david Marec 10 달 전
부모
커밋
d9e1edaa4d

+ 53 - 0
etc/pf.conf

@@ -0,0 +1,53 @@
+ext_if="vtnet0"
+extnet=$ext_if:network
+tcp_services="{ www, https }"
+icmp_types="echoreq"
+jail_net="192.168.0.1/24"
+jail_git="192.168.0.25/24"
+jail_git6="fd00::25/24"
+jail_net6="fd00::/8"
+table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+              0.0.0.0/8, 240.0.0.0/4 }
+
+table <copains> const { }
+set loginterface $ext_if
+set skip on lo0
+set skip on lo1
+set block-policy drop
+scrub in on $ext_if all fragment reassemble
+scrub on $ext_if all reassemble tcp
+
+nat on $ext_if inet from  $jail_net to any -> $ext_if:0
+nat on $ext_if inet6 from $jail_net6 to any -> $ext_if:0
+
+
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 9022 -> jail_git port 22
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 9418 -> jail_git port 9418
+
+
+block in all
+pass out all
+
+block drop quick from <sshforce>
+block drop in quick on $ext_if from <martians> to any
+block drop out quick on $ext_if from any to <martians>
+antispoof quick for { lo0 lo1 $ext_if }
+pass quick from <copains> to any
+anchor "blacklistd/*" in on $ext_if
+
+pass log proto tcp from any to $extnet port 79
+pass proto tcp from any to $extnet port $tcp_services \
+    flags S/SA keep state
+
+# Restrictive Brute force SSH
+pass quick proto tcp from any to $extnet port ssh \
+    flags S/SA keep state \
+    (max-src-conn 15, max-src-conn-rate 5/3, \
+    overload <sshforce> flush global)
+
+pass in inet proto icmp all icmp-type $icmp_types
+pass in inet6 proto icmp6 all
+
+
+
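Review bot: The two rdr rules at lines 34–35 write the target as `jail_git` without the `$` macro sigil, so pfctl will treat it as a host name to resolve rather than expanding the macro defined at line 15; the intended form is `-> $jail_git port 22` and `-> $jail_git port 9418`. Once expanded, `jail_git="192.168.0.25/24"` still hands rdr a whole /24 as the translation address, which pf treats as an address pool rather than a single host, so the macro should be `jail_git="192.168.0.25"` (the unused `jail_git6` at line 16 carries the same mask problem). The `<sshforce>` table is consumed at line 41 and filled by the overload at line 56 but is never declared alongside the other tables; `table <sshforce> persist` makes its lifetime explicit so the collected addresses survive a ruleset reload (I believe pfctl otherwise creates it implicitly, but the explicit declaration is the documented form).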

+ 45 - 0
usr/local/etc/nginx/dokuwiki.conf

@@ -0,0 +1,45 @@
+include drop.conf;
+
+client_max_body_size 15M;
+client_body_buffer_size 128k;
+location / {
+	try_files $uri $uri/ @dokuwiki;
+}
+
+location ~ \.php$ {
+	try_files $uri $uri/ /doku.php;
+	fastcgi_pass unix:/jails/php/var/run/php-fpm.sock;
+	fastcgi_param REDIRECT_STATUS 200;
+	include fastcgi_params;
+	fastcgi_param SCRIPT_FILENAME /usr/local/www/dokuwiki/$fastcgi_script_name;
+	fastcgi_param  QUERY_STRING     $query_string;
+	fastcgi_param  REQUEST_METHOD   $request_method;
+	fastcgi_param  CONTENT_TYPE     $content_type;
+	fastcgi_param  CONTENT_LENGTH   $content_length;
+	fastcgi_intercept_errors        on;
+	fastcgi_ignore_client_abort     off;
+	fastcgi_connect_timeout 60;
+	fastcgi_send_timeout 180;
+	fastcgi_read_timeout 180;
+	fastcgi_buffer_size 128k;
+	fastcgi_buffers 4 256k;
+	fastcgi_busy_buffers_size 256k;
+	fastcgi_temp_file_write_size 256k;
+}
+location @dokuwiki {
+	rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+	rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+	rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+	rewrite ^/(.*) /doku.php?id=$1&$args last;
+}
+
+# Block access to data folders
+location ~ /(data|conf|bin|inc)/ {
+	deny all;
+}
+
+# Block access to .htaccess files
+location ~ /\.ht {
+	deny  all;
+}
+
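Review bot: Regex locations are tried in file order and the first match wins, so `location ~ \.php$` at line 76 is consulted before the deny rules at lines 104 and 109; a request for a `.php` path under `/data/`, `/conf/`, `/bin/` or `/inc/` is handed to php-fpm instead of being denied. Move the two deny blocks above the PHP location (or express them as `^~` prefix locations with explicit paths) so the folder guard applies first; `/data/` is presumably where DokuWiki keeps uploaded media, which is why the ordering matters. The `try_files $uri $uri/ /doku.php;` at line 77 also means a `.php` path that does not exist is silently served by `doku.php`; `try_files $uri =404;` would be the more conservative choice.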

+ 5 - 0
usr/local/etc/nginx/drop.conf

@@ -0,0 +1,5 @@
+location = /robots.txt  { access_log off; log_not_found off; }
+location = /favicon.ico { access_log off; log_not_found off; }
+location ~ /\.          { access_log off; log_not_found off; deny all; }
+location ~ ~$           { access_log off; log_not_found off; deny all; }
+
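Review bot: `location ~ /\.` on line 120 also catches `/.well-known/`, so an ACME http-01 challenge under `/.well-known/acme-challenge/` is denied on every server that includes this file or the near-identical `dropall.conf`; the Let's Encrypt certificate paths in nginx.conf show certificates are issued for these hosts, though the challenge method is not visible here. If webroot renewal is used, add `location ^~ /.well-known/acme-challenge/ { root <ACME-WEBROOT-PLACEHOLDER>; }` ahead of the dotfile rule, since a `^~` prefix match takes precedence over the regex locations. The same applies to `dropall.conf`, which differs only by denying `robots.txt` and `favicon.ico` as well.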

+ 5 - 0
usr/local/etc/nginx/dropall.conf

@@ -0,0 +1,5 @@
+location = /robots.txt  { access_log off; log_not_found off; deny all; }
+location = /favicon.ico { access_log off; log_not_found off; deny all; }
+location ~ /\.          { access_log off; log_not_found off; deny all; }
+location ~ ~$           { access_log off; log_not_found off; deny all; }
+

+ 44 - 0
usr/local/etc/nginx/grav.conf

@@ -0,0 +1,44 @@
+    index index.html index.php;
+
+    ## Begin - Server Info
+    root /jails/grav/usr/local/www/grav;
+    server_name localhost;
+    ## End - Server Info
+
+    ## Begin - Index
+    # for subfolders, simply adjust:
+    # `location /subfolder {`
+    # and the rewrite to use `/subfolder/index.php`
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    ## End - Index
+
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
+
+    ## Begin - PHP
+    location ~ \.php$ {
+        # Choose either a socket or TCP/IP address
+		fastcgi_pass unix:/jails/grav/var/run/php-fpm.sock;
+        # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
+        # fastcgi_pass 127.0.0.1:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME /usr/local/www/grav/$fastcgi_script_name;
+    }
+
+    location ~ /forge {
+			rewrite ^ https://forge.dmarec.fr redirect;
+    }
+    ## End - PHP
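Review bot: `location ~ /forge` at line 178 is an unanchored regex, so any URI containing `/forge` (a page slug such as `/blog/forgery`, for instance) is redirected off-site to forge.dmarec.fr; `location = /forge { return 301 https://forge.dmarec.fr/; }` (or `^~ /forge/`) limits it to the intended path and `return` avoids the regex rewrite. The PHP location at line 166 passes any URI ending in `.php` to php-fpm without checking that the file exists; a `try_files $uri =404;` as its first line is the usual guard so that php-fpm's own path resolution cannot pick a different file than the one nginx matched. Lines 168, 175 and 179 are tab-indented while the rest of the block uses spaces, and `server_name localhost;` at line 142 appends `localhost` to every server that includes this file. The `server {}` this fragment belongs to is defined in nginx.conf, not here.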

+ 129 - 0
usr/local/etc/nginx/nginx.conf

@@ -0,0 +1,129 @@
+user  www;
+worker_processes  6;
+timer_resolution 500ms;
+
+events {
+	worker_connections  1024;
+	use kqueue;
+}
+
+
+http {
+	default_type  application/octet-stream;
+	include       /usr/local/etc/nginx/mime.types;
+
+	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+	#                  '$status $body_bytes_sent "$http_referer" '
+	#                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log  /var/log/nginx/access.log;
+
+	sendfile	on;
+	tcp_nopush	on;
+	aio	on;
+
+	keepalive_timeout  65;
+
+	gzip  	on;
+	gzip_min_length  1100;
+	gzip_buffers     4 8k;
+	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ecdh_curve X25519:P-521:P-384:P-256;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
+	ssl_session_cache shared:SSL:10m;
+
+	ssl_session_timeout 15m;
+	ssl_session_tickets off;
+
+	map $scheme $php_https { default off; https on; }
+	server {
+		http2 on;
+		listen 80 ;
+		listen [::]:80 ;
+		server_name  dmarec.fr;
+		error_page   500 502 503 504  /50x.html;
+		include dropall.conf;
+		include nobot.conf;
+		location = /50x.html {
+			root   /usr/local/www/nginx-dist;
+		}
+		location /files {
+			alias /usr/local/www/files;
+		}
+		include grav.conf;
+	}
+	server {
+		http2 on;
+		listen [::]:443 ssl;
+		listen 443 ssl ;
+		server_name dmarec.fr;
+		include dropall.conf;
+		include nobot.conf;
+
+		ssl_certificate /usr/local/etc/letsencrypt/live/dmarec.fr/fullchain.pem;
+		ssl_certificate_key /usr/local/etc/letsencrypt/live/dmarec.fr/privkey.pem;
+		# redirect server error pages to the static page /50x.html
+		#
+		error_page   500 502 503 504  /50x.html;
+		#root /usr/local/www/nginx;
+		location = /50x.html {
+			root   /usr/local/www/nginx-dist;
+		}
+
+		location /files {
+			alias /usr/local/www/files;
+		}
+		include grav.conf;
+	}
+	server {
+		http2 on;
+		listen [::]:80 accept_filter=httpready;
+		listen 80 accept_filter=httpready;
+		server_name wiki.fug-fr.org ;
+		include nobot.conf;
+		root /jails/php/usr/local/www/dokuwiki;
+		index doku.php index.html;
+		#Enforce https for logins, admin
+		if ($args ~* do=(log|admin|profile)) {
+			rewrite ^ https://$host$request_uri? redirect;
+		}
+		include dokuwiki.conf;
+	}
+
+	server {
+		http2 on;
+		listen [::]:443 ssl accept_filter=httpready;
+		listen 443 ssl accept_filter=httpready;
+		server_name wiki.fug-fr.org ;
+		include nobot.conf;
+		root /jails/php/usr/local/www/dokuwiki;
+		index doku.php;
+		ssl_certificate /usr/local/etc/letsencrypt/live/wiki.fug-fr.org/fullchain.pem;
+		ssl_certificate_key /usr/local/etc/letsencrypt/live/wiki.fug-fr.org/privkey.pem;
+		keepalive_requests    10;
+		keepalive_timeout     60 60;
+#		if ($args ~* (do=show|^$)){
+#			rewrite ^ http://$host$request_uri? redirect;
+#		}
+		include dokuwiki.conf;
+	}
+	server {
+		http2 on;
+		listen [::]:443 ssl;
+		listen 443 ssl;
+		server_name forge.dmarec.fr;
+		ssl_certificate /usr/local/etc/letsencrypt/live/forge.dmarec.fr/fullchain.pem;
+		ssl_certificate_key /usr/local/etc/letsencrypt/live/forge.dmarec.fr/privkey.pem;
+		keepalive_requests    10;
+		keepalive_timeout     60 60;
+
+		location / {
+			proxy_pass http://192.168.0.25:3000/;
+		}
+	}
+
+}
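Review bot: The `ssl_ciphers` list at line 222 names `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which are not OpenSSL cipher suites; OpenSSL silently drops unknown names, leaving only two RSA-keyed AES256-GCM suites for TLS 1.2. If the Let's Encrypt certificates referenced at lines 253, 291 and 305 are ECDSA (the certbot default in recent versions, not visible here), no TLS 1.2 handshake can succeed and only TLS 1.3 clients get through; a list such as `ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";` covers both key types. The forge server at line 310 proxies to 192.168.0.25:3000 without forwarding `Host`, the client address or the scheme, so the forge sees nginx as its only client and cannot tell that the request arrived over HTTPS; the headers below address that. Separately, the port-80 servers at lines 229 and 268 serve the full sites in clear text, with the wiki redirecting only `do=log|admin|profile` requests; a `return 301 https://$host$request_uri;` on port 80 would be the simpler policy if HTTPS-only is intended.
```nginx
		location / {
			proxy_pass http://192.168.0.25:3000/;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
		}
```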

+ 6 - 0
usr/local/etc/nginx/nobot.conf

@@ -0,0 +1,6 @@
+if ($http_user_agent ~*
+		"facebookexternalhit|GPTBot|ClaudeBot|Claude|CCBot|Applebot|Facebookbot|Meta-ExternalAgent|diffbot|PerplexityBot|Omgili|Omgilibot|ImagesiftBot|Bytespider|Amazonbot|Youbot")
+{
+	return 403;
+}
+
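Review bot: The alternation at line 322 is matched case-insensitively as an unanchored substring, so `Claude` already covers `ClaudeBot` and `Omgili` covers `Omgilibot`, and any client whose User-Agent merely contains "claude" is refused; if the broad match is deliberate a comment saying so would help, otherwise anchoring the short names (for example `Claude\b`) keeps the list precise. Because `$http_user_agent` is supplied by the client, this is a courtesy filter for well-behaved crawlers rather than an access control, and a one-line comment stating that would set expectations for the next maintainer. The forge.dmarec.fr server in nginx.conf is the only one that does not include this file, so the crawlers listed here can still walk the proxied forge; that looks like an omission rather than a choice.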