Configuration Examples
This page provides configuration examples for the functionality in SEnginx.
Some site
Configuration File
In this configuration file, we enable cookie poisoning protection, robot mitigation and naxsi.
    user nobody;
    worker_processes 1;
    error_log logs/error.log notice;
    pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        include /usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;

        geoip_country /usr/local/senginx/GeoIP.dat;
        geoip_city /usr/local/senginx/GeoLiteCity.dat;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"'
                        ' - [$geoip_city, $geoip_city_country_name]';

        sendfile on;
        tcp_nopush on;
        keepalive_timeout 65;
        gzip on;

        session_max_size 1024;

        upstream backend {
            server 127.0.0.1:8086;
        }

        server {
            listen 80;
            server_name some_site.org;
            access_log logs/access.www.log main;

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }

            session_timeout 600;
            session on;

            location /RequestDenied {
                return 403;
            }

            location /favicon.ico {
                proxy_pass http://backend;
            }

            location /download {
                proxy_pass http://backend;
            }

            location /img {
                proxy_pass http://backend;
            }

            location /cn {
                error_log logs/error.cn.log;

                robot_mitigation on;
                robot_mitigation_mode js;
                robot_mitigation_action block;
                robot_mitigation_whitelist {
                    "Baidu" "Baiduspider";
                    "Google" "Googlebot";
                }

                cookie_poisoning on;
                cookie_poisoning_action block;

                #LearningMode;
                SecRulesEnabled;
                #SecRulesDisabled;
                DeniedUrl "/RequestDenied";

                include wl.conf;

                ## check rules
                CheckRule "$XSS >= 4" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 8" BLOCK;
                CheckRule "$UPLOAD >= 8" BLOCK;
                CheckRule "$RFI >= 8" BLOCK;
                CheckRule "$SQL >= 8" BLOCK;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_pass http://backend;
            }

            location /en {
                error_log logs/error.en.log;

                robot_mitigation on;
                robot_mitigation_mode js;
                robot_mitigation_action block;
                robot_mitigation_whitelist {
                    "Google" "Googlebot";
                }

                cookie_poisoning on;
                cookie_poisoning_action block;

                #LearningMode;
                SecRulesEnabled;
                #SecRulesDisabled;
                DeniedUrl "/RequestDenied";

                include wl-en.conf;

                ## check rules
                CheckRule "$XSS >= 4" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 8" BLOCK;
                CheckRule "$UPLOAD >= 8" BLOCK;
                CheckRule "$RFI >= 8" BLOCK;
                CheckRule "$SQL >= 8" BLOCK;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_pass http://backend;
            }

            location / {
                if ($geoip_country_code = CN) {
                    rewrite ^/$ /cn redirect;
                }

                if ($geoip_country_code != CN) {
                    rewrite ^/$ /en redirect;
                }
            }
        }
    }
Explanation
This config file is based on senginx 1.5.3, compiled with the cookie poisoning module and the GeoIP module; some of the directives may not be valid in older versions.
The basic hierarchy of Some site is: apache listens on port 8080 at localhost, and senginx reverse proxies all requests to this port, adding the following functions:
- Dispatch requests based on the request's Geo-Location (according to the source IP address).
- HTTP session
- Robot Mitigation
- Cookie Poisoning
- All protections in naxsi
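
In the config above the protections are switched on per location, so it is worth checking which proxied locations actually carry them. The following Python script is an added example, not part of SEnginx or of the original page: it parses `location` blocks and reports, for each one that uses `proxy_pass`, which of robot mitigation, cookie poisoning and naxsi blocking mode is not enabled there. The sample input is a constructed excerpt, the function names and the `naxsi blocking` label are assumptions of this example, and inheritance from `server` or `http` level is not modelled.

```python
import re

# Constructed excerpt modelled on the location blocks above (not the full file).
SAMPLE = '''
location /img { proxy_pass http://backend; }
location /download { proxy_pass http://backend; }
location /cn {
    robot_mitigation on;
    cookie_poisoning on;
    #LearningMode;
    SecRulesEnabled;
    proxy_pass http://backend;
}
'''

TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

def parse_locations(text):
    """Return {location path: [directives]}; each directive is a list of words."""
    text = re.sub(r'#[^\n]*', '', text)  # strip comments (assumes no '#' inside strings)
    locations, stack, words = {}, [], []
    for tok in TOKEN.findall(text):
        if tok == '{':                   # the words collected so far are the block header
            stack.append(words)
            if words[:1] == ['location']:
                locations[words[-1]] = []
            words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':                 # end of a simple directive
            loc = next((h[-1] for h in reversed(stack) if h[:1] == ['location']), None)
            if loc is not None and words:
                locations[loc].append(words)
            words = []
        else:
            words.append(tok)
    return locations

def audit(text):
    """Map each proxied location to the protections it does not enable."""
    report = {}
    for path, directives in parse_locations(text).items():
        if not any(d[0] == 'proxy_pass' for d in directives):
            continue
        missing = [n for n in ('robot_mitigation', 'cookie_poisoning') if [n, 'on'] not in directives]
        if ['SecRulesEnabled'] not in directives or ['LearningMode'] in directives:
            missing.append('naxsi blocking')
        report[path] = missing
    return report
```

Calling `audit()` on the text of a real config file returns an empty list for locations such as `/cn` and the names of the missing protections for locations that only contain `proxy_pass`.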