diff --git a/confs2/site/antibot-captcha.conf b/confs2/site/antibot-captcha.conf index 85d24bf..90905df 100644 --- a/confs2/site/antibot-captcha.conf +++ b/confs2/site/antibot-captcha.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; @@ -13,7 +13,7 @@ location = %ANTIBOT_URI% { end local img, res = captcha.get_challenge() cookie.set({captchares = res}) - local code = captcha.get_code(img, "%ANTIBOT_URI%") + local code = captcha.get_code(img, "{{ ANTIBOT_URI }}") ngx.say(code) } } @@ -37,7 +37,7 @@ location = %ANTIBOT_URI% { local check = captcha.check(captcha_user, cookie.get("captchares")) if not check then logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr) - return ngx.redirect("%ANTIBOT_URI%") + return ngx.redirect("{{ ANTIBOT_URI }}") end cookie.set({captcha = "ok"}) return ngx.redirect(cookie.get("uri")) diff --git a/confs2/site/antibot-javascript.conf b/confs2/site/antibot-javascript.conf index 2052b9d..32488af 100644 --- a/confs2/site/antibot-javascript.conf +++ b/confs2/site/antibot-javascript.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; @@ -12,7 +12,7 @@ location = %ANTIBOT_URI% { return ngx.exit(ngx.HTTP_FORBIDDEN) end local challenge = cookie.get("challenge") - local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri")) + local code = javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri")) ngx.say(code) } } diff --git a/confs2/site/antibot-recaptcha.conf b/confs2/site/antibot-recaptcha.conf index d901f36..d7c46ca 100644 --- a/confs2/site/antibot-recaptcha.conf +++ b/confs2/site/antibot-recaptcha.conf @@ -1,4 +1,4 @@ -location = %ANTIBOT_URI% { +location = {{ ANTIBOT_URI }} { default_type 'text/html'; 
@@ -11,7 +11,7 @@ location = %ANTIBOT_URI% { logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr) return ngx.exit(ngx.HTTP_FORBIDDEN) end - local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%") + local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}") ngx.say(code) } } @@ -32,8 +32,8 @@ location = %ANTIBOT_URI% { return ngx.exit(ngx.HTTP_FORBIDDEN) end local token = args["token"] - local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%") - if check < %ANTIBOT_RECAPTCHA_SCORE% then + local check = recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}") + if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")") return ngx.exit(ngx.HTTP_FORBIDDEN) end diff --git a/confs2/site/auth-basic-sitewide.conf b/confs2/site/auth-basic-sitewide.conf index 6fce64b..c95e643 100644 --- a/confs2/site/auth-basic-sitewide.conf +++ b/confs2/site/auth-basic-sitewide.conf @@ -1,2 +1,2 @@ -auth_basic "%AUTH_BASIC_TEXT%"; -auth_basic_user_file %NGINX_PREFIX%.htpasswd; +auth_basic "{{ AUTH_BASIC_TEXT }}"; +auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd; diff --git a/confs2/site/auth-basic.conf b/confs2/site/auth-basic.conf index f2668ed..648f1dc 100644 --- a/confs2/site/auth-basic.conf +++ b/confs2/site/auth-basic.conf @@ -1,4 +1,4 @@ -location %AUTH_BASIC_LOCATION% { - auth_basic "%AUTH_BASIC_TEXT%"; - auth_basic_user_file %NGINX_PREFIX%.htpasswd; +location {{ AUTH_BASIC_LOCATION }} { + auth_basic "{{ AUTH_BASIC_TEXT }}"; + auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd; } diff --git a/confs2/site/brotli.conf b/confs2/site/brotli.conf index 734513a..f2660e0 100644 --- a/confs2/site/brotli.conf +++ b/confs2/site/brotli.conf 
@@ -1,4 +1,4 @@ brotli on; -brotli_types %BROTLI_TYPES%; -brotli_comp_level %BROTLI_COMP_LEVEL%; -brotli_min_length %BROTLI_MIN_LENGTH%; +brotli_types {{ BROTLI_TYPES }}; +brotli_comp_level {{ BROTLI_COMP_LEVEL }}; +brotli_min_length {{ BROTLI_MIN_LENGTH }}; diff --git a/confs2/site/client-cache.conf b/confs2/site/client-cache.conf index 21271f7..b23717f 100644 --- a/confs2/site/client-cache.conf +++ b/confs2/site/client-cache.conf @@ -1,6 +1,6 @@ -etag %CLIENT_CACHE_ETAG%; +etag {{ CLIENT_CACHE_ETAG }}; set $cache ""; -if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) { - set $cache "%CLIENT_CACHE_CONTROL%"; +if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) { + set $cache "{{ CLIENT_CACHE_CONTROL }}"; } add_header Cache-Control $cache; diff --git a/confs2/site/content-security-policy.conf b/confs2/site/content-security-policy.conf index 11e3338..8b8a61a 100644 --- a/confs2/site/content-security-policy.conf +++ b/confs2/site/content-security-policy.conf @@ -1 +1 @@ -more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%"; +more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}"; diff --git a/confs2/site/cookie-flags.conf b/confs2/site/cookie-flags.conf index e81ec79..675feb3 100644 --- a/confs2/site/cookie-flags.conf +++ b/confs2/site/cookie-flags.conf @@ -1 +1 @@ -set_cookie_flag %COOKIE_FLAGS%; +set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %}; diff --git a/confs2/site/custom-https.conf b/confs2/site/custom-https.conf index 88289a8..03721b5 100644 --- a/confs2/site/custom-https.conf +++ b/confs2/site/custom-https.conf 
@@ -1,7 +1,9 @@ -listen 0.0.0.0:443 ssl %HTTP2%; -ssl_certificate %HTTPS_CUSTOM_CERT%; -ssl_certificate_key %HTTPS_CUSTOM_KEY%; +listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %}; +ssl_certificate {{ HTTPS_CUSTOM_CERT }}; +ssl_certificate_key {{ HTTPS_CUSTOM_KEY }}; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; ssl_session_tickets off; -%STRICT_TRANSPORT_SECURITY% +{% if STRICT_TRANSPORT_SECURITY != "" %} +more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}'; +{% endif %} diff --git a/confs2/site/disable-default-server.conf b/confs2/site/disable-default-server.conf index 104794d..900e58d 100644 --- a/confs2/site/disable-default-server.conf +++ b/confs2/site/disable-default-server.conf @@ -1,3 +1,3 @@ -if ($host !~ ^(%SERVER_NAME%)$) { +if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) { return 444; } diff --git a/confs2/site/error.conf b/confs2/site/error.conf index af44ffe..7d7a70e 100644 --- a/confs2/site/error.conf +++ b/confs2/site/error.conf @@ -1,7 +1,7 @@ -error_page %CODE% %PAGE%; +error_page {{ CODE }} {{ PAGE }}; -location = %PAGE% { - root %ROOT_FOLDER%; +location = {{ PAGE }} { + root {{ ROOT_FOLDER }}; modsecurity off; internal; } diff --git a/confs2/site/fastcgi.conf b/confs2/site/fastcgi.conf index acd0b38..c4712cc 100644 --- a/confs2/site/fastcgi.conf +++ b/confs2/site/fastcgi.conf @@ -13,7 +13,7 @@ fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; +fastcgi_param SERVER_SOFTWARE nginx; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; diff --git a/confs2/site/feature-policy.conf b/confs2/site/feature-policy.conf index 64c6e8e..009a63e 100644 --- a/confs2/site/feature-policy.conf +++ b/confs2/site/feature-policy.conf @@ -1 +1 @@ -more_set_headers "Feature-Policy: %FEATURE_POLICY%"; +more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}"; 
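Review bot: In the disable-default-server.conf hunk, `SERVER_NAME.replace(" ", "|")` is interpolated straight into the `^(...)$` regex without escaping, so every `.` in a hostname acts as a wildcard and the `return 444` guard also lets through hosts such as `exampleXcom` when `example.com` is configured. Escaping before joining keeps the allow-list exact: `if ($host !~ ^({{ SERVER_NAME.replace(".", "\\.").replace(" ", "|") }})$) {`. The effect of the current form is only a slightly looser match, but since this directive exists to refuse unknown Host values it is worth being precise, and a short comment such as `# SERVER_NAME is joined into a regex, so dots must be escaped` would stop the next edit from undoing it.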
diff --git a/confs2/site/gzip.conf b/confs2/site/gzip.conf index f0f77fc..3eb755d 100644 --- a/confs2/site/gzip.conf +++ b/confs2/site/gzip.conf @@ -1,4 +1,4 @@ gzip on; -gzip_comp_level %GZIP_COMP_LEVEL%; -gzip_min_length %GZIP_MIN_LENGTH%; -gzip_types %GZIP_TYPES%; +gzip_comp_level {{ GZIP_COMP_LEVEL }}; +gzip_min_length {{ GZIP_MIN_LENGTH }}; +gzip_types {{ GZIP_TYPES }}; diff --git a/confs2/site/https.conf b/confs2/site/https.conf index 5a50735..ce8fc90 100644 --- a/confs2/site/https.conf +++ b/confs2/site/https.conf @@ -1,12 +1,18 @@ -listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%; -ssl_certificate %HTTPS_CERT%; -ssl_certificate_key %HTTPS_KEY%; -ssl_protocols %HTTPS_PROTOCOLS%; +listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" }}http2{% endif %}; +ssl_certificate {{ HTTPS_CERT }}; +ssl_certificate_key {{ HTTPS_KEY }}; +ssl_protocols {{ HTTPS_PROTOCOLS }}; ssl_prefer_server_ciphers on; ssl_session_tickets off; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; -%STRICT_TRANSPORT_SECURITY% -%SSL_DHPARAM% -%SSL_CIPHERS% -%LETS_ENCRYPT_WEBROOT% +{% if STRICT_TRANSPORT_SECURITY != "" }} +more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}'; +{% endif %} +{% if "TLSv1.2" in {{ HTTPS_PROTOCOLS }} %} +ssl_dhparam /etc/nginx/dhparam; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +{% endif %} +{% if AUTO_LETS_ENCRYPT %} +include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf; +{% endif %} diff --git a/confs2/site/limit-conn.conf b/confs2/site/limit-conn.conf index 6482ad5..27c9738 100644 --- a/confs2/site/limit-conn.conf +++ b/confs2/site/limit-conn.conf @@ -1 +1 @@ -limit_conn ddos %LIMIT_CONN_MAX%; +limit_conn ddos {{ LIMIT_CONN_MAX }}; diff --git a/confs2/site/limit-req.conf b/confs2/site/limit-req.conf index 395d838..35b88fc 100644 
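Review bot: Three of the new Jinja tags in the https.conf hunk will not parse: `{% if HTTP2 == "yes" }}` and `{% if STRICT_TRANSPORT_SECURITY != "" }}` close with `}}` instead of `%}`, and `{% if "TLSv1.2" in {{ HTTPS_PROTOCOLS }} %}` nests an expression delimiter inside a statement tag (the same `}}` slip appears twice in the server.conf hunk later in this diff). `{% if AUTO_LETS_ENCRYPT %}` also differs from every other switch in the commit, which compares against `"yes"`; a value of `"no"` is a truthy string, so the Let's Encrypt webroot include would be pulled in regardless of the setting. The custom-https.conf hunk above shows the correct form of the first two tags, so the four lines below are what the file should read.
```nginx
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
# … unchanged: ssl_certificate … ssl_session_cache …
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
# … unchanged: ssl_dhparam / ssl_ciphers …
{% endif %}
{% if AUTO_LETS_ENCRYPT == "yes" %}
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
{% endif %}
```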
--- a/confs2/site/limit-req.conf +++ b/confs2/site/limit-req.conf @@ -1,3 +1,3 @@ limit_req_status 429; -limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay; +limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay; diff --git a/confs2/site/log-lua.conf b/confs2/site/log-lua.conf index 13854f3..e45620f 100644 --- a/confs2/site/log-lua.conf +++ b/confs2/site/log-lua.conf @@ -1,12 +1,12 @@ log_by_lua_block { -- bad behavior -local use_bad_behavior = %USE_BAD_BEHAVIOR% +local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} local behavior = require "behavior" -local bad_behavior_status_codes = {{ BAD_BEHAVIOR_STATUS_CODES }} -local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD% -local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME% -local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME% +local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local bad_behavior_threshold = {{ BAD_BEHAVIOR_THRESHOLD }} +local bad_behavior_count_time = {{ BAD_BEHAVIOR_COUNT_TIME }} +local bad_behavior_ban_time = {{ BAD_BEHAVIOR_BAN_TIME }} if use_bad_behavior then behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time) diff --git a/confs2/site/main-lua.conf b/confs2/site/main-lua.conf index 3ea0b57..270eeb7 100644 --- a/confs2/site/main-lua.conf +++ b/confs2/site/main-lua.conf 
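Review bot: The `bad_behavior_status_codes` line in the log-lua.conf hunk builds the Lua table from `BAD_BEHAVIOR_STATUS_CODES.split(" ")`, and an empty setting renders as `{""}` rather than `{}` because `"".split(" ")` is `[""]`; the same construction is repeated for every list in the main-lua.conf hunks. Whether an empty-string entry is harmless depends on how `behavior.count` and the whitelist/blacklist modules compare entries, which is outside this diff, so wrapping the loop in `{% if BAD_BEHAVIOR_STATUS_CODES != "" %}…{% endif %}` keeps the table empty in that case. The rendered one-liner is also hard to read; a Jinja macro such as `lua_list(value)` defined once and reused by both files would replace the eight copies with one tested implementation.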
@@ -1,51 +1,51 @@ -set $session_secret %ANTIBOT_SESSION_SECRET%; +set $session_secret {{ ANTIBOT_SESSION_SECRET }}; set $session_check_addr on; access_by_lua_block { -- let's encrypt -local use_lets_encrypt = %USE_LETS_ENCRYPT% +local use_lets_encrypt = {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %} -- external blacklists -local use_user_agents = %USE_USER_AGENTS% -local use_proxies = %USE_PROXIES% -local use_abusers = %USE_ABUSERS% -local use_tor_exit_nodes = %USE_TOR_EXIT_NODES% -local use_referrers = %USE_REFERRERS% +local use_user_agents = {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %} +local use_proxies = {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %} +local use_abusers = {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %} +local use_tor_exit_nodes = {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %} +local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %} -- countries -local use_country = %USE_COUNTRY% +local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %} -- crowdsec -local use_crowdsec = %USE_CROWDSEC% +local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %} -- antibot -local use_antibot_cookie = %USE_ANTIBOT_COOKIE% -local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT% -local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA% -local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA% +local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %} +local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %} +local use_antibot_captcha = {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %} +local use_antibot_recaptcha = {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %} -- resolvers -local dns_resolvers = {{ DNS_RESOLVERS }} +local dns_resolvers = {% raw %}{{% endraw %}{% set elements = 
DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- whitelist -local use_whitelist_ip = %USE_WHITELIST_IP% -local use_whitelist_reverse = %USE_WHITELIST_REVERSE% -local whitelist_ip_list = {{ WHITELIST_IP_LIST }} -local whitelist_reverse_list = {{ WHITELIST_REVERSE_LIST }} +local use_whitelist_ip = {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %} +local use_whitelist_reverse = {% if USE_WHITELIST_REVERSE == "yes %}true{% else %}false{% endif %} +local whitelist_ip_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_reverse_list = {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- blacklist -local use_blacklist_ip = %USE_BLACKLIST_IP% -local use_blacklist_reverse = %USE_BLACKLIST_REVERSE% -local blacklist_ip_list = {{ BLACKLIST_IP_LIST }} -local blacklist_reverse_list = {{ BLACKLIST_REVERSE_LIST }} +local use_blacklist_ip = {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %} +local use_blacklist_reverse = {% if USE_BLACKLIST_REVERSE == "yes %}true{% else %}false{% endif %} +local blacklist_ip_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local blacklist_reverse_list = {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- dnsbl -local use_dnsbl = %USE_DNSBL% -local 
dnsbl_list = {{ DNSBL_LIST }} +local use_dnsbl = {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %} +local dnsbl_list = {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- bad behavior -local use_bad_behavior = %USE_BAD_BEHAVIOR% +local use_bad_behavior = {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %} -- include LUA code local whitelist = require "whitelist" @@ -60,9 +60,9 @@ local behavior = require "behavior" local logger = require "logger" -- user variables -local antibot_uri = "%ANTIBOT_URI%" -local whitelist_user_agent = {{ WHITELIST_USER_AGENT }} -local whitelist_uri = {{ WHITELIST_URI }} +local antibot_uri = "{{ ANTIBOT_URI }}" +local whitelist_user_agent = {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} +local whitelist_uri = {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %} -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then @@ -291,8 +291,10 @@ ngx.exit(ngx.OK) } -%INCLUDE_ANTIBOT_JAVASCRIPT% - -%INCLUDE_ANTIBOT_CAPTCHA% - -%INCLUDE_ANTIBOT_RECAPTCHA% +{% if USE_ANTIBOT == "javascript" %} +include {{ NGINX_PREFIX }}antibot-javascript.conf; +{% elif USE_ANTIBOT == "captcha" %} +include {{ NGINX_PREFIX }}antibot-captcha.conf; +{% elif USE_ANTIBOT == "recaptcha" %} +include {{ NGINX_PREFIX }}antibot-recaptcha.conf; +{% endif %} diff --git a/confs2/site/modsecurity-rules.conf b/confs2/site/modsecurity-rules.conf index 9efdcf5..d0dd42f 100644 --- a/confs2/site/modsecurity-rules.conf +++ b/confs2/site/modsecurity-rules.conf 
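Review bot: Two tags in the first main-lua.conf hunk are missing their closing quote, `{% if USE_WHITELIST_REVERSE == "yes %}` and `{% if USE_BLACKLIST_REVERSE == "yes %}`, so the template fails to render and the whole site config with it; they should read `{% if USE_WHITELIST_REVERSE == "yes" %}` and `{% if USE_BLACKLIST_REVERSE == "yes" %}`. On the first line of the hunk `set $session_secret {{ ANTIBOT_SESSION_SECRET }};` is emitted unquoted, so a secret containing `;`, `#` or whitespace breaks the nginx config rather than failing safely; `set $session_secret "{{ ANTIBOT_SESSION_SECRET }}";` narrows that to values containing a double quote or `$`. The `access_by_lua_block` opened here closes outside this hunk.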
@@ -49,17 +49,22 @@ SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial # log usefull stuff -SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE% +SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }} SecAuditLogType Serial SecAuditLog /var/log/nginx/modsec_audit.log # scan uploaded files with clamv -%USE_CLAMAV_UPLOAD% +{% if USE_CLAMAV_UPLOAD == "yes" %} +include {{ NGINX_PREFIX }}modsecurity-clamav.conf +{% endif %} # include OWASP CRS rules -%MODSECURITY_INCLUDE_CRS% -%MODSECURITY_INCLUDE_CUSTOM_CRS% -%MODSECURITY_INCLUDE_CRS_RULES% +{% if USE_MODSECURITY_CRS == "yes" %} +include /opt/owasp/crs.conf +# TODO : include without errors ? +#{{ MODSECURITY_INCLUDE_CUSTOM_CRS }} +include /opt/owasp/crs/*.conf +{% endif %} -# include custom rules -%MODSECURITY_INCLUDE_CUSTOM_RULES% +# TODO : include custom rules +# {{ MODSECURITY_INCLUDE_CUSTOM_RULES }} diff --git a/confs2/site/modsecurity.conf b/confs2/site/modsecurity.conf index b30c0f8..380aa21 100644 --- a/confs2/site/modsecurity.conf +++ b/confs2/site/modsecurity.conf @@ -1,2 +1,2 @@ modsecurity on; -modsecurity_rules_file %MODSEC_RULES_FILE%; +modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf; diff --git a/confs2/site/open-file-cache.conf b/confs2/site/open-file-cache.conf index 8324dcd..0c2fb01 100644 --- a/confs2/site/open-file-cache.conf +++ b/confs2/site/open-file-cache.conf @@ -1,4 +1,4 @@ -open_file_cache %OPEN_FILE_CACHE%; -open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%; -open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%; -open_file_cache_valid %OPEN_FILE_CACHE_VALID%; +open_file_cache {{ OPEN_FILE_CACHE }}; +open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }}; +open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }}; +open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }}; diff --git a/confs2/site/permissions-policy.conf b/confs2/site/permissions-policy.conf index 3877b8d..6bafbe0 100644 --- a/confs2/site/permissions-policy.conf +++ b/confs2/site/permissions-policy.conf 
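Review bot: At the end of the modsecurity-rules.conf hunk the custom-rules include is parked as `# {{ MODSECURITY_INCLUDE_CUSTOM_RULES }}`, so user-supplied ModSecurity rules that the old `%MODSECURITY_INCLUDE_CUSTOM_RULES%` loaded are silently dropped; if that is deliberate for this commit the TODO should say so, otherwise restore the include behind a `{% if %}` switch like the clamav block above it. A `#` line is not a Jinja comment: the variable is still expanded, and a multi-line value would have only its first line commented while the rest become live directives, so the two parked lines should use `{# TODO: MODSECURITY_INCLUDE_CUSTOM_RULES #}` and `{# TODO: MODSECURITY_INCLUDE_CUSTOM_CRS #}`, which render to nothing. The surrounding rule set starts before this hunk.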
@@ -1 +1 @@ -more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%"; +more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}"; diff --git a/confs2/site/php.conf b/confs2/site/php.conf index 950b986..0d746e8 100644 --- a/confs2/site/php.conf +++ b/confs2/site/php.conf @@ -1,4 +1,4 @@ location ~ \.php$ { - fastcgi_pass %REMOTE_PHP%:9000; + fastcgi_pass {{ REMOTE_PHP }}:9000; fastcgi_index index.php; } diff --git a/confs2/site/proxy-cache.conf b/confs2/site/proxy-cache.conf index 37b4a17..0daf86d 100644 --- a/confs2/site/proxy-cache.conf +++ b/confs2/site/proxy-cache.conf @@ -1,7 +1,11 @@ proxy_cache proxycache; -proxy_cache_methods %PROXY_CACHE_METHODS%; -proxy_cache_min_uses %PROXY_CACHE_MIN_USES%; -proxy_cache_key %PROXY_CACHE_KEY%; -proxy_no_cache %PROXY_NO_CACHE%; -proxy_cache_bypass %PROXY_CACHE_BYPASS%; -%PROXY_CACHE_VALID% +proxy_cache_methods {{ PROXY_CACHE_METHODS }}; +proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }}; +proxy_cache_key {{ PROXY_CACHE_KEY }}; +proxy_no_cache {{ PROXY_NO_CACHE }}; +proxy_cache_bypass {{ PROXY_CACHE_BYPASS }}; +{% if PROXY_CACHE_VALID != "" %} +{% for element in PROXY_CACHE_VALID.split(" ") %} +proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }}; +{% endfor %} +{% endif %} diff --git a/confs2/site/proxy-real-ip.conf b/confs2/site/proxy-real-ip.conf index 4d972c4..490576a 100644 --- a/confs2/site/proxy-real-ip.conf +++ b/confs2/site/proxy-real-ip.conf @@ -1,4 +1,8 @@ -%PROXY_REAL_IP_FROM% -real_ip_header %PROXY_REAL_IP_HEADER%; -real_ip_recursive %PROXY_REAL_IP_RECURSIVE%; +{% if PROXY_REAL_IP_FROM != "" %} + {% for element in PROXY_REAL_IP_FROM.split(" ") %} +set_real_ip_from {{ element }}; + {% endfor %} +{% endif %} +real_ip_header {{ PROXY_REAL_IP_HEADER }}; +real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }}; diff --git a/confs2/site/referrer-policy.conf b/confs2/site/referrer-policy.conf index e0dea36..b163485 100644 --- a/confs2/site/referrer-policy.conf +++ b/confs2/site/referrer-policy.conf 
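Review bot: In the proxy-cache.conf hunk, `element.split("=")[1]` raises at render time when a token of `PROXY_CACHE_VALID` has no `=`, including the empty token produced by a doubled or trailing space, and `split("=")[0]` would silently keep only the first segment of a value containing a second `=`. A guard inside the loop, `{% if "=" in element %}` … `{% endif %}`, together with `element.split("=", 1)`, keeps one malformed token from taking down the whole site config. The proxy-real-ip.conf hunk has the same trailing-space exposure: an empty token renders `set_real_ip_from ;`, which nginx rejects, so the same `{% if element != "" %}` guard applies there.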
@@ -1 +1 @@ -more_set_headers "Referrer-Policy: %REFERRER_POLICY%"; +more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}"; diff --git a/confs2/site/reverse-proxy.conf b/confs2/site/reverse-proxy.conf index 2db7d08..bef8844 100644 --- a/confs2/site/reverse-proxy.conf +++ b/confs2/site/reverse-proxy.conf @@ -1,7 +1,7 @@ -location %REVERSE_PROXY_URL% { +location {{ REVERSE_PROXY_URL }} { etag off; - proxy_pass %REVERSE_PROXY_HOST%; - %REVERSE_PROXY_HEADERS% - %REVERSE_PROXY_WS% - %REVERSE_PROXY_CUSTOM_HEADERS% + proxy_pass {{ REVERSE_PROXY_HOST }}; + {{ REVERSE_PROXY_HEADERS }} + {{ REVERSE_PROXY_WS }} + {{ REVERSE_PROXY_CUSTOM_HEADERS }} } diff --git a/confs2/site/serve-files.conf b/confs2/site/serve-files.conf index d920e93..4cf51be 100644 --- a/confs2/site/serve-files.conf +++ b/confs2/site/serve-files.conf @@ -1,3 +1,3 @@ -root %ROOT_FOLDER%; +root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }}; index index.html index.php; try_files $uri $uri/ =404; diff --git a/confs2/site/server.conf b/confs2/site/server.conf index 9c619b3..654da93 100644 --- a/confs2/site/server.conf +++ b/confs2/site/server.conf 
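Review bot: In the reverse-proxy.conf hunk, `{{ REVERSE_PROXY_HEADERS }}`, `{{ REVERSE_PROXY_WS }}` and `{{ REVERSE_PROXY_CUSTOM_HEADERS }}` remain whole-directive blobs dropped in verbatim, unlike every other placeholder in this commit that became an `{% if … %}` block with explicit directives; as written the template has no say over what ends up inside the location block, and an undefined variable renders as an empty line or a render error depending on the environment's undefined policy. In the serve-files.conf hunk, `root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};` appends the server name unconditionally, while server.conf only uses per-server paths under `{% if MULTISITE == "yes" %}`; for the single-site case this moves the document root from `ROOT_FOLDER` to `ROOT_FOLDER/FIRST_SERVER`, which looks unintended. `root {{ ROOT_FOLDER }}{% if MULTISITE == "yes" %}/{{ FIRST_SERVER }}{% endif %};` keeps the two files consistent.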
@@ -1,41 +1,176 @@ -%PRE_SERVER_CONF% +# custom config before server block +include /pre-server-confs/*.conf; +{% if MULTISITE == "yes" %} +include /pre-server-confs/{{ FIRST_SERVER }}/*.conf; +{% endif %} server { - %FASTCGI_PATH% - %SERVER_CONF% - %PROXY_REAL_IP% - %INCLUDE_LUA% - %USE_MODSECURITY% - %LISTEN_HTTP% - %USE_HTTPS% - %REDIRECT_HTTP_TO_HTTPS% - server_name %SERVER_NAME%; - %DISABLE_DEFAULT_SERVER% - %SERVE_FILES% - if ($request_method !~ ^(%ALLOWED_METHODS%)$) - { + + # FastCGI variables +{% if REMOTE_PHP != "" %} + include {{ NGINX_PREFIX }}fastcgi.conf; +{% endif %} + + # custom config + include /server-confs/*.conf; +{% if MULTISITE == "yes" %} + include /server-confs/{{ FIRST_SERVER }}/*.conf; +{% endif %} + + # proxy real IP +{% if PROXY_REAL_IP == "yes" %} + include {{ NGINX_PREFIX }}proxy-real-ip.conf; +{% endif %} + + # include LUA files + include {{ NGINX_PREFIX }}main-lua.conf; + include {{ NGINX_PREFIX }}log-lua.conf; + + # ModSecurity +{% if USE_MODSECURITY == "yes" }} + include {{ NGINX_PREFIX }}modsecurity.conf; +{% endif %} + + # HTTP listen +{% if LISTEN_HTTP == "yes" }} + listen 0.0.0.0:{{ HTTP_PORT }}; +{% endif %} + + # HTTPS listen + config +{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %} + include {{ NGINX_PREFIX }}https.conf; +{% endif %} + + # HTTP to HTTPS +{% if REDIRECT_HTTP_TO_HTTPS == "yes" %} + include {{ NGINX_PREFIX }}redirect-http-to-https.conf; +{% endif %} + + # server name (vhost) + server_name {{ SERVER_NAME }}; + + # disable default server +{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %} + include {{ NGINX_PREFIX }}disable-default-server.conf; +{% endif %} + + # serve local files +{% if SERVE_FILES == "yes" %} + include {{ NGINX_PREFIX}}serve-files.conf; +{% endif %} + + # allowed HTTP methods + if ($request_method !~ ^({{ ALLOWED_METHODS }})$) { return 405; } - %LIMIT_REQ% - %LIMIT_CONN% - %AUTH_BASIC% - %REMOVE_HEADERS% - %X_FRAME_OPTIONS% - 
%X_XSS_PROTECTION% - %X_CONTENT_TYPE_OPTIONS% - %CONTENT_SECURITY_POLICY% - %REFERRER_POLICY% - %FEATURE_POLICY% - %PERMISSIONS_POLICY% - %COOKIE_FLAGS% - %ERRORS% - %USE_CLIENT_CACHE% - %USE_GZIP% - %USE_BROTLI% - client_max_body_size %MAX_CLIENT_SIZE%; - server_tokens %SERVER_TOKENS%; - %USE_OPEN_FILE_CACHE% - %USE_PROXY_CACHE% - %USE_REVERSE_PROXY% - %USE_PHP% + + # requests limiting +{% if USE_LIMIT_REQ == "yes" %} + include {{ NGINX_PREFIX }}limit-req.conf; +{% endif %} + + # connections limiting +{% if USE_LIMIT_CONN == "yes" %} + include {{ NGINX_PREFIX }}limit-conn.conf; +{% endif %} + + # auth basic +{% if USE_AUTH_BASIC == "yes" %} + {% if AUTH_BASIC_LOCATION == "sitewide" %} + include {{ NGINX_PREFIX }}auth-basic-sitewide.conf; + {% else %} + include {{ NGINX_PREFIX }}auth-basic.conf; + {% endif %} +{% endif %} + + # remove headers +{% if REMOVE_HEADERS != "" %} + {% for header in REMOVE_HEADERS.split(" ") %} + more_clear_headers '{{ header }}'; + {% endfor %} +{% endif %} + + # X-Frame-Option header +{% if X_FRAME_OPTIONS != "" %} + include {{ NGINX_PREFIX }}x-frame-options.conf; +{% endif %} + + # X-XSS-Protection header +{% if X_XSS_PROTECTION != "" %} + include {{ NGINX_PREFIX }}x-xss-protection.conf; +{% endif %} + + # X-Content-Type header +{% if X_CONTENT_TYPE != "" %} + include {{ NGINX_PREFIX }}x-content-type.conf; +{% endif %} + + # Content-Security-Policy header +{% if CONTENT_SECURITY_POLICY != "" %} + include {{ NGINX_PREFIX }}content-security-policy.conf; +{% endif %} + + # Referrer-Policy header +{% if REFERRER_POLICY != "" %} + include {{ NGINX_PREFIX }}referrer-policy.conf; +{% endif %} + + # Feature-Policy header +{% if FEATURE_POLICY != "" %} + include {{ NGINX_PREFIX }}feature-policy.conf; +{% endif %} + + # Permissions-Policy header +{% if PERMISSIONS_POLICY != "" %} + include {{ NGINX_PREFIX }}permissions-policy.conf; +{% endif %} + + # cookie flags +{% if COOKIE_FLAGS != "" %} + include {{ NGINX_PREFIX }}cookie-flags.conf; +{% 
endif %} + + # TODO : ERRORS + + # client caching +{% if USE_CLIENT_CACHE == "yes" %} + include {{ NGINX_PREFIX }}client-cache.conf; +{% endif %} + + # gzip compression +{% if USE_GZIP == "yes" %} + include {{ NGINX_PREFIX }}gzip.conf; +{% endif %} + + # brotli compression +{% if USE_GZIP == "yes" %} + include {{ NGINX_PREFIX }}gzip.conf; +{% endif %} + + # maximum body size + client_max_body_size {{ MAX_CLIENT_SIZE }}; + + # enable/disable showing version + server_tokens {{ SERVER_TOKENS }}; + + # open file caching +{% if USE_OPEN_FILE_CACHE == "yes" %} + include {{ NGINX_PREFIX }}open-file-cache.conf; +{% endif %} + + # proxy caching +{% if USE_PROXY_CACHE == "yes" %} + include {{ NGINX_PREFIX }}proxy-cache.conf; +{% endif %} + + # reverse proxy +{% if USE_REVERSE_PROXY == "yes" %} + include {{ NGINX_PREFIX }}reverse-proxy-*.conf; +{% endif %} + + # remote PHP +{% if REMOTE_PHP != "" %} + include {{ NGINX_PREFIX }}php.conf; +{% endif %} + } diff --git a/confs2/site/x-content-type-options.conf b/confs2/site/x-content-type-options.conf index 7bd59ef..9a6e6f3 100644 --- a/confs2/site/x-content-type-options.conf +++ b/confs2/site/x-content-type-options.conf @@ -1 +1 @@ -more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%"; +more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}"; diff --git a/confs2/site/x-frame-options.conf b/confs2/site/x-frame-options.conf index 52be218..fb928d1 100644 --- a/confs2/site/x-frame-options.conf +++ b/confs2/site/x-frame-options.conf @@ -1 +1 @@ -more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%"; +more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}"; diff --git a/confs2/site/x-xss-protection.conf b/confs2/site/x-xss-protection.conf index 1394cb4..b48d0f3 100644 --- a/confs2/site/x-xss-protection.conf +++ b/confs2/site/x-xss-protection.conf @@ -1 +1 @@ -more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%"; +more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";
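Review bot: The brotli block in the server.conf hunk is a copy of the gzip block: it tests `USE_GZIP` and includes `gzip.conf` a second time, so brotli can never be enabled and, when `USE_GZIP == "yes"`, `gzip on` appears twice in the server block and nginx rejects the config as a duplicate directive. The X-Content-Type block tests `X_CONTENT_TYPE` and includes `x-content-type.conf`, but the variable and file patched later in this diff are `X_CONTENT_TYPE_OPTIONS` and `x-content-type-options.conf`, so that header is never emitted. `{% if USE_MODSECURITY == "yes" }}` and `{% if LISTEN_HTTP == "yes" }}` close with `}}` instead of `%}` and will not parse. `# TODO : ERRORS` drops the error_page includes that error.conf is still templated for, and `include {{ NGINX_PREFIX }}reverse-proxy-*.conf;` uses a glob that does not match the `reverse-proxy.conf` in this diff; if a generator writes numbered copies, the comment above it should say so.
```nginx
    # ModSecurity
{% if USE_MODSECURITY == "yes" %}
    include {{ NGINX_PREFIX }}modsecurity.conf;
{% endif %}
# … unchanged: HTTP listen, with the same }} -> %} fix on its if-tag …
{% if LISTEN_HTTP == "yes" %}
# … unchanged: https, redirect, server_name, default server, serve files, methods, limits, auth, headers …
    # X-Content-Type-Options header
{% if X_CONTENT_TYPE_OPTIONS != "" %}
    include {{ NGINX_PREFIX }}x-content-type-options.conf;
{% endif %}
# … unchanged: CSP, referrer, feature, permissions, cookie flags, client caching, gzip …
    # brotli compression
{% if USE_BROTLI == "yes" %}
    include {{ NGINX_PREFIX }}brotli.conf;
{% endif %}
```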