Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-10-31 04:22:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
tpotce/docker/nginx/dist/conf/tpotweb.conf
t3chn0m4g3 e43e8277fc tweaking nginx, ddospot: 
- Remove ddospot from standard
- Add ddospot only to tarpit
- Decouple nginx from host mode, only export tcp/64297, tcp/64294
- Adjust editions accordingly
- Keep LUA settings in Nginx config for now, just in case we find a different use case
2024-12-09 17:38:25 +01:00

208 lines
6.3 KiB
Text
Raw Blame History

############################################
### NGINX T-Pot configuration file by mo ###
############################################
server {
#########################
### Basic server settings
#########################
listen 64297 ssl;
http2 on;
index index.html;
ssl_protocols TLSv1.3;
server_name example.com;
error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
root /var/lib/nginx/html;
add_header Cache-Control "public, max-age=604800";
##############################################
### Remove version number add different header
##############################################
server_tokens off;
##############################################
### SSL settings and Cipher Suites
##############################################
ssl_certificate /etc/nginx/cert/nginx.crt;
ssl_certificate_key /etc/nginx/cert/nginx.key;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
####################################
### OWASP recommendations / settings
####################################
### Size Limits & Buffer Overflows
### the size may be configured based on the needs.
client_body_buffer_size 128k;
client_header_buffer_size 1k;
client_max_body_size 2M;
### Changed from OWASP recommendations: "2 1k" to "2 1280" (So 1.2k)
### When you pass though potentially another reverse proxy/load balancer
### in front of tpotce you can introduce more headers than normal and
### therefore you can exceed the allowed header buffer of 1k.
### An 280 extra bytes seems to be working for most use-cases.
### And still keeping it close to OWASP's recommendation.
large_client_header_buffers 2 1280;
### Mitigate Slow HHTP DoS Attack
### Timeouts definition ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
### X-Frame-Options is to prevent from clickJacking attack
add_header X-Frame-Options SAMEORIGIN;
### disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
### This header enables the Cross-site scripting (XSS) filter
add_header X-XSS-Protection "1; mode=block";
### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
##################################
### Restrict access and basic auth
##################################
# satisfy all;
satisfy any;
# allow 10.0.0.0/8;
# allow 172.16.0.0/12;
# allow 192.168.0.0/16;
allow 127.0.0.1;
allow ::1;
deny all;
auth_basic "closed site";
auth_basic_user_file /etc/nginx/nginxpasswd;
#############################
### T-Pot Landing Page & Apps
#############################
location / {
set_by_lua_block $index_file {
return "index.html";
}
auth_basic "closed site";
auth_basic_user_file /etc/nginx/nginxpasswd;
index $index_file;
try_files $uri $uri/ /$index_file;
}
location /elasticvue {
index index.html;
alias /var/lib/nginx/html/esvue/;
try_files $uri $uri/ /elasticvue/index.html;
}
location /cyberchef {
index index.html;
alias /var/lib/nginx/html/cyberchef/;
try_files $uri $uri/ /cyberchef/index.html;
}
#################
### Proxied sites
#################
### Kibana
location /kibana/ {
set_by_lua_block $kibana {
local tpot_ostype = os.getenv("TPOT_OSTYPE")
if tpot_ostype == "mac" or tpot_ostype == "win" then
return "http://kibana:5601";
else
return "http://kibana:5601";
end
}
proxy_pass $kibana;
rewrite /kibana/(.*)$ /$1 break;
}
### ES
location /es/ {
set_by_lua_block $elasticsearch {
local tpot_ostype = os.getenv("TPOT_OSTYPE")
if tpot_ostype == "mac" or tpot_ostype == "win" then
return "http://elasticsearch:9200";
else
return "http://elasticsearch:9200";
end
}
proxy_pass $elasticsearch;
rewrite /es/(.*)$ /$1 break;
}
### Map
location /map/ {
set_by_lua_block $map_web {
local tpot_ostype = os.getenv("TPOT_OSTYPE")
if tpot_ostype == "mac" or tpot_ostype == "win" then
return "http://map_web:64299";
else
return "http://map_web:64299";
end
}
proxy_pass $map_web;
rewrite /map/(.*)$ /$1 break;
proxy_read_timeout 7200s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_redirect http:// https://;
}
location /websocket {
set_by_lua_block $map_web {
local tpot_ostype = os.getenv("TPOT_OSTYPE")
if tpot_ostype == "mac" or tpot_ostype == "win" then
return "http://map_web:64299";
else
return "http://map_web:64299";
end
}
proxy_pass $map_web;
proxy_read_timeout 7200s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_redirect http:// https://;
}
### Spiderfoot
set_by_lua_block $spiderfoot_backend {
local tpot_ostype = os.getenv("TPOT_OSTYPE")
if tpot_ostype == "mac" or tpot_ostype == "win" then
return "http://spiderfoot:8080";
else
return "http://spiderfoot:8080";
end
}
location /spiderfoot/ {
proxy_pass $spiderfoot_backend;
proxy_set_header Host $http_host;
proxy_redirect http:// https://;
}
location ~ ^/(static|scanviz|scandelete|scaninfo) {
proxy_pass $spiderfoot_backend/spiderfoot/$1$is_args$args;
}
}
Reference in a new issue View git blame Copy permalink