cookie flags and maxmind update

This commit is contained in:
bunkerity 2020-01-02 16:13:44 +00:00
parent ea1dbc617c
commit 1b5f6deb22
7 changed files with 21 additions and 9 deletions


@ -8,8 +8,9 @@ RUN chmod +x /tmp/compile.sh && \
COPY entrypoint.sh /opt/entrypoint.sh COPY entrypoint.sh /opt/entrypoint.sh
COPY confs/ /opt/confs COPY confs/ /opt/confs
COPY scripts/ /opt/scripts COPY scripts/ /opt/scripts
COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \ RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
chmod +x /opt/entrypoint.sh /opt/scripts/* && \ chmod +x /opt/entrypoint.sh /opt/scripts/* && \
mkdir /www && \ mkdir /www && \
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
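Review bot: The new `COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb` line bakes a fixed snapshot of the country database into the image, and the entrypoint hunk in this same commit appears to comment out the runtime `geolite.sh` download that used to refresh it, so BLOCK_COUNTRY now decides on whatever data was checked into misc/ at build time and goes stale with every rebuild that forgets to refresh it. Nothing records which GeoLite2 release the file is or why the download was dropped; a comment above the COPY would help, e.g. `# GeoLite2-Country snapshot: the entrypoint no longer downloads it (see scripts/geolite.sh), refresh misc/GeoLite2-Country.mmdb before rebuilding`. The commented URL added in geolite.sh suggests MaxMind downloads now need a license key, which is presumably the reason; the README entry for BLOCK_COUNTRY could say that the data is only as fresh as the image. The apk packages, including the new php7-session, are unpinned, but that pattern predates this commit.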


@ -28,9 +28,9 @@ Let's Encrypt needs port 80 to be open to request and sign certificates but ngin
## List of variables ## List of variables
### nginx security ### nginx security
*SERVER_TOKENS* *SERVER_TOKENS*
Values : on | off Values : on | off
Default value : off Default value : off
If set to on, nginx will display server version in Server header and default error pages. If set to on, nginx will display server version in Server header and default error pages.
*HEADER_SERVER* *HEADER_SERVER*
@ -76,7 +76,6 @@ Default value : no-referrer
## TODO ## TODO
- File permissions hardening - File permissions hardening
- Secure and HttpOnly cookies
- Custom nginx configuration - Custom nginx configuration
- Custom TLS certificates - Custom TLS certificates
- Documentation - Documentation


@ -24,12 +24,14 @@ git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/headers-more-nginx-module.git git clone https://github.com/openresty/headers-more-nginx-module.git
# geoip # geoip
git clone https://github.com/leev/ngx_http_geoip2_module.git git clone https://github.com/leev/ngx_http_geoip2_module.git
# cookie
git clone https://github.com/AirisX/nginx_cookie_flag_module.git
# compile and install nginx # compile and install nginx
cd /tmp cd /tmp
git clone https://github.com/nginx/nginx.git git clone https://github.com/nginx/nginx.git
cd nginx cd nginx
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module ./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
make -j $NTASK make -j $NTASK
make install make install
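Review bot: The new `git clone https://github.com/AirisX/nginx_cookie_flag_module.git` pulls whatever the repository's default branch holds at build time and compiles it straight into the nginx binary, with no tag or commit pinned, so an upstream force-push or account compromise lands in the image unnoticed. Pin the module to a reviewed revision, e.g. `git clone https://github.com/AirisX/nginx_cookie_flag_module.git && git -C nginx_cookie_flag_module checkout <reviewed-commit-sha>`, and note in a comment which version was reviewed. The other clones in this hunk (ModSecurity-nginx, headers-more, geoip2 and nginx itself) have the same weakness, but they predate this commit.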

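--- /dev/null
+++ b/confs/cookie-flags.conf
@@ -0,0 +1 @@
+set_cookie_flag %COOKIE_FLAGS%;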


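--- a/confs/server.conf
+++ b/confs/server.conf
@@ -22,5 +22,6 @@ server {
 %FEATURE_POLICY%
 %BLOCK_COUNTRY%
 %BLOCK_USER_AGENT%
+%COOKIE_FLAGS%
 %ERRORS%
 }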


@ -55,6 +55,7 @@ PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}" PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
USE_MODSECURITY="${USE_MODSECURITY:-yes}" USE_MODSECURITY="${USE_MODSECURITY:-yes}"
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}" CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
# replace values # replace values
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE" replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@ -142,9 +143,9 @@ else
fi fi
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME" replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS" replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
if [ ! -f /etc/nginx/geoip.mmdb ] ; then #if [ ! -f /etc/nginx/geoip.mmdb ] ; then
/opt/scripts/geolite.sh # /opt/scripts/geolite.sh
fi #fi
if [ "$BLOCK_COUNTRY" != "" ] ; then if [ "$BLOCK_COUNTRY" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;" replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;" replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
@ -222,6 +223,12 @@ if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
else else
replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "" replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
fi fi
if [ "$COOKIE_FLAGS" != "" ] ; then
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" "include /etc/nginx/cookie-flags.conf;"
replace_in_file "/etc/nginx/cookie-flags.conf" "%COOKIE_FLAGS%" "$COOKIE_FLAGS"
else
replace_in_file "/etc/nginx/server.conf" "%COOKIE_FLAGS%" ""
fi
# start PHP # start PHP
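Review bot: `COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"` makes HttpOnly the only default flag, so cookies set by the PHP backend still travel over plain HTTP even though this image terminates TLS (Let's Encrypt per the README, `--with-http_ssl_module` in compile.sh), while the README hunk in this commit removes the "Secure and HttpOnly cookies" TODO as if both were done. Consider `COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly Secure}"` as the default (confirm the exact flag spelling, and whether SameSite is supported, against the nginx_cookie_flag_module documentation) and add COOKIE_FLAGS to the README's variable list with its default. The last new block copies `$COOKIE_FLAGS` verbatim into /etc/nginx/cookie-flags.conf via `replace_in_file`, so a value containing `;` or a newline turns into extra nginx directives; the variable is operator-supplied, but a one-line comment stating that it is trusted and not validated would spare the next reader the question. `replace_in_file` itself is outside these hunks, so whether it escapes sed metacharacters in the value cannot be judged here.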


@ -1,5 +1,6 @@
#!/bin/sh #!/bin/sh
# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=&suffix=tar.gz" -O toto.tar.gz
wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
gunzip -f /etc/nginx/geoip.mmdb.gz gunzip -f /etc/nginx/geoip.mmdb.gz
if [ -f /run/nginx/nginx.pid ] ; then if [ -f /run/nginx/nginx.pid ] ; then
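Review bot: The new commented-out line carries `license_key=` with an empty value and a `toto.tar.gz` placeholder, which invites the next edit to paste a real MaxMind key into a file that is committed and copied into the image. If the keyed download is revived it should read the key from the environment and never be hard-coded, e.g. `# wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" -O /tmp/GeoLite2-Country.tar.gz` with a note that the tarball layout differs from the old .mmdb.gz and must be unpacked before replacing /etc/nginx/geoip.mmdb. The live `wget`/`gunzip` path still verifies nothing about the downloaded database, but that predates this commit.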