.
nginx Docker image safe by default.
Prevent the trouble of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you do not need to do it yourself.
Non-exhaustive list of features:.
HTTPS support with transparent Let’s Encrypt automation.
State-of-the-art web security: HTTP security headers, avoid leaks, TLS hardening, …
Integrated ModSecurity WAF with the OWASP Core Guideline Set.
Automatic restriction of unusual behaviors with fail2ban.
Antibot difficulty through cookie, javascript, captcha or recaptcha v3.
Block TOR, proxies, bad user-agents, countries, …
Block known bad IP with DNSBL and CrowdSec.
Prevent bruteforce attacks with rate restricting.
Identify bad files with ClamAV.
Easy to set up with environment variables.
Deceiving automated tools/scanners:.
bunkerized-nginx.
Table of contents.
Live demo.
Quickstart guide.
Run HTTP server with default settings.
In combination with PHP.
Run HTTPS server with automated Let’s Encrypt.
Behind a reverse proxy.
As a reverse proxy.
Antibot obstacle.
Tutorials and examples.
List of environment variables.
nginx.
Misc.
Details leakage.
Customized mistake pages.
HTTP standard authentication.
Reverse proxy.
HTTPS.
Let’s Secure.
HTTP.
Custom certificate.
Self-signed certificate.
Misc.
ModSecurity.
Security headers.
Blocking.
Antibot.
External blacklist.
DNSBL.
CrowdSec.
Custom whitelisting.
Custom-made blacklisting.
Requests restricting.
Nations.
PHP.
Fail2ban.
ClamAV.
Misc.
Create your own image.
Include custom configurations.
You can find a live demo at https://demo-nginx.bunkerity.com.
Run HTTP server with default settings.
docker run -p 80: 8080 -v/ path/to/web/ files:/ www bunkerity/bunkerized-nginx.
Web files are stored in the/ www directory site, the container will serve files from there.
In mix with PHP.
docker network develop mynet.
docker run– network mynet -p 80: 8080 -v/ path/to/web/ files:/ www -e REMOTE_PHP= myphp -e REMOTE_PHP_PATH=/ app bunkerity/bunkerized-nginx.
docker run– network mynet– name= myphp -v/ path/to/web/ files:/ app php: fpm.
The REMOTE_PHP environment variable lets you specify the address of a remote PHP-FPM circumstances that will carry out the.php files. REMOTE_PHP_PATH must be set to the directory site where the PHP container will find the files.
Run HTTPS server with automated Let’s Encrypt.
docker run -p 80: 8080 -p 443: 8443 -v/ path/to/web/ files:/ www -v/ where/to/save/ certificates:/ etc/letsencrypt -e SERVER_NAME= www.yourdomain.com -e AUTO_LETS_ENCRYPT= yes -e REDIRECT_HTTP_TO_HTTPS= yes bunkerity/bunkerized-nginx.
Certificates are stored in the/ etc/letsencrypt directory, you ought to save it on your local drive.
If you don’t want your webserver to listen on HTTP add the environment variable LISTEN_HTTP with a no worth. Let’s Encrypt needs the port 80 to be opened so rerouting the port is necessary.
Here you have three environment variables:.
SERVER_NAME: specify the FQDN of your webserver, this is mandatory for Let’s Encrypt (www.yourdomain.com should point to your IP address).
AUTO_LETS_ENCRYPT: make it possible for automatic Let’s Encrypt development and renewal of certificates.
REDIRECT_HTTP_TO_HTTPS: make it possible for HTTP to HTTPS redirection.
Behind a reverse proxy.
docker run -p 80: 8080 -v/ path/to/web/ files:/ www -e PROXY_REAL_IP= yes bunkerity/bunkerized-nginx.
The PROXY_REAL_IP environment variable, when set to yes, activates the ngx_http_realip_module to get the genuine customer IP from the reverse proxy.
See this section if you need to fine-tune some values (trusted ip/network, header, …).
As a reverse proxy.
You can setup a reverse proxy by adding your own customized setups at server context.
For example, this is a dummy reverse proxy configuration:.
proxy_set_header Host $host;.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;.
area/
if ($ host = www.website1.com)
if ($ host = www.website2.com)
All files (ending with.conf) in/ server-confs inside the container will be consisted of at server context. You can merely mount a volume where your config files lie:.
docker run -p 80: 8080 -e SERVER_NAME=” www.website1.com www.website2.com” -e SERVE_FILES= no -e DISABLE_DEFAULT_SERVER= yes -v/ path/to/server/ conf:/ server-confs bunkerity/bunkerized-nginx.
Here you have 3 environment variables:.
SERVER_NAME: list of legitimate Host headers sent out by clients.
SERVE_FILES: nginx will not serve files from the/ www directory site.
DISABLE_DEFAULT_SERVER: nginx will not respond to requests if Host header is not in the SERVER_NAME list.
