############################################ ### NGINX T-Pot configuration file by mo ### ############################################ server { ######################### ### Basic server settings ######################### listen 64297 ssl http2; index index.html; ssl_protocols TLSv1.3; server_name example.com; error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html; root /var/lib/nginx/html; add_header Cache-Control "public, max-age=604800"; ############################################## ### Remove version number add different header ############################################## server_tokens off; ############################################## ### SSL settings and Cipher Suites ############################################## ssl_certificate /etc/nginx/cert/nginx.crt; ssl_certificate_key /etc/nginx/cert/nginx.key; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256'; ssl_ecdh_curve secp384r1; ssl_dhparam /etc/nginx/ssl/dhparam4096.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; #################################### ### OWASP recommendations / settings #################################### ### Size Limits & Buffer Overflows ### the size may be configured based on the needs. client_body_buffer_size 128k; client_header_buffer_size 1k; client_max_body_size 2M; ### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k) ### When you pass though potentially another reverse proxy/load balancer ### in front of tpotce you can introduce more headers than normal and ### therefore you can exceed the allowed header buffer of 1k. ### An 280 extra bytes seems to be working for most use-cases. ### And still keeping it close to OWASP's recommendation. large_client_header_buffers 2 1280; ### Mitigate Slow HHTP DoS Attack ### Timeouts definition ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10; ### X-Frame-Options is to prevent from clickJacking attack add_header X-Frame-Options SAMEORIGIN; ### disable content-type sniffing on some browsers. add_header X-Content-Type-Options nosniff; ### This header enables the Cross-site scripting (XSS) filter add_header X-XSS-Protection "1; mode=block"; ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; ################################## ### Restrict access and basic auth ################################## # satisfy all; satisfy any; # allow 10.0.0.0/8; # allow 172.16.0.0/12; # allow 192.168.0.0/16; allow 127.0.0.1; allow ::1; deny all; auth_basic "closed site"; auth_basic_user_file /etc/nginx/nginxpasswd; ############################# ### T-Pot Landing Page & Apps ############################# location / { set_by_lua_block $index_file { return "index.html"; } auth_basic "closed site"; auth_basic_user_file /etc/nginx/nginxpasswd; index $index_file; try_files $uri $uri/ /$index_file; } location /elasticvue { index index.html; alias /var/lib/nginx/html/esvue/; try_files $uri $uri/ /elasticvue/index.html; } location /cyberchef { index index.html; alias /var/lib/nginx/html/cyberchef/; try_files $uri $uri/ /cyberchef/index.html; } ################# ### Proxied sites ################# ### Kibana location /kibana/ { set_by_lua_block $kibana { local tpot_ostype = os.getenv("TPOT_OSTYPE") if tpot_ostype == "mac" or tpot_ostype == "win" then return "http://kibana:5601"; else return "http://127.0.0.1:64296"; end } proxy_pass $kibana; rewrite /kibana/(.*)$ /$1 break; } ### ES location /es/ { set_by_lua_block $elasticsearch { local tpot_ostype = os.getenv("TPOT_OSTYPE") if tpot_ostype == "mac" or tpot_ostype == "win" then return "http://elasticsearch:9200"; else return "http://127.0.0.1:64298"; end } proxy_pass $elasticsearch; rewrite /es/(.*)$ /$1 break; } ### Map location /map/ { set_by_lua_block $map_web { local tpot_ostype = os.getenv("TPOT_OSTYPE") if tpot_ostype == "mac" or tpot_ostype == "win" then return "http://map_web:64299"; else return "http://127.0.0.1:64299"; end } proxy_pass $map_web; rewrite /map/(.*)$ /$1 break; proxy_read_timeout 7200s; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_redirect http:// https://; } location /websocket { set_by_lua_block $map_web { local tpot_ostype = os.getenv("TPOT_OSTYPE") if tpot_ostype == "mac" or tpot_ostype == "win" then return "http://map_web:64299"; else return "http://127.0.0.1:64299"; end } proxy_pass $map_web; proxy_read_timeout 7200s; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_redirect http:// https://; } ### Spiderfoot set_by_lua_block $spiderfoot_backend { local tpot_ostype = os.getenv("TPOT_OSTYPE") if tpot_ostype == "mac" or tpot_ostype == "win" then return "http://spiderfoot:8080"; else return "http://127.0.0.1:64303"; end } location /spiderfoot/ { proxy_pass $spiderfoot_backend; proxy_set_header Host $http_host; proxy_redirect http:// https://; } location ~ ^/(static|scanviz|scandelete|scaninfo) { proxy_pass $spiderfoot_backend/spiderfoot/$1$is_args$args; } }