init

Signed-off-by: Zoey <zoey@z0ey.de>
2025-08-03 16:03:38 +00:00 · 2022-12-16 09:05:58 +01:00
parent fd30cfe98b
commit 19a304d9ce
169 changed files with 2074 additions and 27536 deletions
--- a/rootfs/usr/local/nginx/conf/conf.d/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/default.conf
@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name nginxproxymanager-default;
+    
+    include conf.d/include/force-ssl.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+    listen 443 ssl http2;
+    listen 443 http3;
+    listen [::]:443 ssl http2;
+    listen [::]:443 http3;
+
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    server_name nginxproxymanager-default;
+    
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+
+    location / {
+        include conf.d/include/letsencrypt-acme-challenge.conf;
+        root /var/www/html;
+    }
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
@@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/force-ssl.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/force-ssl.conf
@@ -0,0 +1,3 @@
+if ($scheme = "http") {
+    return 301 https://$host$request_uri;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/letsencrypt-acme-challenge.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/letsencrypt-acme-challenge.conf
@@ -0,0 +1,18 @@
+location ^~ /.well-known/acme-challenge/ {
+    auth_basic off;
+    auth_request off;
+    allow all;
+    root /tmp/letsencrypt-acme-challenge;
+}
+
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+
+location = /nftd {
+    return 301 /nftd/;
+}
+
+location ^~ /nftd/ {
+    alias /nftd/;
+}
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -0,0 +1,11 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host:$server_port;
+
+proxy_http_version 1.1;
+proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_pass $forward_scheme://$server:$port$request_uri;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/ssl-ciphers.conf
@@ -0,0 +1,9 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_dhparam /etc/ssl/dhparam;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
--- a/rootfs/usr/local/nginx/conf/conf.d/production.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/production.conf
@@ -0,0 +1,45 @@
+# Admin Interface
+server {
+    listen 81 ssl http2 default_server;
+    listen 81 http3 default_server;
+    listen [::]:81 ssl http2 default_server;
+    listen [::]:81 http3 default_server;
+
+    server_name nginxproxymanager;
+    ssl_certificate /data/nginx/dummycert.pem;
+    ssl_certificate_key /data/nginx/dummykey.pem;
+    include conf.d/include/ssl-ciphers.conf;
+    include conf.d/include/block-exploits.conf;
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+
+    location /api {
+        return 301 /api/;
+    }
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:48693/;
+        
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header Host $host:$server_port;
+        
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 15m;
+        proxy_send_timeout 15m;
+    }
+
+    location / {
+        root /app/frontend;
+        if ($request_uri ~ ^/(.*)\.html$) {
+            return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ /index.html;
+    }
+}