Update nginx config for well being

- turned off server tokens so the server does not leak nginx information on errors and header - Added header to turn off cross site scripting - use stable release of nginx instead of mainline - limit available methods - update response code
2024-10-13 13:34:05 +00:00 · 2017-09-26 14:19:55 +02:00 · 2017-09-26 14:19:55 +02:00 · 4371a2ce4b
commit 4371a2ce4b
parent 86ddbc2750
5 changed files with 35 additions and 15 deletions
--- a/k8s/nginx-http/container/Dockerfile
+++ b/k8s/nginx-http/container/Dockerfile
@ -1,4 +1,4 @@
-FROM nginx:1.13.1
+FROM nginx:stable
 LABEL maintainer "dev@bigchaindb.com"
 WORKDIR /
 RUN apt-get update \
--- a/k8s/nginx-http/container/nginx.conf.template
+++ b/k8s/nginx-http/container/nginx.conf.template
@ -45,6 +45,12 @@ http {

  keepalive_timeout 60s;

+  # Do not expose nginx data/version number in error response and header
+  server_tokens off;
+
+  # To prevent cross-site scripting
+  add_header X-XSS-Protection "1; mode=block";
+
  # The following map blocks enable lazy-binding to the backend at runtime,
  # rather than binding as soon as NGINX starts.
  map $remote_addr $bdb_backend {
@ -54,7 +60,6 @@ http {
  # Frontend server for the external clients
  server {
    listen CLUSTER_FRONTEND_PORT;
-
    underscores_in_headers on;

    # Forward websockets to backend BDB at 9985.
@ -75,6 +80,10 @@ http {
      # max client request body size: avg transaction size.
      client_max_body_size 15k;

+      if ($request_method !~ ^(GET|OPTIONS|POST)$) {
+        return 444;
+      }
+
      # No auth for GETs, forward directly to BDB.
      if ($request_method = GET) {
        proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
@ -82,11 +91,10 @@ http {

      # POST requests get forwarded to OpenResty instance. Enable CORS too.
      if ($request_method = POST ) {
-        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-        
+
        proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
      }

@ -130,10 +138,10 @@ stream {

  # Enable logging when connections are being throttled.
  limit_conn_log_level notice;
-  
+
  # Allow 16 connections from the same IP address.
  limit_conn two 16;
-  
+
  # DNS resolver to use for all the backend names specified in this configuration.
  resolver DNS_SERVER valid=30s ipv6=off;

@ -142,7 +150,7 @@ stream {
  map $remote_addr $mdb_backend {
    default MONGODB_BACKEND_HOST;
  }
-  
+
  # Frontend server to forward connections to MDB instance.
  server {
    listen MONGODB_FRONTEND_PORT so_keepalive=10m:1m:5;
--- a/k8s/nginx-https/container/Dockerfile
+++ b/k8s/nginx-https/container/Dockerfile
@ -1,4 +1,4 @@
-FROM nginx:1.13.1
+FROM nginx:stable
 LABEL maintainer "dev@bigchaindb.com"
 WORKDIR /
 RUN apt-get update \
--- a/k8s/nginx-https/container/docker_build_and_push.bash
+++ b/k8s/nginx-https/container/docker_build_and_push.bash
@ -1,5 +1,5 @@
 #!/bin/bash

-docker build -t bigchaindb/nginx_https:1.0 .
+docker build -t bigchaindb/nginx_https:1.1 .

-docker push bigchaindb/nginx_https:1.0
+docker push bigchaindb/nginx_https:1.1
--- a/k8s/nginx-https/container/nginx.conf.template
+++ b/k8s/nginx-https/container/nginx.conf.template
@ -42,6 +42,12 @@ http {
  client_body_timeout 10s;
  client_header_timeout 10s;

+  # Do not expose nginx data/version number in error response and header
+  server_tokens off;
+
+  # To prevent cross-site scripting
+  add_header X-XSS-Protection "1; mode=block";
+
  # DNS resolver to use for all the backend names specified in this configuration.
  resolver DNS_SERVER valid=30s ipv6=off;

@ -59,11 +65,13 @@ http {
  # Frontend server for the external clients; acts as HTTPS termination point.
  server {
    listen CLUSTER_FRONTEND_PORT ssl;
+    add_header X-XSS-Protection "1; mode=block";
    server_name "CLUSTER_FQDN";
-    ssl_certificate        /etc/nginx/ssl/cert.pem;
-    ssl_certificate_key    /etc/nginx/ssl/cert.key;
-    ssl_protocols          TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers            HIGH:!aNULL:!MD5;
+
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/cert.key;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!MD5;

    underscores_in_headers on;

@ -89,6 +97,10 @@ http {
      # max client request body size: avg transaction size.
      client_max_body_size 15k;

+      if ($request_method !~ ^(GET|OPTIONS|POST)$) {
+        return 444;
+      }
+
      # No auth for GETs, forward directly to BDB.
      if ($request_method = GET) {
        proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
@ -135,7 +147,7 @@ http {
    location / {
        add_header Upgrade "TLS/1.2, HTTP/1.1" always;
        default_type text/plain;
-        return 426 'Consider using the HTTPS protocol next time!';
+        return 301 'Consider using the HTTPS protocol next time!';
    }
  }
 }