API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Nov 28th, 2018
165
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Nginx 14.63 KB | None | 0 0
raw download clone embed print report
  1. load_module /usr/local/libexec/nginx/ngx_stream_module.so;
  2. load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
  3. load_module /usr/local/libexec/nginx/ngx_mail_module.so;
  4. load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
  5. load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
  6.  
  7. user www staff;
  8. worker_processes  1;
  9.  
  10. error_log  /var/log/nginx/error.log;
  11.  
  12. events {
  13.     worker_connections  1024;
  14. }
  15.  
  16. http {
  17. include       mime.types;
  18.  
  19.  
  20. MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:ARGS|$HEADERS_VAR_X:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  21.  
  22. MainRule id:1002 "str:0x" "msg:0x, possible hex encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  23.  
  24. MainRule id:1003 "str:/*" "msg:mysql comment (/*)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  25.  
  26. MainRule id:1004 "str:*/" "msg:mysql comment (*/)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  27.  
  28. MainRule id:1006 "str:&&" "msg:mysql keyword (&&)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  29.  
  30. MainRule id:1007 "str:--" "msg:mysql comment (--)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  31.  
  32. MainRule id:1008 "str:;" "msg:semicolon" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
  33.  
  34. MainRule id:1009 "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
  35.  
  36. MainRule id:1010 "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  37.  
  38. MainRule id:1011 "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  39.  
  40. MainRule id:1013 "str:'" "msg:simple quote" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  41.  
  42. MainRule id:1015 "str:," "msg:comma" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  43.  
  44. MainRule id:1016 "str:#" "msg:mysql comment (#)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  45.  
  46. MainRule id:1017 "str:@@" "msg:double arobase (@@)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
  47. MainRule id:1100 "str:http://" "msg:http:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  48. MainRule id:1101 "str:https://" "msg:https:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  49.  
  50. MainRule id:1102 "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  51.  
  52. MainRule id:1103 "str:php://" "msg:php:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  53.  
  54. MainRule id:1104 "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  55. MainRule id:1105 "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  56. MainRule id:1106 "str:data://" "msg:data:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  57. MainRule id:1107 "str:glob://" "msg:glob:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  58. MainRule id:1108 "str:phar://" "msg:phar:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  59. MainRule id:1109 "str:file://" "msg:file:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  60. MainRule id:1110 "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
  61.  
  62. MainRule id:1200 "str:.." "msg:double dot" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  63.  
  64. MainRule id:1202 "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  65.  
  66. MainRule id:1203 "str:c:\\" "msg:obvious windows path" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  67.  
  68. MainRule id:1204 "str:cmd.exe" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  69.  
  70. MainRule id:1205 "str:\\" "msg:backslash" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  71.  
  72. MainRule id:1206 "str:/" "msg:slash in args" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
  73.  
  74. MainRule id:1302 "str:<" "msg:html open tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  75.  
  76. MainRule id:1303 "str:>" "msg:html close tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  77.  
  78. MainRule id:1310 "str:[" "msg:open square backet ([), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  79.  
  80. MainRule id:1311 "str:]" "msg:close square bracket (]), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  81.  
  82. MainRule id:1312 "str:~" "msg:tilde (~) character" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
  83.  
  84. MainRule id:1400 "str:&#" "msg:utf7/8 encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";
  85.  
  86. MainRule id:1401 "str:%U" "msg:M$ encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";
  87.  
  88. MainRule id:1500 "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$policy07991d37641a4506b9e90622d9205729:8";
  89.  
  90.  
  91. log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  92.                   '$status $body_bytes_sent "$http_referer" '
  93.                   '"$http_user_agent" "$http_x_forwarded_for"';
  94. log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
  95.                   '$status $body_bytes_sent "$http_referer" '
  96.                   '"$http_user_agent" "$http_x_forwarded_for"';
  97.  
  98. #tcp_nopush     on;
  99.  
  100. # 200M should be big enough for file servers etc.
  101. client_max_body_size 200M;
  102. brotli_static on;
  103. brotli on;
  104. gzip_static on;
  105. gzip on;
  106. server_tokens off;
  107. sendfile Off;
  108. default_type  application/octet-stream;
  109. keepalive_timeout 60;
  110.  
