tpotce/installer/etc/nginx/tpotweb.conf

############################################
### NGINX T-Pot configuration file by mo ###
############################################

###################################
### Allow for 60 reloads per minute
###################################
limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;

server {

    #########################
    ### Basic server settings
    #########################
    listen 64297 ssl http2;
    index tpotweb.html;
    ssl_protocols TLSv1.2;
    server_name example.com;
    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;


    ##############################################
    ### Remove version number add different header
    ##############################################
    server_tokens off;
    more_set_headers 'Server: apache';


    ##############################################
    ### SSL settings and Cipher Suites
    ##############################################
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

 
    ####################################
    ### OWASP recommendations / settings
    ####################################

    ### Size Limits & Buffer Overflows 
    ### the size may be configured based on the needs. 
    client_body_buffer_size  100K;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 2 1k;

    ### Mitigate Slow HHTP DoS Attack
    ### Timeouts definition ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    ### X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    ### disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    ### This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


    ##################################
    ### Restrict access and basic auth
    ##################################

    # satisfy all;
    satisfy any;

    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/nginxpasswd;


    ##############################
    ### Limit brute-force attempts
    ##############################
    location = / {
      limit_req zone=base burst=1 nodelay;
    }   


    #################
    ### Proxied sites
    #################

    ### Kibana
    location /kibana/ {
        proxy_pass http://localhost:64296;
        rewrite /kibana/(.*)$ /$1 break;
    }

    ### ES 
    location /es/ {
        proxy_pass http://localhost:64298/;
        rewrite /es/(.*)$ /$1 break;
    }

    ### head standalone 
    location /myhead/ {
        proxy_pass http://localhost:64302/;
        rewrite /myhead/(.*)$ /$1 break;
    }

    ### portainer
    location /ui {
        proxy_pass http://127.0.0.1:64299;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $host;
        proxy_redirect off;
        rewrite /ui/(.*)$ /$1 break;
    }
    ### web tty
    location /wetty {
       proxy_pass http://127.0.0.1:64300/wetty;
    }  

    ### netdata
    location /netdata/ {
        proxy_pass http://localhost:64301;
        rewrite /netdata/(.*)$ /$1 break;
    }

    ### spiderfoot
    location /spiderfoot {
        proxy_pass http://127.0.0.1:64303;
    }

        location /static {
            proxy_pass http://127.0.0.1:64303/spiderfoot/static;
        }

        location /scanviz {
            proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
        }
}
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`############################################`
			`### NGINX T-Pot configuration file by mo ###`
			`############################################`

			`###################################`
			`### Allow for 60 reloads per minute`
			`###################################`
			`limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;`

			`server {`

			`#########################`
			`### Basic server settings`
			`#########################`
			`listen 64297 ssl http2;`
fix bugs, issues fix an issue with nginx upgrades where index.html was overwritten without asking fix an issue with dashboards where positions were mixed up after removing welcome message and saving as default 2016-10-27 11:11:51 +00:00			`index tpotweb.html;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`ssl_protocols TLSv1.2;`
			`server_name example.com;`
			`error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;`


			`##############################################`
			`### Remove version number add different header`
			`##############################################`
			`server_tokens off;`
			`more_set_headers 'Server: apache';`


			`##############################################`
			`### SSL settings and Cipher Suites`
			`##############################################`
			`ssl_certificate /etc/nginx/ssl/nginx.crt;`
			`ssl_certificate_key /etc/nginx/ssl/nginx.key;`

			`ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';`
			`ssl_ecdh_curve secp384r1;`
			`ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;`

			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`


			`####################################`
			`### OWASP recommendations / settings`
			`####################################`

			`### Size Limits & Buffer Overflows`
			`### the size may be configured based on the needs.`
			`client_body_buffer_size 100K;`
			`client_header_buffer_size 1k;`
			`client_max_body_size 100k;`
			`large_client_header_buffers 2 1k;`

			`### Mitigate Slow HHTP DoS Attack`
			`### Timeouts definition ##`
			`client_body_timeout 10;`
			`client_header_timeout 10;`
			`keepalive_timeout 5 5;`
			`send_timeout 10;`

