Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
5 Commits 3 Branches 18 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
bunkerity ea1dbc617c updated readme
2019-11-22 13:21:06 +00:00
confs
content security policy
2019-08-21 15:01:22 +00:00
scripts
initial work
2019-08-20 21:25:16 +00:00
www
initial work
2019-08-20 21:25:16 +00:00
compile.sh
initial work
2019-08-20 21:25:16 +00:00
Dockerfile
initial work
2019-08-20 21:25:16 +00:00
entrypoint.sh
content security policy
2019-08-21 15:01:22 +00:00
README.md
updated readme
2019-11-22 13:21:06 +00:00

README.md

bunkerized-nginx

nginx based Docker image secure by default.

Main features

  • HTTPS support with transparent Let's Encrypt automation
  • State-of-the-art web security : HTTP headers, php.ini hardening, version leak, ...
  • Integrated ModSecurity WAF with the OWASP Core Rule Set
  • Based on alpine and compiled from source (< 100 MB image)
  • Easy to configure with environment variables

Quickstart guide

Run HTTP server with default settings

docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx

Web files are stored in the /www directory, so you need to mount the volume on it.

Run HTTPS server with automated Let's Encrypt

docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes bunkerity/bunkerized-nginx

Let's Encrypt needs port 80 to be open to request and sign certificates but nginx will only listen on port 443.

List of variables

nginx security

SERVER_TOKENS Values : on | off Default value : off If set to on, nginx will display server version in Server header and default error pages.

HEADER_SERVER Values : yes | no Default value : no If set to no, nginx will remove the Server header in HTTP responses.

ALLOWED_METHODS Values : allowed HTTP methods separated with | char Default value : GET|POST|HEAD Only the HTTP methods listed here will be accepted by nginx. If not listed, nginx will close the connection.

DISABLE_DEFAULT_SERVER Values : yes | no Default value : no If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip.

Security headers

X_FRAME_OPTIONS Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL Default value : DENY Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks. More info here.

X_XSS_PROTECTION Values : 0 | 1 | 1; mode=block Default value : 1; mode=block Policy to be used when XSS is detected by the browser. Only works with Internet Explorer. More info here.

X_CONTENT_TYPE_OPTIONS Values : nosniff Default value : nosniff Tells the browser to be strict about MIME type. More info here.

REFERRER_POLICY Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url Default value : no-referrer

TODO : list variables, default value, explanation, ...

TODO

  • File permissions hardening
  • Secure and HttpOnly cookies
  • Custom nginx configuration
  • Custom TLS certificates
  • Documentation
  • Reverse proxy mode
Description
🛡️ Make your web services secure by default !
antibotbunkerized-nginxclamavcrowdseccybersecuritydevopsdevsecopsdnsbldockerhardeninghostingkubernetesletsencryptmodsecuritynginxreverse-proxysecuritysecurity-tuningswarmweb-security
Readme 121 MiB
Languages
Python 30.8%
HTML 19%
JavaScript 12.3%
Shell 10.9%
Lua 10.8%
Other 16.2%