Guest User

Untitled

a guest
Nov 28th, 2018
28
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. load_module /usr/local/libexec/nginx/ngx_stream_module.so;
  2. load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
  3. load_module /usr/local/libexec/nginx/ngx_mail_module.so;
  4. load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
  5. load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
  6.  
  7. user www staff;
  8. worker_processes  1;
  9.  
  10. error_log  /var/log/nginx/error.log;
  11.  
  12. events {
  13.     worker_connections  1024;
  14. }
  15.  
  16. http {
  17. include       mime.types;
  18.  
  19.  
  20. MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:ARGS|$HEADERS_VAR_X:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  21.  
  22. MainRule id:1002 "str:0x" "msg:0x, possible hex encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  23.  
  24. MainRule id:1003 "str:/*" "msg:mysql comment (/*)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  25.  
  26. MainRule id:1004 "str:*/" "msg:mysql comment (*/)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  27.  
  28. MainRule id:1006 "str:&&" "msg:mysql keyword (&&)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  29.  
  30. MainRule id:1007 "str:--" "msg:mysql comment (--)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  31.  
  32. MainRule id:1008 "str:;" "msg:semicolon" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
  33.  
  34. MainRule id:1009 "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
  35.  
  36. MainRule id:1010 "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  37.  
  38. MainRule id:1011 "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  39.  
  40. MainRule id:1013 "str:'" "msg:simple quote" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  41.  
  42. MainRule id:1015 "str:," "msg:comma" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  43.  
  44. MainRule id:1016 "str:#" "msg:mysql comment (#)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  45.  
  46. MainRule id:1017 "str:@@" "msg:double arobase (@@)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  47. MainRule id:1100 "str:http://" "msg:http:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  48. MainRule id:1101 "str:https://" "msg:https:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  49.  
  50. MainRule id:1102 "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  51.  
  52. MainRule id:1103 "str:php://" "msg:php:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  53.  
  54. MainRule id:1104 "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  55. MainRule id:1105 "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  56. MainRule id:1106 "str:data://" "msg:data:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  57. MainRule id:1107 "str:glob://" "msg:glob:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  58. MainRule id:1108 "str:phar://" "msg:phar:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  59. MainRule id:1109 "str:file://" "msg:file:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  60. MainRule id:1110 "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  61.  
  62. MainRule id:1200 "str:.." "msg:double dot" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  63.  
  64. MainRule id:1202 "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  65.  
  66. MainRule id:1203 "str:c:\\" "msg:obvious windows path" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  67.  
  68. MainRule id:1204 "str:cmd.exe" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  69.  
  70. MainRule id:1205 "str:\\" "msg:backslash" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  71.  
  72. MainRule id:1206 "str:/" "msg:slash in args" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  73.  
  74. MainRule id:1302 "str:<" "msg:html open tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  75.  
  76. MainRule id:1303 "str:>" "msg:html close tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  77.  
  78. MainRule id:1310 "str:[" "msg:open square backet ([), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  79.  
  80. MainRule id:1311 "str:]" "msg:close square bracket (]), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  81.  
  82. MainRule id:1312 "str:~" "msg:tilde (~) character" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  83.  
  84. MainRule id:1400 "str:&#" "msg:utf7/8 encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";
  85.  
  86. MainRule id:1401 "str:%U" "msg:M$ encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";
  87.  
  88. MainRule id:1500 "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$policy07991d37641a4506b9e90622d9205729:8";
  89.  
  90.  
  91. log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  92.                   '$status $body_bytes_sent "$http_referer" '
  93.                   '"$http_user_agent" "$http_x_forwarded_for"';
  94. log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
  95.                   '$status $body_bytes_sent "$http_referer" '
  96.                   '"$http_user_agent" "$http_x_forwarded_for"';
  97.  
  98. #tcp_nopush     on;
  99.  
  100. # 200M should be big enough for file servers etc.
  101. client_max_body_size 200M;
  102. brotli_static on;
  103. brotli on;
  104. gzip_static on;
  105. gzip on;
  106. server_tokens off;
  107. sendfile Off;
  108. default_type  application/octet-stream;
  109. keepalive_timeout 60;
  110.  
