docs improvement + road to v1.2.5

This commit is contained in:
bunkerity 2021-05-14 15:41:15 +02:00
parent 61c08fb97b
commit 288b8eb851
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
5 changed files with 47 additions and 1124 deletions

README.md (1134 changes): file diff suppressed because it is too large.

View File

@ -6,13 +6,13 @@
nginx Docker image secure by default. nginx Docker image secure by default.
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself. Avoid the hassle of following security best practices "by hand" each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
Non-exhaustive list of features : Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation - HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, ... - State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set - Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban - Automatic ban of strange behaviors
- Antibot challenge through cookie, javascript, captcha or recaptcha v3 - Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ... - Block TOR, proxies, bad user-agents, countries, ...
- Block known bad IP with DNSBL and CrowdSec - Block known bad IP with DNSBL and CrowdSec
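Review bot: dropping "with fail2ban" from the feature line `- Automatic ban of strange behaviors` leaves the reader with no idea what performs the ban or what it is based on; if the mechanism changed in this release, name the replacement (and where its logs and ban list live) in the same line or in the linked docs, otherwise keep the fail2ban mention so operators can still find the component to tune.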

View File

@ -6,18 +6,24 @@
docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx docker run -p 80:8080 -v /path/to/web/files:/www:ro bunkerity/bunkerized-nginx
``` ```
Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly. Web files are stored in the /www directory, the container will serve files from there. Please note that *bunkerized-nginx* doesn't run as root but as an unprivileged user with UID/GID 101 therefore you should set the rights of */path/to/web/files* accordingly.
## In combination with PHP ## In combination with PHP
```shell ```shell
docker network create mynet docker network create mynet
```
```shell
docker run --network mynet \ docker run --network mynet \
-p 80:8080 \ -p 80:8080 \
-v /path/to/web/files:/www:ro \ -v /path/to/web/files:/www:ro \
-e REMOTE_PHP=myphp \ -e REMOTE_PHP=myphp \
-e REMOTE_PHP_PATH=/app \ -e REMOTE_PHP_PATH=/app \
bunkerity/bunkerized-nginx bunkerity/bunkerized-nginx
```
```shell
docker run --network mynet \ docker run --network mynet \
--name myphp \ --name myphp \
-v /path/to/web/files:/app \ -v /path/to/web/files:/app \
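Review bot: "you should set the rights of */path/to/web/files* accordingly" still does not say what the rights must be; state the minimum explicitly (files readable and directories traversable by UID/GID 101, no write access needed since the volume is mounted `/www:ro`). Also, the nginx container mounts the web root read-only (`-v /path/to/web/files:/www:ro`) while the PHP container gets the same directory writable (`-v /path/to/web/files:/app`); unless the PHP application needs to write there, add `:ro` on the PHP side too so the example is consistent with the least-privilege message of the paragraph.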
@ -39,7 +45,7 @@ docker run -p 80:8080 \
bunkerity/bunkerized-nginx bunkerity/bunkerized-nginx
``` ```
Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but with an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly. Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive. Please note that *bunkerized-nginx* doesn't run as root but as an unprivileged user with UID/GID 101 therefore you should set the rights of */where/to/save/certificates* accordingly.
If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory. If you don't want your webserver to listen on HTTP add the environment variable `LISTEN_HTTP` with a *no* value (e.g. HTTPS only). But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
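Review bot: the sentence "Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory" is easy to misread as contradicting `LISTEN_HTTP=no`; spell out that even with `LISTEN_HTTP=no` the host must still publish port 80 to the container (`-p 80:8080`) because the ACME HTTP-01 challenge is answered there. In the permissions note, unlike the web root, */where/to/save/certificates* must be writable by UID/GID 101 since certificates are written into `/etc/letsencrypt`; say so rather than repeating the generic "set the rights accordingly".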
@ -81,7 +87,7 @@ docker run -p 80:8080 \
The `PROXY_REAL_IP` environment variable, when set to *yes*, activates the [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html) to get the real client IP from the reverse proxy. The `PROXY_REAL_IP` environment variable, when set to *yes*, activates the [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html) to get the real client IP from the reverse proxy.
See [this section](#reverse-proxy) if you need to tweak some values (trusted ip/network, header, ...). See [this section](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#reverse-proxy) if you need to tweak some values (trusted ip/network, header, ...).
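Review bot: the link fix is fine, but the `PROXY_REAL_IP` paragraph should warn that the trusted ip/network list must be limited to the actual reverse proxy, because ngx_http_realip_module accepts the header value from any listed source and every IP-based feature in this document (whitelist, blacklist, automatic ban) then acts on that substituted address; a one-line caveat next to "trusted ip/network, header, ..." would prevent a common misconfiguration.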
## Multisite ## Multisite
@ -197,7 +203,7 @@ docker run --network mynet \
-l bunkerized-nginx.SERVER_NAME=app2.domain.com \ -l bunkerized-nginx.SERVER_NAME=app2.domain.com \
-l bunkerized-nginx.USE_REVERSE_PROXY=yes \ -l bunkerized-nginx.USE_REVERSE_PROXY=yes \
-l bunkerized-nginx.REVERSE_PROXY_URL=/ \ -l bunkerized-nginx.REVERSE_PROXY_URL=/ \
-l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp -l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \
tutum/hello-world tutum/hello-world
``` ```
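Review bot: adding the missing line continuation on `-l bunkerized-nginx.REVERSE_PROXY_HOST=http://anotherapp \` is correct, since without it `tutum/hello-world` was executed as a separate command; it is worth checking the other multi-line `docker run` blocks in this document for the same missing backslash before tagging v1.2.5.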

View File

@ -35,11 +35,12 @@ If you have security constraints (e.g : local network, custom PKI, ...) you can
- `CUSTOM_HTTPS_CERT=/path/inside/container/to/cert.pem` - `CUSTOM_HTTPS_CERT=/path/inside/container/to/cert.pem`
- `CUSTOM_HTTPS_KEY=/path/inside/container/to/key.pem` - `CUSTOM_HTTPS_KEY=/path/inside/container/to/key.pem`
Here is a dummy example on how to use custom certificates : Here is a an example on how to use custom certificates :
```shell ```shell
$ ls /etc/ssl/my-web-app $ ls /etc/ssl/my-web-app
cert.pem key.pem cert.pem key.pem
$ docker run -p 80:8080 \ $ docker run -p 80:8080 \
-p 443:8443 \ -p 443:8443 \
-v /etc/ssl/my-web-app:/certs:ro \ -v /etc/ssl/my-web-app:/certs:ro \
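Review bot: "Here is a an example" introduces a typo; should read "Here is an example". The example also relies on `key.pem` being readable by UID/GID 101 inside the container, which a key file created with the usual root-only mode will not be; a short note on the expected permissions of `/etc/ssl/my-web-app` would save a confusing startup failure.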
@ -63,7 +64,7 @@ $ docker run -p 80:8080 \
## Headers ## Headers
Some important HTTP headers related to client security are sent with a default value. Sometimes it can break a web application or can be tuned to provide even more security. The complete list is available [here](#TODO). Some important HTTP headers related to client security are sent with a default value. Sometimes it can break a web application or can be tuned to provide even more security. The complete list is available [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#security-headers).
You can also remove headers (e.g. : too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`). You can also remove headers (e.g. : too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`).
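Review bot: grammar in the `REMOVE_HEADERS` sentence: "takes a list of header name separated with space" should read "takes a list of header names separated by spaces".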
@ -115,7 +116,7 @@ That kind of security measure is implemented and enabled by default in bunkerize
Attackers will certainly use automated tools to exploit/find some vulnerabilities on your web service. One countermeasure is to challenge the users to detect if it looks like a bot. It might be effective against script kiddies or "lazy" attackers. Attackers will certainly use automated tools to exploit/find some vulnerabilities on your web service. One countermeasure is to challenge the users to detect if it looks like a bot. It might be effective against script kiddies or "lazy" attackers.
You can use the `USE_ANTIBOT` environment variable to add that kind of checks whenever a new client is connecting. The available challenges are : `cookie`, `javascript`, `captcha` and `recaptcha`. More info [here](#TODO). You can use the `USE_ANTIBOT` environment variable to add that kind of checks whenever a new client is connecting. The available challenges are : `cookie`, `javascript`, `captcha` and `recaptcha`. More info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#antibot).
## External blacklists ## External blacklists
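Review bot: "add that kind of checks" should read "add that kind of check", and the challenge list says `recaptcha` while the README feature list says "recaptcha v3"; state the version here too so readers know which reCAPTCHA keys to provision.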
@ -136,7 +137,7 @@ If you want to give it a try, you have a concrete example on how to use CrowdSec
Sometimes script kiddies or lazy attackers don't put a "legitimate" value inside the **User-Agent** HTTP header so we can block them. This is controlled with the `BLOCK_USER_AGENT=yes` environment variable. The blacklist is composed of two files from [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt). Sometimes script kiddies or lazy attackers don't put a "legitimate" value inside the **User-Agent** HTTP header so we can block them. This is controlled with the `BLOCK_USER_AGENT=yes` environment variable. The blacklist is composed of two files from [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt).
If a legitimate User-Agent is blacklisted, you can use the `WHITELIST_USER_AGENT` while still keeping the `BLOCK_USER_AGENT=yes` (more info [here](#TODO)). If a legitimate User-Agent is blacklisted, you can use the `WHITELIST_USER_AGENT` while still keeping the `BLOCK_USER_AGENT=yes` (more info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#custom-whitelisting)).
### TOR exit nodes ### TOR exit nodes
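Review bot: the whitelist sentence is missing a noun: "you can use the `WHITELIST_USER_AGENT` while still keeping the `BLOCK_USER_AGENT=yes`" should read "you can use the `WHITELIST_USER_AGENT` environment variable while keeping `BLOCK_USER_AGENT=yes`", and it would help to say what value format it expects (one User-Agent string per entry, or a substring match).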
@ -194,9 +195,9 @@ Adding extra security can sometimes trigger false positives. Also, it might be n
Here is the list of related environment variables and their default value : Here is the list of related environment variables and their default value :
- `USE_WHITELIST_IP=yes` : enable/disable whitelisting by IP address - `USE_WHITELIST_IP=yes` : enable/disable whitelisting by IP address
- `WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8` : list of IP addresses and/or network CIDR blocks to whitelist (default contains the IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/)). - `WHITELIST_IP_LIST=23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8` : list of IP addresses and/or network CIDR blocks to whitelist (default contains the IP addresses of the [DuckDuckGo crawler](https://help.duckduckgo.com/duckduckgo-help-pages/results/duckduckbot/))
- `USE_WHITELIST_REVERSE=yes` : enable/disable whitelisting by reverse DNS - `USE_WHITELIST_REVERSE=yes` : enable/disable whitelisting by reverse DNS
- `WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net` : the list of reverse DNS suffixes to trust (default contains the list of major search engines crawlers). - `WHITELIST_REVERSE_LIST=.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net` : the list of reverse DNS suffixes to trust (default contains the list of major search engines crawlers)
## Blacklisting ## Blacklisting
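Review bot: `.crawl.yahoot.net` in the `WHITELIST_REVERSE_LIST` default looks like a typo for `.crawl.yahoo.net` (the reverse DNS domain of Yahoo's crawler); please verify, since a misspelled suffix both fails to match the real crawler and trusts a domain the project does not control. The list description "reverse DNS suffixes to trust" should also state whether the match is forward-confirmed (resolving the PTR name back to the client IP), because a PTR record alone is set by whoever controls the reverse zone of the address.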
@ -206,7 +207,7 @@ Here is the list of related environment variables and their default value :
- `USE_BLACKLIST_IP=yes` : enable/disable blacklisting by IP address - `USE_BLACKLIST_IP=yes` : enable/disable blacklisting by IP address
- `BLACKLIST_IP_LIST=` : list of IP addresses and/or network CIDR blocks to blacklist - `BLACKLIST_IP_LIST=` : list of IP addresses and/or network CIDR blocks to blacklist
- `USE_BLACKLIST_REVERSE=yes` : enable/disable blacklisting by reverse DNS - `USE_BLACKLIST_REVERSE=yes` : enable/disable blacklisting by reverse DNS
- `BLACKLIST_REVERSE_LIST=.shodan.io` : the list of reverse DNS suffixes to never trust. - `BLACKLIST_REVERSE_LIST=.shodan.io` : the list of reverse DNS suffixes to never trust
## Container hardening ## Container hardening

View File

@ -6,7 +6,7 @@ When troubleshooting, the logs are your best friends. We try our best to provide
## Permissions ## Permissions
Don't forget that bunkerized-nginx runs as an unprivileged user with UID/GID 101. Double check the permissions of files and folders for each volumes (see the [volumes list](#TODO)). Don't forget that bunkerized-nginx runs as an unprivileged user with UID/GID 101. Double check the permissions of files and folders for each volumes (see the [volumes list](https://bunkerized-nginx.readthedocs.io/en/latest/volumes.html)).
## ModSecurity ## ModSecurity
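Review bot: "for each volumes" should read "for each volume"; otherwise the link fix to the volumes list is fine.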
@ -29,5 +29,5 @@ It's a common case that a bot gets flagged as suspicious and can't access your w
- `WHITELIST_URI` - `WHITELIST_URI`
- `WHITELIST_USER_AGENT` - `WHITELIST_USER_AGENT`
More information [here](#). More information [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#custom-whitelisting).