diff --git a/README.md b/README.md index 9215f5de..2535749c 100644 --- a/README.md +++ b/README.md @@ -2,23 +2,21 @@

- - + + - - - - - - - - Gitter + + Reddit

+# Trivy Scan +- [Buster-slim based image](https://trivy.dev/results/?image=baudneo/nginx-proxy-manager:latest) +- [Bullseye-slim based image](https://trivy.dev/results/?image=baudneo/nginx-proxy-manager:bullseye) +--- This project comes as a pre-built docker image that enables you to easily forward to your websites running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt. @@ -29,7 +27,7 @@ running at home or otherwise, including free SSL, without having to know too muc ## Project Goal I created this project to fill a personal need to provide users with a easy way to accomplish reverse -proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed. +proxying hosts with SSL termination, and it had to be so easy that a monkey could do it. This goal hasn't changed. While there might be advanced options they are optional and the project should be as simple as possible so that the barrier for entry here is low. @@ -82,13 +80,16 @@ services: 3. Bring up your stack by running ```bash +# Using docker-compose docker-compose up -d +# Or, if you use the 'compose' plugin for docker +docker compose up -d ``` 4. Log in to the Admin UI When your docker container is running, connect to it on port `81` for the admin interface. -Sometimes this can take a little bit because of the entropy of keys. +Sometimes this can take a little due to the entropy of keys. [http://127.0.0.1:81](http://127.0.0.1:81) 
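Review bot: the two Trivy links added under `# Trivy Scan` point at `trivy.dev/results/?image=baudneo/nginx-proxy-manager:latest` and `:bullseye`, which are moving tags, so the result a reader sees reflects whatever was last scanned, not necessarily the image they pull; consider stating when the scan is refreshed (or linking a digest-pinned result) so the badge is not read as a guarantee. Two smaller points in the same hunk: the rewritten sentence `+Sometimes this can take a little due to the entropy of keys.` is missing a noun ("take a little while"), and the new `# Or, if you use the 'compose' plugin for docker` comment is a good addition but the sentence before the block still says "by running" as if there were one command, so "by running one of" would read better.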
@@ -117,8 +118,8 @@ Immediately after logging in with this default user you will be asked to modify - `CROWDSEC_BOUNCER=1` - Enable CrowdSec OpenResty bouncer, still needs to be configured. - `CROWDSEC_LAPI=[URL]` - configure CrowdSec local API URL - `CROWDSEC_KEY=[API KEY]` - configure CrowdSec API key -- `$CROWDSEC_RECAP_SECRET=[SECRET KEY]` - configure reCAPTCHA -- `$CROWDSEC_RECAP_SITE=[SITE KEY]` - configure reCAPTCHA +- `CROWDSEC_RECAP_SECRET=[SECRET KEY]` - configure reCAPTCHA +- `CROWDSEC_RECAP_SITE=[SITE KEY]` - configure reCAPTCHA - `SSL_CERTS_PATH` - CA certificate used to communicate with Google for reCAPTCHA validation ## Configuration - Config file located at `data/crowdsec/crowdsec-openresty-bouncer.conf` 
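Review bot: dropping the stray `$` from `CROWDSEC_RECAP_SECRET` and `CROWDSEC_RECAP_SITE` is correct, since the list documents variable names rather than shell expansions; while touching this list, `SSL_CERTS_PATH` is the only entry without a `=[...]` placeholder, so it is unclear whether it takes a file path or a directory. Since `CROWDSEC_KEY` and `CROWDSEC_RECAP_SECRET` are credentials, a one-line note that plain environment variables are visible in `docker inspect` and that an `env_file` or Docker secret is preferable would help users avoid leaking them into compose files committed to git.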
@@ -139,22 +140,25 @@ Immediately after logging in with this default user you will be asked to modify # ModSecurity _ModSecurity WAF is installed and loaded by default, OWASP-CoreRuleSet is installed and used as the default rule set. The user is responsible for configuring modsecurity via config/CLI._ +__MODSECURITY HAS KNOWN MEMORY LEAKS!__ Whenever `nginx -s reload` is issued expect RAM to increase by 10 to several hundred MB (depending on if you have custom rule files or are double enabling modsec). Nginx is reloaded every time a host is created/modified and when the SSL cert renewal timer resets. The only way to get modsec to release REAM is to restart nginx from inside the running container using `nginx -s stop; nginx -s reload` or by restarting the container using `sudo docker restart [Name of NPM container]` + ## Environment Variables - `MODSEC_CREATE=1` - Force recreating the default modsecurity config, _This should never be needed_ -- `MODSEC_ADMIN_PANEL=1` - Enable ModSec for the admin panel -- `MODSEC_ENABLE=1` - Enable ModSec for the default.conf server block - -## Tips to enable -### The minimum directives that need to be added to enable modsec. -- See all directives -> https://github.com/SpiderLabs/ModSecurity-nginx#usage +- `MODSEC_ADMIN_PANEL=1` - Enable ModSec for the admin panel (Port 81 web interface) +- `MODSEC_ENABLE=1` - Enable ModSec in the __ROOT__ http {} block (Enabled ModSec for ALL HTTP servers) +## The minimum directives that need to be added to enable modsec. 
``` modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; ``` -- To enable modsec for **ALL HTTP** hosts, add the directives to `data/nginx/custom/http_top.conf` -- To enable for only **certain HTTP** hosts, add the directives to the `Advanced` tab configuration at the root level (not inside a `location` block) -- To enable only for **certain locations** on _certain HTTP_ hosts, place the directives into a `location` block inside the `Advanced` tab -- **Stream hosts are untested and, as far as I know, unsupported**. ModSec directives go in server and HTTP blocks. +- See all directives -> https://github.com/SpiderLabs/ModSecurity-nginx#usage +----- +## Tips to enable +- To enable modsec for __ALL HTTP__ hosts, set MODSEC_ENABLE=1 _(Enabled in root http {} block)_ +- If MODSEC_ENABLE=1. To disable modsec for __certain HTTP hosts__, add `modsecurity off;` in the Advanced tab. +- If MODSEC_ENABLE=1. To disable modsec for __certain HTTP host locations__, add `modsecurity off;` in a location {} block in the Advanced tab. +- To load __custom rules__ file, add `modsecurity_rules_file ;` in Advanced tab. Either in the root of the Advanced tab (for all locations) or inside of location {} blocks (for certain locations). __MAY INCREASE MEMORY LEAK SIZE!!!__ +- **Stream hosts are unsupported**. ## Configuration - By default, the audit log is enabled and is located at `data/logs/modsec_audit.log` @@ -168,10 +172,9 @@ modsecurity_rules_file /etc/nginx/modsec/main.conf; version: "3" services: npm: - #image: 'jc21/nginx-proxy-manager:latest' image: 'baudneo/nginx-proxy-manager:latest' restart: always - container_name: npm-crowdsec + container_name: npm-secure ports: # Public HTTP Port: - '80:80' 
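Review bot: in the new memory-leak paragraph, `release REAM` is a typo for `RAM`, and the recommended recovery sequence `nginx -s stop; nginx -s reload` needs a caveat: `nginx -s reload` signals an already-running master process, so immediately after `nginx -s stop` it only works if the container's process supervisor has restarted nginx in between; either spell that out or recommend only the `sudo docker restart [Name of NPM container]` path, which is unambiguous. Also in this hunk: `(Enabled ModSec for ALL HTTP servers)` should read "Enables", the heading `## The minimum directives that need to be added to enable modsec.` should not end in a period, and the two bullets starting `- If MODSEC_ENABLE=1. To disable ...` read better as "If `MODSEC_ENABLE=1`, to disable ...". The `modsecurity_rules_file ;` in the custom-rules bullet has an empty argument; a `[path]` placeholder would make it clear the user must supply a file.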
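Review bot: renaming `container_name: npm-crowdsec` to `npm-secure` in the compose example is a breaking change for anyone who copied the previous example, since commands elsewhere in this README (such as the container restart in the ModSecurity section) and any host-side scripts reference the container by name; call it out in the changelog or keep the old name. Removing the commented `#image: 'jc21/nginx-proxy-manager:latest'` line is fine, but it was the only hint in the example of which upstream image this one replaces, so a short sentence noting that this image is a drop-in for the `jc21` one would preserve that information.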
@@ -220,425 +223,5 @@ services: - ./data/mysql:/var/lib/mysql ``` - - -## Contributors - -Special thanks to the following contributors: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - -
chaptergy -
-
- - -
Kyle Klaus -
-
- - -
ƬHE ЯAW -
-
- - -
Spencer -
-
- - -
Xantios Krugor -
-
- - -
David Panesso -
-
- - -
IronTooch -
-
- - -
Damiano -
-
- - -
Russ -
-
- - -
Marcelo Castagna -
-
- - -
Steven Harris -
-
- - -
Jocelyn Le Sage -
-
- - -
Carl Mercier -
-
- - -
Paul Mansfield -
-
- - -
OhHeyAlan -
-
- - -
Carl Sutton -
-
- - -
Gergő Törcsvári -
-
- - -
vrenjith -
-
- - -
David Rivera -
-
- - -
Jaap-Jan de Wit -
-
- - -
James Morgan -
-
- - -
Sebastian Valle -
-
- - -
Philip Mooney -
-
- - -
WaterCalm -
-
- - -
lebrou34 -
-
- - -
Mário Franco -
-
- - -
Kyle Harding -
-
- - -
Alex Graber -
-
- - -
MooBaloo -
-
- - -
Shuro -
-
- - -
Loris Bergeron -
-
- - -
hepelayo -
-
- - -
Jonas Leder -
-
- - -
Bastian Stegmann -
-
- - -
Stealthii -
-
- - -
THEGamingninja -
-
- - -
Italo Borssatto -
-
- - -
Gurjinder Singh -
-
- - -
David Dosoudil -
-
- - -
ijaron -
-
- - -
Niels Bouma -
-
- - -
Orko Garai -
-
- - -
Filippo Baruffaldi -
-
- - -
Bikramjeet Singh -
-
- - -
Razvan Stoica -
-
- - -
RBXII3 -
-
- - -
demize -
-
- - -
PUP-Loki -
-
- - -
Daniel Sörlöv -
-
- - -
Theyooo -
-
- - -
Justin Peacock -
-
- - -
Chris Tracy -
-
- - -
Fuechslein -
-
- - -
Amir Zarrinkafsh -
-
- - -
gabbe -
-
- - -
bmbvenom -
-
- - -
Florian Meinicke -
-
- - -
Rahul Somasundaram -
-
- - -
Björn Heinrichs -
-
- - -
Josh Byrnes -
-
- - -
bergi9 -
-
- - -
luoweihua7 -
-
- - -
Tobias Kneidl -
-
- - -
Pius Walter -
-
- - -
Troy Kelly -
-
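Review bot: this hunk deletes the entire `## Contributors` section and its credit table; since the compose example in the same diff still referenced the upstream `jc21/nginx-proxy-manager` image, those names are largely upstream contributors, and dropping their attribution outright from a derived project is the kind of change maintainers usually avoid. Suggest replacing the table with a one-line link to the upstream project's contributors page rather than removing the section, which also keeps the README short without losing the credit.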