Antibot difficulty.
docker run -p 80: 8080 -v/ path/to/web/ files:/ www -e USE_ANTIBOT= captcha bunkerity/bunkerized-nginx.
When USE_ANTIBOT is set to captcha, every users visiting your site needs to finish a captcha before accessing the pages. Others challenges are also offered: cookie, javascript or recaptcha (more details here).
You will discover some docker-compose. yml examples in the examples directory and tutorials about bunkerized-nginx in our blog.
nginx.
Misc.
SERVER_NAME.
Worths: …
Default worth: www.bunkerity.com.
Sets the host names of the webserver separated with spaces. This should match the Host header sent out by customers.
Useful when utilized with AUTO_LETSENCRYPT= yes and/or DISABLE_DEFAULT_SERVER= yes.
MAX_CLIENT_SIZE.
Worths: 0|Xm.
Default worth: 10 m.
Sets the maximum body size prior to nginx returns a 413 error code.
Setting to 0 ways “limitless” body size.
ALLOWED_METHODS.
Values: permitted HTTP techniques separated with|char.
Default worth: GET|POST|HEAD.
Only the HTTP approaches noted here will be accepted by nginx. If not listed, nginx will close the connection.
DISABLE_DEFAULT_SERVER.
Values: yes|no.
Default value: no.
If set to yes, nginx will just react to HTTP demand when the Host header match a FQDN specified in the SERVER_NAME environment variable.
For example, it will close the connection if a bot gain access to the site with direct ip.
SERVE_FILES.
Values: yes|no.
Default worth: yes.
If set to yes, nginx will serve files from/ www directory within the container.
An usage case to not serving files is when you setup bunkerized-nginx as a reverse proxy via a custom configuration.
DNS_RESOLVERS.
Values:.
Default value: 127.0.0.11 8.8.8.8.
The IP addresses of the DNS resolvers to utilize when carrying out DNS lookups.
WRITE_ACCESS.
Worths: yes|no.
Default value: no.
If set to yes, nginx will be granted write access to the/ www directory site.
Set it to yes if your website utilizes file upload or produces vibrant declare example.
ROOT_FOLDER.
Values: *.
Default value:/ www.
The default folder where nginx will search for web files. Don’t change it unless you want to make your own image.
HTTP_PORT.
Worths:.
Default value:8080
The HTTP port number utilized by nginx and certbot inside the container.
HTTPS_PORT.
Worths:.
Default value:8443
The HTTPS port number used by nginx inside the container.
Details leakage.
SERVER_TOKENS.
Worths: on|off.
Default value: off.
If set to on, nginx will show server variation in Server header and default mistake pages.
HEADER_SERVER.
Values: yes|no.
Default worth: no.
If set to no, nginx will eliminate the Server header in HTTP responses.
Customized mistake pages.
ERROR_XXX.
Worths:.
Default value:.
Use this sort of environment variable to define custom-made error page depending upon the HTTP error code. Replace XXX with HTTP code.
For instance: ERROR _404=/404 html suggests the/404 html page will be displayed when 404 code is produced. The course is relative to the root web folder.
HTTP basic authentication.
USE_AUTH_BASIC.
Values: yes|no.
Default worth: no.
If set to yes, allows HTTP fundamental authentication at the area AUTH_BASIC_LOCATION with user AUTH_BASIC_USER and password AUTH_BASIC_PASSWORD.
AUTH_BASIC_LOCATION.
Values: sitewide |/ somedir |
Default worth: sitewide.
The area to restrict when USE_AUTH_BASIC is set to yes. If the unique worth sitewide is used then auth fundamental will be set at server level outside any area context.
AUTH_BASIC_USER.
Worths:.
Default value: changeme.
The username permitted to access AUTH_BASIC_LOCATION when USE_AUTH_BASIC is set to yes.
AUTH_BASIC_PASSWORD.
Values:.
Default worth: changeme.
The password of AUTH_BASIC_USER when USE_AUTH_BASIC is set to yes.
AUTH_BASIC_TEXT.
Worths:.
Default value: Restricted location.
The text showed inside the login prompt when USE_AUTH_BASIC is set to yes.
Reverse proxy.
PROXY_REAL_IP.
Values: yes|no.
Default worth: no.
Set this environment variable to yes if you’re utilizing bunkerized-nginx behind a reverse proxy. This means you will see the genuine client address rather of the proxy one inside your logs. Modsecurity, fail2ban and others security tools will also then work correctly.
PROXY_REAL_IP_FROM.
Worths:.
Default worth: 192.1680.0/16172.160.0/1210.0.0.0/ 8.
When PROXY_REAL_IP is set to yes, lets you define the trusted IPs/networks enabled to send out the appropriate customer address.
PROXY_REAL_IP_HEADER.
Values: X-Forwarded-For|X-Real-IP|custom header.
Default value: X-Forwarded-For.
When PROXY_REAL_IP is set to yes, lets you define the header which contains the real client IP address.
