tpotce/installer/etc/nginx/tpotweb.conf

############################################
### NGINX T-Pot configuration file by mo ###
############################################

###################################
### Allow for 60 reloads per minute
###################################
limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;

server {

    #########################
    ### Basic server settings
    #########################
    listen 64297 ssl http2;
    index tpotweb.html;
    ssl_protocols TLSv1.2;
    server_name example.com;
    error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;


    ##############################################
    ### Remove version number add different header
    ##############################################
    server_tokens off;
    more_set_headers 'Server: apache';


    ##############################################
    ### SSL settings and Cipher Suites
    ##############################################
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

 
    ####################################
    ### OWASP recommendations / settings
    ####################################

    ### Size Limits & Buffer Overflows 
    ### the size may be configured based on the needs. 
    client_body_buffer_size  100K;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 2 1k;

    ### Mitigate Slow HHTP DoS Attack
    ### Timeouts definition ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;

    ### X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    ### disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    ### This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


    ##################################
    ### Restrict access and basic auth
    ##################################

    # satisfy all;
    satisfy any;

    # allow 10.0.0.0/8;
    # allow 172.16.0.0/12;
    # allow 192.168.0.0/16;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file /etc/nginx/nginxpasswd;


    ##############################
    ### Limit brute-force attempts
    ##############################
    location = / {
      limit_req zone=base burst=1 nodelay;
    }   


    #################
    ### Proxied sites
    #################

    ### Kibana
    location /kibana/ {
        proxy_pass http://localhost:64296;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        rewrite /kibana/(.*)$ /$1 break;
    }

    ### Head plugin
    location /myhead/ {
        proxy_pass http://localhost:64298/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        rewrite /myhead/(.*)$ /$1 break;
    }

    ### ui-for-docker
    location /ui {
        proxy_pass http://127.0.0.1:64299;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $host;
        proxy_redirect off;
        rewrite /ui/(.*)$ /$1 break;
    }
    ### web tty
    location /wetty {
       proxy_pass http://127.0.0.1:64300/wetty;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 43200000;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_set_header X-NginX-Proxy true;
    }  

    ### netdata
    location /netdata/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:64301;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        rewrite /netdata/(.*)$ /$1 break;
    }

}