theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: theraw/The-World-Is-Yours:ffs
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1
...
pull from: theraw/The-World-Is-Yours:v2
Branches Tags
theraw/The-World-Is-Yours:master theraw/The-World-Is-Yours:raweb-upcoming-release theraw/The-World-Is-Yours:ffs theraw/The-World-Is-Yours:v2-1 theraw/The-World-Is-Yours:pcre-fix theraw/The-World-Is-Yours:docker theraw/The-World-Is-Yours:v3.0 theraw/The-World-Is-Yours:v2 theraw/The-World-Is-Yours:v2.0
theraw/The-World-Is-Yours:v1.27.4 theraw/The-World-Is-Yours:v1.26.0 theraw/The-World-Is-Yours:0.0.1

106 Commits
ffs ... v2

Author SHA1 Message Date
theraw 99df1b1165 Create install.sh 2019-05-11 15:09:41 +02:00
theraw e62368f7d4 Create builder.sh 2019-05-07 22:27:12 +02:00
theraw 2e2456a5a9 Update mysql-up 2019-05-07 21:58:19 +02:00
theraw 616f653d58 Create mysql-up 2019-05-07 21:54:33 +02:00
theraw d5b16a2332 Update php-up 2019-05-07 21:53:42 +02:00
theraw 14122af292 Update www70.conf 2019-05-07 21:51:34 +02:00
theraw 92bd967e82 Update www56.conf 2019-05-07 21:51:10 +02:00
theraw c4e15cd318 Create www70.conf 2019-05-07 21:49:05 +02:00
theraw d758cd1d4e Update www56.conf 2019-05-07 21:49:02 +02:00
theraw 2b9d4182dc Update www56.conf 2019-05-07 21:48:42 +02:00
theraw 5287a12787 Rename www.conf to www56.conf 2019-05-07 21:40:15 +02:00
theraw 816baa4c1e Create www.conf 2019-05-07 21:39:59 +02:00
theraw 74df403029 Update php-up 2019-05-07 21:15:33 +02:00
theraw cbfa79105f Create php-up 2019-05-07 21:14:07 +02:00
theraw d445add332 Delete install 2019-05-07 21:13:43 +02:00
theraw 1a45c2757f Update install 2019-05-07 21:07:42 +02:00
theraw c41dead02e Update nginx.conf 2019-05-07 21:06:38 +02:00
theraw 38d03ce3a3 Add files via upload 2019-05-07 20:49:18 +02:00
theraw a3dedf9b6c Delete GeoLite2-Country.mmdb 2019-05-07 20:48:56 +02:00
theraw 822705c220 Delete nbuild.sh 2019-05-07 20:03:32 +02:00
theraw adb7606b46 Create default 2019-05-07 20:02:38 +02:00
theraw ec94d4a700 Delete default 2019-05-07 20:02:26 +02:00
theraw e9e464010e Update default 2019-05-07 20:02:15 +02:00
theraw 21e3d4abdc Update nginx.conf 2019-05-07 19:59:05 +02:00
theraw 3f1285eeef Update install 2019-05-07 19:49:05 +02:00
theraw f14daa255c Update default 2019-05-07 19:44:41 +02:00
theraw 831f81ed15 Update default 2019-05-07 19:42:10 +02:00
theraw 71048a7c8b Delete template 2019-05-07 19:39:45 +02:00
theraw 75fcfaf3b2 Add files via upload 2019-05-07 19:38:30 +02:00
theraw f6490dbad8 Delete aes.min.js 2019-05-07 19:38:15 +02:00
theraw de4b296196 Add files via upload 2019-05-07 19:36:45 +02:00
theraw 67349056f2 Update index.html 2019-05-07 19:35:25 +02:00
theraw 246dca84ff Update install 2019-05-07 18:25:12 +02:00
theraw d31da1d03f Create nginx.service 2019-05-07 18:22:37 +02:00
theraw eea50b5b5c Add files via upload 2019-05-07 18:17:22 +02:00
theraw a7b336eab6 Delete nginx.zip 2019-05-07 18:17:07 +02:00
theraw 74cae860a3 Update README.md 2019-05-03 22:36:14 +02:00
theraw 366c336dbb Update config.ini 2019-05-03 13:43:38 +02:00
theraw e22a73e230 Update install 2019-05-03 13:43:35 +02:00
theraw 5194bed7dc Update install 2019-05-03 13:33:16 +02:00
theraw 876d846c73 Update config.ini 2019-05-03 13:32:23 +02:00
theraw 11f79fa7e2 Update install 2019-05-03 13:21:29 +02:00
theraw e1eb198323 Update install 2019-05-03 13:20:53 +02:00
theraw 5dc51fddc2 Update config.ini 2019-05-03 13:20:33 +02:00
theraw e7fdd70018 Add files via upload 2019-05-03 13:17:40 +02:00
theraw bd9799da78 Create README.md 2019-05-03 13:17:16 +02:00
theraw 8db552a98b Create install 2019-05-03 13:13:34 +02:00
theraw c1494fa2bd Update config.ini 2019-05-03 12:30:16 +02:00
theraw ac35c6513e Create packages 2019-04-19 13:42:43 +02:00
theraw ee2dbe9ebf Update install 2019-04-19 13:34:46 +02:00
theraw a5f7e05b12 Update install 2019-04-19 13:29:39 +02:00
theraw f8f6ace7bf Update install 2019-04-19 13:28:04 +02:00
theraw bf815e1cca Update install 2019-04-19 13:25:40 +02:00
theraw 80be401070 Update install 2019-04-19 13:25:08 +02:00
theraw a561718c77 Create install 2019-04-19 13:24:05 +02:00
theraw 283325cbc0 Delete nginxVersion 2019-04-19 13:15:06 +02:00
theraw 36e92ce99d Create config.ini 2019-04-19 13:14:59 +02:00
theraw 206d3c7361 Update README.md 2019-04-19 11:43:23 +02:00
theraw 45333ba6b2 Create nginx-raw.conf 2019-04-16 01:09:53 +02:00
theraw a1f48adaae Create nginx-limits.conf 2019-04-16 01:09:29 +02:00
theraw 23b306798f Create nginx-ban.conf 2019-04-16 01:08:57 +02:00
theraw d93485ea11 Create jail.local 2019-04-16 01:08:04 +02:00
theraw 0afb1b43ca Delete install 2019-04-16 01:05:57 +02:00
theraw 780011afed Delete jail.local 2019-04-16 01:05:50 +02:00
theraw 7302ad9d0d Delete rules 2019-04-16 01:05:43 +02:00
theraw 3cabb94a8e Delete nginx-ban.conf 2019-04-16 01:05:36 +02:00
theraw 8d113dbe27 Delete nginx-limits.conf 2019-04-16 01:05:30 +02:00
theraw f8fa55a35e Create nginx-limits.conf 2019-04-16 01:05:18 +02:00
theraw 76db3b3514 Create nginx-ban.conf 2019-04-16 01:04:47 +02:00
theraw 80046611cc Create jail.local 2019-04-16 01:04:15 +02:00
theraw 625014f6f8 Create install.sh 2019-04-16 01:03:14 +02:00
theraw f80938e7ce Create rules 2019-04-16 01:02:45 +02:00
theraw 18e7286c21 Delete nginxVersion 2019-04-16 01:02:07 +02:00
theraw 3561a9eedf Create nginxVersion 2019-04-16 01:01:56 +02:00
theraw 4ce2975888 Delete config 2019-04-16 01:00:59 +02:00
theraw cffae2724e Update feature_request.md 2019-04-16 00:59:50 +02:00
theraw 5152318bc5 Delete install 2019-04-16 00:57:58 +02:00
theraw 24e9b76623 Create install.sh 2019-04-16 00:57:49 +02:00
theraw abb5887589 Delete nginx.conf 2019-04-16 00:56:14 +02:00
theraw 5183560ca1 Delete nginx.service 2019-04-16 00:56:07 +02:00
theraw 59537ee737 Delete config 2019-04-16 00:55:59 +02:00
theraw 46fbffba5b Delete install 2019-04-16 00:55:52 +02:00
theraw 3448e29ca1 Update nginx.service 2019-04-16 00:54:48 +02:00
theraw deb07cde0f Create nginx.service 2019-04-16 00:51:47 +02:00
theraw c0aa3b9cfa Create install.sh 2019-04-16 00:49:38 +02:00
theraw 4518a92447 Delete README.md 2019-04-16 00:47:32 +02:00
theraw caa075750b Delete nginx.service 2019-04-16 00:47:25 +02:00
theraw 300483a011 Create nginx.service 2019-04-16 00:47:14 +02:00
theraw 9aa4f3af1e Update nginx.conf 2019-04-16 00:45:16 +02:00
theraw b115483366 Delete whitelist-ips.conf 2019-04-16 00:44:40 +02:00
theraw 12bf4f8130 Delete bot.conf 2019-04-16 00:44:31 +02:00
theraw 42c03509c7 Update whitelist-bot.conf 2019-04-16 00:44:17 +02:00
theraw 2c3b27bc27 Rename whitelist-ips.conf to whitelist-ips.list 2019-04-16 00:43:52 +02:00
theraw 568c0204a4 Create whitelist-bot.conf 2019-04-16 00:43:33 +02:00
theraw 481101e3e1 Create whitelist-ips.conf 2019-04-16 00:42:18 +02:00
theraw b96d730af8 Delete install 2019-04-16 00:41:28 +02:00
theraw 3ba36187e7 Update nginx.conf 2019-04-16 00:39:33 +02:00
theraw ef6e6046b5 Update README.md 2019-04-16 00:23:35 +02:00
theraw d92a921009 Update install 2019-04-16 00:14:56 +02:00
theraw 1d910d760e Update install 2019-04-16 00:14:31 +02:00
theraw 872f03297f Update README.md 2019-04-16 00:10:13 +02:00
theraw 867a28ee43 Update README.md 2019-04-16 00:08:23 +02:00
theraw c944a66a53 Update README.md 2019-04-15 23:56:15 +02:00
theraw ed0d9d0b3b Update sysctl.conf 2019-04-15 23:49:56 +02:00
theraw d0e0c7a6a9 Update install 2019-04-15 21:25:27 +02:00
theraw 3705a4b2bb Create nginxVersion 2019-04-15 19:44:03 +02:00
46 changed files with 1105 additions and 1143 deletions
Expand all files Collapse all files
.github/ISSUE_TEMPLATE/feature_request.md
-10
View File
@@ -4,14 +4,4 @@ about: Suggest an idea for this project
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
ArchLinux/config
-2
View File
@@ -1,2 +0,0 @@
export user=raw
ArchLinux/static/nginx.conf
-120
View File
@@ -1,120 +0,0 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
# Errors? => https://github.com/theraw/The-World-Is-Yours/issues
user root;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== START L7 ========================= #
# turn this 'on' if you want to use L7 For every domain hosted in your server
testcookie off;
testcookie_name DOPEHOSTING;
testcookie_secret random;
testcookie_session $remote_addr;
#testcookie_arg GO;
testcookie_httponly_flag on;
testcookie_max_attempts 3;
testcookie_secure_flag on;
testcookie_get_only on;
testcookie_p3p 'CP="CUR ADM OUR NOR STA NID", policyref="/w3c/p3p.xml"';
testcookie_fallback /cookies.html?backurl=$scheme://$host$request_uri;
