diff --git a/bin/clean.sh b/bin/clean.sh
index 44c805f9..1d5b87e1 100755
--- a/bin/clean.sh
+++ b/bin/clean.sh
@@ -36,6 +36,8 @@ fuLOGROTATE () {
 # Ensure correct permissions and ownerships for logrotate to run without issues
 chmod 760 /data/ -R
 chown tpot:tpot /data -R
+chmod 644 /data/nginx/conf -R
+chmod 644 /data/nginx/cert -R
 # Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided
 logrotate -f -s $mySTATUS $myCONF
@@ -138,6 +140,13 @@ fuMAILONEY () {
 chown tpot:tpot /data/mailoney/ -R
 }
+# Let's create a function to clean up nginx logs
+fuNGINX () {
+ if [ "$myPERSISTENCE" != "on" ]; then rm /data/nginx/log/*; fi
+ chmod 644 /data/nginx/conf -R
+ chmod 644 /data/nginx/cert -R
+}
+
 # Let's create a function to clean up and prepare rdpy data
 fuRDPY () {
 if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
@@ -210,6 +219,7 @@ if [ "$myPERSISTENCE" = "on" ];
 fuGLASTOPF
 fuHONEYTRAP
 fuMAILONEY
+ fuNGINX
 fuRDPY
 fuSPIDERFOOT
 fuSURICATA
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
index 00000000..f9e4b5a9
--- /dev/null
+++ b/docker/nginx/Dockerfile
@@ -0,0 +1,23 @@
+FROM nginx:alpine
+MAINTAINER MO
+
+# Include dist
+ADD dist/ /root/dist/
+
+# Get and install dependencies & packages
+RUN apk -U upgrade && \
+ apk add bash nginx nginx-mod-http-headers-more procps && \
+
+# Setup configs
+ rm /etc/nginx/conf.d/* /usr/share/nginx/html/* && \
+ cp /root/dist/conf/nginx.conf /etc/nginx/ && \
+ cp -R /root/dist/conf/ssl /etc/nginx/ && \
+ cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \
+ cp -R /root/dist/html/ /var/lib/nginx/ && \
+
+# Clean up
+ rm -rf /root/* && \
+ rm -rf /var/cache/apk/*
+
+# Start nginx
+CMD nginx -g 'daemon off;'
diff --git a/docker/nginx/dist/conf/nginx.conf b/docker/nginx/dist/conf/nginx.conf
new file mode 100644
index 00000000..24d24d4d
--- /dev/null
+++ b/docker/nginx/dist/conf/nginx.conf
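Review bot: `chmod 644 /data/nginx/conf -R` and `chmod 644 /data/nginx/cert -R` apply a file mode to the directories as well, stripping their execute bit, and make everything under `/data/nginx/cert` world-readable — if that directory holds the `nginx.key` that tpotweb.conf's `ssl_certificate_key` refers to (presumably mounted from there), the private key becomes readable by every local account. Set directory and file modes separately and keep the key owner-only, e.g. `chmod 750 /data/nginx/conf /data/nginx/cert` followed by `chmod 640 /data/nginx/conf/*` and `chmod 600 /data/nginx/cert/*`. The same two lines are repeated in the new fuNGINX function in the next hunk; doing this once in fuLOGROTATE, which already fixes up all of /data, would avoid the duplication. fuLOGROTATE's body starts and ends outside this hunk.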
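Review bot: `rm /data/nginx/log/*` in fuNGINX has no `-f`, so on an already-empty log directory the unexpanded glob makes rm report a missing file, and rm also refuses any subdirectory it meets; the sibling function in this hunk (fuRDPY, `rm -rf /data/rdpy/*`) uses `rm -rf`, so `if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi` would be consistent with the rest of the file. A one-line comment stating whether the log directory itself must survive for the nginx container to start would also help, since the function only empties it and never recreates it.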
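Review bot: tpotweb.conf, later in this commit, reads `/etc/nginx/cert/nginx.crt`, `/etc/nginx/cert/nginx.key` and `/etc/nginx/nginxpasswd`, none of which this Dockerfile creates — the ssl step only copies `dist/conf/ssl` to `/etc/nginx/ssl` — so the container presumably depends on volumes mounted at run time (clean.sh's new chmods of `/data/nginx/cert` and `/data/nginx/conf` point the same way); a comment above `CMD` listing the expected mounts would make that contract explicit. `MAINTAINER` is deprecated in favour of `LABEL maintainer="MO"`. Installing the Alpine `nginx` package on top of `nginx:alpine`, which already ships its own nginx build, risks two nginx installations disagreeing about binary and module paths; if the apk package is only there to satisfy `nginx-mod-http-headers-more`, that dependency and the `load_module` path in nginx.conf should be checked against the base image's actual layout.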
@@ -0,0 +1,97 @@
+user nginx;
+worker_processes auto;
+pid /run/nginx.pid;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ log_format le_json '{ "timestamp": "$time_iso8601", '
+ '"src_ip": "$remote_addr", '
+ '"remote_user": "$remote_user", '
+ '"body_bytes_sent": "$body_bytes_sent", '
+ '"request_time": "$request_time", '
+ '"status": "$status", '
+ '"request": "$request", '
+ '"request_method": "$request_method", '
+ '"http_referrer": "$http_referer", '
+ '"http_user_agent": "$http_user_agent" }';
+
+ access_log /var/log/nginx/access.log le_json;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/docker/nginx/dist/conf/ssl/dhparam4096.pem b/docker/nginx/dist/conf/ssl/dhparam4096.pem
new file mode 100644
index 00000000..78cbf6d7
--- /dev/null
+++ b/docker/nginx/dist/conf/ssl/dhparam4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAiHmfakVLOStSULBdaTbZY/zeFyEeQ19GY9Z5CJg06dIIgIzhxk9L
+4xsQdQk8giKOjP6SfX0ZgF5CYaurQ3ljYlP0UlAQQo9+fEErbqj3hCzAxtIpd6Yj
+SV6zFdnSjwxWuKAPPywiQNljnHH+Y1KBdbl5VQ9gC3ehtaLo1A4y8q96f6fC5rGU
+nfgw4lTxLvPD7NwaOdFTCyK8tTxvUGNJIvf7805IxZ0BvAiBuVaXStaMcqf5BHLP
+fYpvIiVaCrtto4elu18nL0tf2CN5n9ai4hlr0nPmNrE/Zrrur78Re5F4Ien9kr4d
+xabXvVJJQa9j2NdQO7vk7Cz/dAIiqt/1XKFhll4TTYBqrFVXIwF+FNx636zyOjcO
+nlZk/V+IL/UTPnZOv2PGt5+WetvJJubi6B9XgOgVLduI07woAp5qnRJJt6fJW1aA
+M86By6WLy5P31Py6eFj8nYgj1V703XgQ5lESKYpeVgqA0bh7daNzOCoGQvvUKlTP
+RTu6fs7clw5ta4yYUyvuIKTngH5yGBNdTuP0GWo6Y+Dy1BctVwl2xSw+FhYeuIf/
+EB2A3129H59HhbWyNH337+1dfntHfQRXBsT0YSyDxPurI5/FNGcmw+GZEYk4BB8j
+g7TwH3GBjbKnjnr7SnhanqmWgybgQw6oR9gDC399eR4LiOk9sbxpX1MCAQI=
+-----END DH PARAMETERS-----
diff --git a/docker/nginx/dist/conf/ssl/gen-cert.sh b/docker/nginx/dist/conf/ssl/gen-cert.sh
new file mode 100644
index 00000000..388e51ee
--- /dev/null
+++ b/docker/nginx/dist/conf/ssl/gen-cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+ then
+ echo "Need to run as root ..."
+ exit
+fi
+
+openssl req -nodes -x509 -sha512 -newkey rsa:8192 -keyout "nginx.key" -out "nginx.crt" -days 3650
+
diff --git a/docker/nginx/dist/conf/ssl/gen-dhparam.sh b/docker/nginx/dist/conf/ssl/gen-dhparam.sh
new file mode 100644
index 00000000..b4af43e6
--- /dev/null
+++ b/docker/nginx/dist/conf/ssl/gen-dhparam.sh
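Review bot: The `le_json` log_format interpolates `$request`, `$http_referer` and `$http_user_agent` into a JSON document without escaping, so a client-supplied double quote or backslash produces a line that downstream JSON parsers reject or mis-parse — a real loss for a honeypot whose value is the log. nginx 1.11.8 and later accept `log_format le_json escape=json '{ "timestamp": "$time_iso8601", '` as the opening line, which escapes those characters; if the base image is older, the format should at least carry a comment that these fields are untrusted and unescaped. Separately, the http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is only overridden inside tpotweb.conf's server block, so any further server block under conf.d or sites-enabled would inherit TLSv1/TLSv1.1; `ssl_protocols TLSv1.2;` here as well keeps the default strict.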
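Review bot: The root check ends in a bare `exit`, which returns status 0, so a caller or wrapper cannot tell that no certificate was generated; use `echo "Need to run as root ..." >&2` and `exit 1`. The identical root check with a bare `exit` is in gen-dhparam.sh in the next hunk. Without `-subj`, `openssl req` prompts interactively for the subject fields, which is fine for a manual helper but means the script cannot run unattended — a usage comment at the top stating that it is interactive and writes `nginx.key`/`nginx.crt` into the current directory would help.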
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+ then
+ echo "Need to run as root ..."
+ exit
+fi
+
+if [ "$1" = "2048" ] || [ "$1" = "4096" ] || [ "$1" = "8192" ]
+ then
+ openssl dhparam -outform PEM -out dhparam$1.pem $1
+ else
+ echo "Usage: ./gen-dhparam [2048, 4096, 8192]..."
+fi
diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf
new file mode 100644
index 00000000..f11a2efe
--- /dev/null
+++ b/docker/nginx/dist/conf/tpotweb.conf
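Review bot: The usage message names `./gen-dhparam` while the file is `gen-dhparam.sh`, and it goes to stdout with exit status 0 even though nothing was generated; `echo "Usage: ${0##*/} [2048|4096|8192]" >&2` followed by `exit 1` fixes both. The allow-list comparison before `openssl dhparam -outform PEM -out dhparam$1.pem $1` means `$1` can only be one of three literals at that point, so the unquoted expansions are harmless here — worth a short comment so the next reader does not "fix" the quoting and drop the check.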
@@ -0,0 +1,155 @@
+############################################
+### NGINX T-Pot configuration file by mo ###
+############################################
+
+###################################
+### Allow for 60 reloads per minute
+###################################
+limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;
+
+server {
+
+ #########################
+ ### Basic server settings
+ #########################
+ listen 64297 ssl http2;
+ index tpotweb.html;
+ ssl_protocols TLSv1.2;
+ server_name example.com;
+ error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
+
+
+ ##############################################
+ ### Remove version number add different header
+ ##############################################
+ server_tokens off;
+ more_set_headers 'Server: apache';
+
+
+ ##############################################
+ ### SSL settings and Cipher Suites
+ ##############################################
+ ssl_certificate /etc/nginx/cert/nginx.crt;
+ ssl_certificate_key /etc/nginx/cert/nginx.key;
+
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
+ ssl_ecdh_curve secp384r1;
+ ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+
+ ####################################
+ ### OWASP recommendations / settings
+ ####################################
+
+ ### Size Limits & Buffer Overflows
+ ### the size may be configured based on the needs.
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ client_max_body_size 100k;
+ large_client_header_buffers 2 1k;
+
+ ### Mitigate Slow HHTP DoS Attack
+ ### Timeouts definition ##
+ client_body_timeout 10;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 10;
+
+ ### X-Frame-Options is to prevent from clickJacking attack
+ add_header X-Frame-Options SAMEORIGIN;
+
+ ### disable content-type sniffing on some browsers.
+ add_header X-Content-Type-Options nosniff;
+
+ ### This header enables the Cross-site scripting (XSS) filter
+ add_header X-XSS-Protection "1; mode=block";
+
+ ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+
+ ##################################
+ ### Restrict access and basic auth
+ ##################################
+
+ # satisfy all;
+ satisfy any;
+
+ # allow 10.0.0.0/8;
+ # allow 172.16.0.0/12;
+ # allow 192.168.0.0/16;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ auth_basic "closed site";
+ auth_basic_user_file /etc/nginx/nginxpasswd;
+
+
+ ##############################
+ ### Limit brute-force attempts
+ ##############################
+ location = / {
+ limit_req zone=base burst=1 nodelay;
+ }
+
+
+ #################
+ ### Proxied sites
+ #################
+
+ ### Kibana
+ location /kibana/ {
+ proxy_pass http://localhost:64296;
+ rewrite /kibana/(.*)$ /$1 break;
+ }
+
+ ### ES
+ location /es/ {
+ proxy_pass http://localhost:64298/;
+ rewrite /es/(.*)$ /$1 break;
+ }
+
+ ### head standalone
+ location /myhead/ {
+ proxy_pass http://localhost:64302/;
+ rewrite /myhead/(.*)$ /$1 break;
+ }
+
+ ### portainer
+ location /ui {
+ proxy_pass http://127.0.0.1:64299;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Host $host;
+ proxy_redirect off;
+ rewrite /ui/(.*)$ /$1 break;
+ }
+ ### web tty
+ location /wetty {
+ proxy_pass http://127.0.0.1:64300/wetty;
+ }
+
+ ### netdata
+ location /netdata/ {
+ proxy_pass http://localhost:64301;
+ rewrite /netdata/(.*)$ /$1 break;
+ }
+
+ ### spiderfoot
+ location /spiderfoot {
+ proxy_pass http://127.0.0.1:64303;
+ }
+
+ location /static {
+ proxy_pass http://127.0.0.1:64303/spiderfoot/static;
+ }
+
+ location /scanviz {
+ proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
+ }
+}
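Review bot: The `limit_req` under `### Limit brute-force attempts` is scoped to `location = /` only, while `auth_basic` applies to the whole server, so password guessing against `/kibana/`, `/es/` or any other path is not rate-limited at all; `limit_req zone=base burst=1 nodelay;` belongs at server level, next to `auth_basic`, if the comment is to hold. The `/es/` location forwards the Elasticsearch HTTP API with no method restriction, so every basic-auth user can issue write and delete requests to it; if the front-end only needs reads, `limit_except GET { deny all; }` inside that location closes that off. `satisfy any` combined with `allow 127.0.0.1;`/`allow ::1;` means loopback clients skip the password entirely; if that is intended it deserves a comment saying so. In `ssl_ciphers`, `!DHE` permanently removes every EDH suite listed before it, so `ssl_dhparam` is never used — either drop `!DHE` or drop the `EDH` entries together with the dhparam file.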
diff --git a/docker/nginx/dist/html/error.html b/docker/nginx/dist/html/error.html new file mode 100644 index 00000000..e69de29b diff --git a/docker/nginx/dist/html/favicon.ico b/docker/nginx/dist/html/favicon.ico new file mode 100644 index 00000000..a40c2372 Binary files /dev/null and b/docker/nginx/dist/html/favicon.ico differ diff --git a/docker/nginx/dist/html/navbar.html b/docker/nginx/dist/html/navbar.html new file mode 100644 index 00000000..d3b311a8 --- /dev/null +++ b/docker/nginx/dist/html/navbar.html @@ -0,0 +1,21 @@ + + +
+ + +