realip, minor fixes and README

bunkerity 2020-06-02 22:39:17 +02:00
parent a2be2e8ae1
commit b83111ad17
4 changed files with 38 additions and 35 deletions

View File

@ -11,6 +11,9 @@ nginx based Docker image secure by default.
- Based on alpine and compiled from source - Based on alpine and compiled from source
- Easy to configure with environment variables - Easy to configure with environment variables
## Live demo
You can find a live demo at https://demo-nginx.bunkerity.com.
## Quickstart guide ## Quickstart guide
### Run HTTP server with default settings ### Run HTTP server with default settings
@ -35,20 +38,22 @@ Here you have three environment variables :
- REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection - REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection
### Reverse proxy ### Reverse proxy
You can setup a reverse proxy by adding your own custom configurations at http level. You can setup a reverse proxy by adding your own custom configurations at server context.
For example, this is a dummy reverse proxy configuration : For example, this is a dummy reverse proxy configuration :
```shell ```shell
location / {
if ($host = www.website1.com) { if ($host = www.website1.com) {
proxy_pass http://192.168.42.10 proxy_pass http://192.168.42.10$request_uri;
} }
if ($host = www.website2.com) { if ($host = www.website2.com) {
proxy_pass http://192.168.42.11 proxy_pass http://192.168.42.11$request_uri;
}
} }
``` ```
All files in /http-confs inside the container will be included at http level. You can simply mount a volume where your config files are located : All files (ending with .conf) in /server-confs inside the container will be included at server context. You can simply mount a volume where your config files are located :
```shell ```shell
docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/http/conf:/http-confs bunkerity/bunkerized-nginx docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx
``` ```
Here you have three environment variables : Here you have three environment variables :
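Review bot: the new `proxy_pass http://192.168.42.10$request_uri;` lines target bare IPs, so the upstream receives `Host: 192.168.42.10` (nginx's default `$proxy_host`) rather than `www.website1.com`; add `proxy_set_header Host $host;` inside the location so the backend can select the right virtual host. The `if ($host = ...) { proxy_pass ...; }` pattern inside `location /` is the construct nginx's own documentation ("If is Evil") advises against for anything but `return` and `rewrite`; since custom confs are now included at server context only, a `map` is not available there, so at least mention that each `if` needs its own trailing semicolons (now fixed) and that an unmatched Host falls through to whatever else the location does. The fence is tagged ```shell but holds nginx configuration; `nginx` is the accurate tag.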
@ -96,7 +101,7 @@ Sets the maximum body size before nginx returns a 413 error code.
Setting to 0 means "infinite" body size. Setting to 0 means "infinite" body size.
`SERVER_NAME` `SERVER_NAME`
Values : *<first name> <second name> ...* Values : *&lt;first name&gt; &lt;second name&gt; ...*
Default value : *www.bunkerity.com* Default value : *www.bunkerity.com*
Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients. Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.
Useful when used with `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`. Useful when used with `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
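Review bot: `*&lt;first name&gt; &lt;second name&gt; ...*` escapes the angle brackets with HTML entities, whereas the other hunks in this commit use backslashes (`*\<directory\>*`); both render the same in GitHub-flavoured markdown, so pick one form for the whole README, preferably the backslash form the rest of the file now uses.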
@ -169,14 +174,14 @@ Policy to be used for the Referer header.
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
`FEATURE_POLICY` `FEATURE_POLICY`
Values : *<directive> <allow list>* Values : *&lt;directive&gt; &lt;allow list&gt;*
Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'* Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'*
Tells the browser which features can be used on the website. Tells the browser which features can be used on the website.
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy). More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
`COOKIE_FLAGS` `COOKIE_FLAGS`
Values : ** HttpOnly* | *MyCookie secure SameSite* | *...* Values : *\* HttpOnly* | *MyCookie secure SameSite* | *...*
Default value : ** HttpOnly* Default value : *\* HttpOnly*
Adds some security to the cookies set by the server. Adds some security to the cookies set by the server.
Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module). Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
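Review bot: same inconsistency as the `SERVER_NAME` hunk, `*&lt;directive&gt; &lt;allow list&gt;*` uses entities while the rest of the commit uses `\<`. The `*\* HttpOnly*` fix for `COOKIE_FLAGS` is correct, an unescaped `**` would have been read as bold. While touching the `FEATURE_POLICY` default, check its feature names against the linked MDN list, since a directive the browser does not recognise is silently ignored and gives a false sense of coverage.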
@ -187,14 +192,14 @@ Tells the browser to use exclusively HTTPS instead of HTTP when communicating wi
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security). More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
`CONTENT_SECURITY_POLICY` `CONTENT_SECURITY_POLICY`
Values : *<directive 1>; <directive 2>; ...* Values : *\<directive 1\>; \<directive 2\>; ...*
Default value : *default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer* Default value : *default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer*
Policy to be used when loading resources (scripts, forms, frames, ...). Policy to be used when loading resources (scripts, forms, frames, ...).
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
### Blocking ### Blocking
`BLOCK_COUNTRY` `BLOCK_COUNTRY`
Values : *<country code 1> <country code 2> ...* Values : *\<country code 1\> \<country code 2\> ...*
Default value : Default value :
Block some countries from accessing your website. Use 2 letters country code separated with space. Block some countries from accessing your website. Use 2 letters country code separated with space.
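Review bot: the documented `CONTENT_SECURITY_POLICY` default still carries `reflected-xss block` and `referrer no-referrer`; `reflected-xss` never left draft status and `referrer` was removed from CSP in favour of the `Referrer-Policy` header, so browsers ignore both (Chrome logs console errors). Since `REFERRER_POLICY` is already its own variable a few lines up, drop both directives from the default rather than document them. Also note `sandbox allow-forms allow-same-origin allow-scripts` in a server-wide default applies sandboxing to every page, which is worth calling out in the description as a deliberate choice.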
@ -226,7 +231,7 @@ Default value : *no*
If set to yes, the PHP version will be sent within the X-Powered-By header. If set to yes, the PHP version will be sent within the X-Powered-By header.
`PHP_OPEN_BASEDIR` `PHP_OPEN_BASEDIR`
Values : *<directory>* Values : *\<directory\>*
Default value : */www/* Default value : */www/*
Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail. Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
@ -251,7 +256,7 @@ Default value : *10M*
Sets the maximum file size allowed when uploading files. Sets the maximum file size allowed when uploading files.
`PHP_DISABLE_FUNCTIONS` `PHP_DISABLE_FUNCTIONS`
Values : *<function 1>, <function 2> ...* Values : *\<function 1\>, \<function 2\> ...*
Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo* Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo*
List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code. List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code.
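Review bot: the `PHP_DISABLE_FUNCTIONS` default lists several names that do not exist in PHP 7 (`dbmopen`, `dbase_open`, `filepro`, `filepro_rowcount`, `filepro_retrieve`, `fopen_with_path`); `disable_functions` ignores unknown names silently, so they are dead weight that suggests the list was copied rather than reviewed. Prune them and consider adding functions that still exist and are commonly disabled in hardened images, such as `pcntl_exec` and `dl`. Grammar in the description: "List of PHP functions blacklisted separated with commas" reads better as "Comma-separated list of blacklisted PHP functions".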
@ -264,7 +269,7 @@ Instead of using iptables which is not possible inside a container, fail2ban wil
If a number (`FAIL2BAN_MAXRETRY`) of "strange" HTTP codes (`FAIL2BAN_STATUS_CODES`) is found between a time interval (`FAIL2BAN_FINDTIME`) then the originating IP address will be ban for a specific period of time (`FAIL2BAN_BANTIME`). If a number (`FAIL2BAN_MAXRETRY`) of "strange" HTTP codes (`FAIL2BAN_STATUS_CODES`) is found between a time interval (`FAIL2BAN_FINDTIME`) then the originating IP address will be ban for a specific period of time (`FAIL2BAN_BANTIME`).
`FAIL2BAN_STATUS_CODES` `FAIL2BAN_STATUS_CODES`
Values : <HTTP status codes separated with | char> Values : *\<HTTP status codes separated with | char\>*
Default value : *400|401|403|404|405|444* Default value : *400|401|403|404|405|444*
List of "strange" error codes that fail2ban will search for. List of "strange" error codes that fail2ban will search for.
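Review bot: the context line above has "will be ban for a specific period of time" and "found between a time interval"; since this commit is already editing the fail2ban section, fix them to "will be banned" and "within a time interval". The `*\<HTTP status codes separated with | char\>*` change is fine, but a short example such as `400|403|404` next to it would show that the separator is a regex alternation, which matters because fail2ban treats the value as part of a pattern.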
@ -279,7 +284,7 @@ Default : value : *60*
The time interval, in seconds, to search for "strange" HTTP status codes. The time interval, in seconds, to search for "strange" HTTP status codes.
`FAIL2BAN_MAXRETRY` `FAIL2BAN_MAXRETRY`
Values : *<any positive integer>* Values : *\<any positive integer\>*
Default : value : *10* Default : value : *10*
The number of "strange" HTTP status codes to find between the time interval. The number of "strange" HTTP status codes to find between the time interval.
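Review bot: "Default : value : *10*" (and "Default : value : *60*" in the hunk header context) has a stray colon; every other variable in the README uses "Default value :", so fix both lines in this hunk.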
@ -300,10 +305,8 @@ Default value : *yes*
If set to yes, ClamAV will automatically remove the detected files. If set to yes, ClamAV will automatically remove the detected files.
## TODO ## TODO
- demo website, securityheaders results, ssl results
- Default CSP - Default CSP
- Custom Dockerfile based on bunkerized-nginx - Custom Dockerfile based on bunkerized-nginx
- Test with custom confs reverse proxy
- Documentation - Documentation
- Custom TLS certificates - Custom TLS certificates
- HSTS preload, HPKP - HSTS preload, HPKP

View File

@ -31,7 +31,7 @@ git clone https://github.com/AirisX/nginx_cookie_flag_module.git
cd /tmp cd /tmp
git clone https://github.com/nginx/nginx.git git clone https://github.com/nginx/nginx.git
cd nginx cd nginx
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module ./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
make -j $NTASK make -j $NTASK
make install make install
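Review bot: `--with-http_realip_module` only compiles the module in; nothing else in this commit adds `set_real_ip_from` / `real_ip_header` directives or documents an environment variable for them, so the client address used by fail2ban, the geoip country block and the access log is still the TCP peer. When that configuration lands, restrict `set_real_ip_from` to the CIDRs of the trusted front proxy only, because honouring `X-Forwarded-For` from arbitrary sources lets a client choose the address that gets banned or geo-checked. Separately, the build clones nginx and every module from their default branches with no tag or commit pinned, so two builds of the same Dockerfile can differ; pin versions for reproducibility.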

View File

@ -55,7 +55,7 @@ SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log SecAuditLog /var/log/modsec_audit.log
# scan uploaded files with clamv # scan uploaded files with clamv
%USE_CLAMAV_UPLOAD%" %USE_CLAMAV_UPLOAD%
# include custom rules # include custom rules
%MODSECURITY_INCLUDE_CUSTOM_RULES% %MODSECURITY_INCLUDE_CUSTOM_RULES%
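Review bot: removing the stray `"` after `%USE_CLAMAV_UPLOAD%` is the right fix, that quote would have ended up in the generated modsecurity.conf after substitution and broken parsing. While here, the comment two lines up says "clamv"; it should read "clamav".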

View File

@ -81,7 +81,7 @@ CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ance
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}" COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
SERVE_FILES="${SERVE_FILES-yes}" SERVE_FILES="${SERVE_FILES-yes}"
WRITE_ACCESS="${WRITE_ACCESS-no}" WRITE_ACCESS="${WRITE_ACCESS-no}"
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-yes}" REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
LISTEN_HTTP="${LISTEN_HTTP-yes}" LISTEN_HTTP="${LISTEN_HTTP-yes}"
USE_FAIL2BAN="${USE_FAIL2BAN-yes}" USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}" FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
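Review bot: the default for `REDIRECT_HTTP_TO_HTTPS` flips from `yes` to `no`, a behaviour change for existing users that the commit message ("minor fixes") does not mention and that none of the README hunks in this commit update; state it in the message and make sure the README's documented default for that variable matches. Separately, the `CONTENT_SECURITY_POLICY` default on the context line begins `object-src 'none'; frame-ance...` while the README hunk documents `default-src 'self'; frame-ancestors 'none'; ...`, so one of the two is stale and should be reconciled in the same change.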