  111. map $http_upgrade $connection_upgrade {
  112.     default upgrade;
  113.     ''      close;
  114. }
  115.  
  116. # TODO add when core is ready for allowing nginx to serve the web interface
  117. # include nginx_web.conf;
  118.  
  119.  
  120.  
  121.  
  122. # UPSTREAM SERVERS
  123. upstream upstream58a939473afe4f73bd7efef96629e130 {
  124. server 10.15.0.1:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
  125.  
  126. }
  127. upstream upstreamb9cdcf636a9246c7b259cbecb7cd6b0e {
  128. server 10.15.0.2:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
  129.  
  130. }
  131.  
  132. server {
  133.     listen  80;
  134.     listen  [::]:80;
  135.     server_name  www.xxx.com;
  136.     charset utf-8;
  137.     access_log  /var/log/nginx/www.xxx.com.access.log main;
  138.     error_log  /var/log/nginx/www.xxx.com.error.log;
  139.     #include tls.conf;
  140.     error_page 404 /opnsense_error_404.html;
  141.     error_page 500 501 502 503 504 /opnsense_server_error.html;
  142.     # location to ban the host permanently
  143.     set $naxsi_extensive_log 0;
  144.     location @permanentban {
  145.         access_log /var/log/nginx/permanentban.access.log main;
  146.         internal;
  147.         add_header Content-Type text/plain;
  148.         add_header Charset utf-8;
  149.         return 403 "You got banned permanently from this server.";
  150.     }
  151.     error_page 418 = @permanentban;
  152.     location /opnsense_server_error.html {
  153.         internal;
  154.         root /usr/local/etc/nginx/views;
  155.     }
  156.     location /opnsense_error_404.html {
  157.         internal;
  158.         root /usr/local/etc/nginx/views;
  159.     }
  160.     location /waf_denied.html {
  161.         root /usr/local/etc/nginx/views;
  162.         access_log /var/log/nginx/waf_denied.access.log main;
  163.     }
  164.     location ^~ /.well-known/acme-challenge/ {
  165.         default_type "text/plain";
  166.         root /var/etc/acme-client/challenges;
  167.     }
  168.     # block based on User Agents - stuff I have found over the years in my server log
  169.     if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
  170.       return 418;
  171.     }
  172.         if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
  173.     {
  174.       return 418;
  175.     }
  176.     if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
  177.     {
  178.       return 418;
  179.     }
  180.  
  181.     location = /opnsense-report-csp-violation {
  182.       include       fastcgi_params;
  183.       fastcgi_param QUERY_STRING $query_string;
  184.       fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
  185.       fastcgi_param TLS-Cipher $ssl_cipher;
  186.       fastcgi_param TLS-Protocol $ssl_protocol;
  187.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  188.       fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
  189.       fastcgi_intercept_errors on;
  190.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  191.     }
  192.     location /opnsense-auth-request {
  193.       internal;
  194.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  195.       fastcgi_index index.php;
  196.       fastcgi_param TLS-Cipher $ssl_cipher;
  197.       fastcgi_param TLS-Protocol $ssl_protocol;
  198.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  199.       fastcgi_param Original-URI $request_uri;
  200.       fastcgi_param Original-HOST $host;
  201.       fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
  202.       fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
  203.       fastcgi_intercept_errors on;
  204.       include        fastcgi_params;
  205.     }
  206.  
  207.  
  208. location  / {
  209.     SecRulesEnabled;
  210.     LibInjectionXss;
  211.     CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
  212.     BasicRule wl:19;
  213.  
  214.     CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
  215.  
  216.     CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
  217.  
  218.     CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
  219.  
  220.     CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
  221.  
  222.     CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
  223.  
  224.     CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
  225.     LibInjectionSql;
  226.     CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
  227.     DeniedUrl "/waf_denied.html";
  228.     autoindex off;
  229.     http2_push_preload off;
  230.     proxy_set_header Host $host;
  231.     proxy_set_header X-TLS-Cipher $ssl_cipher;
  232.     proxy_set_header X-TLS-Protocol $ssl_protocol;
  233.     proxy_set_header X-TLS-SNI-Host $ssl_server_name;
  234.     # proxy headers for backend server
  235.     proxy_set_header X-Real-IP $remote_addr;
  236.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  237.     proxy_set_header X-Forwarded-Proto $scheme;
  238.     proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
  239.  
