mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-07-02 01:27:27 -04:00
add logstash http_input support for nginx
remove cockpit support entirely cleanup / housekeeping
This commit is contained in:
110
docker/nginx/dist/conf/lsweb.conf
vendored
Normal file
110
docker/nginx/dist/conf/lsweb.conf
vendored
Normal file
@ -0,0 +1,110 @@
|
||||
############################################
|
||||
### NGINX T-Pot configuration file by mo ###
|
||||
############################################
|
||||
|
||||
server {
|
||||
|
||||
#########################
|
||||
### Basic server settings
|
||||
#########################
|
||||
listen 64294 ssl http2;
|
||||
index index.html;
|
||||
ssl_protocols TLSv1.3;
|
||||
server_name example.com;
|
||||
error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
|
||||
root /var/lib/nginx/html;
|
||||
add_header Cache-Control "public, max-age=604800";
|
||||
|
||||
##############################################
|
||||
### Remove version number add different header
|
||||
##############################################
|
||||
server_tokens off;
|
||||
|
||||
|
||||
##############################################
|
||||
### SSL settings and Cipher Suites
|
||||
##############################################
|
||||
ssl_certificate /etc/nginx/cert/nginx.crt;
|
||||
ssl_certificate_key /etc/nginx/cert/nginx.key;
|
||||
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
|
||||
ssl_ecdh_curve secp384r1;
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
|
||||
####################################
|
||||
### OWASP recommendations / settings
|
||||
####################################
|
||||
|
||||
### Size Limits & Buffer Overflows
|
||||
### the size may be configured based on the needs.
|
||||
client_body_buffer_size 128k;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 2M;
|
||||
|
||||
### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
|
||||
### When you pass though potentially another reverse proxy/load balancer
|
||||
### in front of tpotce you can introduce more headers than normal and
|
||||
### therefore you can exceed the allowed header buffer of 1k.
|
||||
### An 280 extra bytes seems to be working for most use-cases.
|
||||
### And still keeping it close to OWASP's recommendation.
|
||||
large_client_header_buffers 2 1280;
|
||||
|
||||
### Mitigate Slow HHTP DoS Attack
|
||||
### Timeouts definition ##
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 5 5;
|
||||
send_timeout 10;
|
||||
|
||||
### X-Frame-Options is to prevent from clickJacking attack
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
### disable content-type sniffing on some browsers.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
### This header enables the Cross-site scripting (XSS) filter
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
||||
# add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
|
||||
|
||||
##################################
|
||||
### Restrict access and basic auth
|
||||
##################################
|
||||
|
||||
# satisfy all;
|
||||
satisfy any;
|
||||
|
||||
# allow 10.0.0.0/8;
|
||||
# allow 172.16.0.0/12;
|
||||
# allow 192.168.0.0/16;
|
||||
allow 127.0.0.1;
|
||||
allow ::1;
|
||||
deny all;
|
||||
|
||||
auth_basic "closed site";
|
||||
auth_basic_user_file /etc/nginx/lswebpasswd;
|
||||
|
||||
################################################
|
||||
### T-Pot Hive Logstash HTTP Input Reverse Proxy
|
||||
################################################
|
||||
|
||||
location / {
|
||||
set_by_lua_block $logstash {
|
||||
local tpot_ostype = os.getenv("TPOT_OSTYPE")
|
||||
if tpot_ostype == "mac" or tpot_ostype == "win" then
|
||||
return "http://logstash:64305";
|
||||
else
|
||||
return "http://127.0.0.1:64305";
|
||||
end
|
||||
}
|
||||
access_log off;
|
||||
error_log /var/log/nginx/lsweb_error.log;
|
||||
proxy_pass $logstash;
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user