# Those are some ip's whitelisted by me. mostly are search engines. But not everything!
testcookie_whitelist {
8.8.8.8/32;
127.0.0.1/32;
# I don't suggest using alot of IPs here as this whitelist can fail!.
}
testcookie_redirect_via_refresh on;
testcookie_refresh_encrypt_cookie on;
testcookie_refresh_encrypt_cookie_key random;
testcookie_refresh_encrypt_cookie_iv random;
testcookie_refresh_template '<html><head><meta http-equiv="refresh" content="0; $testcookie_nexturl"><title>Just a moment please...</title></head><body> </script><script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script><script type=\"text/javascript\" src="//proxy2.dopehosting.net/aes.min.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="DOPEHOSTING="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";</script></body></html>';
# ===================== END L7 ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# -------------------------------------------------------#
log_format agent '$remote_addr |==| $status |==| $request |==| $http_user_agent';
# -------------------------------------------------------#
log_format full '$remote_addr |==| $remote_user |==| $time_local |==| $request |==| $status |==| $body_bytes_sent |==| $http_referer |==| $http_user_agent |==| $http_x_forwarded_for';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== GEIP =========================== #
geoip2 /nginx/db/GeoLite2-Country.mmdb {
$geoip2_data_country_code default=US country iso_code;
$geoip2_data_country_name country names en;
}
# EX Ban China!
#map $geoip2_data_country_code $allowed_country {
# default yes;
# CN no;
#}
# =================== END GEIP ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== EXTRA ========================== #
# Don't Go with "Nginx Can Handle Everything" !
limit_conn_zone $server_name zone=max:1m;
limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;
# =================== END EXTRA ======================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 1M;
client_header_buffer_size 1M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 10s;
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# =================== LOAD CONFIGS ===================== #
include /nginx/live/*;
include /nginx/conf.d/*;
include /nginx/naxsi_core.rules;
# =================== END CONFIGS ====================== #
# ////////////////////////////////////////////////////// #
}
ArchLinux/install → OS/ArchLinux/2019.04.01/install.sh
View File
ArchLinux/static/nginx.service → OS/ArchLinux/2019.04.01/nginx.service
+2 -2
View File
@@ -4,11 +4,11 @@ After=network.target network-online.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
PIDFile=/var/run/nginx.pid
PrivateDevices=yes
SyslogLevel=err
ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid; error_log stderr;'
ExecStart=/usr/bin/nginx -g 'pid /var/run/nginx.pid; error_log stderr;'
ExecReload=/usr/bin/nginx -s reload
KillSignal=SIGQUIT
KillMode=mixed
CENTOS7/install → OS/CentOS/7/install.sh
-4
View File
@@ -1,6 +1,2 @@
#!/bin/bash
yum -y update; yum -y upgrade; yum -y install epel-release wget zip unzip git nano
yum -y install lvemanager
yum -y install cagefs
yum -y groupinstall alt-php
OS/Ubuntu/14.04/conf.d/whitelist-bot.conf
+4
View File
@@ -0,0 +1,4 @@
geo $white_bot {
default 0;
include /nginx/conf.d/whitelist-ips.list;
}
UBUNTU14/whitelist/whitelist-ips.conf → OS/Ubuntu/14.04/conf.d/whitelist-ips.list
-4
View File
@@ -492,7 +492,3 @@
# ====================================
# END DOPEHOSTING.NET
# ====================================
OS/Ubuntu/14.04/install
+194
View File
@@ -0,0 +1,194 @@
#!/bin/bash
clean() {
mkdir -p ~/tmp; cd ~/tmp
wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/setup
chmod +x setup
./setup clean
rm -Rf ~/tmp
}
checks() {
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "We've detect a folder '/opt/nginx/' which means"
echo "Maybe you have use this script before!"
exit 1
fi
}
reqs() {
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y;
apt-get install sudo -y
apt-get install build-essential libssl-dev curl nano wget zip unzip git -y
apt-get purge --remove nginx -y
apt-get purge --remove apache2 -y
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y
apt-get autoremove -y
apt-get install apt-utils build-essential -y
apt-get install git -y
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg libxml2 zlib1g-dev -y
apt-get install -y unzip
apt-get install -y libicu-dev libcurl4-gnutls-dev libtool
apt-get install -y libmozjs-24-dev
apt-get install -y libmozjs-24-bin; sudo ln -sf /usr/bin/js24 /usr/bin/js
apt-get install openssl libssl-dev libperl-dev libexpat-dev -y
apt-get install mercurial meld -y
apt-get install libxslt-dev -y
apt-get install libgd2-xpm -y
apt-get install libgd2-xpm-dev -y
apt-get install libgeoip-dev -y
apt-get install libssl libssl-dev -y
apt-get install dh-autoreconf -y
apt-get install -y software-properties-common
apt-get install -y python-software-properties
apt-get install -y libcairo2 libcairo2-dev
apt-get install -y python-dev
sudo add-apt-repository ppa:maxmind/ppa -y
apt-get install aptitude -y
aptitude update -y
aptitude upgrade -y
aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt-get install libmysqlclient-dev -y
apt-get install libmariadbclient-dev -y
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev -y
apt-get install libuuid1 uuid-dev -y
apt-get install libgd-dev libc6 -y
}
dirs() {
mkdir -p /hostdata/
mkdir -p /var/log/nginx/
mkdir -p /opt/nginx/modules/
}
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd /opt/ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make -j`nproc`
make install
cd /opt/nginx/modules/
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.zip
unzip v0.3.1rc1.zip; rm -Rf v0.3.1rc1.zip
mv /opt/nginx/modules/ngx_devel_kit-0.3.1rc1/ /opt/nginx/modules/ngx_devel_kit/
#Pagespeed Library
cd /opt/nginx/modules/
wget https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip
unzip v1.13.35.2-stable.zip
rm -Rf v1.13.35.2-stable.zip
mv /opt/nginx/modules/incubator-pagespeed-ngx-1.13.35.2-stable /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
cd /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz; rm -Rf 1.13.35.2-x64.tar.gz
#LuaJIT Library
cd /opt/nginx/modules/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make -j`nproc`
sudo make install
ldconfig
#Naxsi Mod
cd /opt/nginx/modules/
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip; rm -Rf master.zip
mv /opt/nginx/modules/naxsi-master /opt/nginx/modules/naxsi
mkdir -p /opt/nginx/modules/
cd /opt/nginx/modules/
rm -Rf nginx_redis/
git clone https://github.com/openresty/set-misc-nginx-module.git
git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/kyprizel/testcookie-nginx-module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/openresty/lua-nginx-module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/encrypted-session-nginx-module.git
git clone https://github.com/flant/nginx-http-rdns.git
# Download Nginx
mkdir -p /opt/nginx/sources/
cd /opt/nginx/sources/
wget "http://nginx.org/download/nginx-$nginxVersion.tar.gz"
tar -xzvf nginx-$nginxVersion.tar.gz; rm -Rf nginx-$nginxVersion.tar.gz
cd /opt/nginx/sources/nginx-$nginxVersion/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nbuild.sh
chmod +x nbuild.sh
./nbuild.sh
make -j`nproc`
make install
ldconfig
mkdir -p /nginx/live
mkdir -p /nginx/logs
mkdir -p /nginx/conf.d
touch /nginx/logs/access.log
touch /nginx/logs/error.log
useradd -r nginx
rm -Rf /etc/init.d/nginx
cd /etc/init.d/; wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/static/nginx
chmod +x /etc/init.d/nginx
cd /nginx/; mkdir conf.d; rm -Rf nginx.conf*; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx.conf
mkdir -p /nginx/live/
cd /nginx/live/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/vhost/default
mkdir -p /hostdata/default
mkdir -p /hostdata/default/public_html
mkdir -p /hostdata/default/logs
mkdir -p /hostdata/default/cache
mkdir -p /nginx/modsecurity/
cd /hostdata/default/public_html/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/html/index.html
