realip, minor fixes and README

README.md

@@ -11,6 +11,9 @@ nginx based Docker image secure by default.
 - Based on alpine and compiled from source
 - Easy to configure with environment variables
 
+## Live demo
+You can find a live demo at https://demo-nginx.bunkerity.com.
+
 ## Quickstart guide
 
 ### Run HTTP server with default settings
@@ -35,20 +38,22 @@ Here you have three environment variables :
 - REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection
 
 ### Reverse proxy
-You can setup a reverse proxy by adding your own custom configurations at http level.  
+You can setup a reverse proxy by adding your own custom configurations at server context.  
 For example, this is a dummy reverse proxy configuration :  
 ```shell
-if ($host = www.website1.com) {
-	proxy_pass http://192.168.42.10
-}
+location / {
+	if ($host = www.website1.com) {
+		proxy_pass http://192.168.42.10$request_uri;
+	}
 
-if ($host = www.website2.com) {
-	proxy_pass http://192.168.42.11
+	if ($host = www.website2.com) {
+		proxy_pass http://192.168.42.11$request_uri;
+	}
 }
 ```
-All files in /http-confs inside the container will be included at http level. You can simply mount a volume where your config files are located :  
+All files (ending with .conf) in /server-confs inside the container will be included at server context. You can simply mount a volume where your config files are located :  
 ```shell
-docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/http/conf:/http-confs bunkerity/bunkerized-nginx
+docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx
 ```
 
 Here you have three environment variables :
@@ -96,7 +101,7 @@ Sets the maximum body size before nginx returns a 413 error code.
 Setting to 0 means "infinite" body size.
 
 `SERVER_NAME`  
-Values : *<first name> <second name> ...*  
+Values : *&lt;first name&gt; &lt;second name&gt; ...*  
 Default value : *www.bunkerity.com*  
 Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.  
 Useful when used with `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
@@ -169,37 +174,37 @@ Policy to be used for the Referer header.
 More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
 
 `FEATURE_POLICY`  
-Values : *<directive> <allow list>*  
+Values : *&lt;directive&gt; &lt;allow list&gt;*  
 Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'*  
 Tells the browser which features can be used on the website.  
 More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
 
 `COOKIE_FLAGS`  
-Values : ** HttpOnly* | *MyCookie secure SameSite* | *...*  
-Default value : ** HttpOnly*  
+Values : *\* HttpOnly* | *MyCookie secure SameSite* | *...*  
+Default value : *\* HttpOnly*  
 Adds some security to the cookies set by the server.  
 Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
 
 `STRICT_TRANSPORT_POLICY`  
-Values : *max-age=expireTime [; includeSubDomains] [; preload]*
+Values : *max-age=expireTime [; includeSubDomains] [; preload]*  
 Default value : *max-age=31536000*  
 Tells the browser to use exclusively HTTPS instead of HTTP when communicating with the server.  
 More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
 
 `CONTENT_SECURITY_POLICY`  
-Values : *<directive 1>; <directive 2>; ...*
+Values : *\<directive 1\>; \<directive 2\>; ...*  
 Default value : *default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer*  
 Policy to be used when loading resources (scripts, forms, frames, ...).  
 More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
 
 ### Blocking
 `BLOCK_COUNTRY`  
-Values : *<country code 1> <country code 2> ...*  
+Values : *\<country code 1\> \<country code 2\> ...*  
 Default value :  
 Block some countries from accessing your website. Use 2 letters country code separated with space.
 
 `BLOCK_USER_AGENT`  
-Values : *yes* | *no*
+Values : *yes* | *no*  
 Default value : *yes*
 If set to yes, block clients with "bad" user agent.  
 Blacklist can be found [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list).
@@ -226,45 +231,45 @@ Default value : *no*
 If set to yes, the PHP version will be sent within the X-Powered-By header.
 
 `PHP_OPEN_BASEDIR`  
-Values : *<directory>*  
+Values : *\<directory\>*  
 Default value : */www/*  
 Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
 
 `PHP_ALLOW_URL_FOPEN`  
-Values : *yes* | *no*
-Default value : *no*
+Values : *yes* | *no*  
+Default value : *no*  
 If set to yes, allows using url in fopen() calls (i.e. : ftp://, http://, ...). 
 
