road to multi server block support

confs/site/antibot-captcha.conf

@@ -0,0 +1,40 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie	= require "cookie"
+			local captcha	= require "captcha"
+			if not cookie.is_set("uri") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local img, res = captcha.get_challenge()
+			cookie.set({captchares = res})
+			local code = captcha.get_code(img, "%ANTIBOT_URI%")
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		access_by_lua_block {
+			local cookie	= require "cookie"
+			local captcha	= require "captcha"
+			if not cookie.is_set("captchares") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["captcha"] then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local captcha_user	= args["captcha"]
+			local check		= captcha.check(captcha_user, cookie.get("captchares"))
+			if not check then
+				return ngx.redirect("%ANTIBOT_URI%")
+			end
+			cookie.set({captcha = "ok"})
+			return ngx.redirect(cookie.get("uri"))
+		}
+	}
+}

confs/site/antibot-javascript.conf

@@ -0,0 +1,39 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie		= require "cookie"
+			local javascript	= require "javascript"
+			if not cookie.is_set("challenge") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local challenge	= cookie.get("challenge")
+			local code	= javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		content_by_lua_block {
+			local cookie		= require "cookie"
+			local javascript	= require "javascript"
+			if not cookie.is_set("challenge") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["challenge"] then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local challenge	= args["challenge"]
+			local check		= javascript.check(cookie.get("challenge"), challenge)
+			if not check then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			cookie.set({javascript = "ok"})
+			return ngx.exit(ngx.OK)
+		}
+	}
+}

confs/site/antibot-recaptcha.conf

@@ -0,0 +1,39 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie	= require "cookie"
+			local recaptcha	= require "recaptcha"
+			if not cookie.is_set("uri") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		access_by_lua_block {
+			local cookie	= require "cookie"
+			local recaptcha	= require "recaptcha"
+			if not cookie.is_set("uri") then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["token"] then
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local token	= args["token"]
+			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
+			if check < %ANTIBOT_RECAPTCHA_SCORE% then
+				ngx.log(ngx.WARN, "client has recaptcha score of " .. tostring(check))
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			cookie.set({recaptcha = "ok"})
+			return ngx.redirect(cookie.get("uri"))
+		}
+	}
+}

confs/site/auth-basic-sitewide.conf

@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file /etc/nginx/.htpasswd;

confs/site/auth-basic.conf

@@ -0,0 +1,4 @@
+location %AUTH_BASIC_LOCATION% {
+	auth_basic "%AUTH_BASIC_TEXT%";
+	auth_basic_user_file /etc/nginx/.htpasswd; 
+}

confs/site/block-user-agent.conf

@@ -0,0 +1,3 @@
+if ($bad_user_agent = yes) {
+	return 444;
+}

confs/site/content-security-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";

confs/site/cookie-flags.conf

@@ -0,0 +1 @@
+set_cookie_flag %COOKIE_FLAGS%;

confs/site/custom-https.conf

@@ -0,0 +1,7 @@
+listen 0.0.0.0:443 ssl %HTTP2%;
+ssl_certificate %HTTPS_CUSTOM_CERT%;
+ssl_certificate_key %HTTPS_CUSTOM_KEY%;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+%STRICT_TRANSPORT_SECURITY%

confs/site/disable-default-server.conf

@@ -0,0 +1,3 @@
+if ($host !~ ^(%SERVER_NAME%)$) {
+	return 444;
+}

confs/site/error.conf

@@ -0,0 +1,7 @@
+error_page %CODE% %PAGE%;
+
+location = %PAGE% {
+    root %ROOT_FOLDER%;
+    modsecurity off;
+    internal;
+}

confs/site/feature-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Feature-Policy: %FEATURE_POLICY%";

confs/site/geoip-server.conf

@@ -0,0 +1,3 @@
+if ($allowed_country = no) {
+	return 444;
+}

confs/site/https.conf

@@ -0,0 +1,11 @@
+listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
+ssl_certificate %HTTPS_CERT%;
+ssl_certificate_key %HTTPS_KEY%;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%STRICT_TRANSPORT_SECURITY%
+%SSL_DHPARAM%
+%SSL_CIPHERS%

confs/site/limit-req.conf

@@ -0,0 +1,3 @@
+limit_req_status 429;
+limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
+