sudo update-rc.d nginx defaults
cd /nginx/; mkdir db/; cd db/; wget https://github.com/theraw/The-World-Is-Yours/raw/master/static/GeoLite2-Country.mmdb
cd /nginx/; rm -Rf *.default
cp /opt/nginx/modules/naxsi/naxsi_config/naxsi_core.rules /nginx/naxsi_core.rules
cp /opt/ModSecurity/modsecurity.conf-recommended /nginx/modsecurity/modsecurity.conf
cd /opt/; git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -a /opt/owasp-modsecurity-crs/rules/ /nginx/modsecurity/
cp -a /opt/owasp-modsecurity-crs/crs-setup.conf.example /nginx/modsecurity/crs-setup.conf
clear
#mkdir -p /tmp/; cd /tmp; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/install
#chmod +x install; ./install
clear
sudo apt-get install fail2ban -y
sudo service fail2ban stop
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/jail.local > /etc/fail2ban/jail.local
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/filter.d/nginx-limits.conf > /etc/fail2ban/filter.d/nginx-limits.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/filter.d/nginx-ban.conf > /etc/fail2ban/filter.d/nginx-ban.conf
touch /nginx/logs/error.log
clear
sudo service fail2ban start
clear
service fail2ban status
nginx -t
service nginx stop
service nginx start
OS/Ubuntu/14.04/packages
+66
View File
@@ -0,0 +1,66 @@
sudo
build-essential
libssl-dev
curl
nano
wget
zip
unzip
git
apt-utils
build-essential
git
checkinstall
libpcre3
libpcre3-dev
zlib1g
zlib1g-dbg
libxml2
zlib1g-dev
unzip
libicu-dev
libcurl4-gnutls-dev
libtool
libmozjs-24-dev
libmozjs-24-bin
openssl
libssl-dev
libperl-dev
libexpat-dev
mercurial
meld
libxslt-dev
libgd2-xpm
libgd2-xpm-dev
libgeoip-dev
libssl
libssl-dev
dh-autoreconf
software-properties-common
python-software-properties
libcairo2
libcairo2-dev
python-dev
aptitude
libmaxminddb0
libmaxminddb-dev
mmdb-bin
libmysqlclient-dev
libmariadbclient-dev
g++
flex
bison
curl
doxygen
libyajl-dev
libgeoip-dev
libtool
dh-autoreconf
libcurl4-gnutls-dev
libxml2
libpcre++-dev
libxml2-dev
libuuid1
uuid-dev
libgd-dev
libc6
OS/Ubuntu/16.04/nginx.service
+16
View File
@@ -0,0 +1,16 @@
[Unit]
Description=The-World-Is-Yours - Nginx L7 Anti-DDoS
After=network.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /var/run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
OS/Ubuntu/18.04/mysql-up
+9
View File
@@ -0,0 +1,9 @@
#!/bin/bash
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.3/ubuntu bionic main'
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
sudo apt install mariadb-server
mysql_secure_installation
UBUNTU16/nginx.service → OS/Ubuntu/18.04/nginx.service
+1 -1
View File
@@ -1,5 +1,5 @@
[Unit]
Description=A high performance web server and a reverse proxy server
Description=The-World-Is-Yours - Nginx L7 Anti-DDoS
After=network.target
[Service]
OS/Ubuntu/18.04/php-up
+54
View File
@@ -0,0 +1,54 @@
#!/bin/bash
export CDN=""
apt install software-properties-common -y
apt install python-software-properties -y
sudo add-apt-repository ppa:ondrej/php -y
apt update; apt upgrade -y
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F4EA0AAE5267A6C
apt update; apt upgrade -y
# 5.6
apt install -y php5.6-fpm
apt install -y php5.6 php5.6-common php5.6-cgi php5.6-cli php5.6-dev php5.6-curl
apt install -y php5.6-gd php5.6-imap php5.6-intl php5.6-ldap php5.6-mysql
apt install -y php5.6-pgsql php5.6-recode php5.6-tidy php5.6-json php5.6-bz2
apt install -y php5.6-mcrypt php5.6-readline php5.6-interbase php5.6-xmlrpc
apt install -y php5.6-gmp php5.6-xsl php5.6-mbstring php5.6-soap php5.6-xml php5.6-zip
service php5.6-fpm stop
curl -s $CDN/5.6/www.conf > /etc/php/5.6/fpm/pool.d/www.conf
ex -sc '%s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g|x' /etc/php/5.6/fpm/php.ini
ex -sc '%s/output_buffering = 4096/output_buffering = Off/g|x' /etc/php/5.6/fpm/php.ini
ex -sc '%s/serialize_precision = 17/serialize_precision = 100/g|x' /etc/php/5.6/fpm/php.ini
perl -pi -e 's/error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT/error_reporting = E_ALL/g' /etc/php/5.6/fpm/php.ini
perl -pi -e 's/;error_log = syslog/error_log = php_error.log/g' /etc/php/5.6/fpm/php.ini
perl -pi -e 's/;date.timezone =/date.timezone = UTC/g' /etc/php/5.6/fpm/php.ini
service php5.6-fpm start
# 7.0
apt install -y php7.0 php7.0-fpm
apt install -y php7.0-common php7.0-cgi php7.0-cli php7.0-phpdbg php7.0-dev php7.0-curl
apt install -y php7.0-enchant php7.0-gd php7.0-gmp php7.0-imap php7.0-interbase
apt install -y php7.0-intl php7.0-ldap php7.0-mcrypt php7.0-readline php7.0-odbc
apt install -y php7.0-pgsql php7.0-pspell php7.0-recode php7.0-snmp php7.0-tidy
apt install -y php7.0-xmlrpc php7.0-xsl php7.0-json php7.0-sybase php7.0-sqlite3
apt install -y php7.0-mysql php7.0-bz2 php7.0-bcmath php7.0-mbstring php7.0-soap
apt install -y php7.0-xml php7.0-zip php7.0-dba
service php7.0-fpm stop
curl -s $CDN/7.0/www.conf > /etc/php/7.0/fpm/pool.d/www.conf
ex -sc '%s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g|x' /etc/php/7.0/fpm/php.ini
ex -sc '%s/output_buffering = 4096/output_buffering = Off/g|x' /etc/php/7.0/fpm/php.ini
perl -pi -e 's/error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT/error_reporting = E_ALL/g' /etc/php/7.0/fpm/php.ini
perl -pi -e 's/;error_log = syslog/error_log = php_error.log/g' /etc/php/7.0/fpm/php.ini
perl -pi -e 's/;date.timezone =/date.timezone = UTC/g' /etc/php/7.0/fpm/php.ini
service php7.0-fpm start
#Clean up.
apt-get remove php7.3-common php7.3-xml -y; apt-get autoremove -y
rm -Rf /etc/php/7.3
OS/Ubuntu/18.04/pool/www56.conf
+47
View File
@@ -0,0 +1,47 @@
[php56]
;prefix = /path/to/pools/$pool
user = nginx
group = nginx
listen = 127.0.0.1:9000
listen.backlog = 65535
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
;listen.acl_users =
;listen.acl_groups =
listen.allowed_clients = 127.0.0.1
pm = ondemand
pm.max_children = 200
pm.start_servers = 5
pm.min_spare_servers = 10
pm.max_spare_servers = 200
pm.process_idle_timeout = 2s;
pm.max_requests = 1000
;pm.status_path = /status
;ping.path = /ping
;ping.response = pong
;access.log = log/$pool.access.log
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
;slowlog = log/$pool.log.slow
;request_slowlog_timeout = 0
;request_terminate_timeout = 0
;rlimit_files = 1024
;rlimit_core = 0
;chroot =
;chdir = /var/www
;catch_workers_output = yes
;clear_env = no
security.limit_extensions = .php
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 128M
OS/Ubuntu/18.04/pool/www70.conf
+55
View File
@@ -0,0 +1,55 @@
[php70]
;prefix = /path/to/pools/$pool
user = nginx
group = nginx
listen = 127.0.0.1:9100
listen.backlog = 65535
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
;listen.acl_users =
;listen.acl_groups =
listen.allowed_clients = 127.0.0.1
; process.priority = -19
; process.dumpable = yes
pm = ondemand
pm.max_children = 200
pm.start_servers = 5
pm.min_spare_servers = 10
pm.max_spare_servers = 200
pm.process_idle_timeout = 2s;
pm.max_requests = 1000
;pm.status_path = /status
;ping.path = /ping
;ping.response = pong
; enable those logs if you have cpu or other problems are helpful but disable after you're done
; because having a lot of logs on it means more resources will be used!
;access.log = /var/log/php_debug_70.log
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
;slowlog = log/$pool.log.slow
;request_slowlog_timeout = 0
;request_terminate_timeout = 0
;rlimit_files = 1024
;rlimit_core = 0
;chroot =
;chdir = /var/www
;catch_workers_output = yes
;clear_env = no
security.limit_extensions = .php
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 128M
OS/Ubuntu/18.04/source/README.md
+1
View File
@@ -0,0 +1 @@
# Pre-Builds
OS/Ubuntu/18.04/source/nginx16.zip
BIN
View File
Binary file not shown.
README.md
+15 -95
View File
@@ -3,115 +3,35 @@
# To-Do
- [x] Nginx Version, Always Latest.
- [x] Support Ubuntu Trusty. (14.04)
- [x] Support Ubuntu Xenial. (16.04)
- [x] Support Ubuntu Cosmic. (18.10)
- [ ] Support Debian.
- [ ] Support Centos.
- [x] Support Arch Linux.
- [x] Nginx V. each 10th release, current 1.60.0, next repo release 1.70.0!