 `PHP_ALLOW_URL_INCLUDE`  
-Values : *yes* | *no*
-Default value : *no*
+Values : *yes* | *no*  
+Default value : *no*  
 If set to yes, allows using url in include() calls (i.e. : ftp://, http://, ...). 
 
 `PHP_FILE_UPLOADS`  
-Values : *yes* | *no*
-Default value : *yes*
+Values : *yes* | *no*  
+Default value : *yes*  
 If set to yes, allows clients to upload files.
 
 `PHP_UPLOAD_MAX_FILESIZE`  
-Values : *<size in bytes>* | *XM*
+Values : *<size in bytes>* | *XM*  
 Default value : *10M*  
 Sets the maximum file size allowed when uploading files.
 
 `PHP_DISABLE_FUNCTIONS`  
-Values : *<function 1>, <function 2> ...*  
+Values : *\<function 1\>, \<function 2\> ...*  
 Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo*  
 List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code.
 
 ### Fail2ban
-`USE_FAIL2BAN` 
+`USE_FAIL2BAN`  
 Values : *yes* | *no*  
 Default value : *yes*  
 If set to yes, fail2ban will be used to block users getting too much "strange" HTTP codes in a period of time.  
 Instead of using iptables which is not possible inside a container, fail2ban will dynamically update nginx to ban/unban IP addresses.  
 If a number (`FAIL2BAN_MAXRETRY`) of "strange" HTTP codes (`FAIL2BAN_STATUS_CODES`) is found between a time interval (`FAIL2BAN_FINDTIME`) then the originating IP address will be ban for a specific period of time (`FAIL2BAN_BANTIME`).
 
-`FAIL2BAN_STATUS_CODES` 
-Values : <HTTP status codes separated with | char>  
+`FAIL2BAN_STATUS_CODES`   
+Values : *\<HTTP status codes separated with | char\>*  
 Default value : *400|401|403|404|405|444*  
 List of "strange" error codes that fail2ban will search for.  
 
@@ -279,11 +284,11 @@ Default : value : *60*
 The time interval, in seconds, to search for "strange" HTTP status codes.  
 
 `FAIL2BAN_MAXRETRY`  
-Values : *<any positive integer>*  
+Values : *\<any positive integer\>*  
 Default : value : *10*  
 The number of "strange" HTTP status codes to find between the time interval.  
 
-### ClamAV
+### ClamAV  
 `USE_CLAMAV_UPLOAD`  
 Values : *yes* | *no*  
 Default value : *yes*  
@@ -300,10 +305,8 @@ Default value : *yes*
 If set to yes, ClamAV will automatically remove the detected files.  
 
 ## TODO
-- demo website, securityheaders results, ssl results 
 - Default CSP
 - Custom Dockerfile based on bunkerized-nginx
-- Test with custom confs reverse proxy
 - Documentation
 - Custom TLS certificates
 - HSTS preload, HPKP

compile.sh

@@ -31,7 +31,7 @@ git clone https://github.com/AirisX/nginx_cookie_flag_module.git
 cd /tmp
 git clone https://github.com/nginx/nginx.git
 cd nginx
-./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
+./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
 make -j $NTASK
 make install
 

confs/modsecurity-rules.conf

@@ -55,7 +55,7 @@ SecAuditLogType Serial
 SecAuditLog /var/log/modsec_audit.log
 
 # scan uploaded files with clamv
-%USE_CLAMAV_UPLOAD%"
+%USE_CLAMAV_UPLOAD%
 
 # include custom rules
 %MODSECURITY_INCLUDE_CUSTOM_RULES%

entrypoint.sh

@@ -81,7 +81,7 @@ CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ance
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
 SERVE_FILES="${SERVE_FILES-yes}"
 WRITE_ACCESS="${WRITE_ACCESS-no}"
-REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-yes}"
+REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
 LISTEN_HTTP="${LISTEN_HTTP-yes}"
 USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
 FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"