-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathnginx updated 8g firewall rules v9.conf
338 lines (282 loc) · 11.8 KB
/
nginx updated 8g firewall rules v9.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
# ============================================
# 8G Nginx Firewall Rules
# ============================================
http {
# -----------------------------------------
# 1. Logging for Blocked Requests
# -----------------------------------------
log_format detailed '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'$ssl_protocol $ssl_cipher';
# -----------------------------------------
# Dynamic IP Blocking
# -----------------------------------------
geo $blocked_ip {
default 0;
# Known bad IP ranges
192.0.2.0/24 1;
198.51.100.0/24 1;
}
# -----------------------------------------
# Additional Maps (moved from server block)
# -----------------------------------------
map $http_user_agent $bad_bot {
default 0;
~*(?i)(80legs|360Spider|Aboundex|Abonti|Acunetix|^AIBOT) 1;
~*(?i)(AISeeker|Anemone|Ant|BackDoorBot|BackWeb|Bandit) 1;
~*(?i)(Baiduspider|BatchFTP|Bigfoot|Black.Hole|BlackWidow) 1;
~*(?i)(BlowFish|Bot|Buddy|BuiltBotTough|BunnySlippers) 1;
# Add more patterns as needed
}
map $content_type $max_request_size {
default 10m;
"application/json" 1m;
"application/xml" 2m;
"multipart/form-data" 20m;
"application/x-www-form-urlencoded" 1m;
}
# -----------------------------------------
# 2. Query String Blocking Rules
# -----------------------------------------
map $query_string $block_query {
# Common XSS attempts
~*(?:<script|javascript:|data:text/html|onerror=|onload=|alert\(|eval\() 1;
# Common SQL injection signatures with word boundaries
~*(?:\bunion\s+select\b|\binformation_schema\b|\bsleep\(|\bload_file\(|\binto\s+outfile\b|\bconcat\(|\bbase64_decode\() 1;
# Extremely long query strings (DoS)
~*[A-Za-z0-9]{1000,} 1;
# Sensitive file paths
~*(?:etc/passwd|etc/shadow|proc/self/environ|\.ssh|\.bash_history) 1;
# Command injection patterns
~*(?:;wget\s|;curl\s|;nc\s|;rm\s|;bash\s|;sh\s) 1;
default 0;
}
# -----------------------------------------
# 3. Request URI Blocking Rules
# -----------------------------------------
map $request_uri $block_uri {
# Malicious scripts / webshells
~*(?:phpinfo|shell\.php|c99\.php|r57\.php|wso\.php|phpmyadmin|pma|sqlmap|adminer|log4shell) 1;
# Suspicious file extensions
~*\.(?:cgi|asp|aspx|dll|exe|jsp|mdb|sql|ini|sh|bat|pl|ps1|vbs|pem|key|crt|pfx|csr)$ 1;
# System directories
~*(?:/etc/|/proc/|/root/|/tmp/|/var/|/\.git|/\.svn) 1;
default 0;
}
# -----------------------------------------
# 4. User Agent Blocking Rules
# -----------------------------------------
map $http_user_agent $block_agent {
# Known attack tools and scanners
~*(?:acunetix|nikto|sqlmap|netsparker|nessus|dirbuster|masscan|burpsuite|wpscan|httperf) 1;
~*(?:curl|python|ruby|wget|java|go-http-client|headlesschrome|phantomjs|selenium|puppeteer) 1;
# Empty user agent
~*^$ 1;
default 0;
}
# -----------------------------------------
# 5. Referer Blocking Rules
# -----------------------------------------
map $http_referer $block_referer {
# Common spammy referers
~*(?:poker|viagra|cialis|dating|porn|pharma|casino|adult) 1;
# Suspicious TLDs (anchored)
~*\.(?:ru|cn|xyz|top|buzz|icu)$ 1;
default 0;
}
# -----------------------------------------
# 6. HTTP Method Blocking Rules
# -----------------------------------------
map $request_method $block_method {
# Uncommon/Harmful methods
~*(?:TRACE|TRACK|CONNECT|MOVE|PROPFIND|PROPPATCH|COPY|LOCK|UNLOCK|MKCOL) 1;
default 0;
}
# -----------------------------------------
# 7. Combine All Conditions
# -----------------------------------------
map "$block_query$block_uri$block_agent$block_referer$block_method" $block_all {
"~*1" 1;
default 0;
}
# -----------------------------------------
# 8. Rate & Connection Limiting & Timeouts
# -----------------------------------------
limit_req_zone $binary_remote_addr zone=8g_limit:5m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:5m;
client_body_timeout 10s;
client_header_timeout 10s;
keepalive_timeout 5s 5s;
send_timeout 10s;
client_body_buffer_size 16k;
client_header_buffer_size 1k;