- [x] Support Ubuntu Bionic. (18.04)
- [x] ModSecurity Support.
- [x] Naxsi Support.
- [x] L7 Protection.
- [x] AutoBan System.
- [x] Integrate Fail2Ban > IpTables.
- [ ] GUI ?
- [ ] Monitor requests in live time from browser.
- [ ] L7 Protection (TestCookie Module) Add Recaptcha!
- [ ] .....
- [-] L7 Protection (TestCookie Module) Add Recaptcha!
- [-/x] [Suggestions](https://github.com/theraw/The-World-Is-Yours/issues)
# Installation
For each new system ubuntu, centos or whatever your distro may be you need a update/upgrade then do one reboot! So outdates packages will be up to date your kernel will be up to date and not needed files will get removed.
1. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`**
X. **`Ubuntu`**
2. **`git clone https://github.com/theraw/The-World-Is-Yours.git`**
1. **`apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; shutdown -r now`**
3. **`cd The-World-Is-Yours/; chmod +x *`**
2. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`**
4. **`./install`**
3. **[Install Docker](https://docs.docker.com/install/linux/docker-ce/ubuntu/)**
4. **[Install Docker-Composer](https://github.com/docker/compose/releases) use latest version > execute provided cmds**
5. **`curl -s https:// > nginx.yml`**
6. **`docker-compose -f nginx.yml up -d`**
# Informations.
**What if installation script fails?** - Check what was the problem source fix it (mostly should be for missing packages) then remove everything under /opt/ folder and just execute again ./install
```
=> /nginx/ = Nginx Path,
=> /nginx/live/ = Vhosts Config Files Dir,
=> /nginx/logs/ = Core Logs Files,
=> /nginx/modsecurity/ = ModSecurity Rules Dir,
=> /hostdata/ = Place to store your domain folders.
=> /hostdata/yourdomain.com/ = Ex of domain dir (private folder),
=> /hostdata/yourdomain.com/public_html/ = Ex of your domain webroot (public files only),
=> /hostdata/yourdomain.com/logs/ = Place where to store your Domains logs (access.log) (private folder),
=> /hostdata/yourdomain.com/ssl/ = Place where to store domain ssl/key (private folder),
=> /hostdata/yourdomain.com/cache/ = Place where to store site cache (private folder).
// Private Folder - Means this cannot be accessed by public.
// Public Folder - Means files into this folder can be accessed by public.
```
# Check.
1 . [L7 (Cookie Based Protection)](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L15-L42) AND [Replace "proxy2.dope.. links with yours click here to find aes](https://github.com/theraw/The-World-Is-Yours/tree/master/static/vhost) which should be stored on a external link or in a place where L7 is disabled because it will not work if you put it in main site dir!.
2 . [Auto Ban System](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L105-L111) based on [Connection for ip](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L72-L73)
3 . [Auto Ban 444 Reqs](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L113-L118) A day i've been under attack of multiple proxies, and even after they got banned they still was keep trying the same thing so when you ban someone when that ip tries to access your website that request will not go on `error.log` but in `access.log` so i created this rule to ban with iptables every request who have stauts `444` so nginx will not have to handle those.
4 . [Kernel Settings](https://github.com/theraw/The-World-Is-Yours/blob/master/static/sysctl.conf#L1-L34)
5 . [Naxsi Rules Included](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L118)
6 . [Example of Naxsi](https://github.com/theraw/The-World-Is-Yours/blob/master/static/vhost/default#L22-L29)
7 . [Check Iptables rules](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/rules) It will not be automatically enabled, because this changes based on providers in ovh it work in azure it doesn't work. so you need to manually activate iptables!
8 . ModSecurity is not loaded. However you need to set it up by yourself. you have a folder `/nginx/modsecurity/`
which ModSecurity rules are stored, open `/nginx/modsecurity/modsecurity.conf` add those
```bash
Include crs-setup.conf
Include rules/*.conf
```
ModSecurity is by default enabled as "detect only" you can turn it on always by doing this
```bash
SecRuleEngine On
```
Using modSecurity for your site
```bash
server {
.....
modsecurity on;
modsecurity_rules_file /nginx/modsecurity/modsecurity.conf;
location / {
.....
}
}
```
**Careful** Using modsec rules like
```
location / {
modsecurity_rules_file /nginx/modsecurity/modsecurity.conf;
}
```
it means that's enabled just for your main place `/` not for other dirs in your site ex `/admin/` (:
Test it!
`curl 'http://localhost/?q="><script>wanna hack</script>'`
```html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
# Keep In Mind.
The **L7 Protection** is the same way which **cloudflare** have that banner "Under Attack" A.K.A Cookie based authorization. Most of bots from where attacks will come doesn't support cookies so it will fail to access your site. (Test it by yourself to "curl http://yoursite.com" before you activate L7 and after you start L7 so you will understand better.)
UBUNTU14/conf.d/bot.conf
-4
View File
@@ -1,4 +0,0 @@
geo $white_bot {
default 0;
include /nginx/whitelist/whitelist-ips.conf;
}
UBUNTU14/install
-63
View File
@@ -1,63 +0,0 @@
#!/bin/bash
ireqs() {
mkdir -p /tmp/nginx-plus/; cd /tmp/nginx-plus
wget
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y
apt-get autoremove -y
apt-get install apt-utils build-essential -y
apt-get install git -y
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg libxml2 zlib1g-dev -y
apt-get install -y unzip
apt-get install -y libicu-dev libcurl4-gnutls-dev libtool
apt-get install -y libmozjs-24-dev
apt-get install -y libmozjs-24-bin; sudo ln -sf /usr/bin/js24 /usr/bin/js
apt-get install openssl libssl-dev libperl-dev libexpat-dev -y
apt-get install mercurial meld -y
apt-get install libxslt-dev -y
apt-get install libgd2-xpm -y
apt-get install libgd2-xpm-dev -y
apt-get install libgeoip-dev -y
apt-get install libssl libssl-dev -y
apt-get install dh-autoreconf -y
apt-get install -y software-properties-common
apt-get install -y python-software-properties
apt-get install -y libcairo2 libcairo2-dev
apt-get install -y python-dev
sudo add-apt-repository ppa:maxmind/ppa -y
apt-get install aptitude -y
aptitude update -y
aptitude upgrade -y
aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt-get install libmysqlclient-dev -y
apt-get install libmariadbclient-dev -y
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev -y
}
# Nginx Env's Extra Stuff.
#ngx-envs() {
#
#}
download() {
cd /
wget https://github.com/systemroot/my-nginx/raw/master/nginx-plus/nginx-plus.zip
unzip -P ****** nginx-plus.zip; rm -Rf nginx-plus.zip
clear
}
rebuild-conf() {
}
download-mods() {
}
compile-mods() {
}
move-mods() {
}
UBUNTU16/README.md
-1
View File
@@ -1 +0,0 @@
`
config
-37
View File
@@ -1,37 +0,0 @@
#!/bin/bash
# ===============================================================================
# YOU SHOULD CHANGE THOSE.
# ===============================================================================
export NS_PORT='80' # $BIND_IP:80.
export ADMIN_PORT='8282' # $BIND_IP:8282.
export BIND_IP='145.239.109.73' # $BIND_IP:$NS_PORT Will be used for your nginx vhosts configs.
export MY_OS='UBUNTU14' # (UBUNTU14 = Ubuntu 14.04, CENTOS7 = Centos 7.x, Debian7 = Debian 7.9).
export SYM_IT='/nginx' # (Easy way to find nginx 'cd /nginx').
# ===============================================================================
# ===============================================================================
# ===============================================================================
# I DON'T GAVE SUPPORT IF YOU CHANGE THOSE.
# ===============================================================================
export OWNER='root' # Under which user will nginx run!
export PHP_OWNER='root' # Under which group will nginx run!
export HOSTDATA='/hostdata/' # In which folder will website files stored!
export HOSTDATA_DEF='/hostdata/default/public_html/' # Where is the default_server folder.
# CONFIGS.
# ===============================================================================
export NGINX_CONF='/nginx/nginx.conf' # nginx.conf
export VHOST_LIVE_DIR='/nginx/live/' # Live sites.conf folder.
export DEFAULT_SERVER='/nginx/live/default.conf' # Where is the default_server conf.
