Andy andybeak
andybeak
/ iptables.sh
Last active
April 2, 2020 22:57
Set up firewall for webserver behind a reverse proxy #book #course
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| logger Configuring iptables | |
| # Flush existing rules | |
| sudo iptables -F | |
| # Allow SSH from bastion server | |
| sudo iptables -A INPUT -p tcp -s 172.31.23.163/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| sudo apt update && sudo apt upgrade -y | |
| if ! lsb_release -r -s | grep -q '18.04'; then | |
| echo "Please use Ubuntu 18.04 LTS"; | |
| exit; | |
| fi | |
| echo "---- Installing dependencies" | |
| sudo apt-get install -y \ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| require('../vendor/autoload.php'); | |
| use Monolog\Logger; | |
| use Monolog\Handler\SocketHandler; | |
| // create a log channel | |
| $log = new Logger('elk'); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // can't log out if the session isn't started | |
| session_start(); | |
| // emptying the session data is useful if your script continues running after logging out | |
| $_SESSION = []; | |
| // set the cookie to expire immediately | |
| if (ini_get("session.use_cookies")) { | |
| $params = session_get_cookie_params(); | |
| setcookie(session_name(), '', time() - 42000, | |
| $params["path"], $params["domain"], |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 443 ssl; | |
| server_name example.com; | |
| ssl on; | |
| # enable HSTS | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;"; | |
| # prevent clickjacking | |
| add_header X-Frame-Options "SAMEORIGIN"; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // See https://nginx.org/en/docs/http/ngx_http_map_module.html | |
| // This sets the value of $cors_header depending on the value of $http_origin | |
| map $http_origin $cors_header{ | |
| default ""; | |
| "~^(https:\/\/safedomain\.com)$" "$http_origin"; | |
| "~^(https:\/\/anotherdomain\.com)$" "$http_origin"; | |
| } | |
| server { | |
| listen 80; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // Answer from https://stackoverflow.com/questions/7648623/dynamically-running-clamavs-clamscan-on-file-uploads-with-php | |
| $safe_path = escapeshellarg($_FILES['uploadedfile']['tmp_name']); | |
| $command = 'clamscan ' . $safe_path; | |
| $out = ''; | |
| $int = -1; | |
| exec($command, $out, $int); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| nginx: | |
| image: nginx:1.13.1 | |
| container_name: nginx-proxy | |
| ports: | |
| - "80:80" | |
| - "443:443" | |
| volumes: | |
| - conf:/etc/nginx/conf.d |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| sonarqube: | |
| image: 'sonarqube:6.7.6-community' | |
| restart: always | |
| networks: | |
| - sonarnet | |
| ports: | |
| - "10000:9000" | |
| volumes: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| sonarqube: | |
| image: 'sonarqube:6.7.6-community' | |
| restart: always | |
| networks: | |
| - sonarnet | |
| ports: | |
| - "10000:9000" | |
| volumes: |