-
Notifications
You must be signed in to change notification settings - Fork 647
/
http.conf
199 lines (187 loc) · 8.44 KB
/
http.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
include mime.types;
{% include "OPNsense/Nginx/ruleset.conf" ignore missing with context %}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format anonymized ':: - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#tcp_nopush on;
# 200M should be big enough for file servers etc.
client_max_body_size 200M;
brotli_static on;
brotli on;
gzip_static on;
gzip on;
server_tokens off;
sendfile {% if OPNsense.Nginx.http.sendfile is defined and OPNsense.Nginx.http.sendfile == '1' %}On{% else %}Off{% endif %};
{% if OPNsense.Nginx.http.default_type is defined and OPNsense.Nginx.http.default_type != '' %}
default_type {{ OPNsense.Nginx.http.default_type }};
{% else %}
default_type application/octet-stream;
{% endif %}
{% if OPNsense.Nginx.http.keepalive_timeout is defined and OPNsense.Nginx.http.keepalive_timeout != '' %}
keepalive_timeout {{ OPNsense.Nginx.http.keepalive_timeout }};
{% endif %}
# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;
{% include "OPNsense/Nginx/upstream.conf" ignore missing with context %}
{% set listen_list = [] %}
{% for server in helpers.toList('OPNsense.Nginx.http_server') %}
{% set single_servername = server.servername.split(",")[0] %}
server {
{% if server.listen_http_port is defined %}
listen [::]:{{ server.listen_http_port }}{% if server.listen_https_port not in listen_list%} ipv6only=off{% endif %};
{% do listen_list.append(server.listen_http_port) %}
{% endif %}
{% if server.listen_https_port is defined and server.certificate is defined %}
listen [::]:{{ server.listen_https_port }}{% if server.listen_https_port not in listen_list%} ipv6only=off{% endif %} http2 ssl;
{% do listen_list.append(server.listen_https_port) %}
{% if server.ca is defined %}
ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;
ssl_verify_client {{ server.verify_client }};
{% endif %}
ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/etc/dh-parameters.4096;
ssl_ciphers 'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
sendfile {% if server.sendfile is defined and server.sendfile == '1' %}On{% else %}Off{% endif %};
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
{% endif %}
# proxy headers for backend server
{% if server.verify_client != 'off' %}
proxy_set_header X-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
{% endif %}
{% if server.verify_client == 'optional_no_ca' %}
proxy_set_header X-Client-Certificate $ssl_client_escaped_cert;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
server_name {{ server.servername }};
charset {{ server.charset }};
access_log /var/log/nginx/{{ server.servername }}.access.log {{ server.access_log_format }};
{% if server.root is defined and server.root != '' %}
root "{{server.root}}";
{% endif %}
#include tls.conf;
error_page 404 /opnsense_error_404.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
{% if server.security_header is defined and server.security_header != '' %}
{% set security_rule = helpers.getUUID(server.security_header) %}
{% if security_rule is defined %}
{% include "OPNsense/Nginx/security_rule.conf" ignore missing with context %}
{% endif %}
{% endif %}
# location to ban the host permanently
set $naxsi_extensive_log {% if server.naxsi_extensive_log is defined and server.naxsi_extensive_log == '1' %}1{% else %}0{% endif %};
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
internal;
add_header Content-Type text/plain;
add_header Charset utf-8;
return 403 "You got banned permanently from this server.";
}
error_page 418 = @permanentban;
location /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
location /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
{% if server.enable_acme_support is defined and server.enable_acme_support == '1' %}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/etc/acme-client/challenges;
}
{% endif %}
# block based on User Agents - stuff I have found over the years in my server log
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu) {
return 418;
}
if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner")
{
return 418;
}
location = /opnsense-report-csp-violation {
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
{% if helpers._template_in_data['__uuid__'] is defined %}
{% for uuid in helpers._template_in_data['__uuid__'] %}
{% if helpers._template_in_data['__uuid__'][uuid] == server %}
fastcgi_param SERVER-UUID "{{ uuid }}";
{% endif %}
{% endfor %}
{% endif %}
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
{% if helpers._template_in_data['__uuid__'] is defined %}
{% for uuid in helpers._template_in_data['__uuid__'] %}
{% if helpers._template_in_data['__uuid__'][uuid] == server %}
fastcgi_param SERVER-UUID "{{ uuid }}";
{% endif %}
{% endfor %}
{% endif %}
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_intercept_errors on;
include fastcgi_params;
}
{% if server.block_nonpublic_data is defined and server.block_nonpublic_data == '1' %}
# apache htpasswd and htaccess
location ~ /\.ht {
return 403;
}
# those files may expose file system stuff
location ~ \.DS_Store$ {
return 403;
}
{% endif %}
{% if server.https_only is defined and server.https_only == '1' %}
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
{% endif %}
{% if server.rewrites is defined %}
{% for rewrite_uuid in server.rewrites.split(',') %}
{% set rewrite = helpers.getUUID(rewrite_uuid) %}
rewrite {{ rewrite.source }} {{ rewrite.destination }}{% if rewrite.flag is defined%} {{ rewrite.flag }}{% endif %};
{% endfor %}
{% endif %}
{% if server.locations is defined %}
{% for location_uuid in server.locations.split(',') %}
{% set location = helpers.getUUID(location_uuid) %}
{% include "OPNsense/Nginx/location.conf" ignore missing with context %}
{% endfor %}
{% endif %}
}
{% endfor %}