Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
1cb22b3
Testing config
Marchosiax May 17, 2025
47f11d8
Add v2api config
Marchosiax May 31, 2025
307b19d
add profile
AmirRajabii Jul 19, 2025
d1b9864
Add ip configs
Marchosiax Jul 29, 2025
a220564
Merge remote-tracking branch 'origin/dev' into dev
Marchosiax Jul 29, 2025
1f9b4bf
Add bc-gateway
AmirRajabii Sep 3, 2025
4dd6602
Remove bc-gateway
AmirRajabii Sep 3, 2025
63ba56e
Add auth gateway health check
AmirRajabii Nov 2, 2025
4935732
Add bc location for handling chain scanner webhook
fatemeh-i Nov 5, 2025
a25dcb9
Fix the bc location
fatemeh-i Nov 5, 2025
370e9ec
Add server block for admin v2 panel
AmirRajabii Feb 24, 2026
1b40ab8
Add mobile web app route in the nginx config
fatemeh-i Apr 13, 2026
671bce8
Handle public files in nginx
fatemeh-i Apr 13, 2026
598c064
Change the root directory for the beta apps
fatemeh-i Apr 14, 2026
03c8917
Change the way to separate mobile/desktop web app
fatemeh-i Apr 14, 2026
22d4ff1
Fix the regex issue in separating mobile and desktop apps
fatemeh-i Apr 14, 2026
459d318
Set the log directory for nginx
fatemeh-i Apr 14, 2026
a8cc888
Change the log directory for nginx
fatemeh-i Apr 14, 2026
4e9e55f
Change the route policy of beta app
fatemeh-i Apr 15, 2026
a495007
Handle errors around favicon
fatemeh-i Apr 15, 2026
aede9c4
Fix typo in beta app block
fatemeh-i Apr 17, 2026
2c7036b
Set SERVER_NAME_BETA_APP as an env for the nginx.conf
fatemeh-i Apr 17, 2026
5e33838
Remove extra spaces in envsubst
fatemeh-i Apr 17, 2026
3718e48
Fix the issue in the syntax of envsubst
fatemeh-i Apr 17, 2026
fe544cb
Change the beta app root to a dynamic configuration
fatemeh-i Apr 18, 2026
a03fa6a
Rename web_root var to web_app_root
fatemeh-i Apr 18, 2026
05baf1e
Change the location order
fatemeh-i Apr 18, 2026
e469e30
Change thes tructure of locations in beta app section
fatemeh-i Apr 18, 2026
0e829af
Make a decision about the root in the server blok to handle root in a…
fatemeh-i Apr 18, 2026
0fa9fa1
Route swagger subdomain
fatemeh-i May 30, 2026
fb9df65
Add modsec and lua modules to nginx
fatemeh-i Jun 16, 2026
f122eb7
Implementing compatibility between operating systems
fatemeh-i Jun 16, 2026
0d49083
Implementing compatibility between operating systems
fatemeh-i Jun 16, 2026
0748e1f
Correct a typo
fatemeh-i Jun 17, 2026
43fe08b
Change the admin panel config
fatemeh-i Jun 17, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 26 additions & 22 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,22 +1,26 @@
FROM nginx:1.20.2
COPY nginx.conf /etc/nginx/nginx.conf.org
COPY health-check.conf /etc/nginx/
ENV EXPOSED_PORT 443
ENV SERVER_NAME_DASHBOARD dashboard.opex.dev
ENV SERVER_NAME_ADMIN_PANEL admin.opex.dev
ENV SERVER_NAME_WEB_APP app.opex.dev
ENV SERVER_NAME_AUTH auth.opex.dev
ENV SERVER_NAME_HEALTH health.opex.dev
ENV SERVER_NAME_API api.opex.dev
ENV SERVER_NAME_KIBANA kibana.opex.dev
ENV SERVER_NAME_GRAFANA grafana.opex.dev
ENV SERVER_NAME_MOBILE_APP mobile.opex.dev
ENV SERVER_WALLET_STAT walletstat.opex.dev
ENV SERVER_NAME_KC kc.opex.dev
ENV SERVER_NAME_V2_AUTH v2auth.opex.dev
ENTRYPOINT sh -c 'envsubst \
\$EXPOSED_PORT,\$SERVER_NAME_DASHBOARD,\$SERVER_NAME_ADMIN_PANEL,\$SERVER_NAME_WEB_APP,\$SERVER_NAME_AUTH,\$SERVER_NAME_HEALTH,\$SERVER_NAME_API,\$SERVER_NAME_MOBILE_APP,\$SERVER_WALLET_STAT,\$SERVER_NAME_GRAFANA,\$SERVER_NAME_KIBANA,\$SERVER_NAME_KC,\$SERVER_NAME_V2_AUTH \
< /etc/nginx/nginx.conf.org \
| tee /etc/nginx/nginx.conf \
&& nginx -g "daemon off;"'
EXPOSE 443
FROM really/nginx-modsecurity:latest
USER root
# Install envsubst safely from the same Alpine version
RUN apk add --no-cache gettext

