Update nginx-reverse.yml

README.md

@@ -1,116 +1,58 @@
 # Nginx L7 DDoS Protection! :boom: :zap:
 *(Please Read Whole Page, All Things Are Important Then If You Want You Can Use IT.)*
 
-# This is it!
-There will be no other version of this PR, This is the only and one and the best that you can find for free where you can see/do/change anything on your will and not some encrypted piece of code! This is pure open source code as you can open any file and read anything, This script automatically compiles nginx from source with lots of modules helpful but mostly who play a big role in L7 Anti-DDoS, including the L7 nginx module which you can configure as simple as https://github.com/theraw/The-World-Is-Yours/issues/10#issuecomment-442579528 more then that consider a [Donate](https://github.com/theraw/The-World-Is-Yours/blob/master/.github/FUNDING.yml) and you can contact me for further support!
-
-Summer is here, after that i may be working and i don't see having much of free time to play with nginx!
-
 # To-Do
 
-- [x] Nginx Version, Always Latest.
+- [x] Nginx V. each 10th release, current 1.60.0, next repo release 1.70.0!
-- [x] Support Ubuntu Trusty. (14.04)
+- [x] Support Ubuntu Bionic. (18.04)
-- [x] Support Ubuntu Xenial. (16.04)
-- [x] Support Ubuntu Cosmic. (18.10)
-- [x] Support Arch Linux.
 - [x] ModSecurity Support.
 - [x] Naxsi Support.
 - [x] L7 Protection.
 - [x] AutoBan System.
 - [x] Integrate Fail2Ban > IpTables.
+- [-] L7 Protection (TestCookie Module) Add Recaptcha!
+- [-/x] [Suggestions](https://github.com/theraw/The-World-Is-Yours/issues)
+
+# Q/A
+-- Why are only latest distros supported and not some distro like Ubuntu 14.04?!
+
+-- *Actually i'm a big fan of ubuntu 14.04 and some more old distros however, we should move with technology and be up to date, example for ubuntu 14.04 there are no security releases anymore furthermore one day it will be forgotten like ubuntu 12 or something else and so we should move with time*
+
+-- What knowledge should i have to be able to run nginx L7 properly?!
+
+-- *You should have at last basic knowledge about Nginx + Iptables and some docker, most of rules here will be premade that's why i'm creating a docker container so everything will come build-in and you'll not have to compile everything to avoid problems on set-up.*
+
+-- How much can this set-up protect my website?
+
+-- *This script is mostly meant for Layer 7 Attacks, However example if someone break some rule the ip from where this offence came will be banned by iptables for a perioid of time, now here is where your server provider plays a big role, when you ban a ip with iptables your provider should be able to handle that ban, there are many providers who claim that they can handle this but based on amount of attack not all can handle it so i've been using ovh all this time and i never had a problem about this.*
+
+-- How much resources do i need for this?
+
+-- *Actually that's based on kind of attack however i have run this setup even on a 1 Core 2.4Ghz, 4GB RAM, 40GB SSD, 100Mbps and everything has went well because i have the knowledge to optimize most of things and take care for everything, but i cannot deny that there were cases in big attacks where my webserver has went offline because of high cpu usage, so at that case i've shut down nginx i've filter and ban IPs from where attack came and i've been able to start nginx back all this happend in case of minutes... However as i said resources are more based on kind of attack because nginx uses multi-thread if you are using this setup for some company website or something really important i highly suggest you take someone who has really knowledge about those things so he/she can give you the best suggestion for how much resources you need and how to properly protect your website against L7 attacks*
+
+-- Can i hire you?
+
+-- *Yes, I can set this up however you want single server or load balancing + multi-backend, cache or no cache + varnish cache, company or a simple blog, I'm not that kind of person that just comes and says you "activate cloudflare" cloudflare claims to have protection against attack and maybe they do but i still see them only as a good DNS provider nothing else!  And if i fail on it you'll not pay anything! raw@dope.al*
 
 # Installation
+For each new system ubuntu, centos or whatever your distro may be you need a update/upgrade then do one reboot! So outdates packages will be up to date your kernel will be up to date and not needed files will get removed.
 
-1. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`**
+X. **`Ubuntu`**
 
-2. **`git clone https://github.com/theraw/The-World-Is-Yours.git`**
+1. **`apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; shutdown -r now`**
 
-3. **`cd The-World-Is-Yours/; chmod +x *`**
+2. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`**
 
-4. **`./install`**
+3. **[Install Docker](https://docs.docker.com/install/linux/docker-ce/ubuntu/)**
+
+4. **[Install Docker-Composer](https://github.com/docker/compose/releases) use latest version > execute provided cmds**
+
+5. **`curl -s https:// > nginx.yml`**
+
+6. **`docker-compose -f nginx.yml up -d`**
 
 
-# Informations.
 
