From a702914f20e21807f1490e9800e0bddc169fec0b Mon Sep 17 00:00:00 2001
From: Brett <brett@kowh.ai>
Date: Fri, 2 Jun 2023 10:34:36 +0200
Subject: [PATCH] harden NGINX config

---
 nginx/Dockerfile         | 17 +++++++++--
 nginx/setup/default.conf | 24 +++++++++++----
 nginx/setup/nginx.conf   | 64 +++++++++++++++++++++++++++++++++++++---
 3 files changed, 94 insertions(+), 11 deletions(-)

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 8abad79..4efef3f 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -2,11 +2,24 @@ FROM nginx:stable-alpine
 
 ENV NGINX_DIR=/etc/nginx
 
+RUN apk update --no-cache && \
+    apk upgrade --no-cache && \
+    apk add --no-cache openssl
+
 COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf
 COPY setup/index.html /usr/share/nginx/html/index.html
 COPY setup/default.conf ${NGINX_DIR}/conf.d/
 
 RUN mkdir -p ${NGINX_DIR}/certs
-COPY setup/ckan-local.* ${NGINX_DIR}/certs/
 
-EXPOSE 81
\ No newline at end of file
+EXPOSE 81
+
+ENTRYPOINT \
+  openssl req \
+    -subj '/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost' \
+    -x509 -newkey rsa:4096 \
+    -nodes -keyout /etc/nginx/ssl/default_key.pem \
+    -keyout ${NGINX_DIR}/certs/ckan-local.key \
+    -out ${NGINX_DIR}/certs/ckan-local.crt \
+    -days 365 && \
+  nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/nginx/setup/default.conf b/nginx/setup/default.conf
index 17e9cc1..5406109 100644
--- a/nginx/setup/default.conf
+++ b/nginx/setup/default.conf
@@ -6,6 +6,18 @@ server {
     server_name  localhost;
     ssl_certificate /etc/nginx/certs/ckan-local.crt;
     ssl_certificate_key /etc/nginx/certs/ckan-local.key;
+    
+    # TLS 1.2 & 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # Disable weak ciphers
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+    # SSL sessions
+    ssl_session_timeout 1d;
+    # ssl_session_cache dfine in stream and http
+    ssl_session_tickets off;
 
     #access_log  /var/log/nginx/host.access.log  main;
 
@@ -20,13 +32,15 @@ server {
         proxy_cache_key $host$scheme$proxy_host$request_uri;
     }
 
-    error_page  404              /404.html;
+    error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;
 
-    # redirect server error pages to the static page /50x.html
+    # redirect server error pages to the static page /error.html
     #
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
+    location = /error.html {
+      ssi on;
+      internal;
+      auth_basic off;
+      root /usr/share/nginx/html;
     }
 
 }
\ No newline at end of file
diff --git a/nginx/setup/nginx.conf b/nginx/setup/nginx.conf
index b14c5be..ddc819c 100644
--- a/nginx/setup/nginx.conf
+++ b/nginx/setup/nginx.conf
@@ -22,14 +22,70 @@ http {
     access_log  /var/log/nginx/access.log  main;
 
     sendfile        on;
-    #tcp_nopush     on;
-
+    tcp_nopush     on;
+    tcp_nodelay  on;
+    types_hash_max_size 2048;
     keepalive_timeout  65;
 
-    #gzip  on;
+    # Don't expose Nginx version
+    server_tokens off;
+
+    # Prevent clickjacking attacks
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    # Mitigate Cross-Site scripting attack
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Enable gzip encryption
+    gzip  on;
     
     proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
     proxy_temp_path /tmp/nginx_proxy 1 2;
 
     include /etc/nginx/conf.d/*.conf;
-}
\ No newline at end of file
+
+    # Error status text
+    map $status $status_text {
+      400 'Bad Request';
+      401 'Unauthorized';
+      402 'Payment Required';
+      403 'Forbidden';
+      404 'Not Found';
+      405 'Method Not Allowed';
+      406 'Not Acceptable';
+      407 'Proxy Authentication Required';
+      408 'Request Timeout';
+      409 'Conflict';
+      410 'Gone';
+      411 'Length Required';
+      412 'Precondition Failed';
+      413 'Payload Too Large';
+      414 'URI Too Long';
+      415 'Unsupported Media Type';
+      416 'Range Not Satisfiable';
+      417 'Expectation Failed';
+      418 'I\'m a teapot';
+      421 'Misdirected Request';
+      422 'Unprocessable Entity';
+      423 'Locked';
+      424 'Failed Dependency';
+      425 'Too Early';
+      426 'Upgrade Required';
+      428 'Precondition Required';
+      429 'Too Many Requests';
+      431 'Request Header Fields Too Large';
+      451 'Unavailable For Legal Reasons';
+      500 'Internal Server Error';
+      501 'Not Implemented';
+      502 'Bad Gateway';
+      503 'Service Unavailable';
+      504 'Gateway Timeout';
+      505 'HTTP Version Not Supported';
+      506 'Variant Also Negotiates';
+      507 'Insufficient Storage';
+      508 'Loop Detected';
+      510 'Not Extended';
+      511 'Network Authentication Required';
+      default 'Something is wrong';
+    }
+}