Initial Commit

.gitea/workflows/alpine-dockerio.yaml

@@ -0,0 +1,60 @@
+name: Build and Push Alpine NGINX Image to docker.io Registry
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Build and push image (root user)
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Login to docker.io Registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: aprimediet
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.alpine
+          build-args: |
+            REGISTRY_URL=aprimediet
+          push: true
+          tags: |
+            aprimediet/nginx:alpine
+            aprimediet/nginx:latest-alpine
+            aprimediet/nginx:latest
+  build-rootless:
+    name: Build and push image (rootless)
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Login to docker.io Registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: aprimediet
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.alpine-rootless
+          build-args: |
+            REGISTRY_URL=aprimediet
+          push: true
+          tags: |
+            aprimediet/nginx:rootless-alpine
+            aprimediet/nginx:rootless
+            aprimediet/nginx:latest-rootless-alpine
+            aprimediet/nginx:latest-rootless

.gitea/workflows/alpine-winter.yaml

@@ -0,0 +1,56 @@
+name: Build and Push Alpine NodeJS Image to Winter Access Registry
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Build and push image (Root User)
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Login to Docker Winter Access Git Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.winteraccess.id
+          username: aditya.prima
+          password: ${{ secrets.PATOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.alpine
+          push: true
+          tags: |
+            git.winteraccess.id/${{ gitea.repository }}:alpine
+            git.winteraccess.id/${{ gitea.repository }}:latest-alpine
+            git.winteraccess.id/${{ gitea.repository }}:latest
+  build-rootless:
+    name: Build and push image (rootless)
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Login to Docker Winter Access Git Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.winteraccess.id
+          username: aditya.prima
+          password: ${{ secrets.PATOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.alpine-rootless
+          push: true
+          tags: |
+            git.winteraccess.id/${{ gitea.repository }}:rootless-alpine
+            git.winteraccess.id/${{ gitea.repository }}:rootless
+            git.winteraccess.id/${{ gitea.repository }}:latest-rootless-alpine
+            git.winteraccess.id/${{ gitea.repository }}:latest-rootless

Dockerfile.alpine

@@ -0,0 +1,29 @@
+ARG REGISTRY_URL=git.winteraccess.id/docker
+ARG ALPINE_VERSION=3.20
+
+FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+
+WORKDIR /
+
+# INSTALL WGET AND REQUIRED BUILD TOOLS
+RUN --mount=type=cache,target=/var/cache/apk \
+    apk update && apk upgrade && apk add \
+    nginx nginx-mod-http-naxsi
+
+# COPY CONFIGURATION FILES
+ADD ./etc/nginx/nginx.conf /etc/nginx/
+ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
+ADD ./etc/nginx/proxy_params /etc/nginx/
+ADD ./etc/nginx/ssl_params /etc/nginx/
+ADD ./etc/nginx/conf.d /etc/nginx/conf.d
+
+ADD ./app /app
+
+# CLEAR CACHE
+RUN apk del curl && \
+    rm -rf /var/cache/apk/*
+
+CMD ["nginx"]
+
+EXPOSE 80

Dockerfile.alpine-rootless

@@ -0,0 +1,38 @@
+ARG REGISTRY_URL=git.winteraccess.id/docker
+ARG ALPINE_VERSION=3.20
+
+FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+
+WORKDIR /
+
+# ADD USER
+RUN addgroup -g 1001 nginx && adduser -D -u 1001 -G nginx -s /bin/bash -h /app nginx
+
+# INSTALL WGET AND REQUIRED BUILD TOOLS
+RUN --mount=type=cache,target=/var/cache/apk \
+    apk update && apk upgrade && apk add \
+    nginx nginx-mod-http-naxsi
+
+# COPY CONFIGURATION FILES
+ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
+ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
+ADD ./etc/nginx/proxy_params /etc/nginx/
+ADD ./etc/nginx/ssl_params /etc/nginx/
+ADD ./etc/nginx/conf.d /etc/nginx/conf.d
+
+ADD ./app /app
+
+RUN touch /var/run/nginx.pid && chown nginx:nginx /var/run/nginx.pid
+
+# CLEAR CACHE
+RUN apk del curl && \
+    rm -rf /var/cache/apk/*
+
+# SET AS USER NODE
+WORKDIR /app
+USER nginx
+
+# CMD ["nginx"]
+
+EXPOSE 80

app/index.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+    body {
+        width: 35em;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<h2>The aprimediet/nginx variant.</h2>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p>For online documentation specific to the aprimediet/nginx,<br/>
+please refer to <a href="https://github.com/aprimediet/docker-nginx">aprimediet/docker-nginx</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>

etc/nginx/conf.d/default.conf

@@ -0,0 +1,16 @@
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+
+  server_name _;
+  root /app;
+  index index.html;
+
+  location / {
+    try_files $uri $uri/ =404;
+  }
+
+  location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+    expires 30d;
+  }
+}

