realip, minor fixes and README

bunkerity 2020-06-02 22:39:17 +02:00
parent a2be2e8ae1
commit b83111ad17
4 changed files with 38 additions and 35 deletions

View File

@ -11,6 +11,9 @@ nginx based Docker image secure by default.
- Based on alpine and compiled from source
- Easy to configure with environment variables
## Live demo
You can find a live demo at https://demo-nginx.bunkerity.com.
## Quickstart guide
### Run HTTP server with default settings
@ -35,20 +38,22 @@ Here you have three environment variables :
- REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection
### Reverse proxy
You can setup a reverse proxy by adding your own custom configurations at http level.
You can setup a reverse proxy by adding your own custom configurations at server context.
For example, this is a dummy reverse proxy configuration :
```shell
if ($host = www.website1.com) {
proxy_pass http://192.168.42.10
}
location / {
if ($host = www.website1.com) {
proxy_pass http://192.168.42.10$request_uri;
}
if ($host = www.website2.com) {
proxy_pass http://192.168.42.11
if ($host = www.website2.com) {
proxy_pass http://192.168.42.11$request_uri;
}
}
```
All files in /http-confs inside the container will be included at http level. You can simply mount a volume where your config files are located :
All files (ending with .conf) in /server-confs inside the container will be included at server context. You can simply mount a volume where your config files are located :
```shell
docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/http/conf:/http-confs bunkerity/bunkerized-nginx
docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx
```
Here you have three environment variables :
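Review bot: the fenced example at the top of this hunk is tagged `shell` but contains nginx configuration; tag it `nginx` so it renders and lints correctly. Two caveats belong next to the example: appending `$request_uri` to `proxy_pass` forwards the client's original, unnormalized URI (query string included) to the backend, so the backend cannot rely on nginx having normalized the path; and a request whose Host matches neither `if` block falls through `location /` with no `proxy_pass` at all, so the README should state what is served in that case (the `docker run` line sets `SERVE_FILES=no` and `DISABLE_DEFAULT_SERVER=yes`, so readers will assume nothing).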
@ -96,7 +101,7 @@ Sets the maximum body size before nginx returns a 413 error code.
Setting to 0 means "infinite" body size.
`SERVER_NAME`
Values : *<first name> <second name> ...*
Values : *&lt;first name&gt; &lt;second name&gt; ...*
Default value : *www.bunkerity.com*
Sets the host names of the webserver separated with spaces. This must match the Host header sent by clients.
Useful when used with `AUTO_LETSENCRYPT=yes` and/or `DISABLE_DEFAULT_SERVER=yes`.
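Review bot: inconsistent escaping of the angle brackets: this hunk (and the FEATURE_POLICY hunk below) switches to HTML entities `&lt;`/`&gt;`, while the CONTENT_SECURITY_POLICY, BLOCK_COUNTRY, PHP_* and FAIL2BAN_* hunks use markdown escapes `\<`/`\>`. Both render the same, but pick one so later edits copy a single style; `\<` reads better in the raw file.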
@ -169,14 +174,14 @@ Policy to be used for the Referer header.
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
`FEATURE_POLICY`
Values : *<directive> <allow list>*
Values : *&lt;directive&gt; &lt;allow list&gt;*
Default value : *accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'*
Tells the browser which features can be used on the website.
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
`COOKIE_FLAGS`
Values : ** HttpOnly* | *MyCookie secure SameSite* | *...*
Default value : ** HttpOnly*
Values : *\* HttpOnly* | *MyCookie secure SameSite* | *...*
Default value : *\* HttpOnly*
Adds some security to the cookies set by the server.
Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
@ -187,14 +192,14 @@ Tells the browser to use exclusively HTTPS instead of HTTP when communicating wi
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
`CONTENT_SECURITY_POLICY`
Values : *<directive 1>; <directive 2>; ...*
Values : *\<directive 1\>; \<directive 2\>; ...*
Default value : *default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer*
Policy to be used when loading resources (scripts, forms, frames, ...).
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
### Blocking
`BLOCK_COUNTRY`
Values : *<country code 1> <country code 2> ...*
Values : *\<country code 1\> \<country code 2\> ...*
Default value :
Block some countries from accessing your website. Use 2 letters country code separated with space.
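Review bot: the documented default for CONTENT_SECURITY_POLICY (`default-src 'self'; frame-ancestors 'none'; ...`) does not match the default the entrypoint sets in the last hunk of this commit, whose context line begins `object-src 'none'; frame-ance...`; update one of the two so operators can tell which policy they actually get. Also, `reflected-xss` and `referrer` were dropped from the CSP drafts and are not part of the current specification (referrer handling moved to the Referrer-Policy header, which this README already documents), so browsers ignore them; remove them from the default rather than ship dead directives.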
@ -226,7 +231,7 @@ Default value : *no*
If set to yes, the PHP version will be sent within the X-Powered-By header.
`PHP_OPEN_BASEDIR`
Values : *<directory>*
Values : *\<directory\>*
Default value : */www/*
Limits access to files within the given directory. For example include() or fopen() calls outside the directory will fail.
@ -251,7 +256,7 @@ Default value : *10M*
Sets the maximum file size allowed when uploading files.
`PHP_DISABLE_FUNCTIONS`
Values : *<function 1>, <function 2> ...*
Values : *\<function 1\>, \<function 2\> ...*
Default value : *system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo*
List of PHP functions blacklisted separated with commas. They can't be used anywhere in PHP code.
@ -264,7 +269,7 @@ Instead of using iptables which is not possible inside a container, fail2ban wil
If a number (`FAIL2BAN_MAXRETRY`) of "strange" HTTP codes (`FAIL2BAN_STATUS_CODES`) is found between a time interval (`FAIL2BAN_FINDTIME`) then the originating IP address will be ban for a specific period of time (`FAIL2BAN_BANTIME`).
`FAIL2BAN_STATUS_CODES`
Values : <HTTP status codes separated with | char>
Values : *\<HTTP status codes separated with | char\>*
Default value : *400|401|403|404|405|444*
List of "strange" error codes that fail2ban will search for.
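Review bot: typo in the context line above this hunk: "the originating IP address will be ban for a specific period of time" should read "will be banned". In the same sentence, "found between a time interval" reads better as "found within a time interval".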
@ -279,7 +284,7 @@ Default : value : *60*
The time interval, in seconds, to search for "strange" HTTP status codes.
`FAIL2BAN_MAXRETRY`
Values : *<any positive integer>*
Values : *\<any positive integer\>*
Default : value : *10*
The number of "strange" HTTP status codes to find between the time interval.
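Review bot: stray colon in `Default : value : *10*` (and in the `Default : value : *60*` context line for FAIL2BAN_FINDTIME); every other variable in the README uses `Default value : ...`, so these two should match. Same line: "to find between the time interval" should be "to find within the time interval".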
@ -300,10 +305,8 @@ Default value : *yes*
If set to yes, ClamAV will automatically remove the detected files.
## TODO
- demo website, securityheaders results, ssl results
- Default CSP
- Custom Dockerfile based on bunkerized-nginx
- Test with custom confs reverse proxy
- Documentation
- Custom TLS certificates
- HSTS preload, HPKP

View File

@ -31,7 +31,7 @@ git clone https://github.com/AirisX/nginx_cookie_flag_module.git
cd /tmp
git clone https://github.com/nginx/nginx.git
cd nginx
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module --add-module=/tmp/nginx_cookie_flag_module
make -j $NTASK
make install
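Review bot: `--with-http_realip_module` is only the build half of real-IP support; none of the four files in this commit adds the matching `set_real_ip_from` / `real_ip_header` configuration, so the module is compiled in but inert, and the commit message ("realip") overstates what ships. When the configuration is added, `set_real_ip_from` must be restricted to the addresses of trusted upstream proxies: trusting every peer would let any client choose the IP that fail2ban bans and that BLOCK_COUNTRY evaluates, by supplying its own forwarded-for header. Consider exposing the trusted ranges as an environment variable, empty by default, alongside the other settings in the README.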

View File

@ -55,7 +55,7 @@ SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
# scan uploaded files with clamv
%USE_CLAMAV_UPLOAD%"
%USE_CLAMAV_UPLOAD%
# include custom rules
%MODSECURITY_INCLUDE_CUSTOM_RULES%
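Review bot: good catch on the stray `"` after `%USE_CLAMAV_UPLOAD%`, which would have been written into the generated modsecurity.conf whenever the placeholder was substituted. This class of typo only surfaces when the container starts, so a configuration syntax check (for example `nginx -t` run after substitution, in the entrypoint or in image tests) would make a broken ModSecurity configuration fail fast instead of being discovered in production.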

View File

@ -81,7 +81,7 @@ CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ance
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
SERVE_FILES="${SERVE_FILES-yes}"
WRITE_ACCESS="${WRITE_ACCESS-no}"
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-yes}"
REDIRECT_HTTP_TO_HTTPS="${REDIRECT_HTTP_TO_HTTPS-no}"
LISTEN_HTTP="${LISTEN_HTTP-yes}"
USE_FAIL2BAN="${USE_FAIL2BAN-yes}"
FAIL2BAN_STATUS_CODES="${FAIL2BAN_STATUS_CODES-400|401|403|404|405|444}"
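Review bot: flipping the REDIRECT_HTTP_TO_HTTPS default from `yes` to `no` changes a security default in an image described as "secure by default", yet neither the commit message ("minor fixes") nor the README hunk that lists REDIRECT_HTTP_TO_HTTPS in this commit mentions it; add the new default and its rationale to that README entry and to the commit message so operators upgrading the image know that plain HTTP is no longer redirected unless they set the variable. The CONTENT_SECURITY_POLICY context line here also shows a default that differs from the one documented in the README hunk earlier in this commit; reconcile the two.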