############################################
### NGINX T-Pot configuration file by mo ###
############################################

server {

    #########################
    ### Basic server settings
    #########################
    listen 64294 ssl http2;
    index index.html;
    ssl_protocols TLSv1.3;
    server_name example.com;
    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
    root /var/lib/nginx/html;
    add_header Cache-Control "public, max-age=604800";

    ##############################################
    ### Remove version number add different header
    ##############################################
    server_tokens off;


    ##############################################
    ### SSL settings and Cipher Suites
    ##############################################
    ssl_certificate /etc/nginx/cert/nginx.crt;
    ssl_certificate_key /etc/nginx/cert/nginx.key;

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;


    ####################################
    ### OWASP recommendations / settings
    ####################################

    ### Size Limits & Buffer Overflows
    ### the size may be configured based on the needs.
    client_body_buffer_size  128k;
    client_header_buffer_size 1k;
    client_max_body_size 2M;
    
    ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
    ### When you pass though potentially another reverse proxy/load balancer
    ### in front of tpotce you can introduce more headers than normal and
    ### therefore you can exceed the allowed header buffer of 1k.
    ### An 280 extra bytes seems to be working for most use-cases.
    ### And still keeping it close to OWASP's recommendation.
    large_client_header_buffers 2 1280;

    ### Mitigate Slow HHTP DoS Attack
    ### Timeouts definition ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    ### X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    ### disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    ### This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#    add_header 'Content-Security-Policy' 'upgrade-insecure-requests';

    ##################################
    ### Restrict access and basic auth
    ##################################

    # satisfy all;
    satisfy any;

    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/lswebpasswd;

    ################################################
    ### T-Pot Hive Logstash HTTP Input Reverse Proxy
    ################################################

    location / {
         set_by_lua_block $logstash {
            local tpot_ostype = os.getenv("TPOT_OSTYPE")
            if tpot_ostype == "mac" or tpot_ostype == "win" then
                return "http://logstash:64305";
            else
                return "http://127.0.0.1:64305";
            end
        }
        access_log off;
        error_log /var/log/nginx/lsweb_error.log;
        proxy_pass $logstash;
    }
}