From c563bd58f7af720a428e53fa3248c1489dc3ddf7 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Thu, 6 Jan 2022 07:55:09 +0100
Subject: [PATCH] include protective configs for nginx
---
 deployment/bare_metal/install.sh | 2 +
 .../bare_metal/nginx/common/protect.conf | 54 +++++++++++++++++++
 .../nginx/common/protect_add_header.conf | 9 ++++
 .../nginx/sites-available/gradido.conf | 4 +-
 4 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 deployment/bare_metal/nginx/common/protect.conf
 create mode 100644 deployment/bare_metal/nginx/common/protect_add_header.conf
diff --git a/deployment/bare_metal/install.sh b/deployment/bare_metal/install.sh
index e342fa546..300cc1533 100755
--- a/deployment/bare_metal/install.sh
+++ b/deployment/bare_metal/install.sh
@@ -63,6 +63,8 @@ sudo rm default
 sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/sites-available/gradido.conf gradido.conf
 cd /etc/nginx/sites-available
 sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/sites-available/gradido.conf gradido.conf
+cd /etc/nginx
+sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/common common
 
 # Install yarn
 sudo apt-get install -y curl
diff --git a/deployment/bare_metal/nginx/common/protect.conf b/deployment/bare_metal/nginx/common/protect.conf
new file mode 100644
index 000000000..358549a53
--- /dev/null
+++ b/deployment/bare_metal/nginx/common/protect.conf
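Review bot: The new `sudo ln -s /home/gradido/gradido/deployment/bare_metal/nginx/common common` is not idempotent: if `/etc/nginx/common` already exists as a directory or as a link to one (a re-run of this installer, or a package that ships that directory), `ln -s` silently creates `common/common` inside it instead of failing, and nginx keeps including whatever was already there. Use `sudo ln -sfn /home/gradido/gradido/deployment/bare_metal/nginx/common common` so an existing link is replaced and a real directory makes the command fail loudly. Like the sites-available link just above it, this makes nginx load configuration from a checkout under the gradido user's home, so write access to that checkout is effectively write access to the nginx configuration; that is a pre-existing design choice here, but a one-line comment on it (`# nginx config is served from the gradido checkout; keep that tree owner-writable only`) would make it explicit.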
@@ -0,0 +1,54 @@
+# Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files
+location ~* \"/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)\" {
+ deny all;
+}
+# Deny access to backup extensions & log files
+location ~* \"\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$\" {
+ deny all;
+}
+# deny access to hidden files and directories
+location ~ /\.(?!well-known\/) {
+ deny all;
+}
+# deny access to base64 encoded urls
+location ~* \"(base64_encode)(.*)(\()\" {
+ deny all;
+}
+# deny access to url with the javascript eval() function
+location ~* \"(eval\()\" {
+ deny all;
+}
+# deny access to url which include \"127.0.0.1\"
+location ~* \"(127\.0\.0\.1)\" {
+ deny all;
+}
+location ~* \"(GLOBALS|REQUEST)(=|\[|%)\" {
+ deny all;
+}
+location ~* \"(<|%3C).*script.*(>|%3)\" {
+ deny all;
+}
+location ~ \"(\\|\.\.\.|\.\./|~|`|<|>|\|)\" {
+ deny all;
+}
+location ~* \"(\'|\\")(.*)(drop|insert|md5|select|union)\" {
+ deny all;
+}
+location ~* \"(https?|ftp|php):/\" {
+ deny all;
+}
+location ~* \"(=\\\'|=\\%27|/\\\'/?)\.\" {
+ deny all;
+}
+location ~ \"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\\"\\\\")\" {
+ deny all;
+}
+location ~ \"(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)\" {
+ deny all;
+}
+location ~* \"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)\" {
+ deny all;
+}
+location ~* \"/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php\" {
+ deny all;
+}
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/common/protect_add_header.conf b/deployment/bare_metal/nginx/common/protect_add_header.conf
new file mode 100644
index 000000000..998f10696
--- /dev/null
+++ b/deployment/bare_metal/nginx/common/protect_add_header.conf
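Review bot: The injection-pattern blocks (`base64_encode`, `eval\(`, `GLOBALS|REQUEST`, the `script` tag and SQL keyword patterns, the `%3C`/`%27` alternatives) only ever see the normalized request path, because nginx tests a `location` regex against `$uri`, which is percent-decoded and has the query string stripped; they therefore never inspect `?param=...` values, and the literal `%3C`/`%27` forms can only match double-encoded input. Either state that limit in the file header (`# NOTE: location regexes match the decoded path only, never the query string`) or, if parameters are meant to be filtered too, move those patterns to `if ($request_uri ~* "...") { return 403; }` at server level where `if` plus `return` is the supported form. The catch-all `(~|`|<|>|:|;|%|\\|\s|...)` block will also return 403 for any legitimate path containing `:` or `;`, which is worth checking against the application's routes before this is enabled. If the `\"` sequences around the patterns are present in the committed file rather than an artifact of this rendering, run `nginx -t` on it, since nginx expects plain quotes around a regex location.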
@@ -0,0 +1,9 @@
+# Prevent browsers from incorrectly detecting non-scripts as scripts
+# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
+add_header X-Content-Type-Options "nosniff";
+
+# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
+# https://geekflare.com/add-x-frame-options-nginx/
+# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
+add_header Content-Security-Policy "frame-ancestors 'none'";
+add_header X-Frame-Options "DENY";
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf b/deployment/bare_metal/nginx/sites-available/gradido.conf
index 99e288b2a..02425fcc0 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf
@@ -24,8 +24,8 @@ server {
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
- #include /etc/nginx/common/protect.conf;
- #include /etc/nginx/common/protect_add_header.conf;
+ include /etc/nginx/common/protect.conf;
+ include /etc/nginx/common/protect_add_header.conf;
 #include /etc/nginx/common/ssl.conf;
 
 #gzip_static on;
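Review bot: The three `add_header` lines are only emitted on 2xx/3xx responses; without the `always` parameter nginx omits them on error responses, so the 403 pages produced by the `deny all` rules in `protect.conf` and any 4xx/5xx relayed from the backend go out without `X-Content-Type-Options`, `X-Frame-Options` or the `frame-ancestors` policy. Append the parameter to each line, e.g. `add_header X-Content-Type-Options "nosniff" always;`. Since the file cites the Mozilla guidelines, a one-line comment saying why `Strict-Transport-Security` and `Referrer-Policy` are not set here (presumably they belong to the still-commented `ssl.conf`) would stop the next reader from re-adding them in the wrong place.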
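Review bot: With `protect_add_header.conf` now included at server level, nginx's inheritance rule means any `location` inside this `server` that declares an `add_header` of its own (a CORS or caching header on a proxied path, say) drops all three protective headers for that location; the `server {` block starts and ends outside this hunk, so I cannot see whether one does. Either include the file again inside such locations or confirm the live responses with `curl -I` on the API and frontend paths after the reload. Existing deployments also need the `/etc/nginx/common` symlink that `install.sh` now creates to be added by hand before the next reload, otherwise `nginx -t` fails on these two `include` lines; a short note in the deployment docs would cover that.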