diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2eea525
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..66db550
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:stable
+
+COPY ./includes/ /etc/nginx/includes
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..a695421
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,19 @@
+networks:
+ proxy:
+ name: ${PROXY_NETWORK-proxy}
+
+services:
+ nginx:
+ build: ./
+ restart: unless-stopped
+ networks:
+ - proxy
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - ${VOLUME_PATH}/conf.d:/etc/nginx/conf.d
+ # - ${VOLUME_PATH}/etc/nginx/sites-available:/etc/nginx/sites-available
+ # - ${VOLUME_PATH}/etc/nginx/sites-enabled:/etc/nginx/sites-enabled
+ - ${VOLUME_PATH}/etc/letsencrypt:/etc/letsencrypt
+ - ${VOLUME_PATH}/tmp:/tmp
diff --git a/example.env b/example.env
new file mode 100644
index 0000000..e4f1f55
--- /dev/null
+++ b/example.env
@@ -0,0 +1,6 @@
+# Docker settings
+VOLUME_PATH=/data/nginx
+PROXY_NETWORK=proxy
+
+# Nginx settings
+NGINX_TAG=stable
\ No newline at end of file
diff --git a/includes/block-exploits.conf b/includes/block-exploits.conf
new file mode 100644
index 0000000..8339a61
--- /dev/null
+++ b/includes/block-exploits.conf
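Review bot: `FROM nginx:stable` hard-codes the tag while the example.env hunk introduces `NGINX_TAG=stable`, which nothing in this commit reads, so the knob is dead and the two files disagree about where the base-image version lives. Expose it as a build argument, `ARG NGINX_TAG=stable` followed by `FROM nginx:${NGINX_TAG}`, and have docker-compose.yaml pass it through `build.args` (its `build: ./` shorthand currently passes nothing). Separately, a floating tag like `stable` means two builds of the same commit can pull different images; pinning the base by digest (`nginx:stable@sha256:<DIGEST-PLACEHOLDER>`) makes the build reproducible and the image provenance auditable. The same dead-variable point applies to the example.env hunk.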
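Review bot: `${VOLUME_PATH}` in the four bind mounts has neither a default nor a required marker, so when no `.env` is present the prefix expands to an empty string (Compose warns and continues) and the container ends up with the host's real `/etc/letsencrypt` and `/tmp` mounted read-write, plus a `/conf.d` created at the host root. Use the required form on each mount, `- ${VOLUME_PATH:?VOLUME_PATH must be set}/conf.d:/etc/nginx/conf.d`, so startup fails instead of mounting host root paths. nginx only reads the certificates, so the letsencrypt mount should be `:ro` to keep the proxy container from being able to modify private keys. The two commented-out `sites-available`/`sites-enabled` lines are dead configuration and should be dropped or given a one-line comment saying why they are kept.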
@@ -0,0 +1,98 @@
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+ set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+ return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+ set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+ return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+ set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+ set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+ return 403;
+}
\ No newline at end of file
diff --git a/includes/proxy.conf b/includes/proxy.conf
new file mode 100644
index 0000000..c0cafc7
--- /dev/null
+++ b/includes/proxy.conf
@@ -0,0 +1,7 @@
+add_header X-Served-By $host;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_pass $forward_scheme://$server:$port$request_uri;
\ No newline at end of file
diff --git a/includes/ssl.conf b/includes/ssl.conf
new file mode 100644
index 0000000..f1f1c46
--- /dev/null
+++ b/includes/ssl.conf
@@ -0,0 +1,13 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+# Ciphers from https://owasp.deteact.com/cheat/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html#openssl
+ssl_ciphers 'TLS_AES_256_GCM_SHA384:
+TLS_CHACHA20_POLY1305_SHA256:
+TLS_AES_128_GCM_SHA256:
+DHE-RSA-AES256-GCM-SHA384:
+DHE-RSA-AES128-GCM-SHA256:
+ECDHE-RSA-AES256-GCM-SHA384:
+ECDHE-RSA-AES128-GCM-SHA256';
+ssl_prefer_server_ciphers on;
\ No newline at end of file
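Review bot: Every `$query_string` and `$http_user_agent` test in this file uses the case-sensitive `~` operator, so each rule only matches the exact casing written (the first rule matches `script` but not `Script`); if the intent is case-insensitive matching, nginx's operator for that is `~*`, e.g. `if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {`. `$query_string` is also the raw, undecoded query, so only the specific `%3C`/`%3E`/`%3D` spellings written here are covered. The file has no header saying what it is and what it is not, which matters because the next maintainer may treat it as input validation; I would add `## Coarse, best-effort denylist on the raw (undecoded) query string and User-Agent. Matching is case-sensitive unless ~* is used. Not a substitute for validation in the upstream application.` at the top. The `# Common bandwidth hoggers and hacking tools.` comment applies only to the user-agent list below it, which is fine, but the `Indy Library` comment refers to a product version with no date, so a year or link would help future pruning.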
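Review bot: `proxy_pass $forward_scheme://$server:$port$request_uri;` depends on `$forward_scheme`, `$server` and `$port`, none of which this file defines, so every including server block must `set` all three before the include, and because the target is built from variables nginx resolves a hostname in `$server` at request time and needs a `resolver` directive for that case. A header comment stating that contract would prevent a confusing startup or runtime failure: `# Requires $forward_scheme, $server and $port to be set by the including server block; a resolver directive is needed if $server is a hostname.`. Also worth a one-line comment on `proxy_set_header X-Forwarded-For $remote_addr;`: it deliberately overwrites any client-supplied value rather than appending with `$proxy_add_x_forwarded_for`, which is the right choice for an edge proxy (upstreams cannot be fed a spoofed chain), but reads like a mistake to anyone used to the appending form.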
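Review bot: The three `TLS_AES_*`/`TLS_CHACHA20_*` entries at the top of `ssl_ciphers` are TLS 1.3 suite names, and as far as I can tell `ssl_ciphers` feeds OpenSSL's TLS 1.2-and-below cipher list, which does not control TLS 1.3 suites, so those entries appear to have no effect and the TLS 1.3 defaults apply regardless. The remaining list is DHE/ECDHE with RSA authentication only: the DHE suites are not offered unless `ssl_dhparam` is configured somewhere not in this commit, and an ECDSA certificate (which the mounted `/etc/letsencrypt` may well contain) would have no negotiable TLS 1.2 suite at all, so adding the `ECDHE-ECDSA-AES256-GCM-SHA384` and `ECDHE-ECDSA-AES128-GCM-SHA256` counterparts is advisable. The quoted value also spans seven physical lines, which is unusual for this directive; I would collapse it to one line rather than rely on the cipher-string parser tolerating embedded newlines, and document the intended policy in the comment above it rather than only a URL.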