templating - road to full jinja2 templates

confs2/site/antibot-captcha.conf

@@ -0,0 +1,46 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie	= require "cookie"
+			local captcha	= require "captcha"
+			local logger	= require "logger"
+			if not cookie.is_set("uri") then
+				logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local img, res = captcha.get_challenge()
+			cookie.set({captchares = res})
+			local code = captcha.get_code(img, "%ANTIBOT_URI%")
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		access_by_lua_block {
+			local cookie	= require "cookie"
+			local captcha	= require "captcha"
+			local logger	= require "logger"
+			if not cookie.is_set("captchares") then
+				logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["captcha"] then
+				logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local captcha_user	= args["captcha"]
+			local check		= captcha.check(captcha_user, cookie.get("captchares"))
+			if not check then
+				logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
+				return ngx.redirect("%ANTIBOT_URI%")
+			end
+			cookie.set({captcha = "ok"})
+			return ngx.redirect(cookie.get("uri"))
+		}
+	}
+}

confs2/site/antibot-javascript.conf

@@ -0,0 +1,45 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie		= require "cookie"
+			local javascript	= require "javascript"
+			local logger		= require "logger"
+			if not cookie.is_set("challenge") then
+				logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local challenge	= cookie.get("challenge")
+			local code	= javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		content_by_lua_block {
+			local cookie		= require "cookie"
+			local javascript	= require "javascript"
+			local logger		= require "logger"
+			if not cookie.is_set("challenge") then
+				logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["challenge"] then
+				logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local challenge		= args["challenge"]
+			local check		= javascript.check(cookie.get("challenge"), challenge)
+			if not check then
+				logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			cookie.set({javascript = "ok"})
+			return ngx.exit(ngx.OK)
+		}
+	}
+}

confs2/site/antibot-recaptcha.conf

@@ -0,0 +1,44 @@
+location = %ANTIBOT_URI% {
+
+	default_type 'text/html';
+	
+	if ($request_method = GET) {
+		content_by_lua_block {
+			local cookie	= require "cookie"
+			local recaptcha	= require "recaptcha"
+			local loggger	= require "logger"
+			if not cookie.is_set("uri") then
+				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
+			ngx.say(code)
+		}
+	}
+	
+	if ($request_method = POST) {
+		access_by_lua_block {
+			local cookie	= require "cookie"
+			local recaptcha	= require "recaptcha"
+			local logger	= require "logger"
+			if not cookie.is_set("uri") then
+				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			ngx.req.read_body()
+			local args, err = ngx.req.get_post_args(1)
+			if err == "truncated" or not args or not args["token"] then
+				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			local token	= args["token"]
+			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
+			if check < %ANTIBOT_RECAPTCHA_SCORE% then
+				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
+				return ngx.exit(ngx.HTTP_FORBIDDEN)
+			end
+			cookie.set({recaptcha = "ok"})
+			return ngx.redirect(cookie.get("uri"))
+		}
+	}
+}

confs2/site/auth-basic-sitewide.conf

@@ -0,0 +1,2 @@
+auth_basic "%AUTH_BASIC_TEXT%";
+auth_basic_user_file %NGINX_PREFIX%.htpasswd;

confs2/site/auth-basic.conf

@@ -0,0 +1,4 @@
+location %AUTH_BASIC_LOCATION% {
+	auth_basic "%AUTH_BASIC_TEXT%";
+	auth_basic_user_file %NGINX_PREFIX%.htpasswd; 
+}

confs2/site/brotli.conf

@@ -0,0 +1,4 @@
+brotli on;
+brotli_types %BROTLI_TYPES%;
+brotli_comp_level %BROTLI_COMP_LEVEL%;
+brotli_min_length %BROTLI_MIN_LENGTH%;

confs2/site/client-cache.conf

@@ -0,0 +1,6 @@
+etag %CLIENT_CACHE_ETAG%;
+set $cache "";
+if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
+	set $cache "%CLIENT_CACHE_CONTROL%";
+}
+add_header Cache-Control $cache;

