From be377e75ef18ef9e2b979abd4b85fe4c2636b19d Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem
Date: Tue, 9 Apr 2024 19:05:56 +0200
Subject: [PATCH 1/4] Stopped serving package.json / package-lock.json files

Since this repo is public, this doesn't matter, the information is public. Might as well remove it though, there's no reason to serve these files.

Signed-off-by: Ole Herman Schumacher Elgesem
---
 Dockerfile | 2 ++
 nginx.conf | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0e0119e..7160f44 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,8 @@ COPY . ./
 RUN npm run build
 RUN ./hugo -v
 RUN npm run create-modules-json
+RUN rm ./public/package.json
+RUN rm ./public/package-lock.json
 RUN find public -type f -regex '^.*\.\(svg\|css\|html\|xml\)$' -size +1k -exec gzip -k '{}' \;
 
 FROM nginx:stable-alpine
diff --git a/nginx.conf b/nginx.conf
index dc08074..4808536 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -50,7 +50,7 @@ http {
 # deny running scripts inside user folder
 location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
 # deny access to specific files in the root folder
- location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
+ location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess|package.json|package-lock.json) { return 403; }
 ## End - Security
 
 # Try to keep the file uplodas in the memory:
From 86b102029481a44a6b75078a08cc65d34dd9a3cf Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem
Date: Tue, 9 Apr 2024 19:08:44 +0200
Subject: [PATCH 2/4] Improved the docker command in README so I can copy paste it

* Made it interactive with the -it flag
* Changed the container name to be more descriptive / correct
* Put it on one line to make it easier to copy paste
* Replaced /path/to/volume with ./proxy since that'll probably be allowed to mount
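Review bot: The two new `RUN rm` lines remove the copies under `./public/` only, and because `rm` has no `-f` a missing file fails the build; that failure is the better behaviour here, since it surfaces a change in what the build publishes, but the hunk does not show how these files reach `public/` in the first place (the `COPY . ./` in the hunk header context copies the whole build context into the builder stage), and excluding them at that point would be more robust than deleting them afterwards — worth confirming. The two removals can also be a single layer, `RUN rm -- ./public/package.json ./public/package-lock.json`. The ordering is right: the removal runs before the `find … -exec gzip -k` step, so no `.gz` copies of these files are produced.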
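Review bot: The `location ~ /(…|package.json|package-lock.json)` pattern the new entries join is neither anchored nor dot-escaped, so it matches these names as a substring anywhere in the URI (`/docs/package.json-format/`, `/package_json`) rather than only the root files the comment above it describes; the same holds for the rewritten line in PATCH 3/4 and the `Dockerfile|Containerfile|Makefile` additions in PATCH 4/4. Because nginx matches `location` regexes against the normalised URI this over-blocks rather than lets anything through, but a site about build modules can plausibly have paths containing `Makefile` or `Dockerfile`. If the intent is the root files only: `location ~ ^/(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess|package\.json|package-lock\.json)$ { return 403; }`. The enclosing `http {` / server block starts outside the hunk.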
Signed-off-by: Ole Herman Schumacher Elgesem
---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index be0cb57..bbc2002 100644
--- a/README.md
+++ b/README.md
@@ -45,8 +45,7 @@ Using docker / podman to build and serve is fairly straight forward:
 
 ```
 export GITHUB_USERNAME_TOKEN='place githubName:token here'
-docker build --build-arg GITHUB_USERNAME_TOKEN --tag cfbs-website -f Dockerfile .
-docker run -p 80:80 -p 81:81 --volume /path/to/volume:/home/proxy --name cfbs-website --rm cfbs-website
+docker build --build-arg GITHUB_USERNAME_TOKEN --tag cfengine-build-website -f Dockerfile . && docker run -it -p 80:80 -p 81:81 --volume ./proxy:/home/proxy --name cfengine-build-website --rm cfengine-build-website
 ```
 
 ## CFEngine Build repositories
From 4b75c897c4c67ece2dbeb789707d97c328d3f017 Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem
Date: Tue, 9 Apr 2024 19:13:27 +0200
Subject: [PATCH 3/4] Return 404 instead of 403 for everything blocked by nginx.conf

Doesn't matter much since this repo is public, but if we end up using this config in another project, it seems safer to not give any information about which things are being blocked by the nginx config.

Signed-off-by: Ole Herman Schumacher Elgesem
---
 nginx.conf | 18 +++++++++--------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index 4808536..8679d65 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -44,13 +44,13 @@ http {
 ## Begin - Security
 location ~ ^/(.well-known/security.txt|security.txt) { return 301 https://northern.tech/security.txt; }
 # deny all direct access for these folders
- location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+ location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 404; }
 # deny running scripts inside core system folders
- location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+ location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 404; }
 # deny running scripts inside user folder
- location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+ location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 404; }
 # deny access to specific files in the root folder
- location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess|package.json|package-lock.json) { return 403; }
+ location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess|package.json|package-lock.json) { return 404; }
 ## End - Security
 
 # Try to keep the file uplodas in the memory:
@@ -96,7 +96,7 @@ http {
 set $block_common_exploits 1;
 }
 if ($block_common_exploits = 1) {
- return 403;
+ return 404;
 }
 ## Block SQL injections
 set $block_sql_injections 0;
@@ -110,7 +110,7 @@ http {
 set $block_sql_injections 1;
 }
 if ($block_sql_injections = 1) {
- return 403;
+ return 404;
 }
 ## Block file injections
 set $block_file_injections 0;
@@ -124,7 +124,7 @@ http {
 set $block_file_injections 1;
 }
 if ($block_file_injections = 1) {
- return 403;
+ return 404;
 }
 ## Block spam
 set $block_spam 0;
@@ -141,7 +141,7 @@ http {
 set $block_spam 1;
 }
 if ($block_spam = 1) {
- return 403;
+ return 404;
 }
 ## Common bandwidth hoggers and hacking tools.
 set $block_user_agents 0;
@@ -170,7 +170,7 @@ http {
 set $block_user_agents 1;
 }
 if ($block_user_agents = 1) {
- return 403;
+ return 404;
 }
 }
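Review bot: Switching the four `location` rules in this hunk from `return 403;` to `return 404;` only hides the deny rules if the response they produce is indistinguishable from the one nginx sends for a genuinely missing file; whether an `error_page 404` directive elsewhere in the config serves the same status, headers and body in both cases is outside the hunk and worth checking, otherwise the blocked set remains observable and the stated goal of the commit is not met. A side effect worth recording in the commit message is that the access log no longer separates a request that hit a deny rule from an ordinary missing page, which removes a cheap detection signal; the `$block_common_exploits`, `$block_sql_injections`, `$block_file_injections`, `$block_spam` and `$block_user_agents` flags set in the later hunks could be included in a `log_format` to keep it, and a similar flag could be set for these four `location` rules. The same status change is made in the hunks at `@@ -96`, `@@ -110`, `@@ -124`, `@@ -141` and `@@ -170`; the enclosing `http {` / server block starts outside the hunk.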
From cd686600dc07753553b7087af0a8f2fd9f9fd459 Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem
Date: Tue, 9 Apr 2024 19:16:41 +0200
Subject: [PATCH 4/4] Added a few more known filenames to the list in nginx config

Signed-off-by: Ole Herman Schumacher Elgesem
---
 nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx.conf b/nginx.conf
index 8679d65..9882e5e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -50,7 +50,7 @@ http {
 # deny running scripts inside user folder
 location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 404; }
 # deny access to specific files in the root folder
- location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess|package.json|package-lock.json) { return 404; }
+ location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess|package.json|package-lock.json|Dockerfile|Containerfile|Makefile) { return 404; }
 ## End - Security
 
 # Try to keep the file uplodas in the memory:
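Review bot: The newly listed `Dockerfile`, `Containerfile` and `Makefile` are handled only in nginx, whereas PATCH 1/4 paired the nginx rule for `package.json` and `package-lock.json` with a `RUN rm` of the files from `./public/` in the builder stage; if these three reach `public/` by the same route, they stay in the served image and depend on this single `location` rule not being reordered or loosened, so either removing them in the Dockerfile as well or confirming they are never copied into `public/` would keep the two layers consistent. The hunk does not show whether any of the three actually exist in the build output, so the nginx entry may be purely defensive; a short comment on the line, `# defensive: these are not expected under public/, see Dockerfile`, would make that intent explicit (placeholder wording, adjust to what the build actually produces). The enclosing `http {` / server block starts outside the hunk.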