confs/site/main-lua.conf

@@ -0,0 +1,150 @@
+set $session_secret %ANTIBOT_SESSION_SECRET%;
+set $session_check_addr on;
+
+access_by_lua_block {
+
+local use_whitelist_ip		= %USE_WHITELIST_IP%
+local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
+local use_blacklist_ip		= %USE_BLACKLIST_IP%
+local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
+local use_dnsbl			= %USE_DNSBL%
+local use_crowdsec		= %USE_CROWDSEC%
+local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
+local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
+local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
+local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
+
+-- include LUA code
+local whitelist		= require "whitelist"
+local blacklist		= require "blacklist"
+local dnsbl		= require "dnsbl"
+local cookie		= require "cookie"
+local javascript	= require "javascript"
+local captcha		= require "captcha"
+local recaptcha		= require "recaptcha"
+
+-- antibot
+local antibot_uri = "%ANTIBOT_URI%"
+
+-- check if already in whitelist cache
+if use_whitelist_ip and whitelist.ip_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+if use_whitelist_reverse and whitelist.reverse_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+
+-- check if already in blacklist cache
+if use_blacklist_ip and blacklist.ip_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+if use_blacklist_reverse and blacklist.reverse_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if already in dnsbl cache
+if use_dnsbl and dnsbl.cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is whitelisted (only if not in cache)
+if use_whitelist_ip and not whitelist.ip_cached() then
+	if whitelist.check_ip() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if reverse is whitelisted (only if not in cache)
+if use_whitelist_reverse and not whitelist.reverse_cached() then
+	if whitelist.check_reverse() then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if IP is blacklisted (only if not in cache)
+if use_blacklist_ip and not blacklist.ip_cached() then
+	if blacklist.check_ip() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if reverse is blacklisted (only if not in cache)
+if use_blacklist_reverse and not blacklist.reverse_cached() then
+	if blacklist.check_reverse() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in DNSBLs (only if not in cache)
+if use_dnsbl and not dnsbl.cached() then
+	if dnsbl.check() then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+	end
+	if not ok then
+		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- cookie check
+if use_antibot_cookie then
+	if not cookie.is_set("uri") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+		return ngx.exit(ngx.HTTP_FORBIDDEN)
+	else
+		if ngx.var.request_uri == antibot_uri then
+			return ngx.redirect(cookie.get("uri"))
+		end
+	end
+end
+
+-- javascript check
+if use_antibot_javascript then
+	if not cookie.is_set("javascript") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- captcha check
+if use_antibot_captcha then
+	if not cookie.is_set("captcha") then
+		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- recaptcha check
+if use_antibot_recaptcha then
+	if not cookie.is_set("recaptcha") then
+		if ngx.var.request_uri ~= antibot_uri and ngx.var.request_uri ~= "/favicon.ico" then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+ngx.exit(ngx.OK)
+
+}
+
+%INCLUDE_ANTIBOT_JAVASCRIPT%
+
+%INCLUDE_ANTIBOT_CAPTCHA%
+
+%INCLUDE_ANTIBOT_RECAPTCHA%

confs/site/modsecurity-clamav.conf

@@ -0,0 +1,4 @@
+SecUploadDir /tmp
+SecUploadKeepFiles On
+SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
+"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"

confs/site/modsecurity-rules.conf

@@ -0,0 +1,66 @@
+# process rules with disruptive actions
+SecRuleEngine On
+
+# allow body checks
+SecRequestBodyAccess On
+
+# enable XML parsing
+SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+# enable JSON parsing
+SecRule REQUEST_HEADERS:Content-Type "application/json" \
+     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# maximum data size
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# reject requests if bigger than max data size
+SecRequestBodyLimitAction Reject
+
+# reject if we can't process the body
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# be strict with multipart/form-data body
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:400, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# enable response body checks
+SecResponseBodyAccess On
+SecResponseBodyMimeType text/plain text/html text/xml application/json
+SecResponseBodyLimit 524288
+SecResponseBodyLimitAction ProcessPartial
+
+# log usefull stuff
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogType Serial
+SecAuditLog /var/log/nginx/modsec_audit.log
+
+# scan uploaded files with clamv
+%USE_CLAMAV_UPLOAD%
+
+# include OWASP CRS rules
+%MODSECURITY_INCLUDE_CRS%
+%MODSECURITY_INCLUDE_CUSTOM_CRS%
+%MODSECURITY_INCLUDE_CRS_RULES%
+
+# include custom rules
+%MODSECURITY_INCLUDE_CUSTOM_RULES%

confs/site/modsecurity.conf

@@ -0,0 +1,2 @@
+modsecurity on;
+modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;

confs/site/php.conf

@@ -0,0 +1,5 @@
+location ~ \.php$ {
+	fastcgi_pass      %REMOTE_PHP%:9000;
+	fastcgi_index     index.php;
+	include           fastcgi.conf;
+}

confs/site/proxy-real-ip.conf

@@ -0,0 +1,4 @@
+%PROXY_REAL_IP_FROM%
+real_ip_header %PROXY_REAL_IP_HEADER%;
+real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
+

confs/site/redirect-http-to-https.conf

@@ -0,0 +1,3 @@
+if ($scheme = http) {
+	return 301 https://$host$request_uri;
+}

confs/site/referrer-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Referrer-Policy: %REFERRER_POLICY%";

confs/site/serve-files.conf

@@ -0,0 +1,3 @@
+root %ROOT_FOLDER%;
+index index.html index.php;
+try_files $uri $uri/ =404;

confs/site/server.conf

@@ -0,0 +1,34 @@
+server {
+	include /server-confs/*.conf;
+	include /etc/nginx/main-lua.conf;
+	%PROXY_REAL_IP%
+	%USE_MODSECURITY%
+	%LISTEN_HTTP%
+	%USE_HTTPS%
+	%REDIRECT_HTTP_TO_HTTPS%
+	server_name %SERVER_NAME%;
+	%DISABLE_DEFAULT_SERVER%
+	%SERVE_FILES%
+	if ($request_method !~ ^(%ALLOWED_METHODS%)$)
+	{
+		return 405;
+	}
+	%LIMIT_REQ%
+	%AUTH_BASIC%
+	%USE_PHP%
+	%HEADER_SERVER%
+	%X_FRAME_OPTIONS%
+	%X_XSS_PROTECTION%
+	%X_CONTENT_TYPE_OPTIONS%
+	%CONTENT_SECURITY_POLICY%
+	%REFERRER_POLICY%
+	%FEATURE_POLICY%
+	%BLOCK_COUNTRY%
+	%BLOCK_USER_AGENT%
+	%BLOCK_TOR_EXIT_NODE%
+	%BLOCK_PROXIES%
+	%BLOCK_ABUSERS%
+	%COOKIE_FLAGS%
+	%ERRORS%
+	%USE_FAIL2BAN%
+}

confs/site/x-content-type-options.conf

@@ -0,0 +1 @@
+more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";

confs/site/x-frame-options.conf

@@ -0,0 +1 @@
+more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";

confs/site/x-xss-protection.conf

@@ -0,0 +1 @@
+more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";