cookie flags and maxmind update

bunkerity 2020-01-02 16:13:44 +00:00
parent ea1dbc617c
commit 1b5f6deb22
7 changed files with 21 additions and 9 deletions


@ -8,8 +8,9 @@ RUN chmod +x /tmp/compile.sh && \
COPY entrypoint.sh /opt/entrypoint.sh COPY entrypoint.sh /opt/entrypoint.sh
COPY confs/ /opt/confs COPY confs/ /opt/confs
COPY scripts/ /opt/scripts COPY scripts/ /opt/scripts
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \ RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /www && \ mkdir /www && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
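Review bot: The new `COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb` line freezes the country database at image build time, and the entrypoint section of this commit comments out the runtime call to /opt/scripts/geolite.sh, so BLOCK_COUNTRY decisions will be made against whatever snapshot was committed until the image is rebuilt. That is a reasonable fallback, but it deserves a comment on the COPY line so the trade-off is visible, e.g. `# build-time GeoLite2 snapshot; refresh with /opt/scripts/geolite.sh (needs a MaxMind license key)`. If the snapshot stays in git, consider recording its date or edition alongside it so staleness can be judged from the repository alone.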


@ -76,7 +76,6 @@ Default value : no-referrer
## TODO ## TODO
- File permissions hardening - File permissions hardening
- Secure and HttpOnly cookies
- Custom nginx configuration - Custom nginx configuration
- Custom TLS certificates - Custom TLS certificates
- Documentation - Documentation


@ -24,12 +24,14 @@ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/headers-more-nginx-module.git git clone https://github.com/openresty/headers-more-nginx-module.git
# geoip # geoip
git clone https://github.com/leev/ngx_http_geoip2_module.git git clone https://github.com/leev/ngx_http_geoip2_module.git
# cookie
git clone https://github.com/AirisX/nginx_cookie_flag_module.git
# compile and install nginx # compile and install nginx
cd /tmp cd /tmp
git clone https://github.com/nginx/nginx.git git clone https://github.com/nginx/nginx.git
cd nginx cd nginx
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module ./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
make -j $NTASK make -j $NTASK
make install make install
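Review bot: `git clone https://github.com/AirisX/nginx_cookie_flag_module.git` fetches whichever commit is upstream HEAD at build time and links it straight into the nginx binary via the new `--add-module=/tmp/nginx_cookie_flag_module`, so the build is not reproducible and an upstream force-push or account compromise flows into the image unnoticed. Pin the module to a tag or commit and shallow-clone it, e.g. `git clone --depth 1 --branch <pinned-tag> https://github.com/AirisX/nginx_cookie_flag_module.git`, or check out a known commit hash right after cloning. The neighbouring clones in this hunk have the same weakness, though they predate this commit.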

confs/cookie-flags.conf Normal file

@ -0,0 +1 @@
set_cookie_flag %COOKIE_FLAGS%;


@ -22,5 +22,6 @@ server {
%FEATURE_POLICY% %FEATURE_POLICY%
%BLOCK_COUNTRY% %BLOCK_COUNTRY%
%BLOCK_USER_AGENT% %BLOCK_USER_AGENT%
%COOKIE_FLAGS%
%ERRORS% %ERRORS%
} }


@ -55,6 +55,7 @@ PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}" PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
USE_MODSECURITY="${USE_MODSECURITY:-yes}" USE_MODSECURITY="${USE_MODSECURITY:-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}" CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
# replace values # replace values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE" replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@ -142,9 +143,9 @@ else
fi fi
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME" replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
if [ ! -f /etc/nginx/geoip.mmdb ] ; then #if [ ! -f /etc/nginx/geoip.mmdb ] ; then
/opt/scripts/geolite.sh # /opt/scripts/geolite.sh
fi #fi
if [ "$BLOCK_COUNTRY" != "" ] ; then if [ "$BLOCK_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;" replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;" replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
@ -222,6 +223,12 @@ if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
else else
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "" replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
fi fi
if [ "$COOKIE_FLAGS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
else
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
fi
# start PHP # start PHP
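Review bot: The default `COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"` in the first hunk sets only HttpOnly, while the README hunk in this commit drops "Secure and HttpOnly cookies" from the TODO list, so the Secure attribute reads as done but is never applied unless the operator overrides the variable. Since the image ships certbot for TLS, consider `COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly secure}"` if the module build accepts the `secure` flag, or keep the TODO entry until it does. The value is also spliced verbatim into `set_cookie_flag %COOKIE_FLAGS%;` in confs/cookie-flags.conf, so a malformed value surfaces as an nginx config error at startup rather than a clear message from this script; a short comment above the default listing the accepted flags would help. In the second hunk the geolite.sh call is commented out rather than removed; a one-line comment saying why (the database now ships in the image) would keep the dead block from being re-enabled by accident.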


@ -1,5 +1,6 @@
#!/bin/sh #!/bin/sh
# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=&suffix=tar.gz" -O toto.tar.gz
wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
gunzip -f /etc/nginx/geoip.mmdb.gz gunzip -f /etc/nginx/geoip.mmdb.gz
if [ -f /run/nginx/nginx.pid ] ; then if [ -f /run/nginx/nginx.pid ] ; then
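Review bot: The live download still uses `https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz`, while the newly added commented line shows the authenticated endpoint with an empty `license_key=` and a throwaway `toto.tar.gz` output name, so the working path and the intended path have drifted apart in the same file; the `suffix=tar.gz` there also means the existing gunzip step would no longer yield geoip.mmdb on its own. Whichever endpoint is kept, the key should be read from the environment rather than committed into the URL, where it would also show up in process listings and logs. Independently, `#!/bin/sh` with no `set -e` lets a failed download fall through to gunzip and the nginx reload, so check the status explicitly, e.g. `wget -O /etc/nginx/geoip.mmdb.gz "$url" || exit 1` followed by `gunzip -f /etc/nginx/geoip.mmdb.gz || exit 1`, where `$url` is the chosen endpoint. The `if [ -f /run/nginx/nginx.pid ]` block continues outside the hunk.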