# nginx template
COPY nginx.conf.template /etc/nginx/nginx.conf.template

# ModSecurity configuration
COPY ./modsecurity/ /etc/nginx/modsecurity/

# Lua scripts (if you need them)
COPY ./lua/ /etc/nginx/lua/

COPY ./health-check.conf /etc/nginx/health-check.conf

# Startup script
COPY entrypoint.sh /entrypoint.sh


RUN sed -i 's/\r$//' /entrypoint.sh \
&& chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]

EXPOSE 443
5 changes: 5 additions & 0 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,14 @@ services:
- SERVER_WALLET_STAT=$SERVER_WALLET_STAT
- SERVER_NAME_KC=$SERVER_NAME_KC
- SERVER_NAME_V2_AUTH=$SERVER_NAME_V2_AUTH
- SERVER_NAME_BETA_APP=$SERVER_NAME_BETA_APP
- SERVER_NAME_SWAGGER=$SERVER_NAME_SWAGGER
- SERVER_NAME_ADMIN_V2_PANEL=$SERVER_NAME_ADMIN_V2_PANEL
secrets:
- opex_dev_crt
- private_pem
volumes:
- /var/www:/var/www:ro
nginx-exporter:
image: nginx/nginx-prometheus-exporter:1.1.0
ports:
Expand Down
38 changes: 38 additions & 0 deletions entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
#!/bin/sh

set -e

echo "Generating nginx.conf..."

envsubst '
$EXPOSED_PORT
$SERVER_NAME_DASHBOARD
$SERVER_NAME_ADMIN_PANEL
$SERVER_NAME_WEB_APP
$SERVER_NAME_AUTH
$SERVER_NAME_HEALTH
$SERVER_NAME_API
$SERVER_NAME_MOBILE_APP
$SERVER_WALLET_STAT
$SERVER_NAME_GRAFANA
$SERVER_NAME_KIBANA
$SERVER_NAME_KC
$SERVER_NAME_V2_AUTH
$SERVER_NAME_BETA_APP
$SERVER_NAME_SWAGGER
$SERVER_NAME_ADMIN_V2_PANEL
' \
< /etc/nginx/nginx.conf.template \
> /etc/nginx/nginx.conf


echo "Generated config size:"
wc -c /etc/nginx/nginx.conf

echo "Checking events section:"
grep "events" /etc/nginx/nginx.conf || true


nginx -t

exec nginx -g "daemon off;"
71 changes: 71 additions & 0 deletions lua/upload_check.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
local allowed_ext = {".png", ".jpg", ".jpeg"}
local blocked_ext = {".php", ".exe", ".sh", ".bat", ".js" , ".svg"} -- dangerous extensions

local function ends_with(str, ending)
return str:lower():sub(-#ending) == ending:lower()
end

local function contains_blocked(str)
str = str:lower()
for _, ext in ipairs(blocked_ext) do
if str:find(ext, 1, true) then
return true
end
end
return false
end

local headers = ngx.req.get_headers()
local content_type = headers["content-type"]
local is_admin = false

local admin_ips = {
["188.136.193.194"] = true,
["193.186.32.236"] = true,
["188.75.66.34"] = true
}

local client_ip = ngx.var.remote_addr

local is_admin = admin_ips[client_ip] or false

-- ngx.log(ngx.ERR, "Client IP: ", client_ip, " | Admin: ", tostring(is_admin))
ngx.log(
ngx.ERR,
"URI=", ngx.var.request_uri,
" METHOD=", ngx.req.get_method(),
" CONTENT_TYPE=", tostring(content_type),
" ADMIN=", tostring(is_admin)
)
if content_type and content_type:find("multipart/form-data", 1, true) and not is_admin then
ngx.req.read_body()
local body = ngx.req.get_body_data()
if body then
for filename in body:gmatch('filename="(.-)"') do
-- 1. Check allowed extensions
local allowed = false
for _, ext in ipairs(allowed_ext) do
if ends_with(filename, ext) then
allowed = true
break
end
end
if not allowed then
ngx.status = 403
ngx.say("Blocked upload: only PNG, JPG, JPEG allowed")
ngx.log(ngx.ERR,"Blocked upload: only PNG, JPG, JPEG allowed")
ngx.exit(403)
end

