Merge branch 'feature/nginx_security' into develop

app/Http/Controllers/AliasesController.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers;
 
+use Illuminate\Routing\UrlGenerator;
 use Illuminate\Http\Request;
 use App\Application;
 use App\Alias;
@@ -9,6 +10,12 @@ use phpseclib\Net\SSH2 as SSH;
 
 class AliasesController extends Controller {
 
+    protected $url;
+
+    public function __construct(UrlGenerator $url) {
+        $this->url = $url;
+    }
+
     public function index() {
         $aliases = Alias::orderBy('domain')->orderBy('application_id')->with('application')->get();
         return view('aliases', compact('aliases'));
@@ -43,7 +50,7 @@ class AliasesController extends Controller {
             return redirect('/aliases');
         }
         $ssh->setTimeout(360);
-        $response = $ssh->exec('echo '.$application->server->password.' | sudo -S sudo sh /cipi/alias-add.sh -d '.$request->domain.' -a '.$application->appcode);
+        $response = $ssh->exec('echo '.$application->server->password.' | sudo -S sudo sh /cipi/alias-add.sh -d '.$request->domain.' -a '.$application->appcode.' -r '.$this->url);
         if(strpos($response, '###CIPI###') === false) {
             $request->session()->flash('alert-error', 'There was a problem with server scripts.');
             return redirect('/aliases');

app/Http/Controllers/ApplicationsController.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers;
 
+use Illuminate\Routing\UrlGenerator;
 use Illuminate\Support\Str;
 use Illuminate\Http\Request;
 use App\Application;
@@ -12,6 +13,12 @@ use PDF;
 
 class ApplicationsController extends Controller {
 
+    protected $url;
+
+    public function __construct(UrlGenerator $url) {
+        $this->url = $url;
+    }
+
     public function index() {
         $applications = Application::with('server')->with('aliases')->get();
         return view('applications', compact('applications'));
@@ -65,9 +72,9 @@ class ApplicationsController extends Controller {
         }
         $ssh->setTimeout(360);
         if($base) {
-            $response = $ssh->exec('echo '.$server->password.' | sudo -S sudo sh /cipi/host-add.sh -u '.$user.' -p '.$pass.' -dbp '.$dbpass.' -b '.$base.' -php '.$request->php.' -a '.$appcode);
+            $response = $ssh->exec('echo '.$server->password.' | sudo -S sudo sh /cipi/host-add.sh -u '.$user.' -p '.$pass.' -dbp '.$dbpass.' -b '.$base.' -php '.$request->php.' -a '.$appcode.' -r '.$this->url);
         } else {
-            $response = $ssh->exec('echo '.$server->password.' | sudo -S sudo sh /cipi/host-add.sh -u '.$user.' -p '.$pass.' -dbp '.$dbpass.' -php '.$request->php.' -a '.$appcode);
+            $response = $ssh->exec('echo '.$server->password.' | sudo -S sudo sh /cipi/host-add.sh -u '.$user.' -p '.$pass.' -dbp '.$dbpass.' -php '.$request->php.' -a '.$appcode.' -r '.$this->url);
         }
         if(strpos($response, '###CIPI###') === false) {
             $request->session()->flash('alert-error', 'There was a problem with server scripts.');

setup/18.sh

@@ -231,6 +231,14 @@ server {
 
     root /var/www/html/public;
 
+    limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;
+    limit_req_zone $server_name zone=perserver:10m rate=10r/s;
+    limit_req zone=perip burst=5 nodelay;
+    limit_req zone=perserver burst=10;
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    client_max_body_size 256M;
+
     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";

setup/20.sh

@@ -230,6 +230,14 @@ server {
 
     root /var/www/html/public;
 
+    limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;
+    limit_req_zone $server_name zone=perserver:10m rate=10r/s;
+    limit_req zone=perip burst=5 nodelay;
+    limit_req zone=perserver burst=10;
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    client_max_body_size 256M;
+
     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";

storage/app/scripts/aliasadd.sh

@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-REMOTE=???
-
 while [ -n "$1" ] ; do
     case $1 in
     -d | --domain )
@@ -12,6 +10,10 @@ while [ -n "$1" ] ; do
             shift
             APPCODE=$1
             ;;
+    -r |  --remote )
+            shift
+            REMOTE=$1
+            ;;
     * )
             echo "ERROR: Unknown option: $1"
             exit -1

storage/app/scripts/haget.conf

@@ -9,6 +9,10 @@ server {
 
     root ???BASE???;
 
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    client_max_body_size 256M;
+
     access_log /home/???USER???/log/access.log;
     error_log /home/???USER???/log/error.log;
 

storage/app/scripts/hostadd.sh

@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
 
-REMOTE=???
 DBROOT=???
 
 BASE_PATH=
@@ -34,6 +33,10 @@ while [ -n "$1" ] ; do
         shift
         PHP=$1
         ;;
+    -r |  --remote )
+        shift
+        REMOTE=$1
+        ;;
     * )
         echo "ERROR: Unknown option: $1"
         exit -1
@@ -59,8 +62,8 @@ sudo cat > "$DBBKS" <<EOF
 #!/bin/bash
 
 ######### BACKUP CONFIGURATION #########
-DBUSER=ubb04699a5
-DBPASS=630db817327b70c677254fcdccb616186e9d19c5
+DBUSER=
+DBPASS=
 DAYS=7
 
 ######### DO NOT CHANGE ANYTHING IN THIS AREA #########

storage/app/scripts/install.sh

@@ -217,17 +217,21 @@ sudo unlink JAIL
 sudo touch $JAIL
 sudo cat > "$JAIL" <<EOF
 [DEFAULT]
-# Ban hosts for one hour:
 bantime = 3600
-
-# Override /etc/fail2ban/jail.d/00-firewalld.conf:
 banaction = iptables-multiport
 
 [sshd]
 enabled = true
-
-# Auth log file
 logpath  = /var/log/auth.log
+
+[nginx-req-limit]
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port=”http,https”, protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 200
+bantime = 2600
+maxretry = 20
 EOF
 
 sudo systemctl restart fail2ban
@@ -249,6 +253,7 @@ sleep 3s
 
 sudo apt-get -y install nginx
 sudo systemctl start nginx.service
+sudo rpl -i -w "http {" "http { limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;" /etc/nginx/nginx.conf
 sudo systemctl enable nginx.service
 
 echo "nginx: OK!"
@@ -338,6 +343,14 @@ server {
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";
 
+    limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;
+    limit_req_zone $server_name zone=perserver:10m rate=10r/s;
+    limit_req zone=perip burst=5 nodelay;
+    limit_req zone=perserver burst=10;
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    client_max_body_size 256M;
+
     index index.html index.php;
 
     charset utf-8;

storage/app/scripts/phpfpm.conf

@@ -4,12 +4,7 @@ group = ???USER???
 listen = /run/php/php???PHP???-fpm-???USER???.sock
 listen.owner = www-data
 listen.group = www-data
-php_admin_value[disable_functions] = exec,passthru,shell_exec,system
-php_admin_flag[allow_url_fopen] = off
-pm = dynamic
-pm.max_children = 40
-pm.start_servers = 15
-pm.min_spare_servers = 15
-pm.max_spare_servers = 25
+pm = ondemand
+pm.max_children = 50
 pm.max_requests = 500
 pm.process_idle_timeout = 10s