etc/nginx/naxsi_core.rules

@@ -0,0 +1,91 @@
+##################################
+## INTERNAL RULES IDS:1-999     ##
+##################################
+#@MainRule "msg:weird request, unable to parse" id:1;
+#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
+#@MainRule "msg:invalid hex encoding, null bytes" id:10;
+#@MainRule "msg:unknown content-type" id:11;
+#@MainRule "msg:invalid formatted url" id:12;
+#@MainRule "msg:invalid POST format" id:13;
+#@MainRule "msg:invalid POST boundary" id:14;
+#@MainRule "msg:invalid JSON" id:15;
+#@MainRule "msg:empty POST" id:16;
+#@MainRule "msg:libinjection_sql" id:17;
+#@MainRule "msg:libinjection_xss" id:18;
+#@MainRule "msg:no generic rules" id:19;
+#@MainRule "msg:bad utf8" id:20;
+
+
+
+##################################
+## SQL Injections IDs:1000-1099 ##
+##################################
+MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
+MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
+MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
+## Hardcore rules
+MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
+MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
+MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
+MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
+## end of hardcore rules
+MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
+MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
+MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
+MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
+MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
+MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
+MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
+MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
+MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
+
+###############################
+## OBVIOUS RFI IDs:1100-1199 ##
+###############################
+MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
+MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
+MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
+MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
+MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
+MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
+MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
+MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
+MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
+MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
+MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
+MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
+MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
+MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
+
+#######################################
+## Directory traversal IDs:1200-1299 ##
+#######################################                                          
+MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
+MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
+MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
+MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
+MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
+#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
+MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
+
+########################################
+## Cross Site Scripting IDs:1300-1399 ##
+########################################
+MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
+MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
+MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
+MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
+MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
+MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
+MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
+
+####################################
+## Evading tricks IDs: 1400-1500 ##
+####################################
+MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
+MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
+
+#############################
+## File uploads: 1500-1600 ##
+#############################
+MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

etc/nginx/nginx-rootless.conf

@@ -0,0 +1,69 @@
+# /etc/nginx/nginx.conf
+
+# Do not start as daemon
+daemon off;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+# Set log to stderr
+error_log stderr warn;
+pid       /var/run/nginx.pid;
+
+include /etc/nginx/modules/*.conf;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include /etc/nginx/mime.types;
+  include /etc/nginx/naxsi_core.rules;
+  default_type application/octet-stream;
+  server_tokens off;
+  keepalive_timeout 15;
+  sendfile on;
+  tcp_nodelay on;
+
+  log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+                        '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+
+  # Do not log access
+  access_log /dev/stdout custom_log;
+
+  # SSL
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:2m;
+
+  # buffering causes issues, disable it
+  # increase buffer size. still useful even when buffering is off
+  proxy_buffering off;
+  proxy_buffer_size 4k;
+
+  # Buffer size
+  client_body_buffer_size 10k;
+  client_header_buffer_size 1k;
+  client_max_body_size 8m;
+  large_client_header_buffers 2 1k;
+
+  # Timeouts
+  client_body_timeout 12;
+  client_header_timeout 12;
+  send_timeout 10;
+
+  # GZip Compression
+  gzip on;
+  gzip_http_version 1.0;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 1280;
+  gzip_buffers 128 4k;
+  # gzip_proxied expired no-cache no-store private auth;
+  gzip_proxied any;
+  gzip_disable "msie6";
+  # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+  
+  include /etc/nginx/conf.d/*.conf;
+}

etc/nginx/nginx.conf

@@ -0,0 +1,71 @@
+# /etc/nginx/nginx.conf
+
+user root;
+
+# Do not start as daemon
+daemon off;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+# Set log to stderr
+error_log stderr warn;
+pid       /var/run/nginx.pid;
+
+include /etc/nginx/modules/*.conf;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include /etc/nginx/mime.types;
+  include /etc/nginx/naxsi_core.rules;
+  default_type application/octet-stream;
+  server_tokens off;
+  keepalive_timeout 15;
+  sendfile on;
+  tcp_nodelay on;
+
+  log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+                        '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+
+  # Do not log access
+  access_log /dev/stdout custom_log;
+
+  # SSL
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:2m;
+
+  # buffering causes issues, disable it
+  # increase buffer size. still useful even when buffering is off
+  proxy_buffering off;
+  proxy_buffer_size 4k;
+
+  # Buffer size
+  client_body_buffer_size 10k;
+  client_header_buffer_size 1k;
+  client_max_body_size 8m;
+  large_client_header_buffers 2 1k;
+
+  # Timeouts
+  client_body_timeout 12;
+  client_header_timeout 12;
+  send_timeout 10;
+
+  # GZip Compression
+  gzip on;
+  gzip_http_version 1.0;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 1280;
+  gzip_buffers 128 4k;
+  # gzip_proxied expired no-cache no-store private auth;
+  gzip_proxied any;
+  gzip_disable "msie6";
+  # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+  
+  include /etc/nginx/conf.d/*.conf;
+}

etc/nginx/proxy_params

@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

etc/nginx/ssl_params

@@ -0,0 +1,22 @@
+# secure nginx, see https://cipherli.st/
+
+ssl_protocols TLSv1.3
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# https://hstspreload.org
+add_header Strict-Transport-Security "max-age=63072000" always; 
+# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
+# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;