TL;DR: Absolutely stable systems don’t exist, so the answer is no. But you can make your life much easier with the bunkerized-nginx Docker container. Let’s look at how it differs from the standard nginx image and what interesting things it can do.
Bunker Server
For me, the word bunkerized applied to a server is associated exclusively with CyberBunker, and here the analogy is actually appropriate. The French team Bunkerity develops ready-made hardened images for nginx, mariadb, php and phpmyadmin, promising protection against intrusions, bots and indexers, brute force and dangerous files, just as the owners of the pirate bunker once guaranteed security and anonymity.
Scanners cannot see the server at https://demo-nginx.bunkerity.com/, even though it opens fine in a browser.
Real features
In addition to the standard advantages of nginx in docker, we get:
- HTTPS support with Let’s Encrypt auto-renewal
- Up-to-date web security: HTTP security headers, php.ini hardening, memory leak prevention and more
- Built-in ModSecurity firewall with the OWASP Core Rule Set
- Automatic blocking of suspicious activity through fail2ban
- Protection against bot attacks: mandatory verification by captcha / cookies / custom JS (an analogue of Attack mode in Cloudflare)
- Blocking onion routing and proxies, requests with suspicious or banned user agents, and even requests by country of origin
- Automatic IP check against DNSBL blacklists
- Protection against brute force (request limiting)
- Detecting dangerous or corrupted files with ClamAV
- Compact configuration via environment variables
- Support for non-standard architectures such as arm32v7
Some of this looks commonplace and some may seem superfluous (why should I rebuild nginx if I run the container on x86_64?), but thanks to the flexible configuration almost everything can be tailored to your taste and your needs.
Run
Installation
docker pull bunkerity/bunkerized-nginx
HTTP server with default settings
docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx
The files are served from the /www directory.
HTTPS server with automatic Let’s Encrypt management
docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx
The certificates are stored in the /etc/letsencrypt directory. You can stop the server from listening on HTTP altogether by adding LISTEN_HTTP: no, but keep in mind that Let’s Encrypt needs port 80 open, so don’t forget to set up the redirect instead.
The following variables were used here:
SERVER_NAME – FQDN (fully qualified domain name) of your server
AUTO_LETS_ENCRYPT – Automatically generates and renews Let’s Encrypt certificates
REDIRECT_HTTP_TO_HTTPS – redirects HTTP to HTTPS (self-explanatory)
Working in reverse proxy mode
The actual reverse proxy configuration is left to the user:
location / {
    if ($host = www.website1.com) {
        proxy_pass http://192.168.42.10$request_uri;
    }
    if ($host = www.website2.com) {
        proxy_pass http://192.168.42.11$request_uri;
    }
}
All configuration files (.conf) in the /server-confs directory are included in the server context, so it is enough to mount the volume with the configs into the container:
docker run -p 80:80 -e SERVER_NAME="www.website1.com www.website2.com" -e SERVE_FILES=no -e DISABLE_DEFAULT_SERVER=yes -v /path/to/server/conf:/server-confs bunkerity/bunkerized-nginx
Here:
SERVER_NAME – the list of valid Host headers sent by clients
SERVE_FILES – allows (yes) or disallows (no) nginx to serve files from /www
DISABLE_DEFAULT_SERVER – nginx will not respond to requests whose Host is not in the SERVER_NAME list
Working behind a reverse proxy
docker run -p 80:80 -v /path/to/web/files:/www -e PROXY_REAL_IP=yes bunkerity/bunkerized-nginx
With PROXY_REAL_IP: yes, the nginx module ngx_http_realip_module is enabled so that nginx sees the real client IP rather than the address of the proxy in front of it.
Mandatory anti-bot check
docker run -p 80:80 -v /path/to/web/files:/www -e USE_ANTIBOT=captcha bunkerity/bunkerized-nginx
With USE_ANTIBOT: captcha, every visitor is forced to pass a captcha on entry. The cookie, javascript and recaptcha options are also available. The docs are here.
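Once the container is up, it is worth checking that it really does what the settings above promise: the HTTP-to-HTTPS redirect (REDIRECT_HTTP_TO_HTTPS), the security headers the image advertises, and the refusal of unknown Host values (DISABLE_DEFAULT_SERVER). The script below is an added example and not part of the post or the Bunkerity project; the set of header names it expects is my assumption about a hardened nginx, not a list taken from the image.

```python
"""Post-deployment checks for a bunkerized-nginx container (added example).

The checks are split into pure functions (testable offline) and one
network helper, check_live(), that runs them against a real host.
"""
import http.client
import ssl
from typing import Optional

# Assumed hardening headers; adjust to what your deployment actually sets.
REQUIRED_HEADERS = {
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
}


def redirect_ok(status: int, location: Optional[str], host: str) -> bool:
    """True if a plain-HTTP answer redirects to https:// on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return location.lower().startswith("https://" + host.lower())


def missing_headers(headers) -> set:
    """Return the expected hardening headers absent from (name, value) pairs."""
    present = {name.lower() for name, _ in headers}
    return REQUIRED_HEADERS - present


def default_server_blocked(status: Optional[int]) -> bool:
    """True if a request with an unknown Host got no usable page.

    With DISABLE_DEFAULT_SERVER the server should not answer at all, which
    shows up as a dropped connection (status None); 403/421 also count.
    """
    return status is None or status in (403, 421)


def check_live(host: str, timeout: float = 5.0) -> dict:
    """Run all three checks against a running server (needs network access)."""
    results = {}
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    results["redirect"] = redirect_ok(resp.status, resp.getheader("Location"), host)
    conn.close()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", "/", headers={"Host": host})
    results["missing_headers"] = missing_headers(conn.getresponse().getheaders())
    conn.close()
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": "unknown.invalid"})  # not in SERVER_NAME
    try:
        status = conn.getresponse().status
    except (http.client.HTTPException, OSError):  # connection closed without a reply
        status = None
    conn.close()
    results["default_server_blocked"] = default_server_blocked(status)
    return results
```

A result of `{"redirect": True, "missing_headers": set(), "default_server_blocked": True}` means the three settings are in effect; any missing header is listed by name so you can compare it with the container’s configuration.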
Conclusion
bunkerized-nginx is a convenient option for those who need to launch nginx quickly and not worry afterwards about its security, vulnerability patching and privacy. Literally one line launches a ready-made container that you can then forget about. At the same time, despite the simple start, it is still a full-fledged nginx with all of its functionality, which lets you configure everything as flexibly as you need.