PROXY_REAL_IP_RECURSIVE.
Values: on|off.
Default value: on.
When PROXY_REAL_IP is set to yes, setting this to on prevent spoofing attacks utilizing the header specified in PROXY_REAL_IP_HEADER.
HTTPS.
Let’s Encrypt.
AUTO_LETS_ENCRYPT.
Values: yes|no.
Default value: no.
If set to yes, automated certificate generation and renewal will be setup through Let’s Encrypt. This will make it possible for HTTPS on your site free of charge.
You will need to reroute both 80 and 443 port to your container and likewise set the SERVER_NAME environment variable.
HTTP.
LISTEN_HTTP.
Worths: yes|no.
Default worth: yes.
If set to no, nginx will not in listen on HTTP (port 80).
Helpful if you only want HTTPS access to your site.
REDIRECT_HTTP_TO_HTTPS.
Values: yes|no.
Default worth: no.
If set to yes, nginx will reroute all HTTP demands to HTTPS.
Custom certificate.
USE_CUSTOM_HTTPS.
Values: yes|no.
Default value: no.
If set to yes, HTTPS will be made it possible for with certificate/key of your option.
CUSTOM_HTTPS_CERT.
Values:.
Default worth:.
Full path of the certificate file to utilize when USE_CUSTOM_HTTPS is set to yes.
CUSTOM_HTTPS_KEY.
Values:.
Default worth:.
Full path of the crucial file to utilize when USE_CUSTOM_HTTPS is set to yes.
Self-signed certificate.
GENERATE_SELF_SIGNED_SSL.
Values: yes|no.
Default value: no.
If set to yes, HTTPS will be made it possible for with a container produced self-signed certificate.
SELF_SIGNED_SSL_EXPIRY.
Worths: integer.
Default value: 365 (1 year).
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the expiry date for the self generated certificate.
SELF_SIGNED_SSL_COUNTRY.
Values: text.
Default worth: Switzerland.
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the country for the self created certificate.
SELF_SIGNED_SSL_STATE.
Values: text.
Default worth: Switzerland.
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the state for the self produced certificate.
SELF_SIGNED_SSL_CITY.
Worths: text.
Default worth: Bern.
Requirements GENERATE_SELF_SIGNED_SSL to work.
Sets the city for the self generated certificate.
SELF_SIGNED_SSL_ORG.
Values: text.
Default value: AcmeInc.
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the organisation name for the self generated certificate.
SELF_SIGNED_SSL_OU.
Values: text.
Default worth: IT.
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the organisitional system for the self created certificate.
SELF_SIGNED_SSL_CN.
Values: text.
Default value: bunkerity-nginx.
Needs GENERATE_SELF_SIGNED_SSL to work.
Sets the CN server name for the self created certificate.
Misc.
HTTP2.
Worths: yes|no.
Default worth: yes.
If set to yes, nginx will utilize HTTP2 protocol when HTTPS is enabled.
HTTPS_PROTOCOLS.
Worths: TLSv1.2|TLSv1.3|TLSv1.2 TLSv1.3.
Default value: TLSv1.2 TLSv1.3.
The supported version of TLS. We advise the default value TLSv1.2 TLSv1.3 for compatibility reasons.
ModSecurity.
USE_MODSECURITY.
Values: yes|no.
Default worth: yes.
If set to yes, the ModSecurity WAF will be allowed.
You can consist of customized guidelines by adding.conf files into the/ modsec-confs/ directory site inside the container (i.e: through a volume).
USE_MODSECURITY_CRS.
Worths: yes|no.
Default worth: yes.
If set to yes, the OWASP ModSecurity Core Rule Set will be used. It provides generic guidelines to discover common web attacks.
You can tailor the CRS (i.e.: add WordPress exclusions) by including custom.conf files into the/ modsec-crs-confs/ directory site inside the container (i.e: through a volume). Files inside this directory site are included before the CRS guidelines. If you require to fine-tune (i.e.: SecRuleUpdateTargetById) put.conf files inside the/ modsec-confs/ which is included after the CRS guidelines.
Security headers.
X_FRAME_OPTIONS.
ALLOW-FROM https://www.website.net
Default value: DENY.
Policy to be utilized when the site is shown through iframe. Can be used to alleviate clickjacking attacks.
More information here.
X_XSS_PROTECTION.
Values: 0|1|1; mode= block.
Default value: 1; mode= block.
Policy to be used when XSS is found by the internet browser. Just works with Web Explorer.
More info here.
X_CONTENT_TYPE_OPTIONS.
Values: nosniff.
Default value: nosniff.
Tells the internet browser to be strict about MIME type.
More details here.
REFERRER_POLICY.
no-referrer-when-downgrade
Default worth: no-referrer.
Policy to be used for the Referer header.
More details here.
FEATURE_POLICY.
Values:.
Default worth: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; electronic camera ‘none’; display-capture ‘none’; file-
Learn More