init

Signed-off-by: Zoey <zoey@z0ey.de>

rootfs/usr/local/nginx/conf/conf.d/default.conf

@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name nginxproxymanager-default;
+    
+    include conf.d/include/force-ssl.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+    listen 443 ssl http2;
+    listen 443 http3;
+    listen [::]:443 ssl http2;
+    listen [::]:443 http3;
+
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    server_name nginxproxymanager-default;
+    
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+
+    location / {
+        include conf.d/include/letsencrypt-acme-challenge.conf;
+        root /var/www/html;
+    }
+}

rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf

@@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}

rootfs/usr/local/nginx/conf/conf.d/include/force-ssl.conf

@@ -0,0 +1,3 @@
+if ($scheme = "http") {
+    return 301 https://$host$request_uri;
+}

rootfs/usr/local/nginx/conf/conf.d/include/letsencrypt-acme-challenge.conf

@@ -0,0 +1,18 @@
+location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
+    auth_request off;
+    allow all;
+    root /tmp/letsencrypt-acme-challenge;
+}
+
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+
+location = /nftd {
+    return 301 /nftd/;
+}
+
+location ^~ /nftd/ {
+    alias /nftd/;
+}

rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf

@@ -0,0 +1,11 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host:$server_port;
+
+proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_pass $forward_scheme://$server:$port$request_uri;

rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf

@@ -0,0 +1,9 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_dhparam /etc/ssl/dhparam;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;

rootfs/usr/local/nginx/conf/conf.d/production.conf

@@ -0,0 +1,45 @@
+# Admin Interface
+server {
+    listen 81 ssl http2 default_server;
+    listen 81 http3 default_server;
+    listen [::]:81 ssl http2 default_server;
+    listen [::]:81 http3 default_server;
+
+    server_name nginxproxymanager;
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    location /api {
+        return 301 /api/;
+    }
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:48693/;
+        
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header Host $host:$server_port;
+        
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 15m;
+        proxy_send_timeout 15m;
+    }
+
+    location / {
+        root /app/frontend;
+        if ($request_uri ~ ^/(.*)\.html$) {
+            return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ /index.html;
+    }
+}

rootfs/usr/local/nginx/conf/letsencrypt.ini

@@ -0,0 +1,7 @@
+text = True
+non-interactive = True
+webroot-path = /tmp/letsencrypt-acme-challenge
+rsa-key-size = 4096
+key-type = ecdsa
+elliptic-curve = secp384r1
+preferred-chain = ISRG Root X1

rootfs/usr/local/nginx/conf/nginx.conf

@@ -0,0 +1,102 @@
+user root;
+daemon off;
+pcre_jit on;
+worker_processes auto;
+error_log stderr;
+
+# Custom
+include /data/nginx/custom/root.conf;
+
+events {
+    use epoll;
+
+    # Custom
+    include /data/nginx/custom/events.conf;
+}
+
+http {
+    log_not_found off;
+    access_log /dev/null;
+    
+    include mime.types;
+    default_type text/plain;
+    
+    server_tokens build;
+    aio threads;
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    client_max_body_size 0;
+
+    gzip on;
+    gunzip on;
+    gzip_vary on;
+    gzip_types *;
+    gzip_proxied any;
+    gzip_comp_level 9;
+
+    resolver localhost;
+    index index.html Index.html;
+    
+    error_page 404 =307 $scheme://$host:$server_port;
+    error_page 497 =301 https://$host:$server_port$request_uri;
+
+    # Default upstream scheme
+    map $host $forward_scheme {
+        default http;
+    }
+
+    # Websocket
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Fancy Index
+    fancyindex on;
+    fancyindex_localtime on;
+    fancyindex_show_path on;
+    fancyindex_exact_size off;
+    fancyindex_default_sort name;
+    fancyindex_show_dotfiles off;
+    fancyindex_hide_symlinks off;
+    fancyindex_hide_parent_dir off;
+    fancyindex_directories_first on;
+    fancyindex_time_format "%d-%m-%Y %T";
+    fancyindex_ignore "nft";
+    fancyindex_header "/nftd/header.html";
+    fancyindex_footer "/nftd/footer.html";
+
+    # Real IP Determination
+    real_ip_recursive on;
+    set_real_ip_from 10.0.0.0/8;
+    set_real_ip_from 172.16.0.0/12;
+    set_real_ip_from 192.168.0.0/16;
+    set_real_ip_from 169.254.0.0/16;
+    set_real_ip_from fc00::/7;
+    set_real_ip_from fec0::/10;
+
+    include conf.d/include/ip_ranges.conf;
+    
+    include /data/nginx/default.conf;
+    include conf.d/*.conf;
+
+    # Custom
+    include /data/nginx/custom/http_top.conf;
+
+    # Files generated by NPM
+    include /data/nginx/proxy_host/*.conf;
+    include /data/nginx/redirection_host/*.conf;
+    include /data/nginx/dead_host/*.conf;
+
+    # Custom
+    include /data/nginx/custom/http.conf;
+}
+
+stream {
+    # Files generated by NPM
+    include /data/nginx/stream/*.conf;
+
+    # Custom
+    include /data/nginx/custom/stream.conf;
+}