# EXAMPLE OF EXTRA CONFIGS.
# ===============================================================================
export NGINX_RAILS_UNICORN_CONF_FILE='/etc/nginx/conf.d/rails-unicorn.conf'
export NGINX_RAILS_THIN_CONF_FILE='/etc/nginx/conf.d/rails-thin.conf'
export NGINX_PYRAMID_CONF_FILE='/etc/nginx/conf.d/pyramid.conf'
export NGINX_DJANGO_CONF_FILE='/etc/nginx/conf.d/django.conf'
export NGINX_PHP_CONF_FILE='/etc/nginx/conf.d/php-fpm.conf'
# ===============================================================================
# ===============================================================================
config.ini
+6
View File
@@ -0,0 +1,6 @@
export nginxVersion='1.16.0'
export nginxIndex='https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/html/index.html'
export nginxGeoDB='https://github.com/theraw/The-World-Is-Yours/raw/master/static/GeoLite2-Country.mmdb'
export ubuntu18build='https://github.com/theraw/The-World-Is-Yours/raw/v2/OS/Ubuntu/18.04/source/nginx.zip'
export ubuntu18nginxconf='https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx.conf'
export ubuntu18defauconf='https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/vhost/default'
iptables/filter.d/nginx-ban.conf → data/fail2ban/OS/Ubuntu/14.04/filter.d/nginx-ban.conf
View File
iptables/filter.d/nginx-limits.conf → data/fail2ban/OS/Ubuntu/14.04/filter.d/nginx-limits.conf
View File
iptables/jail.local → data/fail2ban/OS/Ubuntu/14.04/jail.local
+1
View File
@@ -1,3 +1,4 @@
[DEFAULT]
ignoreip = 127.0.0.1/8
data/fail2ban/OS/Ubuntu/18.04/filter.d/nginx-ban.conf
+5
View File
@@ -0,0 +1,5 @@
[Definition]
failregex = ^.*client: <HOST>.* 444.*$
ignoreregex =
data/fail2ban/OS/Ubuntu/18.04/filter.d/nginx-limits.conf
+8
View File
@@ -0,0 +1,8 @@
# fail2ban filter configuration for nginx limit connection for ip.
[Definition]
failregex = ^.*client: <HOST>.*$
ignoreregex =
data/fail2ban/OS/Ubuntu/18.04/filter.d/nginx-raw.conf
+5
View File
@@ -0,0 +1,5 @@
[Definition]
failregex = ^.*client: <HOST>.* 400.*$
ignoreregex =
data/fail2ban/OS/Ubuntu/18.04/jail.local
+333
View File
@@ -0,0 +1,333 @@
[DEFAULT]
bantime = 3600
findtime = 1
maxretry = 2
backend = auto
usedns = warn
destemail = root@localhost
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[nginx-limits]
enabled = true
port = http,https
filter = nginx-limits
logpath = /hostdata/*/logs/error.log
maxretry = 3
[nginx-ban]
enabled = true
port = http,https
filter = nginx-ban
logpath = /hostdata/*/logs/access.log
maxretry = 3
[nginx-raw]
enabled = true
port = http,https
filter = nginx-raw
logpath = /hostdata/*/logs/access.log
maxretry = 3
[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
[pam-generic]
enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
#port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6
[ssh-iptables-ipset4]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/sshd.log
maxretry = 6
[ssh-iptables-ipset6]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/sshd.log
maxretry = 6
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
# Same as above for mod_auth
# It catches wrong authentifications
[lighttpd-auth]
enabled = false
port = http,https
filter = suhosin
logpath = /var/log/lighttpd/error.log
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
[roundcube-auth]
enabled = false
filter = roundcube-auth
port = http,https
logpath = /var/log/roundcube/userlogins
[sogo-auth]
enabled = false
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
logpath = /var/log/sogo/sogo.log
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/syslog
maxretry = 6
[postfix]
enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp,submission
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-auth]
enabled = false
filter = mysqld-auth
port = 3306
logpath = /var/log/mysqld.log
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = tcp
logpath = /var/log/asterisk/messages
[asterisk-udp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/messages
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
iptables/install → data/iptables/install.sh
View File
iptables/rules → data/iptables/rules
View File
install
+54 -545
View File
@@ -1,576 +1,85 @@
#!/bin/bash
if [ "$1" == "install" ]; then
case "`grep DISTRIB_CODENAME /etc/*-release | awk -F '=' '{print $2}'`" in
trusty)
bionic)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You can fix this by executing!"
echo "./setup clean"
echo "We've detect a folder '/nginx/'"
echo "Please to a fresh reinstallation of your server this is a whole new release you can't update!"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
echo "Maybe you have installed nginx on your system!"
echo "Please remove everything related to nginx apache or any other web server using port 80/443"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "We've detect a folder '/opt/nginx/' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
exit 1
fi
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y;
apt-get install sudo -y
apt-get install build-essential libssl-dev curl nano wget zip unzip git -y
apt-get purge --remove nginx -y
apt-get purge --remove apache2 -y
cd ~/;
wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/setup
chmod +x setup
./setup clean
rm -Rf ~/setup
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y
apt-get autoremove -y
apt-get install apt-utils build-essential -y
apt-get install git -y
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg libxml2 zlib1g-dev -y
apt-get install -y unzip
apt-get install -y libicu-dev libcurl4-gnutls-dev libtool
apt-get install -y libmozjs-24-dev
apt-get install -y libmozjs-24-bin; sudo ln -sf /usr/bin/js24 /usr/bin/js
apt-get install openssl libssl-dev libperl-dev libexpat-dev -y
apt-get install mercurial meld -y
apt-get install libxslt-dev -y
apt-get install libgd2-xpm -y
apt-get install libgd2-xpm-dev -y
apt-get install libgeoip-dev -y
apt-get install libssl libssl-dev -y
apt-get install dh-autoreconf -y
apt-get install -y software-properties-common
apt-get install -y python-software-properties
apt-get install -y libcairo2 libcairo2-dev
apt-get install -y python-dev
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y
apt-get install build-essential libssl-dev curl nano wget zip unzip git sudo iftop htop -y
sudo add-apt-repository ppa:maxmind/ppa -y
apt-get install aptitude -y
aptitude update -y
aptitude upgrade -y
aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt-get install libmysqlclient-dev -y
apt-get install libmariadbclient-dev -y
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev -y
apt-get install libuuid1 uuid-dev -y
apt-get install libgd-dev libc6 -y
apt-get update; apt-get upgrade -y; apt-get autoremove -y
apt-get install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt-get install libgd-dev -y
mkdir -p /hostdata/
mkdir -p /var/log/nginx/
mkdir -p /opt/nginx/modules/
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd /opt/ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make -j`nproc`
make install
cd /opt/nginx/modules/
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.zip
unzip v0.3.1rc1.zip; rm -Rf v0.3.1rc1.zip
mv /opt/nginx/modules/ngx_devel_kit-0.3.1rc1/ /opt/nginx/modules/ngx_devel_kit/
#Pagespeed Library
cd /opt/nginx/modules/
wget https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip
unzip v1.13.35.2-stable.zip
rm -Rf v1.13.35.2-stable.zip
mv /opt/nginx/modules/incubator-pagespeed-ngx-1.13.35.2-stable /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
cd /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz; rm -Rf 1.13.35.2-x64.tar.gz
#LuaJIT Library
cd /opt/nginx/modules/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make -j`nproc`
sudo make install
ldconfig
#Naxsi Mod
cd /opt/nginx/modules/
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip; rm -Rf master.zip
mv /opt/nginx/modules/naxsi-master /opt/nginx/modules/naxsi
mkdir -p /opt/nginx/modules/
cd /opt/nginx/modules/
rm -Rf nginx_redis/
git clone https://github.com/openresty/set-misc-nginx-module.git
git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/kyprizel/testcookie-nginx-module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/openresty/lua-nginx-module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/encrypted-session-nginx-module.git
git clone https://github.com/flant/nginx-http-rdns.git
# Download Nginx
mkdir -p /opt/nginx/sources/
cd /opt/nginx/sources/
wget 'http://nginx.org/download/nginx-1.15.5.tar.gz'
tar -xzvf nginx-1.15.5.tar.gz; rm -Rf nginx-1.15.5.tar.gz
cd /opt/nginx/sources/nginx-1.15.5/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nbuild.sh
chmod +x nbuild.sh
./nbuild.sh
make -j`nproc`
make install
ldconfig
mkdir -p /nginx/live
mkdir -p /nginx/logs
mkdir -p /nginx/conf.d
touch /nginx/logs/access.log
touch /nginx/logs/error.log
useradd -r nginx
rm -Rf /etc/init.d/nginx
cd /etc/init.d/; wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/static/nginx
chmod +x /etc/init.d/nginx
cd /nginx/; mkdir conf.d; rm -Rf nginx.conf*; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx.conf
mkdir -p /nginx/live/
cd /nginx/live/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/vhost/default
mkdir -p /hostdata/default
mkdir -p /hostdata/default/public_html
mkdir -p /hostdata/default/logs
mkdir -p /hostdata/default/cache
mkdir -p /nginx/modsecurity/
cd /hostdata/default/public_html/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/html/index.html
sudo update-rc.d nginx defaults
cd /nginx/; mkdir db/; cd db/; wget https://github.com/theraw/The-World-Is-Yours/raw/master/static/GeoLite2-Country.mmdb
cd /nginx/; rm -Rf *.default
cp /opt/nginx/modules/naxsi/naxsi_config/naxsi_core.rules /nginx/naxsi_core.rules
cp /opt/ModSecurity/modsecurity.conf-recommended /nginx/modsecurity/modsecurity.conf
cd /opt/; git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -a /opt/owasp-modsecurity-crs/rules/ /nginx/modsecurity/
cp -a /opt/owasp-modsecurity-crs/crs-setup.conf.example /nginx/modsecurity/crs-setup.conf
clear
#mkdir -p /tmp/; cd /tmp; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/install
#chmod +x install; ./install
clear
sudo apt-get install fail2ban -y
sudo service fail2ban stop
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/jail.local > /etc/fail2ban/jail.local
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/filter.d/nginx-limits.conf > /etc/fail2ban/filter.d/nginx-limits.conf
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/iptables/filter.d/nginx-ban.conf > /etc/fail2ban/filter.d/nginx-ban.conf
touch /nginx/logs/error.log
clear
sudo service fail2ban start
clear
service fail2ban status
nginx -t
service nginx stop
service nginx start
;;
xenial)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You can fix this by executing!"