-**What if installation script fails?** - Check what was the problem source fix it (mostly should be for missing packages) then remove everything under /opt/ folder and just execute again ./install
-
-```
-=> /nginx/                                = Nginx Path,
-=> /nginx/live/                           = Vhosts Config Files Dir,
-=> /nginx/logs/                           = Core Logs Files,
-=> /nginx/modsecurity/                    = ModSecurity Rules Dir,
-=> /hostdata/                             = Place to store your domain folders.
-=> /hostdata/yourdomain.com/              = Ex of domain dir (private folder),
-=> /hostdata/yourdomain.com/public_html/  = Ex of your domain webroot (public files only),
-=> /hostdata/yourdomain.com/logs/         = Place where to store your Domains logs (access.log) (private folder),
-=> /hostdata/yourdomain.com/ssl/          = Place where to store domain ssl/key (private folder),
-=> /hostdata/yourdomain.com/cache/        = Place where to store site cache (private folder).
-
-// Private Folder - Means this cannot be accessed by public.
-// Public Folder  - Means files into this folder can be accessed by public.
-```
-
-
-# Check.
-
-1 . [L7 (Cookie Based Protection)](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L15-L42) AND [Replace "proxy2.dope.. links with yours click here to find aes](https://github.com/theraw/The-World-Is-Yours/tree/master/static/vhost) which should be stored on a external link or in a place where L7 is disabled because it will not work if you put it in main site dir!.
-
-2 . [Auto Ban System](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L105-L111) based on [Connection for ip](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L72-L73)
-
-3 . [Auto Ban 444 Reqs](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L113-L118) A day i've been under attack of multiple proxies, and even after they got banned they still was keep trying the same thing so when you ban someone when that ip tries to access your website that request will not go on `error.log` but in `access.log` so i created this rule to ban with iptables every request who have stauts `444` so nginx will not have to handle those.
-
-4 . [Kernel Settings](https://github.com/theraw/The-World-Is-Yours/blob/master/static/sysctl.conf#L1-L34)
-
-5 . [Naxsi Rules Included](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L118)
-
-6 . [Example of Naxsi](https://github.com/theraw/The-World-Is-Yours/blob/master/static/vhost/default#L22-L29)
-
-7 . [Check Iptables rules](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/rules) It will not be automatically enabled, because this changes based on providers in ovh it work in azure it doesn't work. so you need to manually activate iptables!
-
-8 . ModSecurity is not loaded. However you need to set it up by yourself. you have a folder `/nginx/modsecurity/`
-which ModSecurity rules are stored, open `/nginx/modsecurity/modsecurity.conf` add those
-
-```bash
-Include crs-setup.conf
-Include rules/*.conf
-```
-ModSecurity is by default enabled as "detect only" you can turn it on always by doing this
-
-```bash
-SecRuleEngine On
-```
-
-Using modSecurity for your site
-```bash
-server { 
-     ..... 
-        modsecurity on;
-        modsecurity_rules_file /nginx/modsecurity/modsecurity.conf; 
-        location / { 
-     ..... 
-        } 
-}
-```
-**Careful** Using modsec rules like
-```
-   location / { 
-       modsecurity_rules_file /nginx/modsecurity/modsecurity.conf; 
-   } 
-```
-it means that's enabled just for your main place `/` not for other dirs in your site ex `/admin/` (:
-
-
-Test it!
-`curl 'http://localhost/?q="><script>wanna hack</script>'`
-```html
-<html>
-<head><title>403 Forbidden</title></head>
-<body bgcolor="white">
-<center><h1>403 Forbidden</h1></center>
-<hr><center>nginx</center>
-</body>
-</html>
-```
 
 # Keep In Mind.
 The **L7 Protection** is the same way which **cloudflare** have that banner "Under Attack" A.K.A Cookie based authorization. Most of bots from where attacks will come doesn't support cookies so it will fail to access your site. (Test it by yourself to "curl http://yoursite.com" before you activate L7 and after you start L7 so you will understand better.)

