From 9bc44e4393fe5b778142e6ff4a4666c30966e9e3 Mon Sep 17 00:00:00 2001
From: Muhamad Aditya Prima
Date: Fri, 13 Dec 2024 03:21:05 +0700
Subject: [PATCH] Added ubi9 and ubi9-micro nginx image
---
 Dockerfile.alpine | 17 ++++-
 Dockerfile.alpine-rootless | 37 ---------
 Dockerfile.ubi9 | 37 +++++++++
 Dockerfile.ubi9-micro | 44 +++++++++++
 etc/{nginx => alpine}/conf.d/default.conf | 0
 etc/alpine/fastcgi_params | 24 ++++++
 etc/{nginx => alpine}/nginx.conf | 9 +-
 etc/{nginx => alpine}/proxy_params | 0
 etc/{nginx => alpine}/ssl_params | 0
 etc/nginx/naxsi_core.rules | 91 -----------------------
 etc/nginx/nginx-rootless.conf | 71 ------------------
 etc/ubi9/conf.d/default.conf | 23 ++++++
 etc/ubi9/nginx.conf | 70 +++++++++++++++++
 etc/ubi9/proxy_params | 4 +
 etc/ubi9/ssl_params | 22 ++++++
 15 files changed, 242 insertions(+), 207 deletions(-)
 delete mode 100644 Dockerfile.alpine-rootless
 create mode 100644 Dockerfile.ubi9
 create mode 100644 Dockerfile.ubi9-micro
 rename etc/{nginx => alpine}/conf.d/default.conf (100%)
 create mode 100644 etc/alpine/fastcgi_params
 rename etc/{nginx => alpine}/nginx.conf (89%)
 rename etc/{nginx => alpine}/proxy_params (100%)
 rename etc/{nginx => alpine}/ssl_params (100%)
 delete mode 100644 etc/nginx/naxsi_core.rules
 delete mode 100644 etc/nginx/nginx-rootless.conf
 create mode 100644 etc/ubi9/conf.d/default.conf
 create mode 100644 etc/ubi9/nginx.conf
 create mode 100644 etc/ubi9/proxy_params
 create mode 100644 etc/ubi9/ssl_params
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 24653cf..11767c9 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -1,18 +1,26 @@ +# 1.22.1 Alpine 3.17 +# 1.24.0 Alpine 3.19 +# 1.26.2 Alpine 3.21 ARG REGISTRY_URL=git.winteraccess.id/docker -ARG ALPINE_VERSION=3.20 +ARG ALPINE_VERSION=3.21 FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION} LABEL maintainer=" aprimediet@gmail.com" +USER root + WORKDIR /app +# Add nginx user and group +RUN addgroup -g 10001 nginx && adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx + # INSTALL WGET AND REQUIRED BUILD TOOLS RUN --mount=type=cache,target=/var/cache/apk \ apk update && apk upgrade && apk add \ nginx nginx-mod-http-naxsi # COPY CONFIGURATION FILES -ADD ./etc/nginx/nginx.conf /etc/nginx/ +ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf ADD ./etc/nginx/naxsi_core.rules /etc/nginx/ ADD ./etc/nginx/proxy_params /etc/nginx/ ADD ./etc/nginx/ssl_params /etc/nginx/ @@ -20,10 +28,15 @@ ADD ./etc/nginx/conf.d /etc/nginx/conf.d ADD ./app . +RUN chown -R nginx:nginx /app && \ + chown -R nginx:nginx /var/lib/nginx + # CLEAR CACHE RUN apk del curl && \ rm -rf /var/cache/apk/* +USER nginx + CMD ["nginx"] EXPOSE 80 \ No newline at end of file diff --git a/Dockerfile.alpine-rootless b/Dockerfile.alpine-rootless deleted file mode 100644 index 3cf5e38..0000000 --- a/Dockerfile.alpine-rootless +++ /dev/null 
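Review bot: The COPY CONFIGURATION FILES hunk still ADDs `./etc/nginx/nginx-rootless.conf`, `./etc/nginx/naxsi_core.rules`, `./etc/nginx/proxy_params`, `./etc/nginx/ssl_params` and `./etc/nginx/conf.d`, yet this same commit deletes the first two and renames the rest to `etc/alpine/`, so the Alpine build can no longer resolve its context paths. Replacing those five ADD lines with `COPY ./etc/alpine /etc/nginx` mirrors what Dockerfile.ubi9 does and also picks up the new `etc/alpine/fastcgi_params`, which nothing copies today. With `naxsi_core.rules` removed and its include dropped from the renamed nginx.conf, `nginx-mod-http-naxsi` on the apk line is installed without any ruleset, so the WAF is effectively off; either drop the package or keep the rules and include so the decision is explicit. Because the image now ends as `USER nginx` and the renamed nginx.conf writes `pid /var/run/nginx/nginx.pid`, the chown RUN should also do `mkdir -p /var/run/nginx && chown nginx:nginx /var/run/nginx`, as Dockerfile.ubi9 already does.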
@@ -1,37 +0,0 @@
-ARG REGISTRY_URL=git.winteraccess.id/docker
-ARG ALPINE_VERSION=3.20
-
-FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
-LABEL maintainer=" aprimediet@gmail.com"
-
-WORKDIR /app
-
-# ADD USER
-RUN addgroup -g 10001 nginx && adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx
-
-# INSTALL WGET AND REQUIRED BUILD TOOLS
-RUN --mount=type=cache,target=/var/cache/apk \
- apk update && apk upgrade && apk add \
- nginx nginx-mod-http-naxsi
-
-# COPY CONFIGURATION FILES
-ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
-ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
-ADD ./etc/nginx/proxy_params /etc/nginx/
-ADD ./etc/nginx/ssl_params /etc/nginx/
-ADD ./etc/nginx/conf.d /etc/nginx/conf.d
-
-ADD ./app .
-
-RUN chown -R nginx:nginx /app && \
- chown -R nginx:nginx /var/lib/nginx
-
-# CLEAR CACHE
-RUN apk del curl && \
- rm -rf /var/cache/apk/*
-
-USER nginx
-
-CMD ["nginx"]
-
-EXPOSE 80
\ No newline at end of file
diff --git a/Dockerfile.ubi9 b/Dockerfile.ubi9
new file mode 100644
index 0000000..db3fd91
--- /dev/null
+++ b/Dockerfile.ubi9
@@ -0,0 +1,37 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder
+LABEL maintainer=" aprimediet@gmail.com"
+
+ARG NGINX_VERSION=1.24
+
+USER root
+
+# Add group and user nginx
+RUN groupadd -g 10001 nginx && \
+ useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \
+ mkdir -p /var/run/nginx && \
+ chown nginx:nginx /var/run/nginx
+
+# Update packages, configure nginx version
+# and install nginx
+RUN dnf -y update && \
+ dnf -y module reset nginx && \
+ dnf -y module enable nginx:${NGINX_VERSION} && \
+ dnf -y install nginx && \
+ dnf -y autoremove && \
+ dnf -y clean all
+
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+RUN chown -R nginx:nginx /app
+
+USER nginx
+
+WORKDIR /app
+
+EXPOSE 80
+
+CMD ["nginx"]
\ No newline at end of file
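Review bot: `useradd -m -d /app` populates /app from /etc/skel before `ADD ./app /app` lands on top of it, and /app is also the `root` of `etc/ubi9/conf.d/default.conf`, so any skeleton dotfiles the base ships would sit inside the served tree; `useradd -M -d /app` plus an explicit `mkdir -p /app` (or a dotfile deny in the server block) keeps the web root limited to what the repo puts there. Both `FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}` and `dnf -y update` take whatever is current at build time, so two builds of this commit can differ; pinning the base tag by digest is the usual way to keep the image reproducible and auditable. `AS builder` names a stage nothing in this file consumes, and `COPY` is the better choice over `ADD` for plain local directories since ADD also unpacks archives.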
diff --git a/Dockerfile.ubi9-micro b/Dockerfile.ubi9-micro
new file mode 100644
index 0000000..fcadd3a
--- /dev/null
+++ b/Dockerfile.ubi9-micro
@@ -0,0 +1,44 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+ARG NGINX_VERSION=1.24
+
+FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder
+LABEL maintainer=" aprimediet@gmail.com"
+
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime
+LABEL maintainer=" aprimediet@gmail.com"
+
+USER root
+
+# Create nginx run and logs directory
+RUN mkdir -p /var/run/nginx && \
+ mkdir -p /var/log/nginx && \
+ chown 10001:10001 /var/run/nginx && \
+ chown 10001:10001 /var/log/nginx
+
+# Copy required libs
+COPY --from=builder /usr/lib64/libcrypt* /usr/lib64
+COPY --from=builder /usr/lib64/libssl* /usr/lib64
+COPY --from=builder /usr/lib64/libz* /usr/lib64
+
+# Copy nginx required files
+COPY --from=builder /etc/nginx /etc/nginx
+COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /usr/libexec/nginx* /usr/libexec/
+COPY --from=builder /usr/sbin/nginx /usr/sbin
+COPY --from=builder /usr/share/nginx /usr/share/nginx
+COPY --from=builder /var/lib/nginx /var/lib/nginx
+
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+
+RUN chown -R 10001:10001 /app
+
+USER 10001
+
+WORKDIR /app
+
+EXPOSE 80
+
+CMD ["nginx"]
\ No newline at end of file
diff --git a/etc/nginx/conf.d/default.conf b/etc/alpine/conf.d/default.conf
similarity index 100%
rename from etc/nginx/conf.d/default.conf
rename to etc/alpine/conf.d/default.conf
diff --git a/etc/alpine/fastcgi_params b/etc/alpine/fastcgi_params
new file mode 100644
index 0000000..e5c2f5a
--- /dev/null
+++ b/etc/alpine/fastcgi_params
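Review bot: The runtime stage copies only `libcrypt*`, `libssl*` and `libz*` from the builder, but nothing verifies that these cover every shared object `/usr/sbin/nginx` links against (the UBI build is normally linked against libpcre2 too), so a missing library would surface at first container start rather than at build time; running `ldd /usr/sbin/nginx` in the builder and adding a `RUN nginx -t` after the config is in place would make the build fail instead. `/var/lib/nginx` is brought in with `COPY --from` but, unlike `/var/run/nginx` and `/var/log/nginx`, is never chowned to `10001:10001`, and nginx writes client-body and proxy temp files there; confirm the ownership survives the copy or add it to the chown RUN. `FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9` pulls a mutable tag that this repository itself publishes, so pinning it by digest closes the loop between the two Dockerfiles.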
@@ -0,0 +1,24 @@ +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file diff --git a/etc/nginx/nginx.conf b/etc/alpine/nginx.conf similarity index 89% rename from etc/nginx/nginx.conf rename to etc/alpine/nginx.conf index 1cae672..65ab6da 100644 --- a/etc/nginx/nginx.conf +++ b/etc/alpine/nginx.conf @@ -1,7 +1,5 @@ # /etc/nginx/nginx.conf -user root; - # Do not start as daemon daemon off; @@ -10,7 +8,7 @@ worker_rlimit_nofile 100000; # Set log to stderr error_log stderr warn; -pid /var/run/nginx.pid; +pid /var/run/nginx/nginx.pid; include /etc/nginx/modules/*.conf; @@ -20,7 +18,6 @@ events { http { include /etc/nginx/mime.types; - include /etc/nginx/naxsi_core.rules; default_type application/octet-stream; server_tokens off; keepalive_timeout 15; @@ -29,9 +26,9 @@ http { log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - ' '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" "$gzip_ratio"'; + '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'; - # Do not log access + # Log access to stdout access_log /dev/stdout custom_log; # SSL 
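Review bot: In the `pid` hunk the master now writes `/var/run/nginx/nginx.pid`, but Dockerfile.alpine neither creates that directory nor makes it writable by the `nginx` user it switches to (it only chowns `/app` and `/var/lib/nginx`), so the rootless image needs `mkdir -p /var/run/nginx && chown nginx:nginx /var/run/nginx` in the Dockerfile as the UBI variants have. Dropping `user root;` is the right change for an image that runs as an unprivileged user. The log_format hunk adds `$http_x_forwarded_for`, which is a client-supplied header (and `proxy_params` appends to it via `$proxy_add_x_forwarded_for`); it is useful behind a trusted proxy, but anything that parses these logs should treat that field as untrusted rather than as the client address.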
diff --git a/etc/nginx/proxy_params b/etc/alpine/proxy_params
similarity index 100%
rename from etc/nginx/proxy_params
rename to etc/alpine/proxy_params
diff --git a/etc/nginx/ssl_params b/etc/alpine/ssl_params
similarity index 100%
rename from etc/nginx/ssl_params
rename to etc/alpine/ssl_params
diff --git a/etc/nginx/naxsi_core.rules b/etc/nginx/naxsi_core.rules
deleted file mode 100644
index 8b40fa8..0000000
--- a/etc/nginx/naxsi_core.rules
+++ /dev/null
@@ -1,91 +0,0 @@ -################################## -## INTERNAL RULES IDS:1-999 ## -################################## -#@MainRule "msg:weird request, unable to parse" id:1; -#@MainRule "msg:request too big, stored on disk and not parsed" id:2; -#@MainRule "msg:invalid hex encoding, null bytes" id:10; -#@MainRule "msg:unknown content-type" id:11; -#@MainRule "msg:invalid formatted url" id:12; -#@MainRule "msg:invalid POST format" id:13; -#@MainRule "msg:invalid POST boundary" id:14; -#@MainRule "msg:invalid JSON" id:15; -#@MainRule "msg:empty POST" id:16; -#@MainRule "msg:libinjection_sql" id:17; -#@MainRule "msg:libinjection_xss" id:18; -#@MainRule "msg:no generic rules" id:19; -#@MainRule "msg:bad utf8" id:20; - - - -################################## -## SQL Injections IDs:1000-1099 ## -################################## -MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; -MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; -MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; -## Hardcore rules -MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; -MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; -MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; -MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; -## end of hardcore rules -MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; -MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; -MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; -MainRule 
"str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; -MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; -MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; -MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; -MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; -MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017; - -############################### -## OBVIOUS RFI IDs:1100-1199 ## -############################### -MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; -MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; -MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; -MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; -MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; -MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105; -MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106; -MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; -MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; -MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; -MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110; -MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111; -MainRule "str:expect://" "msg:expect:// scheme" 
"mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112; -MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113; - -####################################### -## Directory traversal IDs:1200-1299 ## -####################################### -MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; -MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; -MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; -MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; -MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; -#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; -MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207; - -######################################## -## Cross Site Scripting IDs:1300-1399 ## -######################################## -MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; -MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; -MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; -MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; -MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; -MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; -MainRule "rx:%[23]." 
"msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; - -#################################### -## Evading tricks IDs: 1400-1500 ## -#################################### -MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; -MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; - -############################# -## File uploads: 1500-1600 ## -############################# -MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; \ No newline at end of file diff --git a/etc/nginx/nginx-rootless.conf b/etc/nginx/nginx-rootless.conf deleted file mode 100644 index b9f4e1d..0000000 --- a/etc/nginx/nginx-rootless.conf +++ /dev/null 
@@ -1,71 +0,0 @@ -# /etc/nginx/nginx.conf - -user nginx nginx; - -# Do not start as daemon -daemon off; - -worker_processes auto; -worker_rlimit_nofile 100000; - -# Set log to stderr -error_log stderr warn; -pid /tmp/nginx.pid; - -include /etc/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - include /etc/nginx/naxsi_core.rules; - default_type application/octet-stream; - server_tokens off; - keepalive_timeout 15; - sendfile on; - tcp_nodelay on; - - log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" "$gzip_ratio"'; - - # Do not log access - access_log /dev/stdout custom_log; - - # SSL - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:2m; - - # buffering causes issues, disable it - # increase buffer size. still useful even when buffering is off - proxy_buffering off; - proxy_buffer_size 4k; - - # Buffer size - client_body_buffer_size 10k; - client_header_buffer_size 1k; - client_max_body_size 8m; - large_client_header_buffers 2 1k; - - # Timeouts - client_body_timeout 12; - client_header_timeout 12; - send_timeout 10; - - # GZip Compression - gzip on; - gzip_http_version 1.0; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 1280; - gzip_buffers 128 4k; - # gzip_proxied expired no-cache no-store private auth; - gzip_proxied any; - gzip_disable "msie6"; - # gzip_types text/plain application/x-javascript text/xml text/css application/xml; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp; - - include /etc/nginx/conf.d/*.conf; -} \ No newline at end of file diff --git a/etc/ubi9/conf.d/default.conf b/etc/ubi9/conf.d/default.conf new file mode 100644 index 0000000..91eb4d0 --- /dev/null +++ b/etc/ubi9/conf.d/default.conf 
@@ -0,0 +1,23 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ root /app;
+ index index.html;
+
+ error_log stderr warn;
+
+ location / {
+ try_files $uri $uri/ index.html;
+ }
+
+ location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+ expires 30d;
+ }
+
+ location /nginx-status {
+ stub_status on;
+ allow all;
+ }
+}
\ No newline at end of file
diff --git a/etc/ubi9/nginx.conf b/etc/ubi9/nginx.conf
new file mode 100644
index 0000000..eee3d39
--- /dev/null
+++ b/etc/ubi9/nginx.conf
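Review bot: `location /nginx-status` publishes `stub_status` with `allow all;`, so connection and request counters are readable by anyone who can reach port 80; restrict it to the scraper's source range, e.g. `allow 127.0.0.1;` followed by `deny all;`, or put it on a separate internal listen port. In `try_files $uri $uri/ index.html;` the last argument is an internal-redirect URI and should be absolute, `/index.html`, otherwise the fallback will most likely not resolve. The dot in `location ~* .(jpg|jpeg|png|gif|ico|css|js)$` is unescaped and matches any character, so `\.(jpg|jpeg|png|gif|ico|css|js)$` is what was intended. Since `root /app;` is also the nginx user's home directory in Dockerfile.ubi9, a `location ~ /\. { deny all; }` keeps dotfiles out of the served tree.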
@@ -0,0 +1,70 @@ +# For more information on configuration, see: +# * Official English Documentation: http://nginx.org/en/docs/ +# * Official Russian Documentation: http://nginx.org/ru/docs/ + +# Do not start as daemon +daemon off; +worker_rlimit_nofile 100000; + +worker_processes auto; +error_log stderr warn; +pid /var/run/nginx/nginx.pid; + +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + server_tokens off; + keepalive_timeout 15; + sendfile on; + tcp_nodelay on; + + log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'; + + # Log access to stdout + access_log /dev/stdout custom_log; + + # SSL + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:2m; + + + # buffering causes issues, disable it + # increase buffer size. still useful even when buffering is off + proxy_buffering off; + proxy_buffer_size 4k; + + # Buffer size + client_body_buffer_size 10k; + client_header_buffer_size 1k; + client_max_body_size 8m; + large_client_header_buffers 2 1k; + + # Timeouts + client_body_timeout 12; + client_header_timeout 12; + send_timeout 10; + + # GZip Compression + gzip on; + gzip_http_version 1.0; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 1280; + gzip_buffers 128 4k; + # gzip_proxied expired no-cache no-store private auth; + gzip_proxied any; + gzip_disable "msie6"; + # gzip_types text/plain application/x-javascript text/xml text/css application/xml; + gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp; + + include /etc/nginx/conf.d/*.conf; +} \ No newline at end of file 
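Review bot: `ssl_prefer_server_ciphers on;` at http level contradicts the `ssl_prefer_server_ciphers off;` in `etc/ubi9/ssl_params`, and no `ssl_protocols` is set here, so a server block that enables TLS without including ssl_params runs on the compiled-in defaults; set `ssl_protocols TLSv1.2 TLSv1.3;` once at http level and make the prefer setting agree with ssl_params. `worker_rlimit_nofile 100000;` is applied by a master running as uid 10001, which can only raise the soft limit up to the container's hard limit, so expect a setrlimit warning at startup unless the runtime grants it; harmless but noisy. `large_client_header_buffers 2 1k;` is tight enough that clients with sizeable cookies get a 400 from an otherwise healthy server, so it deserves a comment such as `# deliberately small; bump if legitimate clients hit 400 "Request Header Or Cookie Too Large"`.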
diff --git a/etc/ubi9/proxy_params b/etc/ubi9/proxy_params
new file mode 100644
index 0000000..11c0f2c
--- /dev/null
+++ b/etc/ubi9/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
\ No newline at end of file
diff --git a/etc/ubi9/ssl_params b/etc/ubi9/ssl_params
new file mode 100644
index 0000000..db1efbe
--- /dev/null
+++ b/etc/ubi9/ssl_params
@@ -0,0 +1,22 @@
+# secure nginx, see https://cipherli.st/
+
+ssl_protocols TLSv1.3
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# https://hstspreload.org
+add_header Strict-Transport-Security "max-age=63072000" always;
+# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
+# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
\ No newline at end of file
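Review bot: `ssl_protocols TLSv1.3` in the ssl_params hunk is missing its terminating semicolon, so nginx rejects the configuration of any server block that includes this file at load time; the line should read `ssl_protocols TLSv1.2 TLSv1.3;` (or `ssl_protocols TLSv1.3;` if TLS 1.2 clients are genuinely not wanted). `resolver 8.8.8.8 8.8.4.4` sends the OCSP-stapling lookups in clear DNS to public resolvers, which adds an external dependency and a metadata leak; pointing it at the host or cluster resolver keeps that inside the deployment. `add_header X-XSS-Protection "1; mode=block"` is a deprecated header that current guidance sets to `0` or omits in favour of a Content-Security-Policy. Note also that nginx's `add_header` is not inherited into a location that declares its own `add_header`, so these security headers silently vanish from such locations unless repeated there.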