confs2/site/content-security-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";

confs2/site/cookie-flags.conf

@@ -0,0 +1 @@
+set_cookie_flag %COOKIE_FLAGS%;

confs2/site/custom-https.conf

@@ -0,0 +1,7 @@
+listen 0.0.0.0:443 ssl %HTTP2%;
+ssl_certificate %HTTPS_CUSTOM_CERT%;
+ssl_certificate_key %HTTPS_CUSTOM_KEY%;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_session_tickets off;
+%STRICT_TRANSPORT_SECURITY%

confs2/site/disable-default-server.conf

@@ -0,0 +1,3 @@
+if ($host !~ ^(%SERVER_NAME%)$) {
+	return 444;
+}

confs2/site/error.conf

@@ -0,0 +1,7 @@
+error_page %CODE% %PAGE%;
+
+location = %PAGE% {
+    root %ROOT_FOLDER%;
+    modsecurity off;
+    internal;
+}

confs2/site/fastcgi.conf

@@ -0,0 +1,25 @@
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

confs2/site/feature-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Feature-Policy: %FEATURE_POLICY%";

confs2/site/gzip.conf

@@ -0,0 +1,4 @@
+gzip on;
+gzip_comp_level %GZIP_COMP_LEVEL%;
+gzip_min_length %GZIP_MIN_LENGTH%;
+gzip_types %GZIP_TYPES%;

confs2/site/https.conf

@@ -0,0 +1,12 @@
+listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
+ssl_certificate %HTTPS_CERT%;
+ssl_certificate_key %HTTPS_KEY%;
+ssl_protocols %HTTPS_PROTOCOLS%;
+ssl_prefer_server_ciphers on;
+ssl_session_tickets off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+%STRICT_TRANSPORT_SECURITY%
+%SSL_DHPARAM%
+%SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%

confs2/site/lets-encrypt-webroot.conf

@@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}

confs2/site/limit-conn.conf

@@ -0,0 +1 @@
+limit_conn ddos %LIMIT_CONN_MAX%;

confs2/site/limit-req.conf

@@ -0,0 +1,3 @@
+limit_req_status 429;
+limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
+

confs2/site/log-lua.conf

@@ -0,0 +1,15 @@
+log_by_lua_block {
+
+-- bad behavior
+local use_bad_behavior		= %USE_BAD_BEHAVIOR%
+local behavior			= require "behavior"
+local bad_behavior_status_codes = {{ BAD_BEHAVIOR_STATUS_CODES }}
+local bad_behavior_threshold    = %BAD_BEHAVIOR_THRESHOLD%
+local bad_behavior_count_time   = %BAD_BEHAVIOR_COUNT_TIME%
+local bad_behavior_ban_time     = %BAD_BEHAVIOR_BAN_TIME%
+
+if use_bad_behavior then
+	behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
+end
+
+}

