diff --git a/Dockerfile b/Dockerfile
index c9611e3..641979c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,9 @@ RUN chmod +x /tmp/compile.sh && \
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
+COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
+RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /www && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/README.md b/README.md
index fc1cfd5..b2e1bea 100644
--- a/README.md
+++ b/README.md
@@ -28,9 +28,9 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
 ## List of variables
 ### nginx security
-*SERVER_TOKENS*
-Values : on | off
-Default value : off
+*SERVER_TOKENS*
+Values : on | off
+Default value : off
 If set to on, nginx will display server version in Server header and default error pages.
 *HEADER_SERVER*
@@ -76,7 +76,6 @@ Default value : no-referrer
 ## TODO
 - File permissions hardening
-- Secure and HttpOnly cookies
 - Custom nginx configuration
 - Custom TLS certificates
 - Documentation
diff --git a/compile.sh b/compile.sh
index 1a34b9b..2ee1bd6 100644
--- a/compile.sh
+++ b/compile.sh
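Review bot: The `COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb` line freezes the country database at build time, and the second entrypoint.sh hunk in this commit comments out the `/opt/scripts/geolite.sh` refresh that used to run when that file was missing, so BLOCK_COUNTRY decisions will drift as the vendored snapshot ages. Record when the snapshot was taken next to the COPY, e.g. `# GeoLite2-Country snapshot from <SNAPSHOT_DATE>; refresh by rebuilding the image`, and in entrypoint.sh delete the dead block rather than leaving it commented out (or keep the refresh behind an opt-in variable). The same RUN line also adds `php7-session`, which is unrelated to the cookie-flag feature and should be mentioned in the commit message.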
@@ -24,12 +24,14 @@ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
 git clone https://github.com/openresty/headers-more-nginx-module.git
 # geoip
 git clone https://github.com/leev/ngx_http_geoip2_module.git
+# cookie
+git clone https://github.com/AirisX/nginx_cookie_flag_module.git
 # compile and install nginx
 cd /tmp
 git clone https://github.com/nginx/nginx.git
 cd nginx
-./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module
+./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
 make -j $NTASK
 make install
diff --git a/confs/cookie-flags.conf b/confs/cookie-flags.conf
new file mode 100644
index 0000000..e81ec79
--- /dev/null
+++ b/confs/cookie-flags.conf
@@ -0,0 +1 @@
+set_cookie_flag %COOKIE_FLAGS%;
diff --git a/confs/server.conf b/confs/server.conf
index 88302c0..14766b1 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -22,5 +22,6 @@ server {
 	%FEATURE_POLICY%
 	%BLOCK_COUNTRY%
 	%BLOCK_USER_AGENT%
+	%COOKIE_FLAGS%
 	%ERRORS%
 }
diff --git a/entrypoint.sh b/entrypoint.sh
index 2d49e4d..2ce6c0d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
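Review bot: The new `git clone https://github.com/AirisX/nginx_cookie_flag_module.git` builds whatever the module's default branch happens to point at, so the module linked into nginx is neither reproducible nor reviewable and any upstream change lands in the next image build unnoticed. Pin it to a revision you have looked at, e.g. keep the clone line and add `git -C nginx_cookie_flag_module checkout <PINNED_COMMIT_OR_TAG>` before `# compile and install nginx`, with the expected commit noted in the `# cookie` comment. The neighbouring clones of ModSecurity-nginx, headers-more-nginx-module, ngx_http_geoip2_module and nginx itself share the weakness but are context here, not part of this change.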
@@ -55,6 +55,7 @@ PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
 PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY:-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
+COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@@ -142,9 +143,9 @@ else
 fi
 replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
 replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
-if [ ! -f /etc/nginx/geoip.mmdb ] ; then
-	/opt/scripts/geolite.sh
-fi
+#if [ ! -f /etc/nginx/geoip.mmdb ] ; then
+#	/opt/scripts/geolite.sh
+#fi
 if [ "$BLOCK_COUNTRY" != "" ] ; then
 	replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
 	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
@@ -222,6 +223,12 @@ if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
 else
 	replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
 fi
+if [ "$COOKIE_FLAGS" != "" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
+	replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
+else
+	replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
+fi
 # start PHP
diff --git a/scripts/geolite.sh b/scripts/geolite.sh
index 36c059a..722a4aa 100644
--- a/scripts/geolite.sh
+++ b/scripts/geolite.sh
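Review bot: The default `COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"` sets HttpOnly only, yet the README hunk in this commit drops the "Secure and HttpOnly cookies" TODO as if both were covered; without the Secure attribute, cookies issued by the upstream application are still sent on plaintext connections. Either make the default `* HttpOnly Secure` where the deployment terminates TLS (the README's Let's Encrypt section suggests that is the normal case, though the TLS switch is not visible in this diff), or add a README entry for COOKIE_FLAGS stating that Secure must be added explicitly for HTTPS deployments. Whether the module also accepts a SameSite attribute is not visible here; if it does, mention it in the same entry.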
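Review bot: In the new `if [ "$COOKIE_FLAGS" != "" ]` block the variable is written into `/etc/nginx/cookie-flags.conf` via `replace_in_file` with no validation, so a value holding `;` or a newline becomes extra nginx directives, and if `replace_in_file` is built on sed (its body is outside this diff) characters such as `/` or `&` will corrupt the substitution and leave nginx unable to start. The value comes from the container environment, so the operator already controls the config, but a cheap allow-list turns a typo into a clear error: `[ "${COOKIE_FLAGS#*[!A-Za-z0-9_= *-]}" = "$COOKIE_FLAGS" ] || { echo "invalid COOKIE_FLAGS" >&2; exit 1; }` just before the `if`, widening the class if cookie names need more characters. The same unvalidated substitution pattern exists for CONTENT_SECURITY_POLICY and BLOCK_COUNTRY in the context lines, but those are not part of this change.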
@@ -1,5 +1,6 @@
 #!/bin/sh
+# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=&suffix=tar.gz" -O toto.tar.gz
 wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
 gunzip -f /etc/nginx/geoip.mmdb.gz
 if [ -f /run/nginx/nginx.pid ] ; then