A custom Nginx image with certbot, fail2ban, CSP...
Nginx Cerberus Proxy

A custom Nginx proxy-pass image for the typical web application. Covers most simple needs.

Features

  • fail2ban: creation of a filter based on the LOGIN_URL env variable provided
  • static file serving
  • HTTPS with certbot
  • Content Security Policy. The execution of inline scripts is disabled by default but can be allowed by overriding the CSP environment variables (see below)
  • Strict-Transport-Security
  • X-Frame-Options

Limitations

  • one-to-one proxy (only one web application)
  • no URL rewriting (resources referenced by the application should carry the right domain name)
  • if HTTPS is enabled, a certificate is requested at container startup. That means the container should be instantiated with Let's Encrypt rate limits in mind

Env variables

Any of these variables can be overridden to change the container's behavior.

| variable name | description | default value |
|---|---|---|
| DOMAIN_NAME | domain name of your application | my.domain.com |
| LOGIN_URL | login URL of the application (fail2ban) | /admin |
| STATICFILES_URL | root URL of static files that Nginx should serve | /some/url/to/check |
| TO_CONTAINER | container:port that Nginx should pass the connection to | some_container:80 |
| CSP_DEFAULT | | "'self' " |
| CSP_SCRIPT | | "'self' " |
| CSP_STYLE | | "'self' " |
| CSP_IMG | | "'self' " |
| CSP_CONNECT | | "'self' " |
| CSP_FONT | | "'self' fonts.googleapis.com" |
| CSP_OBJECT | | "'self' " |
| CSP_MEDIA | | "'self' " |
| CSP_FRAME | | "'self' https://www.google.com https://www.youtube.com https://www.facebook.com " |
| X_FRAME | | SAMEORIGIN |
| HTTPS | whether or not certbot should initialize SSL certs + HTTPS | True |
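The table lists the CSP_* defaults but not how they end up in a response header. The following POSIX shell is an added example of assumed entrypoint logic, not the project's own code: it assembles the policy value from the CSP_* variables with the table's defaults, reports when script-src has been relaxed with 'unsafe-inline' or 'unsafe-eval' (the change a WordPress deployment needs, and the one that gives up the inline-script protection), and renders the nginx add_header lines. The mapping of each CSP_* variable to a CSP directive and the HSTS max-age value are assumptions.

```shell
#!/bin/sh
# Added example (assumed entrypoint logic, not the project's own code):
# assemble the Content-Security-Policy value from the CSP_* variables,
# falling back to the defaults from the table above. The mapping of each
# CSP_* variable to a CSP directive is an assumption.
build_csp() {
    self="'self'"
    printf 'default-src %s; script-src %s; style-src %s; img-src %s; connect-src %s; font-src %s; object-src %s; media-src %s; frame-src %s' \
        "${CSP_DEFAULT:-$self}" \
        "${CSP_SCRIPT:-$self}" \
        "${CSP_STYLE:-$self}" \
        "${CSP_IMG:-$self}" \
        "${CSP_CONNECT:-$self}" \
        "${CSP_FONT:-$self fonts.googleapis.com}" \
        "${CSP_OBJECT:-$self}" \
        "${CSP_MEDIA:-$self}" \
        "${CSP_FRAME:-$self https://www.google.com https://www.youtube.com https://www.facebook.com}"
}

# Return 0 (true) when script-src permits inline script or eval, i.e. when
# the default inline-script protection has been relaxed. Only script-src is
# inspected: 'unsafe-inline' in style-src does not allow script execution.
csp_allows_inline() {
    case "${CSP_SCRIPT:-}" in
        *"'unsafe-inline'"*|*"'unsafe-eval'"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the add_header lines for the proxy's server block. The HSTS max-age
# (one year) is an assumed value; the README does not state one. "always"
# makes nginx send the headers on error responses too.
render_headers() {
    printf 'add_header Content-Security-Policy "%s" always;\n' "$(build_csp)"
    printf 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\n'
    printf 'add_header X-Frame-Options "%s" always;\n' "${X_FRAME:-SAMEORIGIN}"
}

# Stand-alone run: print the header block for the current environment and
# warn on stderr if inline script has been enabled.
render_headers
if csp_allows_inline; then
    echo "warning: CSP_SCRIPT allows inline script or eval" >&2
fi
```

Exporting a CSP_* variable before running the script (for example `CSP_SCRIPT="'self' 'unsafe-inline'"`) reproduces the override mechanism the table describes, and the warning shows which override weakened the default policy.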

Usage

Standalone

docker-compose

Here is an example of the deployment of a WordPress app with docker-compose. Since WordPress relies on inline scripts, the default CSP has to be relaxed.

services:
  wordpress:
    image: wordpress:php7.1
    expose:
      - 80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb

  db:
    image: mysql:5.7
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'

  nginx:
    image: zar3bski/nginx_cerberus
    ports:
      - 80:80
      - 443:443
    environment:
      DOMAIN_NAME: my.domain.com
      ADMIN_EMAIL: my@adress.com
      LOGIN_URL: /wp-login.php
      TO_CONTAINER: wordpress:80
      CSP_STYLE: "'self' 'unsafe-inline'"
      CSP_SCRIPT: "'self' 'unsafe-inline'"
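The LOGIN_URL setting above (/wp-login.php) is what the fail2ban feature keys on. The following is an added example, not the project's own filter: it derives a fail2ban filter.d definition from LOGIN_URL and dry-runs it over constructed nginx access-log lines, with grep and awk standing in for fail2ban's matching and maxretry counting. Treating every POST to LOGIN_URL as a failed attempt is a simplifying assumption (a real filter would also look at the response); the sample addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example (not the project's own filter): derive a fail2ban filter
# from LOGIN_URL and dry-run it against constructed nginx access log lines.
# Simplifying assumption: every POST to LOGIN_URL counts as a login attempt.

# Constructed sample log in nginx "combined" format (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real clients).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.2 - - [01/Jan/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.2 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:10:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 302 0 "-" "curl/7.0"
EOF

# Print a filter.d definition whose failregex matches POST requests to
# LOGIN_URL (default /admin, as in the env table). Dots in the URL are
# escaped so they match literally rather than as a regex wildcard.
make_filter() {
    esc=$(printf '%s' "${LOGIN_URL:-/admin}" | sed 's/\./\\./g')
    printf '[Definition]\nfailregex = ^<HOST> .* "POST %s[^"]*" [0-9]{3}\nignoreregex =\n' "$esc"
}

# Turn the failregex into something grep -E understands by replacing
# fail2ban's <HOST> token with an IPv4 pattern.
grep_regex() {
    make_filter | sed -n 's/^failregex = //p' | sed 's/<HOST>/[0-9]+(\\.[0-9]+){3}/'
}

# Count the lines of a log file ($1) that the filter would flag.
count_hits() {
    grep -Ec "$(grep_regex)" "$1" || :
}

# Print the client IPs whose flagged lines reach maxretry ($2), which is
# roughly what a jail does over its findtime window before banning.
offenders() {
    grep -E "$(grep_regex)" "$1" |
        awk -v max="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] >= max) print ip }'
}

# Stand-alone run: show the generated filter and which client would be
# banned at maxretry = 3 for a WordPress login URL.
(LOGIN_URL=/wp-login.php; make_filter)
(LOGIN_URL=/wp-login.php; offenders "$SAMPLE_LOG" 3)
```

The GET requests to the login page are not flagged, so a client merely loading the form is never counted; only the repeated POSTs from 203.0.113.7 cross the threshold. Replacing LOGIN_URL with the default /admin yields no hits on this log, which is the check to run before trusting that the filter matches the application's real login path.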

CURRENT ASSIGNMENT

  • fix fail2ban not running
  • static files
  • enforce NGINX (buffer overflow prevention)