Merge pull request #107 from mikeiken:pen-test-alpha

Enhance NGINX security and fix related issues
mikeiken · Dec 1, 2024 · 99b0133 · 99b0133
2 parents 7274595 + 868ef2f
commit 99b0133
Showing 1 changed file with 92 additions and 4 deletions.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -6,29 +6,117 @@ upstream client {
 }
 
 server {
+    # Remove server information headers
+    server_tokens off;
+    proxy_hide_header X-Powered-By;
+
+    # Add security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+    # add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    proxy_hide_header Content-Security-Policy;
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy "
+        default-src 'self'; 
+        script-src 'self' 'unsafe-inline' 'unsafe-eval' 
+            https://cdn.jsdelivr.net; 
+        style-src 'self' 'unsafe-inline' 
+            https://cdn.jsdelivr.net 
+            https://fonts.googleapis.com; 
+        img-src 'self' data: 
+            https://cdn.jsdelivr.net
+            https://avatars.mds.yandex.net; 
+        font-src 'self' data:
+            https://fonts.gstatic.com; 
+        connect-src 'self' 
+            ws://localhost:3000/ws
+            wss://localhost:3000/ws 
+            ws://localhost:3000/socket 
+            wss://localhost:3000/socket 
+            http://127.0.0.1:8000 
+            https://127.0.0.1:8000; 
+        frame-ancestors 'none'; 
+        base-uri 'self'; 
+        form-action 'self';
+        object-src 'none';
+        media-src 'self';
+    " always;
+
+    # Block access to metadata
+    location ~ ^/latest/meta-data/ {
+        deny all;
+        return 404;
+    }
+
+    # Block direct access to AWS metadata IP
+    location ~ ^/169\.254\.169\.254 {
+        deny all;
+        return 404;
+    }
+
     listen 80;
 
     location / {
+        # Add security headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Prevent proxy redirects to metadata
+        proxy_redirect off;
+
         proxy_pass http://frontend:3000/;
     }
 
-    location /api/swagger/ {
-        proxy_pass http://django:8000/swagger/;
-    }
-
     location /api/ {
+        # Add security headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Prevent proxy redirects to metadata
+        proxy_redirect off;
+
         proxy_pass http://django:8000/api/;
     }
 
     location /static-dj/ {
+        # Add security headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Prevent proxy redirects to metadata
+        proxy_redirect off;
+
         proxy_pass http://django:8000/static-dj/;
     }
 
     location /redis-commander/ {
+        # Add security headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Prevent proxy redirects to metadata
+        proxy_redirect off;
+
         proxy_pass http://redis-commander:8081/;
     }
 
     location /rabbitmq/ {
+        # Add security headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        # Prevent proxy redirects to metadata
+        proxy_redirect off;
+
         proxy_pass http://rabbitmq:15672/;
     }
 }