add logstash http_input support for nginx

remove cockpit support entirely cleanup / housekeeping
2025-07-02 01:27:27 -04:00 · 2024-01-05 21:31:13 +01:00
parent 0f7dc73f1a
commit 7ba5567e70
14 changed files with 128 additions and 162 deletions
--- a/docker/nginx/dist/conf/lsweb.conf
+++ b/docker/nginx/dist/conf/lsweb.conf
@ -0,0 +1,110 @@
+############################################
+### NGINX T-Pot configuration file by mo ###
+############################################
+
+server {
+
+    #########################
+    ### Basic server settings
+    #########################
+    listen 64294 ssl http2;
+    index index.html;
+    ssl_protocols TLSv1.3;
+    server_name example.com;
+    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
+    root /var/lib/nginx/html;
+    add_header Cache-Control "public, max-age=604800";
+
+    ##############################################
+    ### Remove version number add different header
+    ##############################################
+    server_tokens off;
+
+
+    ##############################################
+    ### SSL settings and Cipher Suites
+    ##############################################
+    ssl_certificate /etc/nginx/cert/nginx.crt;
+    ssl_certificate_key /etc/nginx/cert/nginx.key;
+
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
+    ssl_ecdh_curve secp384r1;
+    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
+
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+
+
+    ####################################
+    ### OWASP recommendations / settings
+    ####################################
+
+    ### Size Limits & Buffer Overflows
+    ### the size may be configured based on the needs.
+    client_body_buffer_size  128k;
+    client_header_buffer_size 1k;
+    client_max_body_size 2M;
+    
+    ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
+    ### When you pass though potentially another reverse proxy/load balancer
+    ### in front of tpotce you can introduce more headers than normal and
+    ### therefore you can exceed the allowed header buffer of 1k.
+    ### An 280 extra bytes seems to be working for most use-cases.
+    ### And still keeping it close to OWASP's recommendation.
+    large_client_header_buffers 2 1280;
+
+    ### Mitigate Slow HHTP DoS Attack
+    ### Timeouts definition ##
+    client_body_timeout   10;
+    client_header_timeout 10;
+    keepalive_timeout     5 5;
+    send_timeout          10;
+
+    ### X-Frame-Options is to prevent from clickJacking attack
+    add_header X-Frame-Options SAMEORIGIN;
+
+    ### disable content-type sniffing on some browsers.
+    add_header X-Content-Type-Options nosniff;
+
+    ### This header enables the Cross-site scripting (XSS) filter
+    add_header X-XSS-Protection "1; mode=block";
+
+    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+#    add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
+
+    ##################################
+    ### Restrict access and basic auth
+    ##################################
+
+    # satisfy all;
+    satisfy any;
+
+    # allow 10.0.0.0/8;
+    # allow 172.16.0.0/12;
+    # allow 192.168.0.0/16;
+    allow 127.0.0.1;
+    allow ::1;
+    deny  all;
+
+    auth_basic           "closed site";
+    auth_basic_user_file /etc/nginx/lswebpasswd;
+
+    ################################################
+    ### T-Pot Hive Logstash HTTP Input Reverse Proxy
+    ################################################
+
+    location / {
+         set_by_lua_block $logstash {
+            local tpot_ostype = os.getenv("TPOT_OSTYPE")
+            if tpot_ostype == "mac" or tpot_ostype == "win" then
+                return "http://logstash:64305";
+            else
+                return "http://127.0.0.1:64305";
+            end
+        }
+        access_log off;
+        error_log /var/log/nginx/lsweb_error.log;
+        proxy_pass $logstash;
+    }
+}
--- a/docker/nginx/dist/conf/nginx.conf
+++ b/docker/nginx/dist/conf/nginx.conf
@ -6,7 +6,6 @@ load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;

 # OS ENV variables need to be defined here, so Lua can use them
-env COCKPIT;
 env TPOT_OSTYPE;

 # Both modules are needed for Lua, in this exact order
@ -36,7 +35,7 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

-        ##
+    ##
 	# Compression
 	##

--- a/docker/nginx/dist/conf/tpotweb.conf
+++ b/docker/nginx/dist/conf/tpotweb.conf
@ -96,12 +96,7 @@ server {

    location / {
        set_by_lua_block $index_file {
-            local cockpit = os.getenv("COCKPIT")
-            if cockpit == "false" then
-                return "index_light.html"
-            else
-                return "index.html"
-            end
+              return "index.html";
        }
        auth_basic           "closed site";
        auth_basic_user_file /etc/nginx/nginxpasswd;
@ -149,6 +144,7 @@ server {
                return "http://127.0.0.1:64298";
            end
        }
+
        proxy_pass $elasticsearch;
        rewrite /es/(.*)$ /$1 break;
    }