Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

choose connection and nofile numbers, increase error_log level to get modsecurity rules, add MODSECURITY_SEC_AUDIT_ENGINE var

Browse Source
This commit is contained in:
bunkerity 2021-05-05 17:38:22 +02:00
parent ba4185a42e
commit 009d6fb5ae
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
5 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
confs/global/nginx.conf
View File

@ -25,9 +25,12 @@ pcre_jit on;
# config files for dynamic modules # config files for dynamic modules
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
# max open files for each worker
worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
events { events {
# max connections per worker # max connections per worker
worker_connections 1024; worker_connections %WORKER_CONNECTIONS%;
# epoll seems to be the best on Linux # epoll seems to be the best on Linux
use epoll; use epoll;
@ -50,7 +53,7 @@ http {
# write logs to local syslog # write logs to local syslog
log_format logf '%LOG_FORMAT%'; log_format logf '%LOG_FORMAT%';
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf; access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice; error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;
# temp paths # temp paths
proxy_temp_path /tmp/proxy_temp; proxy_temp_path /tmp/proxy_temp;
@ -63,8 +66,8 @@ http {
reset_timedout_connection on; reset_timedout_connection on;
# timeouts # timeouts
client_body_timeout 12; client_body_timeout 10;
client_header_timeout 12; client_header_timeout 10;
keepalive_timeout 15; keepalive_timeout 15;
send_timeout 10; send_timeout 10;

2
confs/site/modsecurity-rules.conf
View File

@ -49,7 +49,7 @@ SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial SecResponseBodyLimitAction ProcessPartial
# log usefull stuff # log usefull stuff
SecAuditEngine RelevantOnly SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
SecAuditLogType Serial SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log SecAuditLog /var/log/nginx/modsec_audit.log

4
entrypoint/defaults.sh
View File

@ -6,6 +6,8 @@ HTTP_PORT="${HTTP_PORT-8080}"
HTTPS_PORT="${HTTPS_PORT-8443}" HTTPS_PORT="${HTTPS_PORT-8443}"
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}" MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
SERVER_TOKENS="${SERVER_TOKENS-off}" SERVER_TOKENS="${SERVER_TOKENS-off}"
WORKER_CONNECTIONS="${WORKER_CONNECTIONS-1024}"
WORKER_RLIMIT_NOFILE="${WORKER_RLIMIT_NOFILE-2048}"
USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}" USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}" CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}" CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
@ -62,6 +64,7 @@ HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}" STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
USE_MODSECURITY="${USE_MODSECURITY-yes}" USE_MODSECURITY="${USE_MODSECURITY-yes}"
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}" USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
MODSECURITY_SEC_AUDIT_ENGINE="${MODSECURITY_SEC_AUDIT_ENGINE-RelevantOnly}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}" CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}" COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}" COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
@ -131,3 +134,4 @@ USE_API="${USE_API-no}"
API_URI="${API_URI-random}" API_URI="${API_URI-random}"
API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}" API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
SWARM_MODE="${SWARM_MODE-no}" SWARM_MODE="${SWARM_MODE-no}"

4
entrypoint/global-config.sh
View File

@ -224,3 +224,7 @@ if [ "$USE_API" = "yes" ] ; then
else else
replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" "" replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
fi fi
# performance tuning
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"

1
entrypoint/site-config.sh
View File

@ -394,6 +394,7 @@ fi
if [ "$USE_MODSECURITY" = "yes" ] ; then if [ "$USE_MODSECURITY" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf" replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf"
replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;" replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE"
if [ "$MULTISITE" != "yes" ] ; then if [ "$MULTISITE" != "yes" ] ; then
modsec_custom="" modsec_custom=""
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then