mirror of
				https://github.com/telekom-security/tpotce.git
				synced 2025-10-23 00:34:43 +00:00 
			
		
		
		
	
		
			
	
	
		
			153 lines
		
	
	
	
		
			4 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
		
		
			
		
	
	
			153 lines
		
	
	
	
		
			4 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
|   | ############################################ | ||
|  | ### NGINX T-Pot configuration file by mo ### | ||
|  | ############################################ | ||
|  | 
 | ||
|  | server { | ||
|  | 
 | ||
|  |     ######################### | ||
|  |     ### Basic server settings | ||
|  |     ######################### | ||
|  |     listen 64297 ssl http2; | ||
|  |     #index tpotweb.html; | ||
|  |     index index.php; | ||
|  |     ssl_protocols TLSv1.3; | ||
|  |     server_name example.com; | ||
|  |     error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html; | ||
|  |     root /var/lib/nginx/html/public; | ||
|  | 
 | ||
|  | 
 | ||
|  |     ############################################## | ||
|  |     ### Remove version number add different header | ||
|  |     ############################################## | ||
|  |     server_tokens off; | ||
|  |     more_set_headers 'Server: apache'; | ||
|  | 
 | ||
|  | 
 | ||
|  |     ############################################## | ||
|  |     ### SSL settings and Cipher Suites | ||
|  |     ############################################## | ||
|  |     ssl_certificate /etc/nginx/cert/nginx.crt; | ||
|  |     ssl_certificate_key /etc/nginx/cert/nginx.key; | ||
|  |      | ||
|  |     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256'; | ||
|  |     ssl_ecdh_curve secp384r1; | ||
|  |     ssl_dhparam /etc/nginx/ssl/dhparam4096.pem; | ||
|  | 
 | ||
|  |     ssl_prefer_server_ciphers on; | ||
|  |     ssl_session_cache shared:SSL:10m; | ||
|  | 
 | ||
|  | 
 | ||
|  |     #################################### | ||
|  |     ### OWASP recommendations / settings | ||
|  |     #################################### | ||
|  | 
 | ||
|  |     ### Size Limits & Buffer Overflows  | ||
|  |     ### the size may be configured based on the needs.  | ||
|  |     client_body_buffer_size  128k; | ||
|  |     client_header_buffer_size 1k; | ||
|  |     client_max_body_size 2M; | ||
|  |     large_client_header_buffers 2 1k; | ||
|  | 
 | ||
|  |     ### Mitigate Slow HHTP DoS Attack | ||
|  |     ### Timeouts definition ## | ||
|  |     client_body_timeout   10; | ||
|  |     client_header_timeout 10; | ||
|  |     keepalive_timeout     5 5; | ||
|  |     send_timeout          10; | ||
|  | 
 | ||
|  |     ### X-Frame-Options is to prevent from clickJacking attack | ||
|  |     add_header X-Frame-Options SAMEORIGIN; | ||
|  | 
 | ||
|  |     ### disable content-type sniffing on some browsers. | ||
|  |     add_header X-Content-Type-Options nosniff; | ||
|  | 
 | ||
|  |     ### This header enables the Cross-site scripting (XSS) filter | ||
|  |     add_header X-XSS-Protection "1; mode=block"; | ||
|  | 
 | ||
|  |     ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack | ||
|  |     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | ||
|  | 
 | ||
|  | 
 | ||
|  |     ################################## | ||
|  |     ### Restrict access and basic auth | ||
|  |     ################################## | ||
|  | 
 | ||
|  |     # satisfy all; | ||
|  |     satisfy any; | ||
|  | 
 | ||
|  |     # allow 10.0.0.0/8; | ||
|  |     # allow 172.16.0.0/12; | ||
|  |     # allow 192.168.0.0/16; | ||
|  |     allow 127.0.0.1; | ||
|  |     allow ::1; | ||
|  |     deny  all; | ||
|  | 
 | ||
|  |     auth_basic           "closed site"; | ||
|  |     auth_basic_user_file /etc/nginx/nginxpasswd; | ||
|  | 
 | ||
|  | 
 | ||
|  |     ############ | ||
|  |     ### Heimdall | ||
|  |     ############ | ||
|  | 
 | ||
|  |     location / { | ||
|  |         auth_basic           "closed site"; | ||
|  |         auth_basic_user_file /etc/nginx/nginxpasswd; | ||
|  |         try_files $uri $uri/ /index.php?$query_string; | ||
|  |     } | ||
|  | 
 | ||
|  |     location ~ \.php$ { | ||
|  |         fastcgi_split_path_info ^(.+\.php)(/.+)$; | ||
|  |         fastcgi_pass 127.0.0.1:64304; | ||
|  |         fastcgi_index index.php; | ||
|  |         include fastcgi_params; | ||
|  |         fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
|  |     } | ||
|  | 
 | ||
|  |     ################# | ||
|  |     ### Proxied sites | ||
|  |     ################# | ||
|  | 
 | ||
|  |     ### Kibana | ||
|  |     location /kibana/ { | ||
|  |         proxy_pass http://127.0.0.1:64296; | ||
|  |         rewrite /kibana/(.*)$ /$1 break; | ||
|  |     } | ||
|  | 
 | ||
|  |     ### ES  | ||
|  |     location /es/ { | ||
|  |         proxy_pass http://127.0.0.1:64298/; | ||
|  |         rewrite /es/(.*)$ /$1 break; | ||
|  |     } | ||
|  | 
 | ||
|  |     ### head standalone  | ||
|  |     location /myhead/ { | ||
|  |         proxy_pass http://127.0.0.1:64302/; | ||
|  |         rewrite /myhead/(.*)$ /$1 break; | ||
|  |     } | ||
|  | 
 | ||
|  |     ### CyberChef | ||
|  |     location /cyberchef { | ||
|  |         proxy_pass http://127.0.0.1:64299; | ||
|  |         rewrite ^/cyberchef(.*)$ /$1 break; | ||
|  |     } | ||
|  | 
 | ||
|  |     ### spiderfoot | ||
|  |     location /spiderfoot { | ||
|  |         proxy_pass http://127.0.0.1:64303; | ||
|  |     } | ||
|  | 
 | ||
|  |         location /static { | ||
|  |             proxy_pass http://127.0.0.1:64303/spiderfoot/static; | ||
|  |         } | ||
|  | 
 | ||
|  |         location /scanviz { | ||
|  |             proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz; | ||
|  |         } | ||
|  |          | ||
|  |         location /scandelete { | ||
|  |             proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete; | ||
|  |         } | ||
|  | 
 | ||
|  | } |