
etag off;
|
||||
proxy_pass {{ host }};
|
||||
include {{ NGINX_PREFIX }}reverse-proxy-headers.conf;
|
||||
{% if ws == "yes" %}
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
{% endif %}
|
||||
{% if headers != "" %}
|
||||
{% for header in headers.split(";") %}
|
||||
proxy_set_header {{ header }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% raw %}}{% endraw %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,3 +0,0 @@
|
|||
root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
|
||||
index index.html index.php;
|
||||
try_files $uri $uri/ =404;
|
|
@ -1,177 +0,0 @@
|
|||
# custom config before server block
|
||||
include /pre-server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
|
||||
# FastCGI variables
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}fastcgi.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom config
|
||||
include /server-confs/*.conf;
|
||||
{% if MULTISITE == "yes" %}
|
||||
include /server-confs/{{ FIRST_SERVER }}/*.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy real IP
|
||||
{% if PROXY_REAL_IP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-real-ip.conf;
|
||||
{% endif %}
|
||||
|
||||
# include LUA files
|
||||
include {{ NGINX_PREFIX }}main-lua.conf;
|
||||
include {{ NGINX_PREFIX }}log-lua.conf;
|
||||
|
||||
# ModSecurity
|
||||
{% if USE_MODSECURITY == "yes" %}
|
||||
include {{ NGINX_PREFIX }}modsecurity.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP listen
|
||||
{% if LISTEN_HTTP == "yes" %}
|
||||
listen 0.0.0.0:{{ HTTP_PORT }};
|
||||
{% endif %}
|
||||
|
||||
# HTTPS listen + config
|
||||
{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
|
||||
include {{ NGINX_PREFIX }}https.conf;
|
||||
{% endif %}
|
||||
|
||||
# HTTP to HTTPS
|
||||
{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
|
||||
include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
|
||||
{% endif %}
|
||||
|
||||
# server name (vhost)
|
||||
server_name {{ SERVER_NAME }};
|
||||
|
||||
# disable default server
|
||||
{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
|
||||
include {{ NGINX_PREFIX }}disable-default-server.conf;
|
||||
{% endif %}
|
||||
|
||||
# serve local files
|
||||
{% if SERVE_FILES == "yes" %}
|
||||
include {{ NGINX_PREFIX}}serve-files.conf;
|
||||
{% endif %}
|
||||
|
||||
# allowed HTTP methods
|
||||
if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
|
||||
return 405;
|
||||
}
|
||||
|
||||
# requests limiting
|
||||
{% if USE_LIMIT_REQ == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-req.conf;
|
||||
{% endif %}
|
||||
|
||||
# connections limiting
|
||||
{% if USE_LIMIT_CONN == "yes" %}
|
||||
include {{ NGINX_PREFIX }}limit-conn.conf;
|
||||
{% endif %}
|
||||
|
||||
# auth basic
|
||||
{% if USE_AUTH_BASIC == "yes" %}
|
||||
{% if AUTH_BASIC_LOCATION == "sitewide" %}
|
||||
include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
|
||||
{% else %}
|
||||
include {{ NGINX_PREFIX }}auth-basic.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# remove headers
|
||||
{% if REMOVE_HEADERS != "" %}
|
||||
{% for header in REMOVE_HEADERS.split(" ") %}
|
||||
more_clear_headers '{{ header }}';
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# X-Frame-Option header
|
||||
{% if X_FRAME_OPTIONS != "" %}
|
||||
include {{ NGINX_PREFIX }}x-frame-options.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-XSS-Protection header
|
||||
{% if X_XSS_PROTECTION != "" %}
|
||||
include {{ NGINX_PREFIX }}x-xss-protection.conf;
|
||||
{% endif %}
|
||||
|
||||
# X-Content-Type header
|
||||
{% if X_CONTENT_TYPE != "" %}
|
||||
include {{ NGINX_PREFIX }}x-content-type.conf;
|
||||
{% endif %}
|
||||
|
||||
# Content-Security-Policy header
|
||||
{% if CONTENT_SECURITY_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}content-security-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Referrer-Policy header
|
||||
{% if REFERRER_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}referrer-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Feature-Policy header
|
||||
{% if FEATURE_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}feature-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# Permissions-Policy header
|
||||
{% if PERMISSIONS_POLICY != "" %}
|
||||
include {{ NGINX_PREFIX }}permissions-policy.conf;
|
||||
{% endif %}
|
||||
|
||||
# cookie flags
|
||||
{% if COOKIE_FLAGS != "" %}
|
||||
include {{ NGINX_PREFIX }}cookie-flags.conf;
|
||||
{% endif %}
|
||||
|
||||
# custom errors
|
||||
include {{ NGINX_PREFIX }}error.conf;
|
||||
|
||||
# client caching
|
||||
{% if USE_CLIENT_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}client-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# gzip compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# brotli compression
|
||||
{% if USE_GZIP == "yes" %}
|
||||
include {{ NGINX_PREFIX }}gzip.conf;
|
||||
{% endif %}
|
||||
|
||||
# maximum body size
|
||||
client_max_body_size {{ MAX_CLIENT_SIZE }};
|
||||
|
||||
# enable/disable showing version
|
||||
server_tokens {{ SERVER_TOKENS }};
|
||||
|
||||
# open file caching
|
||||
{% if USE_OPEN_FILE_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}open-file-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# proxy caching
|
||||
{% if USE_PROXY_CACHE == "yes" %}
|
||||
include {{ NGINX_PREFIX }}proxy-cache.conf;
|
||||
{% endif %}
|
||||
|
||||
# reverse proxy
|
||||
{% if USE_REVERSE_PROXY == "yes" %}
|
||||
include {{ NGINX_PREFIX }}reverse-proxy.conf;
|
||||
{% endif %}
|
||||
|
||||
# remote PHP
|
||||
{% if REMOTE_PHP != "" %}
|
||||
include {{ NGINX_PREFIX }}php.conf;
|
||||
{% endif %}
|
||||
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue