############################################ ### NGINX T-Pot configuration file by mo ### ############################################ ################################### ### Allow for 60 reloads per minute ################################### limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s; server { ######################### ### Basic server settings ######################### listen 64297 ssl http2; index tpotweb.html; ssl_protocols TLSv1.2; server_name example.com; error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html; ############################################## ### Remove version number add different header ############################################## server_tokens off; more_set_headers 'Server: apache'; ############################################## ### SSL settings and Cipher Suites ############################################## ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256'; ssl_ecdh_curve secp384r1; ssl_dhparam /etc/nginx/ssl/dhparam4096.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; #################################### ### OWASP recommendations / settings #################################### ### Size Limits & Buffer Overflows ### the size may be configured based on the needs. client_body_buffer_size 100K; client_header_buffer_size 1k; client_max_body_size 100k; large_client_header_buffers 2 1k; ### Mitigate Slow HHTP DoS Attack ### Timeouts definition ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10; ### X-Frame-Options is to prevent from clickJacking attack add_header X-Frame-Options SAMEORIGIN; ### disable content-type sniffing on some browsers. add_header X-Content-Type-Options nosniff; ### This header enables the Cross-site scripting (XSS) filter add_header X-XSS-Protection "1; mode=block"; ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; ################################## ### Restrict access and basic auth ################################## # satisfy all; satisfy any; # allow 10.0.0.0/8; # allow 172.16.0.0/12; # allow 192.168.0.0/16; allow 127.0.0.1; allow ::1; deny all; auth_basic "closed site"; auth_basic_user_file /etc/nginx/nginxpasswd; ############################## ### Limit brute-force attempts ############################## location = / { limit_req zone=base burst=1 nodelay; } ################# ### Proxied sites ################# ### Kibana location /kibana/ { proxy_pass http://localhost:64296; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; rewrite /kibana/(.*)$ /$1 break; } ### Head plugin location /myhead/ { proxy_pass http://localhost:64298/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; rewrite /myhead/(.*)$ /$1 break; } ### ui-for-docker location /ui { proxy_pass http://127.0.0.1:64299; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $host; proxy_redirect off; rewrite /ui/(.*)$ /$1 break; } ### web tty location /wetty { proxy_pass http://127.0.0.1:64300/wetty; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 43200000; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; } ### netdata location /netdata/ { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://localhost:64301; proxy_http_version 1.1; proxy_pass_request_headers on; proxy_set_header Connection "keep-alive"; proxy_store off; rewrite /netdata/(.*)$ /$1 break; } }