install

@@ -0,0 +1,38 @@
+#!/bin/bash
+case "`grep DISTRIB_CODENAME /etc/*-release | awk -F '=' '{print $2}'`" in
+      bionic)
+             if [ "$(whoami)" != "root" ]
+             then
+                 echo "You should Login as root to use this script!";
+                 echo "May you already have access for sudo, but this script has no sudo before his commands so please switch";
+                 echo "sudo -i";
+                 exit 1
+             fi
+
+             if [ -d "/nginx/" ]; then
+                 echo "We've detect a folder '/nginx/' which means"
+                 echo "Maybe you have use this script before!"
+                 echo "You can fix this by executing!"
+                 echo "./clean"
+                 exit 1
+             fi
+
+             if [ -d "/etc/nginx" ]; then
+                 echo "We've detect a folder '/etc/nginx' which means"
+                 echo "May you've already installed nginx what's important is that for this installation we need port :80 free"
+                 echo "So please remove nginx or disable it with"
+                 echo "service nginx stop"
+                 echo "systemctl disable nginx"
+                 exit 1
+             fi
+
+             if [ -d "/etc/apache2" ]; then
+                 echo "We've detect a folder '/etc/apache2/' which means"
+                 echo "May you've already installed apache2 what's important is that for this installation we need port :80 free"
+                 echo "So please remove apache2 or disable it with"
+                 echo "service apache2 stop"
+                 echo "systemctl disable apache2"
+                 exit 1
+             fi
+      ;;
+esac

nginx-reverse.yml

@@ -0,0 +1,35 @@
+version: '3.7'
+services:
+  nginx:
+    container_name: nginx
+    ports:
+     - "0.0.0.0:80:80"
+     - "0.0.0.0:443:443"
+    image: "theraw/the-world-is-yours:nginx"
+    shm_size: '512MB'
+    privileged: true
+    restart: unless-stopped
+    networks:
+      nginx_net:
+        ipv4_address: 172.69.0.70
+    dns:
+     - "1.1.1.1"
+     - "1.1.0.0"
+    ulimits:
+     nproc: 65535
+    cap_add:
+     - "CAP_SYS_RESOURCE"
+     - "CAP_SYS_TIME"
+    volumes:
+       - /nginx:/nginx
+       - /hostdata:/hostdata
+
+networks:
+  nginx_net:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "false"
+    ipam:
+      driver: default
+      config:
+      - subnet: 172.69.0.0/16

setup

@@ -1,61 +0,0 @@
-version: '3.7'
-services:
-  nginx:
-    container_name: nginx
-    ports:
-     - "0.0.0.0:80-9000:80-9000"
-    image: ""
-    shm_size: '512MB'
-    privileged: true
-    restart: unless-stopped
-    networks:
-      nginx_net:
-        ipv4_address: 172.22.0.22
-    dns:
-     - "8.8.8.8"
-     - "8.8.4.4"
-    ulimits:
-     nproc: 65535
-    cap_add:
-     - "ALL"
-    volumes:
-      - /dopesrv/nginx:/nginx
-      - /dopesrv/etc:/etc
-      - /dopesrv/opt:/opt
-      - /dopesrv/home:/home
-      - /dopesrv/root:/root
-      - /dopesrv/var:/var
-  db:
-    container_name: db
-    image: 'mariadb:latest'
-    shm_size: '512MB'
-    privileged: true
-    restart: unless-stopped
-    ports:
-      - '3306:3306'
-    networks:
-      nginx_net:
-        ipv4_address: 172.22.0.33
-    dns:
-     - "8.8.8.8"
-     - "8.8.4.4"
-    ulimits:
-     nproc: 65535
-    cap_add:
-     - "ALL"
-    environment:
-      MYSQL_ROOT_PASSWORD: '67WxFgoz1M'
-      MYSQL_DATABASE: 'nginx'
-      MYSQL_USER: 'dopeuser'
-      MYSQL_PASSWORD: '67WxFgoz1M'
-    volumes:
-      - /dopesrv/var/lib/mysql:/var/lib/mysql
-networks:
-  nginx_net:
-    driver: bridge
-    driver_opts:
-      com.docker.network.enable_ipv6: "false"
-    ipam:
-      driver: default
-      config:
-      - subnet: 172.22.0.0/16

static/html/index.html

@@ -1,5 +0,0 @@
-<html>
-<center><h1>NGINX-AS-WEB-FIREWALL Default Page!?</h1></center>
-<center><h2>If you can see this that means your installation was successful!</h2></center>
-<center><h2>Thank You For Using This Project, For Issues or suggestion Post them on <a href="https://github.com/theraw/The-World-Is-Yours" target="_blank">(Github)</a></h2></center>
-</html>