echo "./setup clean"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "We've detect a folder '/opt/nginx/' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
exit 1
fi
apt update
apt upgrade -y
apt dist-upgrade -y
apt install build-essential apt-utils libssl-dev curl nano wget zip unzip git htop iftop whois screen sudo -y
apt purge --remove nginx -y
apt purge --remove apache2 -y
apt autoremove -y
cd ~/;
wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/setup
chmod +x setup
./setup clean
rm -Rf ~/setup
apt install -y checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg libxml2 zlib1g-dev
apt install -y libicu-dev libcurl4-gnutls-dev libtool
apt install -y libmozjs-24-dev
apt install -y libmozjs-24-bin; sudo ln -sf /usr/bin/js24 /usr/bin/js
apt install openssl libssl-dev libperl-dev libexpat-dev -y
apt install mercurial meld -y
apt install libxslt-dev -y
apt install libgd2-xpm -y
apt install libgd2-xpm-dev -y
apt install libgeoip-dev -y
apt install dh-autoreconf -y
apt install -y software-properties-common
apt install -y python-software-properties
apt install -y libcairo2 libcairo2-dev
apt install -y python-dev
sudo add-apt-repository ppa:maxmind/ppa -y
apt update; apt upgrade -y; apt dist-upgrade -y
apt install aptitude -y
aptitude update -y
aptitude upgrade -y
aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt install libmysqlclient-dev -y
apt install libmariadbclient-dev -y
apt install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev -y
apt install libuuid1 uuid-dev -y
mkdir -p /hostdata/
mkdir -p /var/log/nginx/
mkdir -p /opt/nginx/modules/
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd /opt/ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make -j`nproc`
make install
cd /opt/nginx/modules/
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.zip
unzip v0.3.1rc1.zip; rm -Rf v0.3.1rc1.zip
mv /opt/nginx/modules/ngx_devel_kit-0.3.1rc1/ /opt/nginx/modules/ngx_devel_kit/
cd /opt/nginx/modules/
wget https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip
unzip v1.13.35.2-stable.zip
rm -Rf v1.13.35.2-stable.zip
mv /opt/nginx/modules/incubator-pagespeed-ngx-1.13.35.2-stable /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
cd /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz; rm -Rf 1.13.35.2-x64.tar.gz
#LuaJIT Library
cd /opt/nginx/modules/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make -j`nproc`
sudo make install
ldconfig
cd /opt/nginx/modules/
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip; rm -Rf master.zip
mv /opt/nginx/modules/naxsi-master /opt/nginx/modules/naxsi
mkdir -p /opt/nginx/modules/
cd /opt/nginx/modules/
rm -Rf nginx_redis/
git clone https://github.com/openresty/set-misc-nginx-module.git
git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/kyprizel/testcookie-nginx-module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/openresty/lua-nginx-module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/encrypted-session-nginx-module.git
git clone https://github.com/flant/nginx-http-rdns.git
# Download Nginx
mkdir -p /opt/nginx/sources/
cd /opt/nginx/sources/
wget 'http://nginx.org/download/nginx-1.14.0.tar.gz'
tar -xzvf nginx-1.14.0.tar.gz; rm -Rf nginx-1.14.0.tar.gz
cd /opt/nginx/sources/nginx-1.14.0/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nbuild.sh
chmod +x nbuild.sh
./nbuild.sh
make -j`nproc`
make install
ldconfig
mkdir -p /nginx/live
mkdir -p /nginx/logs
mkdir -p /nginx/conf.d
touch /nginx/logs/access.log
touch /nginx/logs/error.log
useradd -r nginx
rm -Rf /etc/init.d/nginx
cd /etc/init.d/; wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/static/nginx
chmod +x /etc/init.d/nginx
cd /nginx/; mkdir conf.d; rm -Rf nginx.conf*; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx.conf
cd /nginx/live/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/vhost/default
mkdir -p /hostdata/default
mkdir -p /hostdata/default/public_html
mkdir -p /hostdata/default/logs
mkdir -p /hostdata/default/cache
mkdir -p /nginx/modsecurity/
cd /hostdata/default/public_html/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/html/index.html
sudo update-rc.d nginx defaults
cd /nginx/; mkdir db/; cd db/; wget https://github.com/theraw/The-World-Is-Yours/raw/master/static/GeoLite2-Country.mmdb
cd /nginx/; rm -Rf *.default
cp /opt/nginx/modules/naxsi/naxsi_config/naxsi_core.rules /nginx/naxsi_core.rules
cp /opt/ModSecurity/modsecurity.conf-recommended /nginx/modsecurity/modsecurity.conf
cd /opt/; git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -a /opt/owasp-modsecurity-crs/rules/ /nginx/modsecurity/
cp -a /opt/owasp-modsecurity-crs/crs-setup.conf.example /nginx/modsecurity/crs-setup.conf
clear
cd /etc/systemd/system/; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/UBUNTU16/nginx.service
sudo systemctl start nginx.service && sudo systemctl enable nginx.service
useradd nginx
mkdir -p /usr/local/nginx/
cd /; wget https://github.com/theraw/The-World-Is-Yours/raw/v2/OS/Ubuntu/18.04/source/nginx16.zip; unzip nginx16.zip; rm -Rf nginx16.zip
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/v2/OS/Ubuntu/18.04/nginx.service > /etc/systemd/system/nginx.service
killall nginx
systemctl daemon-reload
service nginx stop
service nginx start
;;
cosmic)
if [ "$(whoami)" != "root" ]
then
echo "You should Login as root to use this script!";
echo "May you already have access for sudo, but commands aren't designed with sudo! so..";
echo "sudo -i";
exit 1
fi
if [ -d "/nginx/" ]; then
echo "We've detect a folder '/nginx/' which means"
echo "Maybe you have use this script before!"
echo "You can fix this by executing!"
echo "./setup clean"
exit 1
fi
if [ -d "/etc/nginx" ]; then
echo "We've detect a folder '/etc/nginx' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
exit 1
fi
if [ -d "/opt/nginx/" ]; then
echo "We've detect a folder '/opt/nginx/' which means"
echo "Maybe you have use this script before!"
echo "./setup clean"
exit 1
fi
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y;
apt-get install sudo -y
apt-get install build-essential libssl-dev curl nano wget zip unzip git -y
apt-get purge --remove nginx -y
apt-get purge --remove apache2 -y
cd ~/;
wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/setup
chmod +x setup
./setup clean
rm -Rf ~/setup
apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y
apt-get autoremove -y
apt-get install apt-utils build-essential -y
apt-get install git -y
apt-get install checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg libxml2 zlib1g-dev -y
apt-get install -y unzip
apt-get install -y libicu-dev libcurl4-gnutls-dev libtool
apt-get install -y libmozjs-24-dev
apt-get install -y libmozjs-24-bin; sudo ln -sf /usr/bin/js24 /usr/bin/js
apt-get install openssl libssl-dev libperl-dev libexpat-dev -y
apt-get install mercurial meld -y
apt-get install libxslt-dev -y
apt-get install libgd2-xpm -y
apt-get install libgd2-xpm-dev -y
apt-get install libgeoip-dev -y
apt-get install libssl libssl-dev -y
apt-get install dh-autoreconf -y
apt-get install -y software-properties-common
apt-get install -y python-software-properties
apt-get install -y libcairo2 libcairo2-dev
apt-get install -y python-dev
sudo add-apt-repository ppa:maxmind/ppa -y
apt-get install aptitude -y
aptitude update -y
aptitude upgrade -y
aptitude install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
apt-get install libmysqlclient-dev -y
apt-get install libmariadbclient-dev -y
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev -y
apt-get install libuuid1 uuid-dev -y
apt-get install libgd-dev libc6 -y
mkdir -p /hostdata/
mkdir -p /var/log/nginx/
mkdir -p /opt/nginx/modules/
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd /opt/ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make -j`nproc`
make install
cd /opt/nginx/modules/
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.zip
unzip v0.3.1rc1.zip; rm -Rf v0.3.1rc1.zip
mv /opt/nginx/modules/ngx_devel_kit-0.3.1rc1/ /opt/nginx/modules/ngx_devel_kit/
#Pagespeed Library
cd /opt/nginx/modules/
wget https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip
unzip v1.13.35.2-stable.zip
rm -Rf v1.13.35.2-stable.zip
mv /opt/nginx/modules/incubator-pagespeed-ngx-1.13.35.2-stable /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
cd /opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable
wget https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz
tar -xzvf 1.13.35.2-x64.tar.gz; rm -Rf 1.13.35.2-x64.tar.gz
#LuaJIT Library
cd /opt/nginx/modules/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make -j`nproc`
sudo make install
ldconfig
#Naxsi Mod
cd /opt/nginx/modules/
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip; rm -Rf master.zip
mv /opt/nginx/modules/naxsi-master /opt/nginx/modules/naxsi
mkdir -p /opt/nginx/modules/
cd /opt/nginx/modules/
rm -Rf nginx_redis/
git clone https://github.com/openresty/set-misc-nginx-module.git
git clone https://github.com/FRiCKLE/ngx_cache_purge.git
git clone https://github.com/kyprizel/testcookie-nginx-module.git
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/openresty/echo-nginx-module.git
git clone https://github.com/leev/ngx_http_geoip2_module.git
git clone https://github.com/openresty/lua-nginx-module.git
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
git clone https://github.com/openresty/encrypted-session-nginx-module.git
git clone https://github.com/flant/nginx-http-rdns.git
# Download Nginx
mkdir -p /opt/nginx/sources/
cd /opt/nginx/sources/
wget 'http://nginx.org/download/nginx-1.15.5.tar.gz'
tar -xzvf nginx-1.15.5.tar.gz; rm -Rf nginx-1.15.5.tar.gz
cd /opt/nginx/sources/nginx-1.15.5/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nbuild.sh
chmod +x nbuild.sh
./nbuild.sh
make -j`nproc`
make install
ldconfig
mkdir -p /nginx/live
mkdir -p /nginx/logs
mkdir -p /nginx/conf.d
touch /nginx/logs/access.log
touch /nginx/logs/error.log
useradd -r nginx
rm -Rf /etc/init.d/nginx
cd /etc/init.d/; wget https://raw.githubusercontent.com/systemroot/my-nginx/master/nginx-as-firewall/static/nginx
chmod +x /etc/init.d/nginx
cd /nginx/; mkdir conf.d; rm -Rf nginx.conf*; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx.conf
mkdir -p /nginx/live/
cd /nginx/live/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/vhost/default
mkdir -p /hostdata/default
mkdir -p /hostdata/default/public_html
mkdir -p /hostdata/default/logs
mkdir -p /hostdata/default/cache
mkdir -p /nginx/modsecurity/
cd /hostdata/default/public_html/
wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/html/index.html
sudo update-rc.d nginx defaults
cd /nginx/; mkdir db/; cd db/; wget https://github.com/theraw/The-World-Is-Yours/raw/master/static/GeoLite2-Country.mmdb
cd /nginx/; rm -Rf *.default
cp /opt/nginx/modules/naxsi/naxsi_config/naxsi_core.rules /nginx/naxsi_core.rules
cp /opt/ModSecurity/modsecurity.conf-recommended /nginx/modsecurity/modsecurity.conf
cd /opt/; git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp -a /opt/owasp-modsecurity-crs/rules/ /nginx/modsecurity/
cp -a /opt/owasp-modsecurity-crs/crs-setup.conf.example /nginx/modsecurity/crs-setup.conf
clear
cd /etc/systemd/system/; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/UBUNTU16/nginx.service
sudo systemctl start nginx.service && sudo systemctl enable nginx.service
systemctl daemon-reload
clear
service nginx stop
service nginx start
clear
nginx -t
echo "Installation script on ubuntu 18 maybe can fail is not well tested if so please report any problem on github!"