confs2/site/main-lua.conf

@@ -0,0 +1,298 @@
+set $session_secret %ANTIBOT_SESSION_SECRET%;
+set $session_check_addr on;
+
+access_by_lua_block {
+
+-- let's encrypt
+local use_lets_encrypt		= %USE_LETS_ENCRYPT%
+
+-- external blacklists
+local use_user_agents		= %USE_USER_AGENTS%
+local use_proxies		= %USE_PROXIES%
+local use_abusers		= %USE_ABUSERS%
+local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
+local use_referrers		= %USE_REFERRERS%
+
+-- countries
+local use_country		= %USE_COUNTRY%
+
+-- crowdsec
+local use_crowdsec		= %USE_CROWDSEC%
+
+-- antibot
+local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
+local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
+local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
+local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
+
+-- resolvers
+local dns_resolvers		= {{ DNS_RESOLVERS }}
+
+-- whitelist
+local use_whitelist_ip		= %USE_WHITELIST_IP%
+local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
+local whitelist_ip_list		= {{ WHITELIST_IP_LIST }}
+local whitelist_reverse_list	= {{ WHITELIST_REVERSE_LIST }}
+
+-- blacklist
+local use_blacklist_ip		= %USE_BLACKLIST_IP%
+local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
+local blacklist_ip_list		= {{ BLACKLIST_IP_LIST }}
+local blacklist_reverse_list	= {{ BLACKLIST_REVERSE_LIST }}
+
+-- dnsbl
+local use_dnsbl			= %USE_DNSBL%
+local dnsbl_list		= {{ DNSBL_LIST }}
+
+-- bad behavior
+local use_bad_behavior		= %USE_BAD_BEHAVIOR%
+
+-- include LUA code
+local whitelist			= require "whitelist"
+local blacklist			= require "blacklist"
+local dnsbl			= require "dnsbl"
+local cookie			= require "cookie"
+local javascript		= require "javascript"
+local captcha			= require "captcha"
+local recaptcha			= require "recaptcha"
+local iputils			= require "resty.iputils"
+local behavior			= require "behavior"
+local logger			= require "logger"
+
+-- user variables
+local antibot_uri		= "%ANTIBOT_URI%"
+local whitelist_user_agent	= {{ WHITELIST_USER_AGENT }}
+local whitelist_uri		= {{ WHITELIST_URI }}
+
+-- check if already in whitelist cache
+if use_whitelist_ip and whitelist.ip_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+if use_whitelist_reverse and whitelist.reverse_cached_ok() then
+	ngx.exit(ngx.OK)
+end
+
+-- check if already in blacklist cache
+if use_blacklist_ip and blacklist.ip_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+if use_blacklist_reverse and blacklist.reverse_cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if already in dnsbl cache
+if use_dnsbl and dnsbl.cached_ko() then
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is whitelisted (only if not in cache)
+if use_whitelist_ip and not whitelist.ip_cached() then
+	if whitelist.check_ip(whitelist_ip_list) then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if reverse is whitelisted (only if not in cache)
+if use_whitelist_reverse and not whitelist.reverse_cached() then
+	if whitelist.check_reverse(whitelist_reverse_list) then
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if URI is whitelisted
+for k, v in pairs(whitelist_uri) do
+	if ngx.var.request_uri == v then
+		logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
+		ngx.exit(ngx.OK)
+	end
+end
+
+-- check if it's certbot
+if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
+	logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
+	ngx.exit(ngx.OK)
+end
+
+-- check if IP is blacklisted (only if not in cache)
+if use_blacklist_ip and not blacklist.ip_cached() then
+	if blacklist.check_ip(blacklist_ip_list) then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if reverse is blacklisted (only if not in cache)
+if use_blacklist_reverse and not blacklist.reverse_cached() then
+	if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is banned because of "bad behavior"
+if use_bad_behavior and behavior.is_banned() then
+	logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is in proxies list
+if use_proxies then
+	local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in abusers list
+if use_abusers then
+	local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in TOR exit nodes list
+if use_tor_exit_nodes then
+	local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
+	if value ~= nil then
+		logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if user-agent is allowed
+if use_user_agents and ngx.var.http_user_agent ~= nil then
+	local whitelisted = false
+	for k, v in pairs(whitelist_user_agent) do
+		if string.match(ngx.var.http_user_agent, v) then
+			logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
+			whitelisted = true
+			break
+		end
+	end
+	if not whitelisted then
+		local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
+		if value == nil then
+			local patterns = ngx.shared.user_agents_data:get_keys(0)
+			for i, pattern in ipairs(patterns) do
+				if string.match(ngx.var.http_user_agent, pattern) then
+					value = "ko"
+					ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
+					break
+				end
+			end
+			if value == nil then
+				value = "ok"
+				ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
+			end
+		end
+		if value == "ko" then
+			logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
+			ngx.exit(ngx.HTTP_FORBIDDEN)
+		end
+	end
+end
+
+-- check if referrer is allowed
+if use_referrer and ngx.var.http_referer ~= nil then
+	local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
+	if value == nil then
+		local patterns = ngx.shared.referrers_data:get_keys(0)
+		for i, pattern in ipairs(patterns) do
+			if string.match(ngx.var.http_referer, pattern) then
+				value = "ko"
+				ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
+				break
+			end
+		end
+		if value == nil then
+			value = "ok"
+			ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
+		end
+	end
+	if value == "ko" then
+		logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if country is allowed
+if use_country and ngx.var.allowed_country == "no" then
+	logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
+	ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if IP is in DNSBLs (only if not in cache)
+if use_dnsbl and not dnsbl.cached() then
+	if dnsbl.check(dnsbl_list, dns_resolvers) then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+	if ok == nil then
+		logger.log(ngx.ERR, "CROWDSEC", err)
+	end
+	if not ok then
+		logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
+-- cookie check
+if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
+	if not cookie.is_set("uri") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+		logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
+		return ngx.exit(ngx.HTTP_FORBIDDEN)
+	else
+		if ngx.var.request_uri == antibot_uri then
+			return ngx.redirect(cookie.get("uri"))
+		end
+	end
+end
+
+-- javascript check
+if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
+	if not cookie.is_set("javascript") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- captcha check
+if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
+	if not cookie.is_set("captcha") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+-- recaptcha check
+if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
+	if not cookie.is_set("recaptcha") then
+		if ngx.var.request_uri ~= antibot_uri then
+			cookie.set({uri = ngx.var.request_uri})
+			return ngx.redirect(antibot_uri)
+		end
+	end
+end
+
+ngx.exit(ngx.OK)
+
+}
+
+%INCLUDE_ANTIBOT_JAVASCRIPT%
+
+%INCLUDE_ANTIBOT_CAPTCHA%
+
+%INCLUDE_ANTIBOT_RECAPTCHA%