client_max_body_size 10m;
large_client_header_buffers 2 1k;
lingering_timeout 5s;
lingering_time 30s;
# Remove duplicate timeouts (ensured no duplicates)
# -----------------------------------------
# Proxy Headers Protection
# -----------------------------------------
proxy_hide_header X-Powered-By;
proxy_hide_header X-AspNet-Version;
proxy_hide_header X-AspNetMvc-Version;
# -----------------------------------------
# Compression (GZIP) for Security. Uncomment the first 3 rules if gzip is not already enabled in your nginx config
# -----------------------------------------
#gzip on;
#gzip_vary on;
#gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_proxied no-cache no-store private expired auth;
gzip_disable "MSIE [1-6]\.";
# -----------------------------------------
# 9. Server Blocks
# -----------------------------------------
# Redirect HTTP to HTTPS
server {
listen 80;
server_name yourdomain.com www.yourdomain.com; # Replace with your domain
return 301 https://$host$request_uri;
}
# HTTPS/HTTP/3 Server Block
server {
# Enable HTTP/3
#listen 443 quic reuseport; # For HTTP/3 (QUIC)
listen 443 ssl http2; # For HTTP/2
#http3 on;
#quic_retry on;
server_name yourdomain.com www.yourdomain.com; # Replace with your domain
# SSL Configuration
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Deny access to hidden files and directories
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Protect sensitive files
location ~* (?:README|LICENSE|COPYING|AUTHORS|INSTALL|TODO|VERSION|CHANGES|NEWS)$ {
deny all;
access_log off;
log_not_found off;
}
# Apply Rate & Connection Limits
limit_req zone=8g_limit burst=10 nodelay;
limit_conn conn_limit 10;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https:;" always;
server_tokens off;
# File Upload Restrictions
client_max_body_size 10M;
# Access Control for Sensitive Files
location ~* ^/(?:\.ht|\.git|\.svn|wp-config\.php|phpunit|composer\.(json|lock)|package-lock\.json|yarn\.lock|setup\.php)$ {
deny all;
}
# Block Hidden Files/Folders (redundant but consistent)
location ~ /\. {
deny all;
}
# Block Backups, Logs, and Sensitive Files
location ~* \.(?:log|backup|sql|db|tar|gz|zip|7z|bin|pfx|pgp|dmp|bak)$ {
deny all;
}
# Rate Limit on Login/XML-RPC
location = /wp-login.php {
limit_req zone=8g_limit burst=3 nodelay;
try_files $uri $uri/ =404;
# Request Body Validation
client_body_in_file_only clean;
client_body_in_single_buffer on;
}
location = /xmlrpc.php {
limit_req zone=8g_limit burst=3 nodelay;
try_files $uri $uri/ =404;
# Request Body Validation
client_body_in_file_only clean;
client_body_in_single_buffer on;
}
# Deny Admin Panels & Sensitive Paths
location ~* /(admin|adminer|mysqladmin|phpmyadmin|pma|myadmin|backup|logs|webshell)$ {
deny all;
}
# Additional Security for /admin/ section
location /admin/ {
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none';" always;
}
# Additional Security and CORS for /api/ section
location /api/ {
add_header X-Frame-Options "DENY" always;
add_header Access-Control-Allow-Origin "https://yourdomain.com";
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization";
}
# Main location
location / {
# Check for blocked IP
if ($blocked_ip) {
return 444;
}
# Check combined blocking conditions
if ($block_all = 1) {
return 403;
}
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
expires off;
try_files $uri $uri/ =404;
# Request Body Validation
client_body_in_file_only clean;
client_body_in_single_buffer on;
}
# Log blocked requests separately
access_log /var/log/nginx/blocked.log blocked if=$block_all;
# Prevent Caching of Admin/Restricted Areas
location ~* /(wp-admin|wp-includes|cgi-bin|phpmyadmin|adminer|setup\.php|login\.php)$ {
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
expires off;
}
# If bad bot detected
if ($bad_bot) {
return 444;
}
# FastCGI Protection
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_intercept_errors on;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Only allow GET, HEAD, POST, OPTIONS methods
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
return 405;
}
# Optional custom error pages
# error_page 404 /404.html;
# error_page 403 /403.html;
# error_page 405 /405.html;
}
}