;;
centos)
yum -y update; yum -y upgrade
yum install epel-release wget curl git zip unzip -y
yum remove httpd -y
yum remove apache2 -y
yum remove nginx -y
# create dirs
mkdir /hostdata
mkdir -p /nginx/live
mkdir -p /nginx/conf.d
mkdir -p /nginx/db/
mkdir -p /nginx/modules
mkdir -p /hostdata/default/logs
mkdir -p /hostdata/default/public_html
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/v2/static/html/index.html > /hostdata/default/public_html/index.html
mkdir -p /hostdata/default/public_html/L7
cd /hostdata/default/public_html/L7; wget https://github.com/theraw/The-World-Is-Yours/raw/v2/static/html/loading.gif
cd /hostdata/default/public_html/L7; wget https://raw.githubusercontent.com/theraw/The-World-Is-Yours/v2/static/html/aes.min.js
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/v2/static/live/default > /nginx/live/default
curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/v2/static/nginx.conf > /nginx/nginx.conf
cd /nginx/db/; wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz; tar xf GeoLite2-City.tar.gz; rm -Rf GeoLite2-City.tar.gz
mv /nginx/db/GeoLite2-City_*/GeoLite2-City.mmdb /nginx/db/; rm -Rf /nginx/db/GeoLite2-City_*
cd /nginx/db/; wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz; tar xf GeoLite2-Country.tar.gz; rm -Rf GeoLite2-Country.tar.gz
mv /nginx/db/GeoLite2-Country_*/GeoLite2-Country.mmdb /nginx/db/; rm -Rf /nginx/db/GeoLite2-Country_*
;;
esac
fi
if [ "$1" == 'clean' ]; then
service nginx stop
systemctl disable nginx.service
rm -Rf /nginx
rm -Rf /usr/local/nginx
rm -Rf /usr/sbin/nginx
rm -Rf /etc/init.d/nginx
rm -Rf /hostdata/
rm -Rf /opt/nginx
rm -Rf /etc/systemd/system/nginx.service
systemctl daemon-reload
clear
echo "We've just removed /nginx and /hostdata and /opt/nginx"
fi
static/GeoLite2-Country.mmdb
BIN
View File
Binary file not shown.
static/nbuild.sh → static/builder.sh
+10 -18
View File
@@ -1,12 +1,15 @@
#!/bin/bash
# Please use this to build dynamic modules every single detail is strictly required!
./configure \
--user=nginx \
--group=nginx \
--modules-path=/nginx/modules/ \
--sbin-path=/usr/sbin/nginx \
--conf-path=/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--error-log-path=/nginx/logs/error.log \
--http-log-path=/nginx/logs/access.log \
--pid-path=/run/nginx.pid \
--lock-path=/run/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre \
--with-threads \
--with-file-aio \
@@ -34,17 +37,6 @@
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module \
--with-ld-opt="-Wl,-rpath,/usr/local/lib/" \
--add-module=/opt/nginx/modules/ngx_devel_kit \
--add-module=/opt/nginx/modules/ngx_pagespeed-1.13.35.2-stable \
--add-module=/opt/nginx/modules/testcookie-nginx-module \
--add-module=/opt/nginx/modules/set-misc-nginx-module \
--add-module=/opt/nginx/modules/headers-more-nginx-module \
--add-module=/opt/nginx/modules/echo-nginx-module \
--add-module=/opt/nginx/modules/ngx_cache_purge \
--add-module=/opt/nginx/modules/ngx_http_geoip2_module \
--add-module=/opt/nginx/modules/lua-nginx-module \
--add-module=/opt/nginx/modules/ModSecurity-nginx \
--add-module=/opt/nginx/modules/encrypted-session-nginx-module \
--add-module=/opt/nginx/modules/naxsi/naxsi_src/ \
--add-module=/opt/nginx/modules/nginx-http-rdns
--with-ld-opt="-Wl,-rpath,/usr/local/lib/" \
--add-dynamic-module=/the path of /ngx_devel_kit \
--add-dynamic-module=/your module path
static/vhost/aes.min.js → static/html/aes.min.js
Vendored
View File
static/html/index.html
+2 -2
View File
@@ -1,5 +1,5 @@
<html>
<center><h1>NGINX-AS-WEB-FIREWALL Default Page!?</h1></center>
<center><h1>The World Is Yours Default Page</h1></center>
<center><h2>If you can see this that means your installation was successful!</h2></center>
<center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center>
<center><h2>Thanks Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours/issues" target="_blank">(Github)</a></h2></center>
</html>
static/html/loading.gif
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 708 KiB

static/iptables/geoip/install.sh
+15
View File
@@ -0,0 +1,15 @@
#!/bin/bash
mkdir /opt/xgeoip; cd /opt/xgeoip; wget https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-3.3.tar.xz/download; tar xf download; rm -rf download
mv /opt/xgeoip/xtables-addons-3.3 /opt/iptables-geoip-3.3
cd /opt/iptables-geoip-3.3; ./configure
make -j`nproc`
make install
clear
bash /opt/iptables-geoip-3.3/geoip/xt_geoip_dl
mv /opt/iptables-geoip-3.3/geoip/GeoLite2-Country-CSV_*/* /opt/iptables-geoip-3.3/geoip
bash /opt/iptables-geoip-3.3/geoip/xt_geoip_build
mkdir -p /usr/share/xt_geoip/
mv /opt/iptables-geoip-3.3/geoip/*.iv4 /usr/share/xt_geoip/
mv /opt/iptables-geoip-3.3/geoip/*.iv6 /usr/share/xt_geoip/
static/live/default
+32
View File
@@ -0,0 +1,32 @@
server {
listen 80 default_server;
root /hostdata/default/public_html;
index index.html;
server_name localhost;
# ================================================
add_header GEO_COUNTRY_CODE $geoip2_data_country_code;
add_header GEO_COUNTRY_NAME $geoip2_data_country_name;
add_header GEO_STATE $geoip2_data_state;
add_header GEO_CITY_NAME $geoip2_data_city_name;
add_header GEO_ZIP_CODE $geoip2_data_zip;
add_header X-Content-Type-Options 'nosniff' always;
add_header X-Xss-Protection '1; mode=block';
add_header Referrer-Policy 'no-referrer-when-downgrade';
# ================================================
# ================================================
access_log /hostdata/default/logs/access.log main;
error_log /hostdata/default/logs/error.log;
# ================================================
# ================================================
location / {
try_files $uri $uri/ =404;
}
location ^~ /L7 {
testcookie off;
}
# ================================================
}
static/modules.zip
BIN
View File
Binary file not shown.