confs2/site/modsecurity-clamav.conf

@@ -0,0 +1,4 @@
+SecUploadDir /tmp
+SecUploadKeepFiles On
+SecRule FILES_TMPNAMES "@inspectFile /opt/scripts/clamav.sh" \
+"phase:2,t:none,deny,msg:'Virus found in uploaded file',id:'399999'"

confs2/site/modsecurity-rules.conf

@@ -0,0 +1,65 @@
+# process rules with disruptive actions
+SecRuleEngine On
+
+# allow body checks
+SecRequestBodyAccess On
+
+# enable XML parsing
+SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+# enable JSON parsing
+SecRule REQUEST_HEADERS:Content-Type "application/json" \
+     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# maximum data size
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# reject requests if bigger than max data size
+SecRequestBodyLimitAction Reject
+
+# reject if we can't process the body
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# be strict with multipart/form-data body
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:400, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# enable response body checks
+SecResponseBodyAccess On
+SecResponseBodyMimeType text/plain text/html text/xml application/json
+SecResponseBodyLimit 524288
+SecResponseBodyLimitAction ProcessPartial
+
+# log usefull stuff
+SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
+SecAuditLogType Serial
+SecAuditLog /var/log/nginx/modsec_audit.log
+
+# scan uploaded files with clamv
+%USE_CLAMAV_UPLOAD%
+
+# include OWASP CRS rules
+%MODSECURITY_INCLUDE_CRS%
+%MODSECURITY_INCLUDE_CUSTOM_CRS%
+%MODSECURITY_INCLUDE_CRS_RULES%
+
+# include custom rules
+%MODSECURITY_INCLUDE_CUSTOM_RULES%

confs2/site/modsecurity.conf

@@ -0,0 +1,2 @@
+modsecurity on;
+modsecurity_rules_file %MODSEC_RULES_FILE%;

