5/5 - (2 votes)

TL; DR: Absolutely stable systems don’t exist, so the answer is no way. But you can make your life much easier with the bunkerized-nginx Docker container. Let’s talk about how it differs from the standard nginx image and what interesting things it can do here.

Bunker Server

In general, my word bunkerized in relation to the server is associated exclusively with CyberBunker, and here this analogy is, in principle, appropriate. The French Bunkerity team develops ready-made secure images for nginx, mariadb, php and phpmyadmin, promising protection against intrusion, bots and indexers, brute force and dangerous files, as the owners of the pirate bunker once guaranteed security and anonymity.

Scanners cannot see the server https://demo-nginx.bunkerity.com/, although it is available in the browser.

Real features

In addition to the standard advantages of nginx in docker, we get:

  • HTTPS support with Let’s Encrypt auto-renewal,
  • Up-to-date web security: HTTP security headers, php.ini hardening, memory leak prevention and more
  • Built-in Modsecurity Firewall with OWASP Core Rule Set
  • Automatic blocking of suspicious activities through fail2ban
  • Protection against bot attacks – mandatory verification by captcha / cookies / custom js (analogue of Attack mode in Cloudflare)
  • Blocking onion routing, proxies, by suspicious / banned user agent, and even by country of request
  • Automatic IP check in DNSBL blacklist
  • Protection against brute force (limit on requests)
  • Detecting dangerous / corrupted files with ClamAV
  • Compact configuration via environment variables
  • Support for non-standard architectures like arm32v7

Something looks trite, some may seem superfluous (why should I rebuild nginx if I run the container on x86_64?), But thanks to flexible configuration, almost everything can be customized to your taste and to your needs.

Run

Installation

docker pull bunkerity / bunkerized-nginx

HTTP server with default settings

docker run -p 80:80 -v / path / to / web / files: / www bunkerity / bunkerized-nginx

The files are served from the / www directory.

HTTPS server with automatic Let’s Encrypt management

docker run -p 80:80 -p 443: 443 -v / path / to / web / files: / www -v / where / to / save / certificates: / etc / letsencrypt -e SERVER_NAME = www.yourdomain.com - e AUTO_LETS_ENCRYPT = yes -e REDIRECT_HTTP_TO_HTTPS = yes bunkerity / bunkerized-nginx

The certificates are stored in the / etc / letsencrypt directory. You can prevent the server from listening to HTTP by adding LISTEN_HTTP: no. Don’t forget to set up a redirect because Let’s Encrypt needs port 80 open.

The following variables were used here:

SERVER_NAME – FQDN (fully qualified domain name) of your server
AUTO_LETS_ENCRYPT – Automatically generates and renews Let’s Encrypt certificates
REDIRECT_HTTP_TO_HTTPS – redirects HTTP to HTTPS (cap)

Working in reverse proxy mode

The actual configuration of the reverse proxy falls on the user:

location / {
if ($ host = www.website1.com) {
proxy_pass http: //192.168.42.10$request_uri;
}

if ($ host = www.website2.com) {
proxy_pass http: //192.168.42.11$request_uri;
}
}

All configuration files (.conf) in the / server-confs directory will be included in the server context. It is enough just to mount the volume with configs to the container:

docker run -p 80:80 -e SERVER_NAME = "www.website1.com www.website2.com" -e SERVE_FILES = no -e DISABLE_DEFAULT_SERVER = yes -v / path / to / server / conf: / server-confs bunkerity / bunkerized-nginx

Here:

SERVER_NAME – list of valid Host headers sent by the client
SERVE_FILES – allows (yes) or disallows (no) nginx to serve files from / www
DISABLE_DEFAULT_SERVER – nginx will not respond to requests for which Host is not in the SERVER_NAME list

Working behind a reverse proxy

docker run -p 80:80 -v / path / to / web / files: / www -e PROXY_REAL_IP = yes bunkerity / bunkerized-nginx

When you enable PROXY_REAL_IP: yes, the nginx module ngx_http_realip_module is activated to get the real IP of the client due to the proxy.

Mandatory anti-bot check

docker run -p 80:80 -v / path / to / web / files: / www -e USE_ANTIBOT = captcha bunkerity / bunkerized-nginx

With USE_ANTIBOT: captcha, all users will be forced to go through the captcha when entering. Cookie, javascript, recaptcha options are also available. The docks are here.

Conclusion

bunkerized-nginx is a convenient option for those who need to quickly launch nginx and not worry about its security, vulnerability fixing and privacy in the future. Literally in one line, you can launch a ready-made container and forget about it. At the same time, despite a simple start, it is still a full-fledged nginx with its huge functionality, which allows you to configure everything as flexibly as possible.

Related posts:

  1. Nginx-log-collector utility to send nginx logs to Clickhouse
  2. Error 502 bad gateway in Nginx
  3. Caching s3 in nginx and Google User Content DDoS
  4. Comfortable DevOpsSec: Nemesida WAF Free for NGINX with API and personal account