  240. }
  241. }
  242.  
  243. server {
  244.     listen  80;
  245.     listen  [::]:80;
  246.     server_name  plus.xxx.com;
  247.     charset utf-8;
  248.     access_log  /var/log/nginx/plus.xxx.com.access.log main;
  249.     error_log  /var/log/nginx/plus.xxx.com.error.log;
  250.     #include tls.conf;
  251.     error_page 404 /opnsense_error_404.html;
  252.     error_page 500 501 502 503 504 /opnsense_server_error.html;
  253.     # location to ban the host permanently
  254.     set $naxsi_extensive_log 0;
  255.     location @permanentban {
  256.         access_log /var/log/nginx/permanentban.access.log main;
  257.         internal;
  258.         add_header Content-Type text/plain;
  259.         add_header Charset utf-8;
  260.         return 403 "You got banned permanently from this server.";
  261.     }
  262.     error_page 418 = @permanentban;
  263.     location /opnsense_server_error.html {
  264.         internal;
  265.         root /usr/local/etc/nginx/views;
  266.     }
  267.     location /opnsense_error_404.html {
  268.         internal;
  269.         root /usr/local/etc/nginx/views;
  270.     }
  271.     location /waf_denied.html {
  272.         root /usr/local/etc/nginx/views;
  273.         access_log /var/log/nginx/waf_denied.access.log main;
  274.     }
  275.     location ^~ /.well-known/acme-challenge/ {
  276.         default_type "text/plain";
  277.         root /var/etc/acme-client/challenges;
  278.     }
  279.     # block based on User Agents - stuff I have found over the years in my server log
  280.     if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
  281.       return 418;
  282.     }
  283.         if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
  284.     {
  285.       return 418;
  286.     }
  287.     if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
  288.     {
  289.       return 418;
  290.     }
  291.  
  292.     location = /opnsense-report-csp-violation {
  293.       include       fastcgi_params;
  294.       fastcgi_param QUERY_STRING $query_string;
  295.       fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
  296.       fastcgi_param TLS-Cipher $ssl_cipher;
  297.       fastcgi_param TLS-Protocol $ssl_protocol;
  298.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  299.       fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
  300.       fastcgi_intercept_errors on;
  301.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  302.     }
  303.     location /opnsense-auth-request {
  304.       internal;
  305.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  306.       fastcgi_index index.php;
  307.       fastcgi_param TLS-Cipher $ssl_cipher;
  308.       fastcgi_param TLS-Protocol $ssl_protocol;
  309.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  310.       fastcgi_param Original-URI $request_uri;
  311.       fastcgi_param Original-HOST $host;
  312.       fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
  313.       fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
  314.       fastcgi_intercept_errors on;
  315.       include        fastcgi_params;
  316.     }
  317.  
  318.  
  319. location  / {
  320.     SecRulesEnabled;
  321.     LibInjectionXss;
  322.     CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
  323.     BasicRule wl:19;
  324.  
  325.     CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
  326.  
  327.     CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
  328.  
  329.     CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
  330.  
  331.     CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
  332.  
  333.     CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
  334.  
  335.     CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
  336.     LibInjectionSql;
  337.     CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
  338.     DeniedUrl "/waf_denied.html";
  339.     autoindex off;
  340.     http2_push_preload off;
  341.     proxy_set_header Host $host;
  342.     proxy_set_header X-TLS-Cipher $ssl_cipher;
  343.     proxy_set_header X-TLS-Protocol $ssl_protocol;
  344.     proxy_set_header X-TLS-SNI-Host $ssl_server_name;
  345.     # proxy headers for backend server
  346.     proxy_set_header X-Real-IP $remote_addr;
  347.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  348.     proxy_set_header X-Forwarded-Proto $scheme;
  349.     proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
  350.  
  351. }
  352. }
  353.  
  354. }
  355. # mail {
  356. # }
RAW Paste Data