tpotce/docker/heimdall/dist/conf/tpotweb.conf

############################################
### NGINX T-Pot configuration file by mo ###
############################################

server {

    #########################
    ### Basic server settings
    #########################
    listen 64297 ssl http2;
    #index tpotweb.html;
    index index.php;
    ssl_protocols TLSv1.3;
    server_name example.com;
    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
    root /var/lib/nginx/html/public;


    ##############################################
    ### Remove version number add different header
    ##############################################
    server_tokens off;
    more_set_headers 'Server: apache';


    ##############################################
    ### SSL settings and Cipher Suites
    ##############################################
    ssl_certificate /etc/nginx/cert/nginx.crt;
    ssl_certificate_key /etc/nginx/cert/nginx.key;
    
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;


    ####################################
    ### OWASP recommendations / settings
    ####################################

    ### Size Limits & Buffer Overflows 
    ### the size may be configured based on the needs. 
    client_body_buffer_size  128k;
    client_header_buffer_size 1k;
    client_max_body_size 2M;
    large_client_header_buffers 2 1k;

    ### Mitigate Slow HHTP DoS Attack
    ### Timeouts definition ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    ### X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    ### disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    ### This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


    ##################################
    ### Restrict access and basic auth
    ##################################

    # satisfy all;
    satisfy any;

    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/nginxpasswd;


    ############
    ### Heimdall
    ############

    location / {
        auth_basic           "closed site";
        auth_basic_user_file /etc/nginx/nginxpasswd;
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:64304;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    #################
    ### Proxied sites
    #################

    ### Kibana
    location /kibana/ {
        proxy_pass http://127.0.0.1:64296;
        rewrite /kibana/(.*)$ /$1 break;
    }

    ### ES 
    location /es/ {
        proxy_pass http://127.0.0.1:64298/;
        rewrite /es/(.*)$ /$1 break;
    }

    ### head standalone 
    location /myhead/ {
        proxy_pass http://127.0.0.1:64302/;
        rewrite /myhead/(.*)$ /$1 break;
    }

    ### CyberChef
    location /cyberchef {
        proxy_pass http://127.0.0.1:64299;
        rewrite ^/cyberchef(.*)$ /$1 break;
    }

    ### spiderfoot
    location /spiderfoot {
        proxy_pass http://127.0.0.1:64303;
    }

        location /static {
            proxy_pass http://127.0.0.1:64303/spiderfoot/static;
        }

        location /scanviz {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
        }
        
        location /scandelete {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
        }

        location /scaninfo {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scaninfo;
        }

}
start working on new landing page 2020-01-24 02:21:33 +00:00			`############################################`
			`### NGINX T-Pot configuration file by mo ###`
			`############################################`

			`server {`

			`#########################`
			`### Basic server settings`
			`#########################`
			`listen 64297 ssl http2;`
			`#index tpotweb.html;`
			`index index.php;`
			`ssl_protocols TLSv1.3;`
			`server_name example.com;`
			`error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;`
			`root /var/lib/nginx/html/public;`


			`##############################################`
			`### Remove version number add different header`
			`##############################################`
			`server_tokens off;`
			`more_set_headers 'Server: apache';`


			`##############################################`
			`### SSL settings and Cipher Suites`
			`##############################################`
			`ssl_certificate /etc/nginx/cert/nginx.crt;`
			`ssl_certificate_key /etc/nginx/cert/nginx.key;`

			`ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';`
			`ssl_ecdh_curve secp384r1;`
			`ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;`

			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`


			`####################################`
			`### OWASP recommendations / settings`
			`####################################`

			`### Size Limits & Buffer Overflows`
			`### the size may be configured based on the needs.`
			`client_body_buffer_size 128k;`
			`client_header_buffer_size 1k;`
			`client_max_body_size 2M;`
			`large_client_header_buffers 2 1k;`

			`### Mitigate Slow HHTP DoS Attack`
			`### Timeouts definition ##`
			`client_body_timeout 10;`
			`client_header_timeout 10;`
			`keepalive_timeout 5 5;`
			`send_timeout 10;`

			`### X-Frame-Options is to prevent from clickJacking attack`
			`add_header X-Frame-Options SAMEORIGIN;`

			`### disable content-type sniffing on some browsers.`
			`add_header X-Content-Type-Options nosniff;`

			`### This header enables the Cross-site scripting (XSS) filter`
			`add_header X-XSS-Protection "1; mode=block";`

			`### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";`


			`##################################`
			`### Restrict access and basic auth`
			`##################################`

			`# satisfy all;`
			`satisfy any;`

			`# allow 10.0.0.0/8;`
			`# allow 172.16.0.0/12;`
			`# allow 192.168.0.0/16;`
			`allow 127.0.0.1;`
			`allow ::1;`
			`deny all;`

			`auth_basic "closed site";`
			`auth_basic_user_file /etc/nginx/nginxpasswd;`


			`############`
			`### Heimdall`
			`############`

			`location / {`
			`auth_basic "closed site";`
			`auth_basic_user_file /etc/nginx/nginxpasswd;`
			`try_files $uri $uri/ /index.php?$query_string;`
			`}`

			`location ~ \.php$ {`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
			`fastcgi_pass 127.0.0.1:64304;`
			`fastcgi_index index.php;`
			`include fastcgi_params;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`}`

			`#################`
			`### Proxied sites`
			`#################`

			`### Kibana`
			`location /kibana/ {`
			`proxy_pass http://127.0.0.1:64296;`
			`rewrite /kibana/(.*)$ /$1 break;`
			`}`

			`### ES`
			`location /es/ {`
			`proxy_pass http://127.0.0.1:64298/;`
			`rewrite /es/(.*)$ /$1 break;`
			`}`

			`### head standalone`
			`location /myhead/ {`
			`proxy_pass http://127.0.0.1:64302/;`
			`rewrite /myhead/(.*)$ /$1 break;`
			`}`

			`### CyberChef`
			`location /cyberchef {`
			`proxy_pass http://127.0.0.1:64299;`
			`rewrite ^/cyberchef(.*)$ /$1 break;`
			`}`

			`### spiderfoot`
			`location /spiderfoot {`
			`proxy_pass http://127.0.0.1:64303;`
			`}`

			`location /static {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/static;`
			`}`

			`location /scanviz {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;`
			`}`

			`location /scandelete {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;`
			`}`

bump spiderfoot to 3.1 final Fix Spiderfoot issue not showing current scan 2020-08-13 09:06:49 +00:00			`location /scaninfo {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scaninfo;`
			`}`

start working on new landing page 2020-01-24 02:21:33 +00:00			`}`