Muhamad Aditya Prima 877333478e Updated workflow actions, now all images running with user nginx or uid 10001
Build and Push Alpine NGINX Image to docker.io Registry / Build and push image (push) Successful in 24s Details
Build and Push Alpine NGINX Image to docker.io Registry / Build and push ubi9 image (push) Successful in 2m44s Details
Build and Push Alpine NGINX Image to git.winteraccess.id Registry / Build and push ubi9 image (push) Successful in 20s Details
Build and Push Alpine NGINX Image to docker.io Registry / Build and push ubi9-micro image (push) Successful in 1m12s Details
Build and Push Alpine NGINX Image to git.winteraccess.id Registry / Build and push ubi9-micro image (push) Successful in 18s Details
2024-12-13 03:41:39 +07:00
Muhamad Aditya Prima 9bc44e4393 Added ubi9 and ubi9-micro nginx image 2024-12-13 03:21:05 +07:00
19 changed files with 461 additions and 274 deletions


@ -6,7 +6,7 @@ on:
jobs:
build:
name: Build and push image (root user)
name: Build and push image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
@ -19,42 +19,36 @@ jobs:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=aprimediet
ALPINE_VERSION=3.17
push: true
tags: |
aprimediet/nginx:alpine
aprimediet/nginx:latest-alpine
aprimediet/nginx:latest
build-rootless:
name: Build and push image (rootless)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push
aprimediet/nginx:1.22-alpine
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine-rootless
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=aprimediet
ALPINE_VERSION=3.19
push: true
tags: |
aprimediet/nginx:rootless-alpine
aprimediet/nginx:rootless
aprimediet/nginx:latest-rootless-alpine
aprimediet/nginx:latest-rootless
aprimediet/nginx:1.24-alpine
- name: Build and push 1.26
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
build-args: |
ALPINE_VERSION=3.21
push: true
tags: |
aprimediet/nginx:1.26-alpine
aprimediet/nginx:1.26
aprimediet/nginx:alpine
aprimediet/nginx:latest
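Review bot: The `Build and push 1.26` step at the end of the hunk omits the `REGISTRY_URL=aprimediet` build-arg that the 1.22 and 1.24 steps pass, so its base image comes from the Dockerfile default (apparently `docker.io/aprimediet` on the new side); that resolves to the same registry today, but the three steps should agree, either all passing `REGISTRY_URL=aprimediet` or none. The bigger hygiene point is that each nginx version is pinned by base image, and `ALPINE_VERSION=3.17` for the 1.22 step is, to my knowledge, past Alpine's support window at the commit date, so `apk upgrade` in that build will no longer pick up security fixes for the `1.22-alpine` tag; the 1.22 step in the git.winteraccess.id alpine workflow has the same issue. Either record that support state in the step name (e.g. `- name: Build and push 1.22 (Alpine 3.17, unsupported base)`) or stop publishing the 1.22 tag.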


@ -1,4 +1,4 @@
name: Build and Push Alpine NodeJS Image to Winter Access Registry
name: Build and Push Alpine NGINX Image to docker.io Registry
on:
push:
branches:
@ -6,51 +6,52 @@ on:
jobs:
build:
name: Build and push image (Root User)
name: Build and push image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to Docker Winter Access Git Registry
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: aditya.prima
password: ${{ secrets.PATOKEN }}
- name: Build and push
username: ${{ vars.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=git.winteraccess.id/docker
ALPINE_VERSION=3.17
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:alpine
git.winteraccess.id/${{ gitea.repository }}:latest-alpine
git.winteraccess.id/${{ gitea.repository }}:latest
build-rootless:
name: Build and push image (rootless)
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to Docker Winter Access Git Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: aditya.prima
password: ${{ secrets.PATOKEN }}
- name: Build and push
git.winteraccess.id/${{ gitea.repository }}:1.22-alpine
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine-rootless
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=git.winteraccess.id/docker
ALPINE_VERSION=3.19
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:rootless-alpine
git.winteraccess.id/${{ gitea.repository }}:rootless
git.winteraccess.id/${{ gitea.repository }}:latest-rootless-alpine
git.winteraccess.id/${{ gitea.repository }}:latest-rootless
git.winteraccess.id/${{ gitea.repository }}:1.24-alpine
- name: Build and push 1.26
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.alpine
build-args: |
REGISTRY_URL=git.winteraccess.id/docker
ALPINE_VERSION=3.21
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:1.26-alpine
git.winteraccess.id/${{ gitea.repository }}:1.26
git.winteraccess.id/${{ gitea.repository }}:alpine
git.winteraccess.id/${{ gitea.repository }}:latest
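Review bot: The login step is renamed `Login to docker.io Registry` while the `registry:` under it is still `git.winteraccess.id` (and, assuming the docker.io-named lines are the new side of each pair, the workflow `name:` in the first hunk likewise says docker.io), which reads as a copy-paste from the docker.io workflow and will mislead anyone reading run logs. The ubi9 workflow for this registry uses `- name: Login to git.winteraccess.id Registry`, so use that here and `name: Build and Push Alpine NGINX Image to git.winteraccess.id Registry` at the top. Moving the credentials to `${{ vars.REGISTRY_USERNAME }}` / `${{ secrets.REGISTRY_TOKEN }}` is the right direction; the docker.io workflow still hard-codes `username: aprimediet` and could follow the same pattern.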


@ -0,0 +1,79 @@
name: Build and Push Alpine NGINX Image to docker.io Registry
on:
push:
branches:
- master
jobs:
build:
name: Build and push ubi9 image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9
build-args: |
NGINX_VERSION=1.22
push: true
tags: |
aprimediet/nginx:1.22-ubi9
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9
build-args: |
NGINX_VERSION=1.24
push: true
tags: |
aprimediet/nginx:1.24-ubi9
aprimediet/nginx:ubi9
build-micro:
name: Build and push ubi9-micro image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
needs:
- build
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to docker.io Registry
uses: docker/login-action@v3
with:
registry: docker.io
username: aprimediet
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9-micro
build-args: |
NGINX_VERSION=1.22
push: true
tags: |
aprimediet/nginx:1.22-ubi9-micro
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9-micro
build-args: |
NGINX_VERSION=1.24
push: true
tags: |
aprimediet/nginx:1.24-ubi9-micro
aprimediet/nginx:ubi9-micro
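Review bot: `actions/checkout@v3`, `docker/login-action@v3` and `docker/build-push-action@v5` are referenced by mutable major tags in every step of this new workflow, so the job that receives `secrets.DOCKER_TOKEN` runs whatever those tags point to at run time; pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual supply-chain control, and the same applies to the other three workflows in this commit. Separately, the workflow `name:` says "Alpine NGINX Image" although both jobs build `Dockerfile.ubi9` / `Dockerfile.ubi9-micro`; `name: Build and Push UBI9 NGINX Image to docker.io Registry` would keep the Actions UI honest, and the git.winteraccess.id ubi9 workflow has the same mismatch.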


@ -0,0 +1,79 @@
name: Build and Push Alpine NGINX Image to git.winteraccess.id Registry
on:
push:
branches:
- master
jobs:
build:
name: Build and push ubi9 image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to git.winteraccess.id Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: ${{ vars.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9
build-args: |
NGINX_VERSION=1.22
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:1.22-ubi9
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9
build-args: |
NGINX_VERSION=1.24
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:1.24-ubi9
git.winteraccess.id/${{ gitea.repository }}:ubi9
build-micro:
name: Build and push ubi9-micro image
runs-on: ubuntu-latest
container:
image: ghcr.io/catthehacker/ubuntu:act-latest
needs:
- build
steps:
- name: Check out repository code
uses: actions/checkout@v3
- name: Login to git.winteraccess.id Registry
uses: docker/login-action@v3
with:
registry: git.winteraccess.id
username: ${{ vars.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push 1.22
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9-micro
build-args: |
NGINX_VERSION=1.22
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:1.22-ubi9-micro
- name: Build and push 1.24
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.ubi9-micro
build-args: |
NGINX_VERSION=1.24
push: true
tags: |
git.winteraccess.id/${{ gitea.repository }}:1.24-ubi9-micro
git.winteraccess.id/${{ gitea.repository }}:ubi9-micro
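Review bot: `needs: - build` on `build-micro` orders the job after this workflow's ubi9 push, but the builder stage in `Dockerfile.ubi9-micro` defaults to `${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9` with `REGISTRY_URL=docker.io/aprimediet`, and neither micro step here passes a `REGISTRY_URL` build-arg, so the micro image is assembled from whatever `nginx:<version>-ubi9` is currently on docker.io, not from the image this job just pushed to git.winteraccess.id. If docker.io is the intended source, the `needs` is misleading and the real dependency is on the docker.io workflow; if the local image is intended, the Dockerfile needs a separate ARG for the builder image prefix (the single `REGISTRY_URL` also prefixes the `ubi9:${UBI_VERSION}-micro` base), which this workflow would set to its own registry path, e.g. `BUILDER_REGISTRY_URL=git.winteraccess.id/<owner>` (constructed name). Both micro steps in this file are affected.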


@ -1,29 +1,41 @@
ARG REGISTRY_URL=git.winteraccess.id/docker
ARG ALPINE_VERSION=3.20
# 1.22.1 Alpine 3.17
# 1.24.0 Alpine 3.19
# 1.26.2 Alpine 3.21
ARG REGISTRY_URL=docker.io/aprimediet
ARG ALPINE_VERSION=3.21
FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
WORKDIR /app
USER root
# Add nginx user and group
RUN addgroup -g 10001 nginx && \
adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx && \
mkdir -p /var/run/nginx && \
chown nginx:nginx /var/run/nginx
# INSTALL WGET AND REQUIRED BUILD TOOLS
RUN --mount=type=cache,target=/var/cache/apk \
apk update && apk upgrade && apk add \
nginx nginx-mod-http-naxsi
nginx
# COPY CONFIGURATION FILES
ADD ./etc/nginx/nginx.conf /etc/nginx/
ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
ADD ./etc/nginx/proxy_params /etc/nginx/
ADD ./etc/nginx/ssl_params /etc/nginx/
ADD ./etc/nginx/conf.d /etc/nginx/conf.d
ADD ./etc/alpine /etc/nginx
ADD ./app /app
ADD ./app .
RUN chown -R nginx:nginx /app && \
chown -R nginx:nginx /var/lib/nginx
# CLEAR CACHE
RUN apk del curl && \
rm -rf /var/cache/apk/*
rm -rf /var/cache/apk/* && \
rm -rf /etc/nginx/http.d
USER nginx
WORKDIR /app
EXPOSE 80
CMD ["nginx"]
EXPOSE 80
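Review bot: With `USER nginx` (uid 10001) the master process is unprivileged, but the default server shipped in this commit listens on port 80, and binding a port below 1024 as a non-root user depends on the runtime: to my knowledge Docker 20.10 and later set `net.ipv4.ip_unprivileged_port_start=0` inside containers, while Kubernetes and most other runtimes do not, so the image can fail at start there with a bind permission error. The portable choice for a non-root image is a high port (for example `listen 8080` with `EXPOSE 8080`) or granting `cap_net_bind_service` to the binary at build time; the same applies to `Dockerfile.ubi9` and `Dockerfile.ubi9-micro`. Minor: `ADD ./etc/alpine /etc/nginx` and `ADD ./app .` copy plain local paths, where `COPY` is preferred because `ADD` also auto-extracts archives and fetches URLs, and `apk del curl` removes a package this Dockerfile never installs, which looks like a leftover.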


@ -1,37 +0,0 @@
ARG REGISTRY_URL=git.winteraccess.id/docker
ARG ALPINE_VERSION=3.20
FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
WORKDIR /app
# ADD USER
RUN addgroup -g 10001 nginx && adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx
# INSTALL WGET AND REQUIRED BUILD TOOLS
RUN --mount=type=cache,target=/var/cache/apk \
apk update && apk upgrade && apk add \
nginx nginx-mod-http-naxsi
# COPY CONFIGURATION FILES
ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
ADD ./etc/nginx/proxy_params /etc/nginx/
ADD ./etc/nginx/ssl_params /etc/nginx/
ADD ./etc/nginx/conf.d /etc/nginx/conf.d
ADD ./app .
RUN chown -R nginx:nginx /app && \
chown -R nginx:nginx /var/lib/nginx
# CLEAR CACHE
RUN apk del curl && \
rm -rf /var/cache/apk/*
USER nginx
CMD ["nginx"]
EXPOSE 80

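--- a/Dockerfile.ubi9
+++ b/Dockerfile.ubi9
@@ -0,0 +1,37 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+ARG NGINX_VERSION=1.24
+USER root
+# Add group and user nginx
+RUN groupadd -g 10001 nginx && \
+useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \
+mkdir -p /var/run/nginx && \
+chown nginx:nginx /var/run/nginx
+# Update packages, configure nginx version
+# and install nginx
+RUN dnf -y update && \
+dnf -y module reset nginx && \
+dnf -y module enable nginx:${NGINX_VERSION} && \
+dnf -y install nginx && \
+dnf -y autoremove && \
+dnf -y clean all
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+RUN chown -R nginx:nginx /app
+USER nginx
+WORKDIR /app
+EXPOSE 80
+CMD ["nginx"]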
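Review bot: `FROM ... AS builder` labels the only stage of this Dockerfile as a builder, but nothing here is multi-stage — `Dockerfile.ubi9-micro` consumes this image by tag, not by stage name — so dropping `AS builder` or adding `# single stage; consumed as a base by Dockerfile.ubi9-micro` saves the next reader hunting for a second stage. The user-switch sequence creates and chowns `/var/run/nginx` and `/app` but not `/var/log/nginx`, which `Dockerfile.ubi9-micro` does create and chown for uid 10001; nginx opens its compile-time default error log under that directory before it reads `error_log stderr`, so confirm that uid 10001 can open it on the ubi9 base (likely only a startup alert if not, but worth checking). `ADD ./etc/ubi9 /etc/nginx` and `ADD ./app /app` copy plain local directories and should be `COPY`.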

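--- a/Dockerfile.ubi9-micro
+++ b/Dockerfile.ubi9-micro
@@ -0,0 +1,44 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+ARG NGINX_VERSION=1.24
+FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+USER root
+# Create nginx run and logs directory
+RUN mkdir -p /var/run/nginx && \
+mkdir -p /var/log/nginx && \
+chown 10001:10001 /var/run/nginx && \
+chown 10001:10001 /var/log/nginx
+# Copy required libs
+COPY --from=builder /usr/lib64/libcrypt* /usr/lib64
+COPY --from=builder /usr/lib64/libssl* /usr/lib64
+COPY --from=builder /usr/lib64/libz* /usr/lib64
+# Copy nginx required files
+COPY --from=builder /etc/nginx /etc/nginx
+COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /usr/libexec/nginx* /usr/libexec/
+COPY --from=builder /usr/sbin/nginx /usr/sbin
+COPY --from=builder /usr/share/nginx /usr/share/nginx
+COPY --from=builder /var/lib/nginx /var/lib/nginx
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+RUN chown -R 10001:10001 /app
+USER 10001
+WORKDIR /app
+EXPOSE 80
+CMD ["nginx"]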
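Review bot: The runtime stage copies a hand-picked set of shared libraries (`libcrypt*`, `libssl*`, `libz*`) from the builder, yet it also copies `/usr/lib64/nginx` and `/usr/share/nginx`, whose `modules/*.conf` are loaded by the shipped `nginx.conf` via `include /usr/share/nginx/modules/*.conf;`; any dynamic module whose own dependencies (xslt, image filter, perl and similar, if the builder installed them) are absent from ubi9-micro will abort nginx at startup with a missing shared object, and `libcrypto` is not matched by the `libssl*` glob, so either the base already provides it or nginx will not start. Either derive the copy list from `ldd` over `/usr/sbin/nginx` and `/usr/lib64/nginx/modules/*.so` in the builder stage, or stop copying the modules directory and drop that include for the micro variant; the `ldd` route is the one that keeps catching regressions when `NGINX_VERSION` moves. A comment above the lib copies naming how the list was derived would help whoever bumps the version next, and `ADD ./etc/ubi9 /etc/nginx` / `ADD ./app /app` should be `COPY` as in the other Dockerfiles.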

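--- a/etc/alpine/fastcgi_params
+++ b/etc/alpine/fastcgi_params
@@ -0,0 +1,24 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;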


@ -1,7 +1,5 @@
# /etc/nginx/nginx.conf
user root;
# Do not start as daemon
daemon off;
@ -10,7 +8,7 @@ worker_rlimit_nofile 100000;
# Set log to stderr
error_log stderr warn;
pid /var/run/nginx.pid;
pid /var/run/nginx/nginx.pid;
include /etc/nginx/modules/*.conf;
@ -20,7 +18,6 @@ events {
http {
include /etc/nginx/mime.types;
include /etc/nginx/naxsi_core.rules;
default_type application/octet-stream;
server_tokens off;
keepalive_timeout 15;
@ -29,9 +26,9 @@ http {
log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
# Do not log access
# Log access to stdout
access_log /dev/stdout custom_log;
# SSL
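Review bot: `$http_x_forwarded_for` added to `custom_log` is copied verbatim from the request header, so it is client-controlled text in the access log and not a reliable client address unless a trusted proxy in front overwrites it; a comment such as `# X-Forwarded-For is client-supplied; trust it only behind a proxy that rewrites it` keeps the next reader from treating it as the source IP, and nginx's default escaping in `log_format` keeps it from breaking the line format. The same hunk drops the naxsi include in step with the module removal in `Dockerfile.alpine`, which removes the request-filtering layer entirely; that is a functional change that deserves a line in the commit message, whose title only mentions the user switch. The `http` block continues outside this hunk.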


@ -1,91 +0,0 @@
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
#@MainRule "msg:no generic rules" id:19;
#@MainRule "msg:bad utf8" id:20;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[23]." "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;


@ -1,71 +0,0 @@
# /etc/nginx/nginx.conf
user nginx nginx;
# Do not start as daemon
daemon off;
worker_processes auto;
worker_rlimit_nofile 100000;
# Set log to stderr
error_log stderr warn;
pid /tmp/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
include /etc/nginx/naxsi_core.rules;
default_type application/octet-stream;
server_tokens off;
keepalive_timeout 15;
sendfile on;
tcp_nodelay on;
log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
# Do not log access
access_log /dev/stdout custom_log;
# SSL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;
# Buffer size
client_body_buffer_size 10k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
# Timeouts
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
# GZip Compression
gzip on;
gzip_http_version 1.0;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 1280;
gzip_buffers 128 4k;
# gzip_proxied expired no-cache no-store private auth;
gzip_proxied any;
gzip_disable "msie6";
# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
include /etc/nginx/conf.d/*.conf;
}


@ -0,0 +1,23 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /app;
index index.html;
error_log stderr warn;
location / {
try_files $uri $uri/ index.html;
}
location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
}
location /nginx-status {
stub_status on;
allow all;
}
}
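Review bot: `location /nginx-status { stub_status on; allow all; }` exposes the status endpoint to every client of the default server, which discloses connection counts and is normally limited to localhost or a monitoring network; replace `allow all;` with `allow 127.0.0.1;` followed by `deny all;` (or the scraper's address range) and say so in a comment. Two smaller issues: the static-asset regex `~* .(jpg|jpeg|png|gif|ico|css|js)$` has an unescaped dot, so it matches any path ending in those letters (`/somejs`), and should be `~* \.(jpg|jpeg|png|gif|ico|css|js)$`; and the fallback in `try_files $uri $uri/ index.html;` lacks the leading slash nginx expects for the final internal-redirect URI, so `/index.html` is the safe form. The file path for this section is not shown on the page.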

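--- a/etc/ubi9/nginx.conf
+++ b/etc/ubi9/nginx.conf
@@ -0,0 +1,70 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+# Do not start as daemon
+daemon off;
+worker_rlimit_nofile 100000;
+worker_processes auto;
+error_log stderr warn;
+pid /var/run/nginx/nginx.pid;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+events {
+worker_connections 1024;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+server_tokens off;
+keepalive_timeout 15;
+sendfile on;
+tcp_nodelay on;
+log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
+# Log access to stdout
+access_log /dev/stdout custom_log;
+# SSL
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:2m;
+# buffering causes issues, disable it
+# increase buffer size. still useful even when buffering is off
+proxy_buffering off;
+proxy_buffer_size 4k;
+# Buffer size
+client_body_buffer_size 10k;
+client_header_buffer_size 1k;
+client_max_body_size 8m;
+large_client_header_buffers 2 1k;
+# Timeouts
+client_body_timeout 12;
+client_header_timeout 12;
+send_timeout 10;
+# GZip Compression
+gzip on;
+gzip_http_version 1.0;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 1280;
+gzip_buffers 128 4k;
+# gzip_proxied expired no-cache no-store private auth;
+gzip_proxied any;
+gzip_disable "msie6";
+# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+include /etc/nginx/conf.d/*.conf;
+}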

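--- a/etc/ubi9/proxy_params
+++ b/etc/ubi9/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;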

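--- a/etc/ubi9/ssl_params
+++ b/etc/ubi9/ssl_params
@@ -0,0 +1,22 @@
+# secure nginx, see https://cipherli.st/
+ssl_protocols TLSv1.3
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# https://hstspreload.org
+add_header Strict-Transport-Security "max-age=63072000" always;
+# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
+# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;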
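Review bot: `ssl_protocols TLSv1.3` is missing its terminating semicolon, so nginx will read the following line as further arguments of `ssl_protocols` and reject the configuration the moment this file is included; it must read `ssl_protocols TLSv1.3;`. `ssl_prefer_server_ciphers off;` here contradicts `ssl_prefer_server_ciphers on;` in the http block of `etc/ubi9/nginx.conf`, and the setting should live in one place. `resolver 8.8.8.8 8.8.4.4` hard-codes a public resolver for OCSP stapling, sending DNS lookups for every stapled host off-cluster, and `add_header` directives in an included snippet are silently dropped in any `location` that declares its own `add_header`, which is the usual way these headers disappear; both deserve a comment at minimum. `X-XSS-Protection` is deprecated by current browsers and can be removed. If the file continues past what the page shows, the trailing lines were not reviewed.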