mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-04-29 19:58:52 +00:00
d6077792b9
remove portainer remove wetty remove netdata add cockpit tweak fail2ban for cockpit, sshd, nginx update logo to 18.10 remove configs with regard to portainer, wetty, netdata adjust packages for install.sh, preseed
126 lines
3.3 KiB
Text
126 lines
3.3 KiB
Text
############################################
|
|
### NGINX T-Pot configuration file by mo ###
|
|
############################################
|
|
|
|
server {
|
|
|
|
#########################
|
|
### Basic server settings
|
|
#########################
|
|
listen 64297 ssl http2;
|
|
index tpotweb.html;
|
|
ssl_protocols TLSv1.2;
|
|
server_name example.com;
|
|
error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
|
|
|
|
|
|
##############################################
|
|
### Remove version number add different header
|
|
##############################################
|
|
server_tokens off;
|
|
more_set_headers 'Server: apache';
|
|
|
|
|
|
##############################################
|
|
### SSL settings and Cipher Suites
|
|
##############################################
|
|
ssl_certificate /etc/nginx/cert/nginx.crt;
|
|
ssl_certificate_key /etc/nginx/cert/nginx.key;
|
|
|
|
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
|
|
####################################
|
|
### OWASP recommendations / settings
|
|
####################################
|
|
|
|
### Size Limits & Buffer Overflows
|
|
### the size may be configured based on the needs.
|
|
client_body_buffer_size 128k;
|
|
client_header_buffer_size 1k;
|
|
client_max_body_size 256k;
|
|
large_client_header_buffers 2 1k;
|
|
|
|
### Mitigate Slow HHTP DoS Attack
|
|
### Timeouts definition ##
|
|
client_body_timeout 10;
|
|
client_header_timeout 10;
|
|
keepalive_timeout 5 5;
|
|
send_timeout 10;
|
|
|
|
### X-Frame-Options is to prevent from clickJacking attack
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
### disable content-type sniffing on some browsers.
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
### This header enables the Cross-site scripting (XSS) filter
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
|
|
##################################
|
|
### Restrict access and basic auth
|
|
##################################
|
|
|
|
# satisfy all;
|
|
satisfy any;
|
|
|
|
# allow 10.0.0.0/8;
|
|
# allow 172.16.0.0/12;
|
|
# allow 192.168.0.0/16;
|
|
allow 127.0.0.1;
|
|
allow ::1;
|
|
deny all;
|
|
|
|
auth_basic "closed site";
|
|
auth_basic_user_file /etc/nginx/nginxpasswd;
|
|
|
|
|
|
#################
|
|
### Proxied sites
|
|
#################
|
|
|
|
### Kibana
|
|
location /kibana/ {
|
|
proxy_pass http://localhost:64296;
|
|
rewrite /kibana/(.*)$ /$1 break;
|
|
}
|
|
|
|
### ES
|
|
location /es/ {
|
|
proxy_pass http://localhost:64298/;
|
|
rewrite /es/(.*)$ /$1 break;
|
|
}
|
|
|
|
### head standalone
|
|
location /myhead/ {
|
|
proxy_pass http://localhost:64302/;
|
|
rewrite /myhead/(.*)$ /$1 break;
|
|
}
|
|
|
|
### spiderfoot
|
|
location /spiderfoot {
|
|
proxy_pass http://127.0.0.1:64303;
|
|
}
|
|
|
|
location /static {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/static;
|
|
}
|
|
|
|
location /scanviz {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/scanviz;
|
|
}
|
|
|
|
location /scandelete {
|
|
proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
|
|
}
|
|
|
|
}
|