  111. map $http_upgrade $connection_upgrade {
  112.     default upgrade;
  113.     ''      close;
  114. }
  115.  
  116. # TODO add when core is ready for allowing nginx to serve the web interface
  117. # include nginx_web.conf;
  118.  
  119.  
  120.  
  121.  
  122. # UPSTREAM SERVERS
  123. upstream upstream58a939473afe4f73bd7efef96629e130 {
  124. server 10.15.0.1:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
  125.  
  126. }
  127. upstream upstreamb9cdcf636a9246c7b259cbecb7cd6b0e {
  128. server 10.15.0.2:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
  129.  
  130. }
  131.  
  132. server {
  133.     listen  80;
  134.     listen  [::]:80;
  135.     server_name  www.xxx.com;
  136.     charset utf-8;
  137.     access_log  /var/log/nginx/www.xxx.com.access.log main;
  138.     error_log  /var/log/nginx/www.xxx.com.error.log;
  139.     #include tls.conf;
  140.     error_page 404 /opnsense_error_404.html;
  141.     error_page 500 501 502 503 504 /opnsense_server_error.html;
  142.     # location to ban the host permanently
  143.     set $naxsi_extensive_log 0;
  144.     location @permanentban {
  145.         access_log /var/log/nginx/permanentban.access.log main;
  146.         internal;
  147.         add_header Content-Type text/plain;
  148.         add_header Charset utf-8;
  149.         return 403 "You got banned permanently from this server.";
  150.     }
  151.     error_page 418 = @permanentban;
  152.     location /opnsense_server_error.html {
  153.         internal;
  154.         root /usr/local/etc/nginx/views;
  155.     }
  156.     location /opnsense_error_404.html {
  157.         internal;
  158.         root /usr/local/etc/nginx/views;
  159.     }
  160.     location /waf_denied.html {
  161.         root /usr/local/etc/nginx/views;
  162.         access_log /var/log/nginx/waf_denied.access.log main;
  163.     }
  164.     location ^~ /.well-known/acme-challenge/ {
  165.         default_type "text/plain";
  166.         root /var/etc/acme-client/challenges;
  167.     }
  168.     # block based on User Agents - stuff I have found over the years in my server log
  169.     if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
  170.       return 418;
  171.     }
  172.         if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
  173.     {
  174.       return 418;
  175.     }
  176.     if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
  177.     {
  178.       return 418;
  179.     }
  180.  
  181.     location = /opnsense-report-csp-violation {
  182.       include       fastcgi_params;
  183.       fastcgi_param QUERY_STRING $query_string;
  184.       fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
  185.       fastcgi_param TLS-Cipher $ssl_cipher;
  186.       fastcgi_param TLS-Protocol $ssl_protocol;
  187.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  188.       fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
  189.       fastcgi_intercept_errors on;
  190.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  191.     }
  192.     location /opnsense-auth-request {
  193.       internal;
  194.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  195.       fastcgi_index index.php;
  196.       fastcgi_param TLS-Cipher $ssl_cipher;
  197.       fastcgi_param TLS-Protocol $ssl_protocol;
  198.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  199.       fastcgi_param Original-URI $request_uri;
  200.       fastcgi_param Original-HOST $host;
  201.       fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
  202.       fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
  203.       fastcgi_intercept_errors on;
  204.       include        fastcgi_params;
  205.     }
  206.  
  207.  
  208. location  / {
  209.     SecRulesEnabled;
  210.     LibInjectionXss;
  211.     CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
  212.     BasicRule wl:19;
  213.  
  214.     CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
  215.  
  216.     CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
  217.  
  218.     CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
  219.  
  220.     CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
  221.  
  222.     CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
  223.  
  224.     CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
  225.     LibInjectionSql;
  226.     CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
  227.     DeniedUrl "/waf_denied.html";
  228.     autoindex off;
  229.     http2_push_preload off;
  230.     proxy_set_header Host $host;
  231.     proxy_set_header X-TLS-Cipher $ssl_cipher;
  232.     proxy_set_header X-TLS-Protocol $ssl_protocol;
  233.     proxy_set_header X-TLS-SNI-Host $ssl_server_name;
  234.     # proxy headers for backend server
  235.     proxy_set_header X-Real-IP $remote_addr;
  236.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  237.     proxy_set_header X-Forwarded-Proto $scheme;
  238.     proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
  239.  
