Initial commit

2017-12-21 09:02:37 +10:00
parent dc830df253
commit 6e7435c35d
140 changed files with 19554 additions and 0 deletions
--- a/rootfs/etc/nginx/conf.d/default.conf
+++ b/rootfs/etc/nginx/conf.d/default.conf
@ -0,0 +1,38 @@
+# Healthcheck Host which proxies to the Manager,
+# thus the healthcheck ensures both services are running
+server {
+  listen 9876 default;
+  server_name localhost;
+
+  access_log /config/logs/manager.log proxy;
+
+  set $server 127.0.0.1;
+  set $port   81;
+
+  include conf.d/include/block-exploits.conf;
+
+  location /health {
+    access_log  off;
+    include conf.d/include/proxy.conf;
+  }
+
+  location / {
+    return 404;
+  }
+}
+
+# Default 80 Host, which shows a "You are not configured" page
+server {
+  listen 80 default;
+  server_name localhost;
+
+  access_log /config/logs/default.log proxy;
+
+  include conf.d/include/assets.conf;
+  include conf.d/include/block-exploits.conf;
+
+  location / {
+    index index.html;
+    root /var/www/html;
+  }
+}
--- a/rootfs/etc/nginx/conf.d/include/assets.conf
+++ b/rootfs/etc/nginx/conf.d/include/assets.conf
@ -0,0 +1,31 @@
+location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
+    if_modified_since off;
+
+    # use the public cache
+    proxy_cache public-cache;
+    proxy_cache_key $host$request_uri;
+
+    # ignore these headers for media
+    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
+
+    # cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
+    proxy_cache_valid any 30m;
+    proxy_cache_valid 404 1m;
+
+    # strip this header to avoid If-Modified-Since requests
+    proxy_hide_header Last-Modified;
+    proxy_hide_header Cache-Control;
+    proxy_hide_header Vary;
+
+    proxy_cache_bypass 0;
+    proxy_no_cache 0;
+
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
+    proxy_connect_timeout 5s;
+    proxy_read_timeout 45s;
+
+    expires @30m;
+    access_log  off;
+
+    include conf.d/include/proxy.conf;
+}
--- a/rootfs/etc/nginx/conf.d/include/block-exploits.conf
+++ b/rootfs/etc/nginx/conf.d/include/block-exploits.conf
@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}
--- a/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+++ b/rootfs/etc/nginx/conf.d/include/force-ssl.conf
@ -0,0 +1,3 @@
+if ($scheme = "http") {
+    return 301 https://$host$request_uri;
+}
--- a/rootfs/etc/nginx/conf.d/include/proxy.conf
+++ b/rootfs/etc/nginx/conf.d/include/proxy.conf
@ -0,0 +1,6 @@
+add_header       X-Served-By $host;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_pass       http://$server:$port;
--- a/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -0,0 +1,12 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
+ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
+S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
--- a/rootfs/etc/nginx/nginx.conf
+++ b/rootfs/etc/nginx/nginx.conf
@ -0,0 +1,55 @@
+# run nginx in foreground
+daemon off;
+
+user root;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+error_log /config/logs/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+  include                   /etc/nginx/mime.types;
+  default_type              application/octet-stream;
+  sendfile                  on;
+  server_tokens             off;
+  tcp_nopush                on;
+  tcp_nodelay               on;
+  client_body_temp_path     /tmp/nginx/body 1 2;
+  keepalive_timeout         65;
+  ssl_prefer_server_ciphers on;
+  gzip                      on;
+  proxy_ignore_client_abort off;
+  client_max_body_size      2000m;
+  proxy_http_version        1.1;
+  proxy_set_header          X-Forwarded-Scheme $scheme;
+  proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header          Accept-Encoding "";
+  proxy_cache               off;
+  proxy_cache_path          /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
+  proxy_cache_path          /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
+
+  # MISS
+  # BYPASS
+  # EXPIRED - expired, request was passed to backend
+  # UPDATING - expired, stale response was used due to proxy/fastcgi_cache_use_stale updating
+  # STALE - expired, stale response was used due to proxy/fastcgi_cache_use_stale
+  # HIT
+  # - (dash) - request never reached to upstream module. Most likely it was processed at Nginx-level only (e.g. forbidden, redirects, etc) (Ref: Mail Thread
+  log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
+
+  access_log /config/logs/default.log proxy;
+
+  include /etc/nginx/conf.d/*.conf;
+  include /config/nginx/*.conf;
+}