VC-HB3-Accelerator/DLE
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
725e7fd5a24739dd95ba65b2dd8ca8be8e181e7d
DLE/webssh-agent/nginx-template.conf

129 lines
4.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Rate limiting для защиты от DDoS
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api_limit_per_ip:10m rate=5r/s;
# Блокировка известных сканеров и вредоносных ботов
map $http_user_agent $bad_bot {
default 0;
~*bot 1;
~*crawler 1;
~*spider 1;
~*scanner 1;
~*sqlmap 1;
~*nikto 1;
~*dirb 1;
~*gobuster 1;
~*wfuzz 1;
~*burp 1;
~*zap 1;
~*nessus 1;
~*openvas 1;
~*Chrome/[1-4][0-9]\. 1;
~*Firefox/[1-6][0-9]\. 1;
~*Safari/[1-9]\. 1;
~*MSIE\ [1-9]\. 1;
}
server {
listen 80;
server_name DOMAIN_PLACEHOLDER;
root /usr/share/nginx/html;
index index.html;
# Блокировка подозрительных ботов
if ($bad_bot = 1) {
return 403;
}
# Защита от path traversal
if ($request_uri ~* "(\.\.|\.\./|\.\.\\|\.\.%2f|\.\.%5c)") {
return 404;
}
# Защита от опасных расширений
location ~* \.(zip|rar|7z|tar|gz|bz2|xz|sql|sqlite|db|bak|backup|old|csv|php|asp|aspx|jsp|cgi|pl|py|sh|bash|exe|bat|cmd|com|pif|scr|vbs|vbe|jar|war|ear|dll|so|dylib|bin|sys|ini|log|tmp|temp|swp|swo|~)$ {
return 404;
}
# Защита от доступа к чувствительным файлам
location ~* /(\.htaccess|\.htpasswd|\.env|\.git|\.svn|\.DS_Store|Thumbs\.db|web\.config|robots\.txt|sitemap\.xml)$ {
deny all;
return 404;
}
# Защита от доступа к конфигурационным файлам
location ~* /\.(env|config|ini|conf|cfg|yml|yaml|json|xml|sql|db|bak|backup|old|tmp|temp|log)$ {
deny all;
return 404;
}
# Основной location
location / {
# Rate limiting для основных страниц
limit_req zone=req_limit_per_ip burst=20 nodelay;
try_files $uri $uri/ /index.html;
# Базовые заголовки безопасности
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:;" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
}
# Статические файлы
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
add_header Vary Accept-Encoding;
# Заголовки безопасности для статических файлов
add_header X-Content-Type-Options "nosniff" always;
}
# API
location /api/ {
# Rate limiting для API (более строгое)
limit_req zone=api_limit_per_ip burst=10 nodelay;
proxy_pass http://BACKEND_CONTAINER_PLACEHOLDER:8000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Заголовки безопасности для API
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
}
# WebSocket поддержка
location /ws {
proxy_pass http://BACKEND_CONTAINER_PLACEHOLDER:8000/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
}
# Скрытие информации о сервере
server_tokens off;
}
}
Reference in New Issue View Git Blame Copy Permalink