confs2/site/open-file-cache.conf

@@ -0,0 +1,4 @@
+open_file_cache %OPEN_FILE_CACHE%;
+open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
+open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
+open_file_cache_valid %OPEN_FILE_CACHE_VALID%;

confs2/site/permissions-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";

confs2/site/php.conf

@@ -0,0 +1,4 @@
+location ~ \.php$ {
+	fastcgi_pass      %REMOTE_PHP%:9000;
+	fastcgi_index     index.php;
+}

confs2/site/proxy-cache.conf

@@ -0,0 +1,7 @@
+proxy_cache proxycache;
+proxy_cache_methods %PROXY_CACHE_METHODS%;
+proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
+proxy_cache_key %PROXY_CACHE_KEY%;
+proxy_no_cache %PROXY_NO_CACHE%;
+proxy_cache_bypass %PROXY_CACHE_BYPASS%;
+%PROXY_CACHE_VALID%

confs2/site/proxy-real-ip.conf

@@ -0,0 +1,4 @@
+%PROXY_REAL_IP_FROM%
+real_ip_header %PROXY_REAL_IP_HEADER%;
+real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
+

confs2/site/redirect-http-to-https.conf

@@ -0,0 +1,3 @@
+if ($scheme = http) {
+	return 301 https://$host$request_uri;
+}

confs2/site/referrer-policy.conf

@@ -0,0 +1 @@
+more_set_headers "Referrer-Policy: %REFERRER_POLICY%";

confs2/site/reverse-proxy-headers.conf

@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Host $http_host;

confs2/site/reverse-proxy.conf

@@ -0,0 +1,7 @@
+location %REVERSE_PROXY_URL% {
+	etag off;
+	proxy_pass %REVERSE_PROXY_HOST%;
+	%REVERSE_PROXY_HEADERS%
+	%REVERSE_PROXY_WS%
+	%REVERSE_PROXY_CUSTOM_HEADERS%
+}

confs2/site/serve-files.conf

@@ -0,0 +1,3 @@
+root %ROOT_FOLDER%;
+index index.html index.php;
+try_files $uri $uri/ =404;

confs2/site/server.conf

@@ -0,0 +1,41 @@
+%PRE_SERVER_CONF%
+
+server {
+	%FASTCGI_PATH%
+	%SERVER_CONF%
+	%PROXY_REAL_IP%
+	%INCLUDE_LUA%
+	%USE_MODSECURITY%
+	%LISTEN_HTTP%
+	%USE_HTTPS%
+	%REDIRECT_HTTP_TO_HTTPS%
+	server_name %SERVER_NAME%;
+	%DISABLE_DEFAULT_SERVER%
+	%SERVE_FILES%
+	if ($request_method !~ ^(%ALLOWED_METHODS%)$)
+	{
+		return 405;
+	}
+	%LIMIT_REQ%
+	%LIMIT_CONN%
+	%AUTH_BASIC%
+	%REMOVE_HEADERS%
+	%X_FRAME_OPTIONS%
+	%X_XSS_PROTECTION%
+	%X_CONTENT_TYPE_OPTIONS%
+	%CONTENT_SECURITY_POLICY%
+	%REFERRER_POLICY%
+	%FEATURE_POLICY%
+	%PERMISSIONS_POLICY%
+	%COOKIE_FLAGS%
+	%ERRORS%
+	%USE_CLIENT_CACHE%
+	%USE_GZIP%
+	%USE_BROTLI%
+	client_max_body_size %MAX_CLIENT_SIZE%;
+	server_tokens %SERVER_TOKENS%;
+	%USE_OPEN_FILE_CACHE%
+	%USE_PROXY_CACHE%
+	%USE_REVERSE_PROXY%
+	%USE_PHP%
+}

confs2/site/x-content-type-options.conf

@@ -0,0 +1 @@
+more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";

confs2/site/x-frame-options.conf

@@ -0,0 +1 @@
+more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";

confs2/site/x-xss-protection.conf

@@ -0,0 +1 @@
+more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";