Initial commit

2025-06-18 18:16:26 +00:00 · 2017-12-21 09:02:37 +10:00
parent dc830df253
commit 6e7435c35d
140 changed files with 19554 additions and 0 deletions
--- a/rootfs/etc/cont-finish.d/.gitignore
+++ b/rootfs/etc/cont-finish.d/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/rootfs/etc/cont-init.d/.gitignore
+++ b/rootfs/etc/cont-init.d/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/rootfs/etc/fix-attrs.d/.gitignore
+++ b/rootfs/etc/fix-attrs.d/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/rootfs/etc/nginx/conf.d/default.conf
+++ b/rootfs/etc/nginx/conf.d/default.conf
@ -0,0 +1,38 @@
+# Healthcheck Host which proxies to the Manager,
+# thus the healthcheck ensures both services are running
+server {
+  listen 9876 default;
+  server_name localhost;
+
+  access_log /config/logs/manager.log proxy;
+
+  set $server 127.0.0.1;
+  set $port   81;
+
+  include conf.d/include/block-exploits.conf;
+
+  location /health {
+    access_log  off;
+    include conf.d/include/proxy.conf;
+  }
+
+  location / {
+    return 404;
+  }
+}
+
+# Default 80 Host, which shows a "You are not configured" page
+server {
+  listen 80 default;
+  server_name localhost;
+
+  access_log /config/logs/default.log proxy;
+
+  include conf.d/include/assets.conf;
+  include conf.d/include/block-exploits.conf;
+
+  location / {
+    index index.html;
+    root /var/www/html;
+  }
+}
--- a/rootfs/etc/nginx/conf.d/include/assets.conf
+++ b/rootfs/etc/nginx/conf.d/include/assets.conf
@ -0,0 +1,31 @@
+location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
+    if_modified_since off;
+
+    # use the public cache
+    proxy_cache public-cache;
+    proxy_cache_key $host$request_uri;
+
+    # ignore these headers for media
+    proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
+
+    # cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
+    proxy_cache_valid any 30m;
+    proxy_cache_valid 404 1m;
+
+    # strip this header to avoid If-Modified-Since requests
+    proxy_hide_header Last-Modified;
+    proxy_hide_header Cache-Control;
+    proxy_hide_header Vary;
+
+    proxy_cache_bypass 0;
+    proxy_no_cache 0;
+
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
+    proxy_connect_timeout 5s;
+    proxy_read_timeout 45s;
+
+    expires @30m;
+    access_log  off;
+
+    include conf.d/include/proxy.conf;
+}
--- a/rootfs/etc/nginx/conf.d/include/block-exploits.conf
+++ b/rootfs/etc/nginx/conf.d/include/block-exploits.conf
@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}
--- a/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+++ b/rootfs/etc/nginx/conf.d/include/force-ssl.conf
@ -0,0 +1,3 @@
+if ($scheme = "http") {
+    return 301 https://$host$request_uri;
+}
--- a/rootfs/etc/nginx/conf.d/include/proxy.conf
+++ b/rootfs/etc/nginx/conf.d/include/proxy.conf
@ -0,0 +1,6 @@
+add_header       X-Served-By $host;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_pass       http://$server:$port;
--- a/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -0,0 +1,12 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
+ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
+S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
--- a/rootfs/etc/nginx/nginx.conf
+++ b/rootfs/etc/nginx/nginx.conf
@ -0,0 +1,55 @@
+# run nginx in foreground
+daemon off;
+
+user root;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+error_log /config/logs/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+  include                   /etc/nginx/mime.types;
+  default_type              application/octet-stream;
+  sendfile                  on;
+  server_tokens             off;
+  tcp_nopush                on;
+  tcp_nodelay               on;
+  client_body_temp_path     /tmp/nginx/body 1 2;
+  keepalive_timeout         65;
+  ssl_prefer_server_ciphers on;
+  gzip                      on;
+  proxy_ignore_client_abort off;
+  client_max_body_size      2000m;
+  proxy_http_version        1.1;
+  proxy_set_header          X-Forwarded-Scheme $scheme;
+  proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header          Accept-Encoding "";
+  proxy_cache               off;
+  proxy_cache_path          /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
+  proxy_cache_path          /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
+
+  # MISS
+  # BYPASS
+  # EXPIRED - expired, request was passed to backend
+  # UPDATING - expired, stale response was used due to proxy/fastcgi_cache_use_stale updating
+  # STALE - expired, stale response was used due to proxy/fastcgi_cache_use_stale
+  # HIT
+  # - (dash) - request never reached to upstream module. Most likely it was processed at Nginx-level only (e.g. forbidden, redirects, etc) (Ref: Mail Thread
+  log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
+
+  access_log /config/logs/default.log proxy;
+
+  include /etc/nginx/conf.d/*.conf;
+  include /config/nginx/*.conf;
+}
--- a/rootfs/etc/services.d/manager/finish
+++ b/rootfs/etc/services.d/manager/finish
@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+s6-svscanctl -t /var/run/s6/services
--- a/rootfs/etc/services.d/manager/run
+++ b/rootfs/etc/services.d/manager/run
@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+
+cd /srv/manager
+node --abort_on_uncaught_exception --max_old_space_size=250 /srv/manager/src/backend/index.js
--- a/rootfs/etc/services.d/nginx/finish
+++ b/rootfs/etc/services.d/nginx/finish
@ -0,0 +1 @@
+/bin/true
--- a/rootfs/etc/services.d/nginx/run
+++ b/rootfs/etc/services.d/nginx/run
@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv bash
+
+mkdir -p /tmp/nginx /config/{nginx,logs,access} /var/lib/nginx/cache/{public,private}
+chown root /tmp/nginx
+exec nginx
--- a/rootfs/root/.bashrc
+++ b/rootfs/root/.bashrc
@ -0,0 +1,13 @@
+
+# Custom bash prompt via kirsle.net/wizards/ps1.html
+if [ -t 1 ] ; then
+    export PS1="\e[1;34m[\e[1;33m\u@\e[1;32mdocker-\h\e[1;37m:\w\[\e[1;34m]\e[1;36m\\$ \e[0m"
+fi
+
+# Aliases
+alias l='ls -lAsh --color'
+alias ls='ls -C1 --color'
+alias cp='cp -ip'
+alias rm='rm -i'
+alias mv='mv -i'
+alias h='cd ~;clear;'
--- a/rootfs/var/www/html/index.html
+++ b/rootfs/var/www/html/index.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="utf-8">
+        <meta http-equiv="X-UA-Compatible" content="IE=edge">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Default Site</title>
+        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
+        <style>
+            .jumbotron { margin-top: 50px; }
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            <div class="jumbotron">
+                <h1>Congratulations!</h1>
+                <p>You've successfully started the Nginx Proxy Manager.</p>
+                <p>If you're seeing this site then you're trying to access a host that isn't set up yet.</p>
+                <p>Log in to the Admin panel to get started.</p>
+            </div>
+            <p class="text-center"><small>Powered by <a href="#" target="_blank">Nginx Proxy Manager</a></small></p>
+        </div>
+    </body>
+</html>