From 1dfa673201cd0182a4b34ee0736493b4eade195d Mon Sep 17 00:00:00 2001
From: Tom Noogen
Date: Tue, 8 Aug 2017 19:34:03 -0500
Subject: [PATCH] make SSL PCI compliance until July 2018
---
 files/etc/nginx/cdn-ips.conf | 76 ++++++++++++++++++++++++++++++++++++
 files/etc/nginx/nginx.new | 28 ++++---------
 2 files changed, 83 insertions(+), 21 deletions(-)
 create mode 100644 files/etc/nginx/cdn-ips.conf
diff --git a/files/etc/nginx/cdn-ips.conf b/files/etc/nginx/cdn-ips.conf
new file mode 100644
index 0000000..d7393f3
--- /dev/null
+++ b/files/etc/nginx/cdn-ips.conf
@@ -0,0 +1,76 @@
+# Local cache/proxy
+set_real_ip_from 127.0.0.1/32;
+
+# Incapsula
+set_real_ip_from 199.83.128.0/21;
+set_real_ip_from 198.143.32.0/19;
+set_real_ip_from 149.126.72.0/21;
+set_real_ip_from 103.28.248.0/22;
+set_real_ip_from 185.11.124.0/22;
+set_real_ip_from 192.230.64.0/18;
+set_real_ip_from 45.64.64.0/22;
+
+# Cloudflare
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 199.27.128.0/21;
+
+# stackpath https://support.stackpath.com/hc/en-us/articles/224785167-IP-Blocks
+set_real_ip_from 108.161.176.0/20;
+set_real_ip_from 94.46.144.0/20;
+set_real_ip_from 146.88.128.0/20;
+set_real_ip_from 198.232.124.0/22;
+set_real_ip_from 23.111.8.0/22;
+set_real_ip_from 217.22.28.0/22;
+set_real_ip_from 64.125.76.64/27;
+set_real_ip_from 64.125.76.96/27;
+set_real_ip_from 64.125.78.96/27;
+set_real_ip_from 64.125.78.192/27;
+set_real_ip_from 151.139.0.0/19;
+set_real_ip_from 64.125.78.224/27;
+set_real_ip_from 64.125.102.32/27;
+set_real_ip_from 64.125.102.64/27;
+set_real_ip_from 64.125.102.96/27;
+set_real_ip_from 94.31.27.64/27;
+set_real_ip_from 94.31.33.128/27;
+set_real_ip_from 94.31.33.160/27;
+set_real_ip_from 94.31.33.192/27;
+set_real_ip_from 94.31.56.160/27;
+set_real_ip_from 177.54.148.0/24;
+set_real_ip_from 94.46.144.0/21;
+set_real_ip_from 185.18.207.64/26;
+set_real_ip_from 50.31.249.224/27;
+set_real_ip_from 50.31.251.32/28;
+set_real_ip_from 119.81.42.192/27;
+set_real_ip_from 119.81.104.96/28;
+set_real_ip_from 119.81.67.8/29;
+set_real_ip_from 119.81.0.104/30;
+set_real_ip_from 119.81.1.144/30;
+set_real_ip_from 27.50.77.226/32;
+set_real_ip_from 27.50.79.130/32;
+set_real_ip_from 103.66.28.0/22;
+set_real_ip_from 119.81.131.130/32;
+set_real_ip_from 119.81.131.131/32;
+set_real_ip_from 216.12.211.59/32;
+set_real_ip_from 216.12.211.60/32;
+set_real_ip_from 37.58.110.67/32;
+set_real_ip_from 37.58.110.68/32;
+set_real_ip_from 158.85.206.228/32;
+set_real_ip_from 158.85.206.231/32;
+set_real_ip_from 174.36.204.195/32;
+set_real_ip_from 174.36.204.196/32;
+set_real_ip_from 103.228.104.0/22;
+
+real_ip_header X-Forwarded-For;
+
diff --git a/files/etc/nginx/nginx.new b/files/etc/nginx/nginx.new
index 2d0db33..a256bcf 100644
--- a/files/etc/nginx/nginx.new
+++ b/files/etc/nginx/nginx.new
@@ -37,9 +37,11 @@ http {
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
- log_format simple '-= ngx: $status $request_uri $request_time $remote_addr';
+ log_format better '-= ngx: $status $request_method $scheme://$host$request_uri $request_time '
+ '$remote_addr $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
- access_log /var/log/nginx/access.log simple;
+ access_log /var/log/nginx/access.log better;
 # Mime settings
 include /etc/nginx/mime.types;
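Review bot: `real_ip_header X-Forwarded-For;` at the end of cdn-ips.conf is set without `real_ip_recursive on;`, so for a request that reaches nginx through the trusted `127.0.0.1/32` cache sitting behind a trusted CDN, nginx substitutes the last X-Forwarded-For entry — the CDN edge address the local proxy appended — instead of the client address this file is presumably meant to recover. Add `real_ip_recursive on;` beside `real_ip_header` so nginx walks back through trusted hops and stops at the first untrusted address. All three providers' ranges are trusted simultaneously and every entry is IPv4 only; if the CDN in front of this origin connects over IPv6 (Cloudflare publishes a separate v6 list) those requests keep the edge address, and trimming the list to the provider actually in use shrinks the set of parties whose forwarded header is honored. `94.46.144.0/21` is already covered by `94.46.144.0/20`, and a dated source URL on each block, as the stackpath one has, would make the next refresh of these hard-coded lists easier.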
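Review bot: The new `better` log_format records `$remote_addr` — which, once the realip module applies cdn-ips.conf, is the address recovered from X-Forwarded-For — and `$http_x_forwarded_for`, but not the address of the peer that actually opened the connection, so a spoofed or mis-trusted forwarded header cannot be traced back to the proxy that delivered it. Append `$realip_remote_addr` (available from nginx 1.9.7) to the format, e.g. `'"$http_user_agent" "$http_x_forwarded_for" $realip_remote_addr';`. `$host` in the logged URL comes from the client's Host header; nginx escapes quotes and non-printable bytes in log variables, but anything that parses this log should still treat the field as untrusted input.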
@@ -55,27 +57,9 @@ http {
 gzip_disable "MSIE [1-6]\.";
- # Cloudflare https://www.cloudflare.com/ips
- set_real_ip_from 199.27.128.0/21;
- set_real_ip_from 173.245.48.0/20;
- set_real_ip_from 103.21.244.0/22;
- set_real_ip_from 103.22.200.0/22;
- set_real_ip_from 103.31.4.0/22;
- set_real_ip_from 141.101.64.0/18;
- set_real_ip_from 108.162.192.0/18;
- set_real_ip_from 190.93.240.0/20;
- set_real_ip_from 188.114.96.0/20;
- set_real_ip_from 197.234.240.0/22;
- set_real_ip_from 198.41.128.0/17;
- set_real_ip_from 162.158.0.0/15;
- set_real_ip_from 104.16.0.0/12;
- set_real_ip_from 172.64.0.0/13;
- real_ip_header CF-Connecting-IP;
-
-
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # remove TLSv1 for PCI-DSS compliance
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
@@ -103,6 +87,8 @@ http {
 log_subrequest on;
 rewrite_log on;
+ include /etc/nginx/cdn-ips.conf;
+
 # Wildcard include
 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*.conf;
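Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` keeps TLS 1.1, which the June 2018 PCI DSS deadline tolerates but which adds no meaningful client reach over 1.2 and will be the next protocol asked to go, and it names `TLSv1.3`, a token that nginx before 1.13.0 rejects as an invalid value at config load and that nginx 1.13+ silently ignores unless it is linked against an OpenSSL with TLS 1.3 support, which did not exist as a release at this commit's date. Change the line to `ssl_protocols TLSv1.2 TLSv1.3;` and check `nginx -V` for the OpenSSL version before counting on 1.3 being negotiated. The retained cipher list still offers `DHE-*` suites; no `ssl_dhparam` is visible in this hunk, and without one nginx either uses a weak built-in group (older releases) or drops those suites entirely (newer releases), so confirm that directive with a 2048-bit group exists elsewhere in the http block.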