include protective configs for nginx

2025-12-13 07:45:54 +00:00 · 2022-01-06 07:55:09 +01:00 · 2022-01-06 07:55:09 +01:00 · c563bd58f7
commit c563bd58f7
parent 2281e791b8
4 changed files with 67 additions and 2 deletions
--- a/deployment/bare_metal/install.sh
+++ b/deployment/bare_metal/install.sh
@ -63,6 +63,8 @@ sudo rm default
 sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/sites-available/gradido.conf gradido.conf
 cd /etc/nginx/sites-available
 sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/sites-available/gradido.conf gradido.conf
+cd /etc/nginx
+sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/common common

 # Install yarn
 sudo apt-get install -y curl
--- a/deployment/bare_metal/nginx/common/protect.conf
+++ b/deployment/bare_metal/nginx/common/protect.conf
@ -0,0 +1,54 @@
+# Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files
+location ~*  \"/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)\" {
+    deny all;
+}
+# Deny access to backup extensions & log files
+location ~* \"\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$\" {
+    deny all;
+}
+# deny access to hidden files and directories
+location ~ /\.(?!well-known\/) {
+    deny all;
+}
+# deny access to base64 encoded urls
+location ~* \"(base64_encode)(.*)(\()\" {
+    deny all;
+}
+# deny access to url with the javascript eval() function
+location ~* \"(eval\()\" {
+    deny all;
+}
+# deny access to url which include \"127.0.0.1\"
+location ~* \"(127\.0\.0\.1)\" {
+    deny all;
+}
+location ~* \"(GLOBALS|REQUEST)(=|\[|%)\" {
+    deny all;
+}
+location ~* \"(<|%3C).*script.*(>|%3)\" {
+    deny all;
+}
+location ~ \"(\\|\.\.\.|\.\./|~|`|<|>|\|)\" {
+    deny all;
+}
+location ~* \"(\'|\\")(.*)(drop|insert|md5|select|union)\" {
+    deny all;
+}
+location ~* \"(https?|ftp|php):/\" {
+    deny all;
+}
+location ~* \"(=\\\'|=\\%27|/\\\'/?)\.\" {
+    deny all;
+}
+location ~ \"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\\"\\\\")\" {
+    deny all;
+}
+location ~ \"(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)\" {
+    deny all;
+}
+location ~* \"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)\" {
+    deny all;
+}
+location ~* \"/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php\" {
+    deny all;
+}
--- a/deployment/bare_metal/nginx/common/protect_add_header.conf
+++ b/deployment/bare_metal/nginx/common/protect_add_header.conf
@ -0,0 +1,9 @@
+# Prevent browsers from incorrectly detecting non-scripts as scripts
+# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
+add_header X-Content-Type-Options "nosniff";
+
+# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
+# https://geekflare.com/add-x-frame-options-nginx/
+# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
+add_header Content-Security-Policy "frame-ancestors 'none'";
+add_header X-Frame-Options "DENY";
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf
@ -24,8 +24,8 @@ server {
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

-    #include /etc/nginx/common/protect.conf;
-    #include /etc/nginx/common/protect_add_header.conf;
+    include /etc/nginx/common/protect.conf;
+    include /etc/nginx/common/protect_add_header.conf;
 	#include /etc/nginx/common/ssl.conf;

    #gzip_static  on;