forked from elisiano/docker-nginx-modsecurity
-
Notifications
You must be signed in to change notification settings - Fork 2
/
nginx.conf
202 lines (151 loc) · 6.11 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
user nginx;
worker_processes 1;
include /etc/nginx/modules-enabled/*;
#load_module modules/ngx_http_geoip2_module.so;
# load_module "modules/ngx_http_geoip_module.so";
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
#load_module modules/ngx_http_geoip_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip_module.so;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# NGINX Hardening Start
# Reference: https://www.owasp.org/index.php/SCG_WS_nginx
## Size Limits & Buffer Overflows
## the size may be configured based on the needs.
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 100k;
large_client_header_buffers 2 1k;
# Display nginx Version number in error or http header may result in hacker to search for known vulnerability.
# Therefore, the version number should be removed for every http response.
server_tokens off;
# Mitigating Slow HTTP DoS Attack
## Timeouts definition ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## Timeouts End ##
# NGINX Hardening end
# load_module "modules/ngx_http_geoip_module.so";
# load_module "/etc/nginx/modules/ngx_http_geoip_module.so";
#load_module modules/ngx_http_geoip_module.so;
#load_module "/etc/nginx/modules/ngx_stream_geoip_module.so";
# load_module "modules/ngx_http_geoip_module.so";
geoip_country /etc/nginx/geoip/GeoIP.dat;
geoip_city /etc/nginx/geoip/GeoLiteCity.dat;
# geoip_proxy 192.168.100.0/24;
# geoip_proxy 2001:0db8::/32;
geoip_proxy_recursive on;
proxy_set_header X_COUNTRY_CODE $geoip_country_code;
proxy_set_header X_CITY_COUNTRY_CODE $geoip_city_country_code;
proxy_set_header X_REGION $geoip_region;
proxy_set_header X_CITY $geoip_city;
proxy_set_header X_POSTAL_CODE $geoip_postal_code;
proxy_set_header X_CONTINENT $geoip_city_continent_code;
proxy_set_header X_AREA_CODE $geoip_area_code;
proxy_set_header X_DMA $geoip_dma_code;
# map $geoip_country_code $allowed_country {
# default yes;
# FK no;
# FM no;
# EH no;
# RU no;
# }
# For GDPR Compliance EU Block Start
# Block the EU continent from accessing the site
map $geoip_city_continent_code $allow_visit {
default 1;
EU 0;
}
# GDPR EU Block End
# Rate Limiting Start
geo $limit {
default 1;
# Whitelist Start
10.0.0.0/8 0;
192.168.0.0/24 0;
#White list end
}
map $limit $limit_key {
0 "";
1 $binary_remote_addr;
}
limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=req_zone_wl:10m rate=15r/s;
# Rate Limiting End
map $geoip_country_code $target_port {
default 8080;
IN 8081;
US 8082;
RU 8083;
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
# keepalive_timeout 65;
gzip on;
server {
# GDPR Start
# Disable logging for EU users
access_log /var/log/nginx/access.log combined if=$allow_visit;
# Block and return 403 error message to EU users
default_type text/plain;
if ($allow_visit = 0) {
return 403 'You are prohibited from visiting this website due to GDPR compliance requirements.';
}
# GDPR End
# Hardening Start
# SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
# -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
# -!LOW: exclude encryption cipher suites using 64 or 56 bit encryption algorithms
# -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
# -!aNULL: exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
# These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
# -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
# Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
# @STRENGTH:sort the current cipher list in order of encryption algorithm key length.
# X-Frame-Options is to prevent from clickJacking attack
add_header X-Frame-Options SAMEORIGIN;
# disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter
add_header X-XSS-Protection "1; mode=block";
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# Hardening End
root /www/data;
# proxy_pass http://127.0.0.1:$target_port;
# location /index.html {
location / {
proxy_pass http://127.0.0.1:$target_port/${request_uri};
proxy_set_header Host $host;
proxy_bind $remote_addr transparent;
# health_check is available only in Commercial version
# health_check;
}
# location /main/ {
# alias /$geoip_country/;
# }
# location /images/ {
# }
# location ~ \.(mp3|mp4) {
# root /www/media;
# }
}
include /etc/nginx/conf.d/*.conf;
}