40 Commits

Author SHA1 Message Date
theraw 58746b68e9 Update nginx-reverse.yml 2019-04-25 06:55:50 +02:00
theraw 05a33f8a09 Update nginx-reverse.yml 2019-04-25 06:55:07 +02:00
theraw a380f57555 Update nginx-reverse.yml 2019-04-25 06:54:53 +02:00
theraw 961a4e3f1f Update nginx-reverse.yml 2019-04-25 06:42:47 +02:00
theraw 0bdcdce644 Update nginx-reverse.yml 2019-04-25 06:36:19 +02:00
theraw e48c8e57b8 Update README.md 2019-04-25 05:41:31 +02:00
theraw a6fcc8e5f3 Update README.md 2019-04-25 05:24:15 +02:00
theraw 890a8f21ba Update README.md 2019-04-25 05:23:44 +02:00
theraw c0e99809ae Update README.md 2019-04-25 05:23:30 +02:00
theraw ec00277e98 Create nginx-reverse.yml 2019-04-25 05:20:59 +02:00
theraw 80a31c4014 Delete error-report.md 2019-04-25 05:17:01 +02:00
theraw 5344f3d20f Delete feature_request.md 2019-04-25 05:16:54 +02:00
theraw 653e8fc16e Delete nginx.conf 2019-04-25 05:16:44 +02:00
theraw e75f633343 Delete nginx.service 2019-04-25 05:16:36 +02:00
theraw b667e720b1 Delete config 2019-04-25 05:16:29 +02:00
theraw 33042a80ce Delete install 2019-04-25 05:16:23 +02:00
theraw de837d48d7 Delete install 2019-04-25 05:15:37 +02:00
theraw 54b7610b83 Delete bot.conf 2019-04-25 05:15:19 +02:00
theraw 84e4d1353b Delete whitelist-ips.conf 2019-04-25 05:15:11 +02:00
theraw c79be05bb5 Delete install 2019-04-25 05:15:04 +02:00
theraw 55b5d53df8 Delete README.md 2019-04-25 05:14:56 +02:00
theraw a27f2b9ef2 Delete nginx.service 2019-04-25 05:14:50 +02:00
theraw 56b5cd4855 Delete nginx-ban.conf 2019-04-25 05:14:40 +02:00
theraw 7be59aedb3 Delete nginx-limits.conf 2019-04-25 05:14:34 +02:00
theraw b0997f76f2 Delete install 2019-04-25 05:14:26 +02:00
theraw 62ce627948 Delete jail.local 2019-04-25 05:14:20 +02:00
theraw 2036acaa2b Delete rules 2019-04-25 05:14:11 +02:00
theraw b416603327 Delete banlist.conf 2019-04-25 05:14:00 +02:00
theraw 8ffdce57ea Delete country.conf 2019-04-25 05:13:54 +02:00
theraw 203dae10b7 Delete index.html 2019-04-25 05:13:47 +02:00
theraw 25e6f5fdf9 Delete template 2019-04-25 05:13:38 +02:00
theraw f642bbd52b Delete aes.min.js 2019-04-25 05:13:30 +02:00
theraw c140e7ab56 Delete default 2019-04-25 05:13:24 +02:00
theraw 9179c69aeb Delete GeoLite2-Country.mmdb 2019-04-25 05:13:16 +02:00
theraw 09d0cfa7b6 Delete nbuild.sh 2019-04-25 05:13:09 +02:00
theraw b1d6586f08 Delete nginx.conf 2019-04-25 05:13:03 +02:00
theraw 155b972a48 Delete sysctl.conf 2019-04-25 05:12:57 +02:00
theraw 1b5b47670b Delete config 2019-04-25 05:12:44 +02:00
theraw 3963d8c199 Delete install 2019-04-25 05:12:34 +02:00
theraw cbc2dbe047 Update README.md 2019-04-25 05:11:19 +02:00
4 changed files with 37 additions and 167 deletions
+10 -101
@@ -1,122 +1,31 @@
# Nginx L7 DDoS Protection! :boom: :zap: # Nginx L7 DDoS Protection! :boom: :zap:
*(Please Read Whole Page, All Things Are Important Then If You Want You Can Use IT.)* *(Please Read Whole Page, All Things Are Important Then If You Want You Can Use IT.)*
# This is it!
There will be no other version of this PR, This is the only and one and the best that you can find for free where you can see/do/change anything on your will and not some encrypted piece of code! This is pure open source code as you can open any file and read anything, This script automatically compiles nginx from source with lots of modules helpful but mostly who play a big role in L7 Anti-DDoS, including the L7 nginx module which you can configure as simple as https://github.com/theraw/The-World-Is-Yours/issues/10#issuecomment-442579528 more then that consider a [Donate](https://github.com/theraw/The-World-Is-Yours/blob/master/.github/FUNDING.yml) and you can contact me for further support!
Summer is here, after that i may be working and i don't see having much of free time to play with nginx!
# To-Do # To-Do
- [x] Nginx Version, Always Latest. - [x] Nginx Version, Always Latest.
- [x] Support Ubuntu Trusty. (14.04) - [x] Support Ubuntu Trusty. (14.04)
- [x] Support Ubuntu Xenial. (16.04) - [x] Support Ubuntu Xenial. (16.04)
- [x] Support Ubuntu Cosmic. (18.10) - [x] Support Ubuntu Cosmic. (18.10)
- [ ] Support Debian.
- [ ] Support Centos.
- [x] Support Arch Linux. - [x] Support Arch Linux.
- [x] ModSecurity Support. - [x] ModSecurity Support.
- [x] Naxsi Support. - [x] Naxsi Support.
- [x] L7 Protection. - [x] L7 Protection.
- [x] AutoBan System. - [x] AutoBan System.
- [x] Integrate Fail2Ban > IpTables. - [x] Integrate Fail2Ban > IpTables.
- [ ] GUI ?
- [ ] Monitor requests in live time from browser.
- [ ] L7 Protection (TestCookie Module) Add Recaptcha!
- [ ] .....
# Installation # Installation
1. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`** 1. **`Install Docker in your linux server or windows server, the docker must support linux containers.`**
2. **`git clone https://github.com/theraw/The-World-Is-Yours.git`** 2. **`Install Docker composer https://github.com/Yelp/docker-compose/blob/master/docs/install.md`**
3. **`cd The-World-Is-Yours/; chmod +x *`** 3. **`curl -s > nginx-reverse.yml`**
4. **`./install`** 4. **`docker-composer -f nginx-reverse.yml up -d`**
# Informations.
**What if installation script fails?** - Check what was the problem source fix it (mostly should be for missing packages) then remove everything under /opt/ folder and just execute again ./install
```
=> /nginx/ = Nginx Path,
=> /nginx/live/ = Vhosts Config Files Dir,
=> /nginx/logs/ = Core Logs Files,
=> /nginx/modsecurity/ = ModSecurity Rules Dir,
=> /hostdata/ = Place to store your domain folders.
=> /hostdata/yourdomain.com/ = Ex of domain dir (private folder),
=> /hostdata/yourdomain.com/public_html/ = Ex of your domain webroot (public files only),
=> /hostdata/yourdomain.com/logs/ = Place where to store your Domains logs (access.log) (private folder),
=> /hostdata/yourdomain.com/ssl/ = Place where to store domain ssl/key (private folder),
=> /hostdata/yourdomain.com/cache/ = Place where to store site cache (private folder).
// Private Folder - Means this cannot be accessed by public.
// Public Folder - Means files into this folder can be accessed by public.
```
# Check.
1 . [L7 (Cookie Based Protection)](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L15-L42) AND [Replace "proxy2.dope.. links with yours click here to find aes](https://github.com/theraw/The-World-Is-Yours/tree/master/static/vhost) which should be stored on a external link or in a place where L7 is disabled because it will not work if you put it in main site dir!.
2 . [Auto Ban System](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L105-L111) based on [Connection for ip](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L72-L73)
3 . [Auto Ban 444 Reqs](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L113-L118) A day i've been under attack of multiple proxies, and even after they got banned they still was keep trying the same thing so when you ban someone when that ip tries to access your website that request will not go on `error.log` but in `access.log` so i created this rule to ban with iptables every request who have stauts `444` so nginx will not have to handle those.
4 . [Kernel Settings](https://github.com/theraw/The-World-Is-Yours/blob/master/static/sysctl.conf#L1-L34)
5 . [Naxsi Rules Included](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L118)
6 . [Example of Naxsi](https://github.com/theraw/The-World-Is-Yours/blob/master/static/vhost/default#L22-L29)
7 . [Check Iptables rules](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/rules) It will not be automatically enabled, because this changes based on providers in ovh it work in azure it doesn't work. so you need to manually activate iptables!
8 . ModSecurity is not loaded. However you need to set it up by yourself. you have a folder `/nginx/modsecurity/`
which ModSecurity rules are stored, open `/nginx/modsecurity/modsecurity.conf` add those
```bash
Include crs-setup.conf
Include rules/*.conf
```
ModSecurity is by default enabled as "detect only" you can turn it on always by doing this
```bash
SecRuleEngine On
```
Using modSecurity for your site
```bash
server {
.....
modsecurity on;
modsecurity_rules_file /nginx/modsecurity/modsecurity.conf;
location / {
.....
}
}
```
**Careful** Using modsec rules like
```
location / {
modsecurity_rules_file /nginx/modsecurity/modsecurity.conf;
}
```
it means that's enabled just for your main place `/` not for other dirs in your site ex `/admin/` (:
Test it!
`curl 'http://localhost/?q="><script>wanna hack</script>'`
```html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
# Keep In Mind.
The **L7 Protection** is the same way which **cloudflare** have that banner "Under Attack" A.K.A Cookie based authorization. Most of bots from where attacks will come doesn't support cookies so it will fail to access your site. (Test it by yourself to "curl http://yoursite.com" before you activate L7 and after you start L7 so you will understand better.)
The L7 protection is a good thing for your protection. But a very bad thing for your website seo!, As facebook/google/bing and all search engines will not be able to access your website anymore. There is a way to allow them but if you have 1 year free time to find all their ips go and try it. I've been thinking for a "reverse dns" whitelist but haven't done it so as of now it is like this.
# Contributors
Feel free to pull request or do a suggestion..
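Review bot: the new Installation steps in this hunk do not work as written. Step 3, `curl -s > nginx-reverse.yml`, has no URL, so curl prints its usage text and leaves an empty file; step 4 invokes `docker-composer`, but the binary is `docker-compose`; and step 2 links the install doc of a Yelp fork rather than the upstream docker/compose project. Supply the raw URL of the compose file, fix the binary name, and point at the official install docs. The same hunk also deletes everything that explained the protection itself (the L7 cookie check and where the aes script must be hosted, the fail2ban jails and the 444 ban rule, the iptables rules that had to be enabled by hand, the `SecRuleEngine On` and `Include` steps for ModSecurity and the per-location caveat, the SEO warning about search engines being blocked) while the To-Do list above still claims ModSecurity, Naxsi, L7 Protection and AutoBan as done. A user pulling `theraw/reversed:L7` now has no way to know which of these the image enables, how to tune them, or where the vhost, log and ssl directories moved, and the old README's point that this is readable source rather than an opaque artifact no longer holds for a prebuilt image. Either keep those sections and state the paths inside the image, or say plainly what the image preconfigures and how to override it.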
+27
@@ -0,0 +1,27 @@
version: '3.7'
services:
reverse:
container_name: reverse
ports:
- "0.0.0.0:80:80"
- "0.0.0.0:443:443"
image: "theraw/reversed:L7"
shm_size: '512MB'
privileged: true
restart: unless-stopped
networks:
reverse_net:
ipv4_address: 172.69.0.70
cap_add:
- "CAP_SYS_RESOURCE"
- "CAP_SYS_TIME"
networks:
reverse_net:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.69.0.0/16
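Review bot: `privileged: true` on the `reverse` service grants every capability, raw access to host devices and no seccomp or AppArmor confinement, which is far more than an nginx reverse proxy needs to bind 80 and 443; drop it, so that the `cap_add` block becomes the only grant. `CAP_SYS_TIME` should go as well: nginx never sets the clock, and the capability lets a compromised worker change the host's time (and with it log timestamps and certificate validity checks). `CAP_SYS_RESOURCE` is only justified if the image raises its own rlimits at start; if so, a compose `ulimits:` entry is the narrower way to provide them. `image: "theraw/reversed:L7"` is a mutable tag with no digest, so each `up -d` may pull different content; pin it as `theraw/reversed@sha256:<digest>` of a reviewed build, or publish the Dockerfile so users can build it themselves. There are no `volumes:`, so TLS keys, vhost configs and the access logs the ban rules depend on live only in the container and vanish on recreate; mount them explicitly. Finally, publishing `0.0.0.0:80:80` is correct for a reverse proxy, but Docker inserts its own forwarding rules for published ports, so any host-side iptables or fail2ban bans carried over from the old setup must be placed in the DOCKER-USER chain to take effect.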
-61
@@ -1,61 +0,0 @@
version: '3.7'
services:
nginx:
container_name: nginx
ports:
- "0.0.0.0:80-9000:80-9000"
image: ""
shm_size: '512MB'
privileged: true
restart: unless-stopped
networks:
nginx_net:
ipv4_address: 172.22.0.22
dns:
- "8.8.8.8"
- "8.8.4.4"
ulimits:
nproc: 65535
cap_add:
- "ALL"
volumes:
- /dopesrv/nginx:/nginx
- /dopesrv/etc:/etc
- /dopesrv/opt:/opt
- /dopesrv/home:/home
- /dopesrv/root:/root
- /dopesrv/var:/var
db:
container_name: db
image: 'mariadb:latest'
shm_size: '512MB'
privileged: true
restart: unless-stopped
ports:
- '3306:3306'
networks:
nginx_net:
ipv4_address: 172.22.0.33
dns:
- "8.8.8.8"
- "8.8.4.4"
ulimits:
nproc: 65535
cap_add:
- "ALL"
environment:
MYSQL_ROOT_PASSWORD: '67WxFgoz1M'
MYSQL_DATABASE: 'nginx'
MYSQL_USER: 'dopeuser'
MYSQL_PASSWORD: '67WxFgoz1M'
volumes:
- /dopesrv/var/lib/mysql:/var/lib/mysql
networks:
nginx_net:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.22.0.0/16
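Review bot: the deleted file carried a live credential, `MYSQL_ROOT_PASSWORD: '67WxFgoz1M'`, reused verbatim as `MYSQL_PASSWORD`, and removing the file does not remove it from history: this diff still shows it and it stays readable in every clone. Treat the password as compromised and rotate it on any host where this compose file was ever run; if the repository must stop exposing it, rewrite history (git filter-repo or BFG) and force-push in addition to this deletion, and keep future secrets in an `env_file` that is gitignored. The rest of the removal is right: the file published `3306:3306` on all interfaces (the database reachable from the internet with that password), mapped the range `80-9000` (8,921 host ports) and bind-mounted the host's `/etc`, `/root`, `/var`, `/home` and `/opt` into a `privileged: true` container with `cap_add: ALL`, which amounts to root on the host. The replacement compose file should not reintroduce any of these.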
-5
@@ -1,5 +0,0 @@
<html>
<center><h1>NGINX-AS-WEB-FIREWALL Default Page!?</h1></center>
<center><h2>If you can see this that means your installation was successful!</h2></center>
<center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center>
</html>