uptime-kuma config

2026-01-25 14:43:24 +00:00
parent d84e412532
commit 73d80ea2b2
32 changed files with 422 additions and 0 deletions
@@ -0,0 +1,134 @@
+# Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+    set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+    set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+    return 403;
+}
+
+# Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+    set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+    return 403;
+}
+
+# Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+    set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+    set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+    return 403;
+}
+
+# Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+    set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+    set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+    return 403;
+}
+
+# Block user agents
+set $block_user_agents 0;
+
+if ($http_user_agent ~ "Indy Library") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "libwww-perl") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+    set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+    return 403;
+}
@@ -0,0 +1,219 @@
+# Static upstream configurations for non-container backends
+# These hosts forward to IP addresses instead of Docker containers
+
+# ------------------------------------------------------------------------------
+# portainer.kolpacksoftware.com -> 172.17.0.1:9443 (HTTPS backend via Docker bridge)
+# ------------------------------------------------------------------------------
+upstream portainer-backend {
+    server 172.17.0.1:9443;
+}
+
+server {
+    listen 80;
+    server_name portainer.kolpacksoftware.com;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name portainer.kolpacksoftware.com;
+
+    ssl_certificate /etc/nginx/certs/portainer.kolpacksoftware.com.crt;
+    ssl_certificate_key /etc/nginx/certs/portainer.kolpacksoftware.com.key;
+
+    include /etc/nginx/vhost.d/default;
+    include /etc/nginx/vhost.d/private;
+
+    location / {
+        proxy_pass https://portainer-backend;
+        proxy_ssl_verify off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ------------------------------------------------------------------------------
+# btt-cb1.kolpacksoftware.com -> 192.168.1.173:80
+# ------------------------------------------------------------------------------
+upstream btt-cb1-backend {
+    server 192.168.1.173:80;
+}
+
+server {
+    listen 80;
+    server_name btt-cb1.kolpacksoftware.com;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name btt-cb1.kolpacksoftware.com;
+
+    ssl_certificate /etc/nginx/certs/btt-cb1.kolpacksoftware.com.crt;
+    ssl_certificate_key /etc/nginx/certs/btt-cb1.kolpacksoftware.com.key;
+
+    include /etc/nginx/vhost.d/default;
+    include /etc/nginx/vhost.d/private;
+
+    location / {
+        proxy_pass http://btt-cb1-backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ------------------------------------------------------------------------------
+# hats.kolpacksoftware.com -> 192.168.1.66:9999
+# ------------------------------------------------------------------------------
+upstream hats-backend {
+    server 192.168.1.66:9999;
+}
+
+server {
+    listen 80;
+    server_name hats.kolpacksoftware.com;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name hats.kolpacksoftware.com;
+
+    ssl_certificate /etc/nginx/certs/hats.kolpacksoftware.com.crt;
+    ssl_certificate_key /etc/nginx/certs/hats.kolpacksoftware.com.key;
+
+    include /etc/nginx/vhost.d/default;
+    include /etc/nginx/vhost.d/private;
+
+    location / {
+        proxy_pass http://hats-backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ------------------------------------------------------------------------------
+# pve-nas.kolpacksoftware.com -> 192.168.1.245:8006 (HTTPS backend - Proxmox)
+# ------------------------------------------------------------------------------
+upstream pve-nas-backend {
+    server 192.168.1.245:8006;
+}
+
+server {
+    listen 80;
+    server_name pve-nas.kolpacksoftware.com;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name pve-nas.kolpacksoftware.com;
+
+    ssl_certificate /etc/nginx/certs/pve-nas.kolpacksoftware.com.crt;
+    ssl_certificate_key /etc/nginx/certs/pve-nas.kolpacksoftware.com.key;
+
+    include /etc/nginx/vhost.d/default;
+    include /etc/nginx/vhost.d/private;
+
+    # Proxmox needs larger buffers
+    proxy_buffer_size 128k;
+    proxy_buffers 4 256k;
+    proxy_busy_buffers_size 256k;
+
+    location / {
+        proxy_pass https://pve-nas-backend;
+        proxy_ssl_verify off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# ------------------------------------------------------------------------------
+# unraid.kolpacksoftware.com -> 192.168.1.192:80
+# ------------------------------------------------------------------------------
+upstream unraid-backend {
+    server 192.168.1.192:80;
+}
+
+server {
+    listen 80;
+    server_name unraid.kolpacksoftware.com;
+
+    location /.well-known/acme-challenge/ {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name unraid.kolpacksoftware.com;
+
+    ssl_certificate /etc/nginx/certs/unraid.kolpacksoftware.com.crt;
+    ssl_certificate_key /etc/nginx/certs/unraid.kolpacksoftware.com.key;
+
+    include /etc/nginx/vhost.d/default;
+    include /etc/nginx/vhost.d/private;
+
+    location / {
+        proxy_pass http://unraid-backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1,12 @@
+# Default configuration applied to all virtual hosts
+# Security headers and WAF rules - applied to ALL hosts (public and private)
+
+# Security headers
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+# Include block-exploits rules
+include /etc/nginx/conf.d/block-exploits.conf;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1,6 @@
+# Docker registry needs Authorization header passthrough
+proxy_set_header Authorization $http_authorization;
+proxy_pass_header Authorization;
+
+# Private access control
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1,7 @@
+# Access control for private hosts
+# Symlink this file to restrict access to local networks only
+
+allow 192.168.1.0/24;
+allow 172.16.0.0/12;
+# allow 162.10.130.22;  # Netskope - uncomment if needed for corporate VPN
+deny all;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+include /etc/nginx/vhost.d/private;
@@ -0,0 +1 @@
+public