  240. }
  241. }
  242.  
  243. server {
  244.     listen  80;
  245.     listen  [::]:80;
  246.     server_name  plus.xxx.com;
  247.     charset utf-8;
  248.     access_log  /var/log/nginx/plus.xxx.com.access.log main;
  249.     error_log  /var/log/nginx/plus.xxx.com.error.log;
  250.     #include tls.conf;
  251.     error_page 404 /opnsense_error_404.html;
  252.     error_page 500 501 502 503 504 /opnsense_server_error.html;
  253.     # location to ban the host permanently
  254.     set $naxsi_extensive_log 0;
  255.     location @permanentban {
  256.         access_log /var/log/nginx/permanentban.access.log main;
  257.         internal;
  258.         add_header Content-Type text/plain;
  259.         add_header Charset utf-8;
  260.         return 403 "You got banned permanently from this server.";
  261.     }
  262.     error_page 418 = @permanentban;
  263.     location /opnsense_server_error.html {
  264.         internal;
  265.         root /usr/local/etc/nginx/views;
  266.     }
  267.     location /opnsense_error_404.html {
  268.         internal;
  269.         root /usr/local/etc/nginx/views;
  270.     }
  271.     location /waf_denied.html {
  272.         root /usr/local/etc/nginx/views;
  273.         access_log /var/log/nginx/waf_denied.access.log main;
  274.     }
  275.     location ^~ /.well-known/acme-challenge/ {
  276.         default_type "text/plain";
  277.         root /var/etc/acme-client/challenges;
  278.     }
  279.     # block based on User Agents - stuff I have found over the years in my server log
  280.     if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
  281.       return 418;
  282.     }
  283.         if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
  284.     {
  285.       return 418;
  286.     }
  287.     if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
  288.     {
  289.       return 418;
  290.     }
  291.  
  292.     location = /opnsense-report-csp-violation {
  293.       include       fastcgi_params;
  294.       fastcgi_param QUERY_STRING $query_string;
  295.       fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
  296.       fastcgi_param TLS-Cipher $ssl_cipher;
  297.       fastcgi_param TLS-Protocol $ssl_protocol;
  298.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  299.       fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
  300.       fastcgi_intercept_errors on;
  301.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  302.     }
  303.     location /opnsense-auth-request {
  304.       internal;
  305.       fastcgi_pass  unix:/var/run/php-webgui.socket;
  306.       fastcgi_index index.php;
  307.       fastcgi_param TLS-Cipher $ssl_cipher;
  308.       fastcgi_param TLS-Protocol $ssl_protocol;
  309.       fastcgi_param TLS-SNI-Host $ssl_server_name;
  310.       fastcgi_param Original-URI $request_uri;
  311.       fastcgi_param Original-HOST $host;
  312.       fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
  313.       fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
  314.       fastcgi_intercept_errors on;
  315.       include        fastcgi_params;
  316.     }
  317.  
  318.  
  319. location  / {
  320.     SecRulesEnabled;
  321.     LibInjectionXss;
  322.     CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
  323.     BasicRule wl:19;
  324.  
  325.     CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
  326.  
  327.     CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
  328.  
  329.     CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
  330.  
  331.     CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
  332.  
  333.     CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
  334.  
  335.     CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
  336.     LibInjectionSql;
  337.     CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
  338.     DeniedUrl "/waf_denied.html";
  339.     autoindex off;
  340.     http2_push_preload off;
  341.     proxy_set_header Host $host;
  342.     proxy_set_header X-TLS-Cipher $ssl_cipher;
  343.     proxy_set_header X-TLS-Protocol $ssl_protocol;
  344.     proxy_set_header X-TLS-SNI-Host $ssl_server_name;
  345.     # proxy headers for backend server
  346.     proxy_set_header X-Real-IP $remote_addr;
  347.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  348.     proxy_set_header X-Forwarded-Proto $scheme;
  349.     proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
  350.  
  351. }
  352. }
  353.  
  354. }
  355. # mail {
  356. # }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!