tpotce/docker/deprecated/nginx/dist/conf/tpotweb.conf

############################################
### NGINX T-Pot configuration file by mo ###
############################################

server {

    #########################
    ### Basic server settings
    #########################
    listen 64297 ssl http2;
    index tpotweb.html;
    ssl_protocols TLSv1.3;
    server_name example.com;
    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;


    ##############################################
    ### Remove version number add different header
    ##############################################
    server_tokens off;
    more_set_headers 'Server: apache';


    ##############################################
    ### SSL settings and Cipher Suites
    ##############################################
    ssl_certificate /etc/nginx/cert/nginx.crt;
    ssl_certificate_key /etc/nginx/cert/nginx.key;
    
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;


    ####################################
    ### OWASP recommendations / settings
    ####################################

    ### Size Limits & Buffer Overflows 
    ### the size may be configured based on the needs. 
    client_body_buffer_size  128k;
    client_header_buffer_size 1k;
    client_max_body_size 256k;
    large_client_header_buffers 2 1k;

    ### Mitigate Slow HHTP DoS Attack
    ### Timeouts definition ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    ### X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    ### disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    ### This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


    ##################################
    ### Restrict access and basic auth
    ##################################

    # satisfy all;
    satisfy any;

    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/nginxpasswd;


    #################
    ### Proxied sites
    #################

    ### Kibana
    location /kibana/ {
        proxy_pass http://127.0.0.1:64296;
        rewrite /kibana/(.*)$ /$1 break;
    }

    ### ES 
    location /es/ {
        proxy_pass http://127.0.0.1:64298/;
        rewrite /es/(.*)$ /$1 break;
    }

    ### head standalone 
    location /myhead/ {
        proxy_pass http://127.0.0.1:64302/;
        rewrite /myhead/(.*)$ /$1 break;
    }

    ### CyberChef
    location /cyberchef {
        proxy_pass http://127.0.0.1:64299;
        rewrite ^/cyberchef(.*)$ /$1 break;
    }

    ### spiderfoot
    location /spiderfoot {
        proxy_pass http://127.0.0.1:64303;
    }

        location /static {
            proxy_pass http://127.0.0.1:64303/spiderfoot/static;
        }

        location /scanviz {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
        }
        
        location /scandelete {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
        }

}
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`############################################`
			`### NGINX T-Pot configuration file by mo ###`
			`############################################`

			`server {`

			`#########################`
			`### Basic server settings`
			`#########################`
			`listen 64297 ssl http2;`
			`index tpotweb.html;`
pin nginx to tls v1.3 2019-02-26 07:55:42 +00:00			`ssl_protocols TLSv1.3;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`server_name example.com;`
			`error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;`


			`##############################################`
			`### Remove version number add different header`
			`##############################################`
			`server_tokens off;`
			`more_set_headers 'Server: apache';`


			`##############################################`
			`### SSL settings and Cipher Suites`
			`##############################################`
			`ssl_certificate /etc/nginx/cert/nginx.crt;`
			`ssl_certificate_key /etc/nginx/cert/nginx.key;`

			`ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';`
			`ssl_ecdh_curve secp384r1;`
			`ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;`

			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`

continue working on installer remove portainer remove wetty remove netdata add cockpit tweak fail2ban for cockpit, sshd, nginx update logo to 18.10 remove configs with regard to portainer, wetty, netdata adjust packages for install.sh, preseed 2018-06-23 21:23:33 +00:00
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`####################################`
			`### OWASP recommendations / settings`
			`####################################`

			`### Size Limits & Buffer Overflows`
			`### the size may be configured based on the needs.`
continue working on installer remove portainer remove wetty remove netdata add cockpit tweak fail2ban for cockpit, sshd, nginx update logo to 18.10 remove configs with regard to portainer, wetty, netdata adjust packages for install.sh, preseed 2018-06-23 21:23:33 +00:00			`client_body_buffer_size 128k;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`client_header_buffer_size 1k;`
continue working on installer remove portainer remove wetty remove netdata add cockpit tweak fail2ban for cockpit, sshd, nginx update logo to 18.10 remove configs with regard to portainer, wetty, netdata adjust packages for install.sh, preseed 2018-06-23 21:23:33 +00:00			`client_max_body_size 256k;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`large_client_header_buffers 2 1k;`

			`### Mitigate Slow HHTP DoS Attack`
			`### Timeouts definition ##`
			`client_body_timeout 10;`
			`client_header_timeout 10;`
			`keepalive_timeout 5 5;`
			`send_timeout 10;`

			`### X-Frame-Options is to prevent from clickJacking attack`
			`add_header X-Frame-Options SAMEORIGIN;`

			`### disable content-type sniffing on some browsers.`
			`add_header X-Content-Type-Options nosniff;`

			`### This header enables the Cross-site scripting (XSS) filter`
			`add_header X-XSS-Protection "1; mode=block";`

			`### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";`


			`##################################`
			`### Restrict access and basic auth`
			`##################################`

			`# satisfy all;`
			`satisfy any;`

			`# allow 10.0.0.0/8;`
			`# allow 172.16.0.0/12;`
			`# allow 192.168.0.0/16;`
			`allow 127.0.0.1;`
			`allow ::1;`
			`deny all;`

			`auth_basic "closed site";`
			`auth_basic_user_file /etc/nginx/nginxpasswd;`


			`#################`
			`### Proxied sites`
			`#################`

			`### Kibana`
			`location /kibana/ {`
Fix IPv6 error fix an error where upstream site is not found while trying to connect with both IPv4 and IPv6. Setting `localhost` to `127.0.0.1` fixes it. 2018-06-26 08:19:35 +00:00			`proxy_pass http://127.0.0.1:64296;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`rewrite /kibana/(.*)$ /$1 break;`
			`}`

			`### ES`
			`location /es/ {`
Fix IPv6 error fix an error where upstream site is not found while trying to connect with both IPv4 and IPv6. Setting `localhost` to `127.0.0.1` fixes it. 2018-06-26 08:19:35 +00:00			`proxy_pass http://127.0.0.1:64298/;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`rewrite /es/(.*)$ /$1 break;`
			`}`

			`### head standalone`
			`location /myhead/ {`
Fix IPv6 error fix an error where upstream site is not found while trying to connect with both IPv4 and IPv6. Setting `localhost` to `127.0.0.1` fixes it. 2018-06-26 08:19:35 +00:00			`proxy_pass http://127.0.0.1:64302/;`
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`rewrite /myhead/(.*)$ /$1 break;`
			`}`

add cyberchef as tool 2018-07-12 09:03:33 +00:00			`### CyberChef`
			`location /cyberchef {`
			`proxy_pass http://127.0.0.1:64299;`
			`rewrite ^/cyberchef(.*)$ /$1 break;`
			`}`

prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`### spiderfoot`
			`location /spiderfoot {`
			`proxy_pass http://127.0.0.1:64303;`
			`}`

			`location /static {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/static;`
			`}`

			`location /scanviz {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;`
			`}`
prepare some fixes, tweaking 2018-03-29 20:56:11 +00:00
			`location /scandelete {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;`
			`}`
continue working on installer remove portainer remove wetty remove netdata add cockpit tweak fail2ban for cockpit, sshd, nginx update logo to 18.10 remove configs with regard to portainer, wetty, netdata adjust packages for install.sh, preseed 2018-06-23 21:23:33 +00:00
prepare for nginx docker image 2018-02-16 14:17:34 +00:00			`}`