
Add persistent HTTP token path blocking to nginx
wleightond committed Oct 16, 2023
1 parent 75203c1 commit c9126e1
Showing 8 changed files with 24 additions and 0 deletions.
1 change: 1 addition & 0 deletions certbot-nginx/Dockerfile
Expand Up @@ -9,5 +9,6 @@ RUN apt-get update && apt-get install -y \
python3-certbot-nginx

COPY nginx.conf /etc/nginx/nginx.conf
COPY conf.d/blocked_tokens.conf /etc/nginx/conf.d/blocked_tokens.conf
COPY start.sh /
CMD /start.sh
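--- a/certbot-nginx/conf.d/blocked_tokens.conf
+++ b/certbot-nginx/conf.d/blocked_tokens.conf
@@ -0,0 +1,6 @@
+# To block a token:
+# location ^~ /token_path_prefix_to_block {
+# access_log off;
+# log_not_found off;
+# return 444;
+# }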
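Review bot: The template tells a reader what to paste but not that nginx only picks the change up on reload; add a comment such as `# After editing, run: nginx -s reload (or restart the container)` so an operator does not assume a newly blocked token is live while the old configuration is still loaded. The comment should also state that `^~` is a prefix match, so `/token_path_prefix_to_block` also blocks every path beneath it, and that `access_log off` means blocked hits leave no trace in the access log — both look intended here but are worth saying. The identical file at nginx/conf.d/blocked_tokens.conf needs the same comments.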
3 changes: 3 additions & 0 deletions certbot-nginx/nginx.conf
Expand Up @@ -21,6 +21,9 @@ http {
include /etc/nginx/mime.types;
server_tokens off;

# Import blocked tokens
include /etc/nginx/conf.d/*.conf;

location ^~ /.well-known/acme-challenge {
proxy_pass http://nginx:80;
proxy_set_header Host $host;
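Review bot: The new `include /etc/nginx/conf.d/*.conf;` under `# Import blocked tokens` sits inside a server block (the `location ^~ /.well-known/acme-challenge` that follows is at the same nesting), so every `.conf` in that directory is parsed in server context, and a file carrying its own `server { }` block — such as the `default.conf` the stock nginx image ships in that directory — would make nginx reject the configuration at startup. nginx/nginx.conf makes the same include inside its server block, and nginx/Dockerfile builds `FROM nginx`; the compose bind mount hides the image's copy of the directory, but an image run without that mount hits this. Either remove the stock file in nginx/Dockerfile, `RUN rm -f /etc/nginx/conf.d/default.conf`, or include a dedicated directory (for example `/etc/nginx/blocked/*.conf`) that nothing else writes to. A glob that matches no file is accepted by nginx, so an empty directory is fine; the enclosing server block starts and ends outside the hunk.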
1 change: 1 addition & 0 deletions docker-compose-v3-letsencrypt.yml
Expand Up @@ -58,5 +58,6 @@ services:
- certbot.env
volumes:
- /etc/letsencrypt/:/etc/letsencrypt/
- ./nginx/conf.d:/etc/nginx/conf.d/
volumes:
log-volume:
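Review bot: The bind mount `- ./nginx/conf.d:/etc/nginx/conf.d/` is read-write, so the proxy container can alter the files that decide which token paths it blocks; mount it `- ./nginx/conf.d:/etc/nginx/conf.d/:ro` so the block list can only change from the host. The same mount added in docker-compose-v3.yml should get the same flag. Note also that the mount overlays the directory the Dockerfiles COPY blocked_tokens.conf into, so the template in the image is never seen by a running container, and if `./nginx/conf.d` is absent on the host Docker will typically create it empty, which nginx accepts as "no blocked tokens". The service definition continues outside the hunk.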
2 changes: 2 additions & 0 deletions docker-compose-v3.yml
Expand Up @@ -52,6 +52,8 @@ services:
depends_on:
- "frontend"
- "switchboard"
volumes:
- ./nginx/conf.d:/etc/nginx/conf.d/
container_name: nginx
command: /usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"
volumes:
1 change: 1 addition & 0 deletions nginx/Dockerfile
Expand Up @@ -2,3 +2,4 @@ FROM nginx
MAINTAINER Marco Slaviero <[email protected]>
LABEL Description="This image provides the http proxy for Canarytokens" Vendor="Thinkst Applied Research" Version="1.3"
COPY nginx.conf /etc/nginx/nginx.conf
COPY conf.d/blocked_tokens.conf /etc/nginx/conf.d/blocked_tokens.conf
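--- a/nginx/conf.d/blocked_tokens.conf
+++ b/nginx/conf.d/blocked_tokens.conf
@@ -0,0 +1,6 @@
+# To block a token:
+# location ^~ /token_path_prefix_to_block {
+# access_log off;
+# log_not_found off;
+# return 444;
+# }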
4 changes: 4 additions & 0 deletions nginx/nginx.conf
Expand Up @@ -29,6 +29,10 @@ http {
client_max_body_size 50M;
listen 80;
server_name _;

# Import blocked tokens
include /etc/nginx/conf.d/*.conf;

# Proxying connections to application servers
location = / {
proxy_pass http://frontend:8082/;
