From c9126e13054d2cb2d958b2568c9d865e55a91673 Mon Sep 17 00:00:00 2001
From: William Leighton Dawson
Date: Mon, 16 Oct 2023 16:27:26 +0200
Subject: [PATCH] Add persistent HTTP token path blocking to nginx
---
 certbot-nginx/Dockerfile | 1 +
 certbot-nginx/conf.d/blocked_tokens.conf | 6 ++++++
 certbot-nginx/nginx.conf | 3 +++
 docker-compose-v3-letsencrypt.yml | 1 +
 docker-compose-v3.yml | 2 ++
 nginx/Dockerfile | 1 +
 nginx/conf.d/blocked_tokens.conf | 6 ++++++
 nginx/nginx.conf | 4 ++++
 8 files changed, 24 insertions(+)
 create mode 100644 certbot-nginx/conf.d/blocked_tokens.conf
 create mode 100644 nginx/conf.d/blocked_tokens.conf
diff --git a/certbot-nginx/Dockerfile b/certbot-nginx/Dockerfile
index 25d520b..d185e67 100644
--- a/certbot-nginx/Dockerfile
+++ b/certbot-nginx/Dockerfile
@@ -9,5 +9,6 @@ RUN apt-get update && apt-get install -y \
 python3-certbot-nginx
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/blocked_tokens.conf /etc/nginx/conf.d/blocked_tokens.conf
 COPY start.sh /
 CMD /start.sh
diff --git a/certbot-nginx/conf.d/blocked_tokens.conf b/certbot-nginx/conf.d/blocked_tokens.conf
new file mode 100644
index 0000000..2cb8598
--- /dev/null
+++ b/certbot-nginx/conf.d/blocked_tokens.conf
@@ -0,0 +1,6 @@
+# To block a token:
+ # location ^~ /token_path_prefix_to_block {
+ # access_log off;
+ # log_not_found off;
+ # return 444;
+ # }
diff --git a/certbot-nginx/nginx.conf b/certbot-nginx/nginx.conf
index 602285c..81daa48 100644
--- a/certbot-nginx/nginx.conf
+++ b/certbot-nginx/nginx.conf
@@ -21,6 +21,9 @@ http {
 include /etc/nginx/mime.types;
 server_tokens off;
+ # Import blocked tokens
+ include /etc/nginx/conf.d/*.conf;
+
 location ^~ /.well-known/acme-challenge {
 proxy_pass http://nginx:80;
 proxy_set_header Host $host;
diff --git a/docker-compose-v3-letsencrypt.yml b/docker-compose-v3-letsencrypt.yml
index e94d9e5..512ce4c 100644
--- a/docker-compose-v3-letsencrypt.yml
+++ b/docker-compose-v3-letsencrypt.yml
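Review bot: The template added as certbot-nginx/conf.d/blocked_tokens.conf (and byte-identically as nginx/conf.d/blocked_tokens.conf) puts `access_log off;` inside the blocking location, so once a token path is blocked nothing records whether it is still being requested. For detection it is usually more useful to keep a trail of hits on blocked paths, e.g. `access_log /var/log/nginx/blocked.log;` (example path) in place of `access_log off;`, while `return 444;` still closes the connection without a response. The file also does not say that nginx only reads it at start-up and on reload, which matters because the compose files bind-mount this directory, presumably so the list can be edited without rebuilding the image; a first line such as `# Edits take effect after: nginx -t && nginx -s reload` would make that explicit. Because `^~` is a prefix match and the longest matching prefix wins regardless of order, the comment should also warn that a short prefix (`/` at the extreme) captures far more than one token path.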
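Review bot: The added `include /etc/nginx/conf.d/*.conf;` sits inside a `server` block (its sibling is `location ^~ /.well-known/acme-challenge`, even though the hunk header shows `http {`), so every `.conf` file in that directory is parsed in server context; nginx/nginx.conf gets the same wildcard at the same depth. Any file that lands there with `server`- or `http`-level directives makes `nginx -t` fail with "directive is not allowed here" and the proxy will not come up on the next restart — as far as I know the official `nginx` base image used by nginx/Dockerfile ships exactly such a `default.conf` in /etc/nginx/conf.d/, which is only hidden today because the compose files bind-mount `./nginx/conf.d` over the directory. Including only the file this commit introduces, `include /etc/nginx/conf.d/blocked_tokens.conf;`, or a narrower pattern such as `include /etc/nginx/conf.d/blocked_*.conf;`, limits what can be pulled into the server block to the block list itself. The enclosing server block starts and ends outside the hunk.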
@@ -58,5 +58,6 @@ services:
 - certbot.env
 volumes:
 - /etc/letsencrypt/:/etc/letsencrypt/
+ - ./nginx/conf.d:/etc/nginx/conf.d/
 volumes:
 log-volume:
diff --git a/docker-compose-v3.yml b/docker-compose-v3.yml
index a11d948..55346a1 100644
--- a/docker-compose-v3.yml
+++ b/docker-compose-v3.yml
@@ -52,6 +52,8 @@ services:
 depends_on:
 - "frontend"
 - "switchboard"
+ volumes:
+ - ./nginx/conf.d:/etc/nginx/conf.d/
 container_name: nginx
 command: /usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"
 volumes:
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 8fd9533..21667d7 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -2,3 +2,4 @@ FROM nginx
 MAINTAINER Marco Slaviero
 LABEL Description="This image provides the http proxy for Canarytokens" Vendor="Thinkst Applied Research" Version="1.3"
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/blocked_tokens.conf /etc/nginx/conf.d/blocked_tokens.conf
diff --git a/nginx/conf.d/blocked_tokens.conf b/nginx/conf.d/blocked_tokens.conf
new file mode 100644
index 0000000..2cb8598
--- /dev/null
+++ b/nginx/conf.d/blocked_tokens.conf
@@ -0,0 +1,6 @@
+# To block a token:
+ # location ^~ /token_path_prefix_to_block {
+ # access_log off;
+ # log_not_found off;
+ # return 444;
+ # }
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index e1e4d71..cb11dbb 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -29,6 +29,10 @@ http {
 client_max_body_size 50M;
 listen 80;
 server_name _;
+
+ # Import blocked tokens
+ include /etc/nginx/conf.d/*.conf;
+
 # Proxying connections to application servers
 location = / {
 proxy_pass http://frontend:8082/;
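Review bot: The new bind mount `./nginx/conf.d:/etc/nginx/conf.d/` is read-write, but nginx only reads this directory, so it should be mounted read-only — `- ./nginx/conf.d:/etc/nginx/conf.d/:ro` — both here and in the matching hunk of docker-compose-v3.yml; with the wildcard include now in nginx.conf, anything a process in the container could write into that directory becomes live server configuration on the next reload, and `:ro` removes that path. This service appears to be the certbot-nginx one (it takes `certbot.env` and `/etc/letsencrypt/`), yet it mounts `./nginx/conf.d`, which hides the `certbot-nginx/conf.d/blocked_tokens.conf` copy that certbot-nginx/Dockerfile installs into the image. If both proxies are meant to share one block list, a single copy of the file and a comment on the mount saying so would stop the two directories drifting apart.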