mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-11-03 22:12:53 +00:00
132 lines
3.5 KiB
Text
132 lines
3.5 KiB
Text
############################################
|
|
### NGINX T-Pot configuration file by mo ###
|
|
############################################
|
|
|
|
server {
|
|
|
|
#########################
|
|
### Basic server settings
|
|
#########################
|
|
listen 64297 ssl http2;
|
|
index tpotweb.html;
|
|
ssl_protocols TLSv1.3;
|
|
server_name example.com;
|
|
error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
|
|
|
|
|
|
##############################################
|
|
### Remove version number add different header
|
|
##############################################
|
|
server_tokens off;
|
|
more_set_headers 'Server: apache';
|
|
|
|
|
|
##############################################
|
|
### SSL settings and Cipher Suites
|
|
##############################################
|
|
ssl_certificate /etc/nginx/cert/nginx.crt;
|
|
ssl_certificate_key /etc/nginx/cert/nginx.key;
|
|
|
|
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
|
|
####################################
|
|
### OWASP recommendations / settings
|
|
####################################
|
|
|
|
### Size Limits & Buffer Overflows
|
|
### the size may be configured based on the needs.
|
|
client_body_buffer_size 128k;
|
|
client_header_buffer_size 1k;
|
|
client_max_body_size 256k;
|
|
large_client_header_buffers 2 1k;
|
|
|
|
### Mitigate Slow HHTP DoS Attack
|
|
### Timeouts definition ##
|
|
client_body_timeout 10;
|
|
client_header_timeout 10;
|
|
keepalive_timeout 5 5;
|
|
send_timeout 10;
|
|
|
|
### X-Frame-Options is to prevent from clickJacking attack
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
### disable content-type sniffing on some browsers.
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
### This header enables the Cross-site scripting (XSS) filter
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
|
|
##################################
|
|
### Restrict access and basic auth
|
|
##################################
|
|
|
|
# satisfy all;
|
|
satisfy any;
|
|
|
|
# allow 10.0.0.0/8;
|
|
# allow 172.16.0.0/12;
|
|
# allow 192.168.0.0/16;
|
|
allow 127.0.0.1;
|
|
allow ::1;
|
|
deny all;
|
|
|
|
auth_basic "closed site";
|
|
auth_basic_user_file /etc/nginx/nginxpasswd;
|
|
|
|
|
|
#################
|
|
### Proxied sites
|
|
#################
|
|
|
|
### Kibana
|
|
location /kibana/ {
|
|
proxy_pass http://127.0.0.1:64296;
|
|
rewrite /kibana/(.*)$ /$1 break;
|
|
}
|
|
|
|
### ES
|
|
location /es/ {
|
|
proxy_pass http://127.0.0.1:64298/;
|
|
rewrite /es/(.*)$ /$1 break;
|
|
}
|
|
|
|
### head standalone
|
|
location /myhead/ {
|
|
proxy_pass http://127.0.0.1:64302/;
|
|
rewrite /myhead/(.*)$ /$1 break;
|
|
}
|
|
|
|
### CyberChef
|
|
location /cyberchef {
|
|
proxy_pass http://127.0.0.1:64299;
|
|
rewrite ^/cyberchef(.*)$ /$1 break;
|
|
}
|
|
|
|
### spiderfoot
|
|
location /spiderfoot {
|
|
proxy_pass http://127.0.0.1:64303;
|
|
}
|
|
|
|
location /static {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/static;
|
|
}
|
|
|
|
location /scanviz {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
|
|
}
|
|
|
|
location /scandelete {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
|
|
}
|
|
|
|
}
|