static/nginx.conf
+152 -98
View File
@@ -1,121 +1,175 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
# Errors? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
# ====================================================================
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;
# ====================================================================
# ====================================================================
# LOAD DYNAMIC MODS
# ====================================================================
load_module /nginx/modules/ndk_http_module.so;
load_module /nginx/modules/ngx_http_set_misc_module.so;
load_module /nginx/modules/ngx_http_geoip2_module.so;
load_module /nginx/modules/ngx_stream_geoip2_module.so;
load_module /nginx/modules/ngx_http_testcookie_access_module.so;
load_module /nginx/modules/ngx_http_cookie_flag_filter_module.so;
# load_module /nginx/modules/ngx_http_headers_more_filter_module.so
# load_module /nginx/modules/ngx_http_encrypted_session_module.so
# load_module /nginx/modules/ngx_http_brotli_filter_module.so
# load_module /nginx/modules/ngx_http_brotli_static_module.so
# This module is nginx rtmp module but a better one, has same features rtmp/vod/hls/dash etc.
# load_module /nginx/modules/ngx_http_flv_live_module.so
# Every module works but modSecurity doesn't work because you have to compile mod security library
#
# load_module /nginx/modules/ngx_http_modsecurity_module.so;
# ====================================================================
events {
worker_connections 65535;
multi_accept on;
use epoll;
worker_connections 65535;
}
http {
# ////////////////////////////////////////////////////// #
# =================== START L7 ========================= #
# turn this 'on' if you want to use L7 For every domain hosted in your server
testcookie off;
testcookie_name DOPEHOSTING;
testcookie_secret random;
testcookie_session $remote_addr;
#testcookie_arg GO;
testcookie_httponly_flag on;
testcookie_max_attempts 3;
testcookie_secure_flag on;
testcookie_get_only on;
testcookie_p3p 'CP="CUR ADM OUR NOR STA NID", policyref="/w3c/p3p.xml"';
testcookie_fallback /cookies.html?backurl=$scheme://$host$request_uri;
# Those are some ip's whitelisted by me. mostly are search engines. But not everything!
testcookie_whitelist {
8.8.8.8/32;
127.0.0.1/32;
# I don't suggest using alot of IPs here as this whitelist can fail!.
}
testcookie_redirect_via_refresh on;
testcookie_refresh_encrypt_cookie on;
testcookie_refresh_encrypt_cookie_key random;
testcookie_refresh_encrypt_cookie_iv random;
testcookie_refresh_template '<html><head><meta http-equiv="refresh" content="0; $testcookie_nexturl"><title>Just a moment please...</title></head><body> </script><script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script><script type=\"text/javascript\" src="//proxy2.dopehosting.net/aes.min.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="DOPEHOSTING="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";</script></body></html>';
# ===================== END L7 ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr |==| $status |==| $request |==| $time_local';
# -------------------------------------------------------#
log_format agent '$remote_addr |==| $status |==| $request |==| $http_user_agent';
# -------------------------------------------------------#
log_format full '$remote_addr |==| $remote_user |==| $time_local |==| $request |==| $status |==| $body_bytes_sent |==| $http_referer |==| $http_user_agent |==| $http_x_forwarded_for';
# =================== END LOGS ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== GEIP =========================== #
# ==================== GEOIP =========================== #
geoip2 /nginx/db/GeoLite2-Country.mmdb {
$geoip2_data_country_code default=US country iso_code;
$geoip2_data_country_code default=US source=$remote_addr country iso_code;
$geoip2_data_country_name country names en;
}
# EX Ban China!
#map $geoip2_data_country_code $allowed_country {
# default yes;
# CN no;
#}
# =================== END GEIP ========================= #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== EXTRA ========================== #
# Don't Go with "Nginx Can Handle Everything" !
limit_conn_zone $server_name zone=max:1m;
limit_req_zone $binary_remote_addr zone=one:1m rate=1r/s;
# =================== END EXTRA ======================== #
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ==================== BACKENDS ======================== #
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Example Of Backend
#upstream varnish {
# zone tcp_servers 64k;
# server 10.10.10.39:80;
#}
# =================== END BACKENDS ===================== #
# ////////////////////////////////////////////////////// #
geoip2 /nginx/db/GeoLite2-City.mmdb {
$geoip2_data_city_name default=NA city names en;
$geoip2_data_zip default=NA postal code;
$geoip2_data_state default=NA subdivisions 0 names en;
}
# ================== END GEOIP ========================= #
# ////////////////////////////////////////////////////// #
# ==================== GENERAL ========================= #
client_body_buffer_size 1M;
client_header_buffer_size 1M;
client_body_timeout 90s;
client_header_timeout 90s;
client_max_body_size 2M;
keepalive_timeout 10s;
port_in_redirect off;
# ////////////////////////////////////////////////////// #
include /nginx/mime.types;
# ////////////////////////////////////////////////////// #
# ////////////////////////////////////////////////////// #
# ===================== LOGS =========================== #
log_format main '$remote_addr status: $status |==| $request |==| $time_local';
# -------------------------------------------------------#
log_format agent '$time_local - client: $remote_addr $status |==| $request |==| $http_user_agent';
# -------------------------------------------------------#
log_format full '$remote_addr |==| $remote_user |==| $time_local |==| $request |==| $status |==| $body_bytes_sent |==| $http_referer |==| $http_user_agent |==| $http_x_forwarded_for |==| $http_origin';
# -------------------------------------------------------#
log_format json escape=json '[{'
'"body_bytes_sent":"$body_bytes_sent",'
'"bytes_sent":"$bytes_sent",'
'"http_host":"$http_host",'
'"msec":"$msec",'
'"time_local":"$time_local",'
'"connection":"$connection",'
'"connection_requests":"$connection_requests",'
'"remote_addr":"$remote_addr",'
'"request_length":"$request_length",'
'"request_method":"$request_method",'
'"request_uri":"$request_uri",'
'"http_user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for",'
'"country_code":"$geoip2_data_country_code",'
'"server_port":"$server_port",'
'"server_protocol":"$server_protocol",'
'"ssl_protocol":"$ssl_protocol",'
'"status":"$status",'
'"upstream_response_time":"$upstream_response_time",'
'"upstream_addr":"$upstream_addr",'
'"upstream_connect_time":"$upstream_connect_time"'
'}]';
# =================== END LOGS========================== #
# ////////////////////////////////////////////////////// #
default_type application/octet-stream;
sendfile on;
server_names_hash_bucket_size 6969;
server_names_hash_max_size 6969;
resolver 8.8.8.8;
client_body_buffer_size 128k;
client_header_buffer_size 5M;
client_max_body_size 128M;
client_body_timeout 30s;
client_header_timeout 30s;
keepalive_timeout 30s;
open_file_cache max=200000 inactive=20s;
open_file_cache_errors on;
open_file_cache_min_uses 2;
open_file_cache_valid 30s;
reset_timedout_connection on;
send_timeout 30s;
port_in_redirect off;
server_name_in_redirect off;
server_tokens off;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 8.8.8.8 8.8.4.4;
default_type application/octet-stream;
include /nginx/mime.types;
# =================== END GENERAL ====================== #
# ////////////////////////////////////////////////////// #
# CloudFlare IPs
# List: https://www.cloudflare.com/ips-v4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# ////////////////////////////////////////////////////// #
# =================== LOAD CONFIGS ===================== #
include /nginx/live/*;
include /nginx/conf.d/*;
include /nginx/naxsi_core.rules;
# =================== END CONFIGS ====================== #
## Gzip Settings ##
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 5;
gzip_disable "msie6";
gzip_min_length 256;
gzip_proxied any;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/x-js
text/xml;
gzip_vary on;
include /nginx/live/*;
include /nginx/conf.d/*.conf;
# ////////////////////////////////////////////////////// #
}
static/raws/template
-55
View File
@@ -1,55 +0,0 @@
server {
listen 80;
root /hostdata/raws.com/public_html;
index index.html index.php;
server_name raws.com www.raws.com;
location / {
SecRulesEnabled;
LearningMode;
DeniedUrl "/denied/";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
access_log /hostdata/raws.com/logs/access.log main;
error_log /hostdata/raws.com/logs/error.log;
try_files $uri $uri/ =404;
}
location /denied/ {
return 444;
}
# =========================================
# PHPMYADMIN.
# =========================================
location /phpmyadmin {
root /hostdata/default/;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /hostdata/default/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /nginx/fastcgi_params;
}
}
# =========================================
# END PHPMYADMIN.
# =========================================
# =========================================
# PHP.
# =========================================
location ~ \.php {
try_files $uri /index.php =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /nginx/fastcgi_params;
}
# =========================================
# END PHP.
# =========================================
}
static/sysctl.conf
+18 -34
View File
@@ -1,35 +1,19 @@
vm.nr_hugepages = 128
net.ipv4.ip_forward = 0
vm.nr_hugepages = 0
vm.vfs_cache_pressure = 100
fs.file-max = 1000000
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#net.ipv4.conf.all.log_martians = 1
#net.ipv4.conf.default.log_martians = 1
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv4.conf.default.accept_source_route = 0
#net.ipv4.conf.all.rp_filter = 1
#net.ipv4.conf.default.rp_filter = 1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0
#net.ipv4.conf.all.secure_redirects = 0
#net.ipv4.conf.default.secure_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
#kernel.randomize_va_space = 1
#net.ipv6.conf.default.router_solicitations = 0
#net.ipv6.conf.default.accept_ra_rtr_pref = 0
#net.ipv6.conf.default.accept_ra_pinfo = 0
#net.ipv6.conf.default.accept_ra_defrtr = 0
#net.ipv6.conf.default.autoconf = 0
#net.ipv6.conf.default.dad_transmits = 0
#net.ipv6.conf.default.max_addresses = 1
#fs.file-max = 65535
#kernel.pid_max = 65536
#net.ipv4.ip_local_port_range = 2000 65000
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
net.ipv4.ip_local_port_range = 12000 65535
net.ipv4.tcp_window_scaling = 1
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 2000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_fin_timeout = 90
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
kernel.sched_autogroup_enabled = 0
static/vhost/default
-48
View File
@@ -1,48 +0,0 @@
server {
listen 80 default_server;
root /hostdata/default/public_html;
index index.html;
server_name localhost;
# ================================================
# LIMIT CONNECTION FOR IP / IPs WILL BE AUTO BANNED IF YOU HAVE INSTALL IPTABLES/FAIL2BAN
limit_conn max 800;
limit_req zone=one burst=300 nodelay;
# ================================================
# ================================================
# 1. Don't put log files into location / {..} it will not work as you think. Use like this.
# 2. If you change their name or location make sure you also change those https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L105-L118
access_log /hostdata/default/logs/access.log main;
error_log /hostdata/default/logs/error.log;
# ================================================
# ================================================
location / {
SecRulesEnabled;
LearningMode;
DeniedUrl "/denied/";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
try_files $uri $uri/ =404;
}
# ================================================
location /denied/ {
return 444;
}
# ================================================
location ~ \.php {
try_files $uri /index.php =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# ================================================
}