			`### X-Frame-Options is to prevent from clickJacking attack`
			`add_header X-Frame-Options SAMEORIGIN;`

			`### disable content-type sniffing on some browsers.`
			`add_header X-Content-Type-Options nosniff;`

			`### This header enables the Cross-site scripting (XSS) filter`
			`add_header X-XSS-Protection "1; mode=block";`

			`### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";`


			`##################################`
			`### Restrict access and basic auth`
			`##################################`
bring dashboards back, tweaking and prepare for beta 2016-10-23 10:34:08 +00:00
			`# satisfy all;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`satisfy any;`

bring dashboards back, tweaking and prepare for beta 2016-10-23 10:34:08 +00:00			`# allow 10.0.0.0/8;`
			`# allow 172.16.0.0/12;`
			`# allow 192.168.0.0/16;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`allow 127.0.0.1;`
			`allow ::1;`
			`deny all;`

			`auth_basic "closed site";`
			`auth_basic_user_file /etc/nginx/nginxpasswd;`


			`##############################`
			`### Limit brute-force attempts`
			`##############################`
			`location = / {`
			`limit_req zone=base burst=1 nodelay;`
			`}`


			`#################`
			`### Proxied sites`
			`#################`

			`### Kibana`
			`location /kibana/ {`
			`proxy_pass http://localhost:64296;`
			`rewrite /kibana/(.*)$ /$1 break;`
			`}`

add working solution for head 2017-02-27 17:42:34 +00:00			`### ES`
			`location /es/ {`
			`proxy_pass http://localhost:64298/;`
			`rewrite /es/(.*)$ /$1 break;`
			`}`

Clean up, add Spiderfoot tpot configs are now stored in /etc/tpot/ tpot related scripts are now stored /usr/share/tpot/bin some scripts are improved some scripts are cleaned of old comments spiderfoot is now part of tpot 2017-04-19 12:22:51 +00:00			`### head standalone`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`location /myhead/ {`
starting with elk5 2017-02-26 11:22:56 +00:00			`proxy_pass http://localhost:64302/;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`rewrite /myhead/(.*)$ /$1 break;`
			`}`

Clean up, add Spiderfoot tpot configs are now stored in /etc/tpot/ tpot related scripts are now stored /usr/share/tpot/bin some scripts are improved some scripts are cleaned of old comments spiderfoot is now part of tpot 2017-04-19 12:22:51 +00:00			`### portainer`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`location /ui {`
tweak /ui/ location 2016-08-09 03:26:08 +00:00			`proxy_pass http://127.0.0.1:64299;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
tweak /ui/ location 2016-08-09 03:26:08 +00:00			`proxy_set_header Connection $http_connection;`
tweaking, bugfixes 2016-08-06 22:06:31 +00:00			`proxy_set_header Host $host;`
			`proxy_redirect off;`
			`rewrite /ui/(.*)$ /$1 break;`
			`}`
			`### web tty`
			`location /wetty {`
			`proxy_pass http://127.0.0.1:64300/wetty;`
			`}`

			`### netdata`
			`location /netdata/ {`
			`proxy_pass http://localhost:64301;`
			`rewrite /netdata/(.*)$ /$1 break;`
			`}`

Clean up, add Spiderfoot tpot configs are now stored in /etc/tpot/ tpot related scripts are now stored /usr/share/tpot/bin some scripts are improved some scripts are cleaned of old comments spiderfoot is now part of tpot 2017-04-19 12:22:51 +00:00			`### spiderfoot`
			`location /spiderfoot {`
			`proxy_pass http://127.0.0.1:64303;`
			`}`
tweak /ui/ location 2016-08-09 03:26:08 +00:00
Clean up, add Spiderfoot tpot configs are now stored in /etc/tpot/ tpot related scripts are now stored /usr/share/tpot/bin some scripts are improved some scripts are cleaned of old comments spiderfoot is now part of tpot 2017-04-19 12:22:51 +00:00			`location /static {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/static;`
			`}`

			`location /scanviz {`
			`proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;`
			`}`
			`}`