-- 2. Check for multiple dangerous extensions
if contains_blocked(filename) then
ngx.status = 403
ngx.say("Blocked upload: filename contains forbidden extension")
ngx.log(ngx.ERR,"Blocked upload: filename contains forbidden extension")
ngx.exit(403)
end
end
end
end
-- ngx.req.discard_body()

93 changes: 93 additions & 0 deletions modsecurity/modsecurity.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# Enable ModSecurity
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts AIJDEFHZ
SecAuditLogType Serial
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 3
# Temp directories
SecTmpDir /tmp/
SecDataDir /tmp/

# Keep uploaded files temporarily for inspection
SecUploadDir /tmp/modsec-upload/
SecUploadKeepFiles On

# Default actions
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

############################################################
# 1. Block dangerous HTML/script payloads in parameters only
# (NOT raw multipart request body)
############################################################
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS \
"@rx (?i)(<script\b|javascript:|onerror\s*=|onload\s*=|<iframe\b|<object\b|<embed\b)" \
"id:1001,phase:2,t:none,deny,log,msg:'Blocked dangerous HTML/script payload'"

############################################################
# 2. Block dangerous MIME types
############################################################
SecRule REQUEST_HEADERS:Content-Type \
"@rx (?i)(application/x-php|application/x-msdownload|application/x-sh|text/x-python|application/x-msdos-program)" \
"id:1002,phase:1,t:none,deny,log,msg:'Blocked dangerous MIME type'"

############################################################
# 3. Block dangerous file access attempts
############################################################
SecRule REQUEST_URI \
"@rx (?i)\.(php[0-9]?|phtml|phar|asp|aspx|jsp|exe|sh|bat|pl|py|cgi)(\?|$)" \
"id:1003,phase:1,t:none,deny,log,msg:'Blocked dangerous file request'"

############################################################
# 4. Detect code injection attempts
############################################################
SecRule ARGS|REQUEST_COOKIES \
"@rx (?i)(<\?php|system\(|exec\(|shell_exec\(|passthru\(|popen\(|cmd\.exe|/bin/sh|/bin/bash)" \
"id:1004,phase:2,t:none,deny,log,msg:'Blocked code injection pattern'"

############################################################
# 5. Block dangerous uploaded file extensions
############################################################
SecRule FILES_NAMES \
"@rx (?i)\.(php|phtml|phar|asp|aspx|jsp|exe|sh|bat|pl|py|cgi)$" \
"id:1005,phase:2,t:none,deny,log,msg:'Blocked dangerous uploaded file extension'"

############################################################
# 6. Detect dangerous content inside uploaded files
############################################################
SecRule FILES_TMP_CONTENT \
"@rx (?i)(<\?php|<script\b|system\(|exec\(|shell_exec\(|passthru\()" \
"id:1006,phase:2,t:none,deny,log,msg:'Blocked malicious uploaded file content'"

############################################################
# 7. Restrict allowed upload extensions
# Adjust allowed extensions as needed
############################################################
SecRule FILES_NAMES \
"!@rx (?i)\.(jpg|jpeg|png|gif|webp|pdf|txt|doc|docx|xls|xlsx|zip)$" \
"id:1007,phase:2,t:none,deny,log,msg:'Upload extension not allowed'"

############################################################
# 8. Limit request body size (50MB)
############################################################
SecRequestBodyLimit 52428800


############################################################
# 9. Multipart strict validation
############################################################
SecRule MULTIPART_STRICT_ERROR "@eq 1" \
"id:1008,phase:2,log,pass,msg:'Multipart parser warning'"

############################################################
# 10. Block null byte attacks
############################################################
SecRule ARGS|ARGS_NAMES|REQUEST_URI \
"@rx \x00" \
"id:1009,phase:2,deny,log,msg:'Null byte attack detected'"
41 changes: 41 additions & 0 deletions modsecurity/modsecurity.conf.back
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Enable ModSecurity
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts AIJDEFHZ
SecAuditLogType Serial

SecTmpDir /tmp/
SecDataDir /tmp/

# Default actions
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

############################################################
# 1. Block dangerous HTML/script tags in all requests
############################################################
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS|REQUEST_BODY \
"@rx (?i:<\s*/?\s*(script|iframe|object|embed|applet|meta|svg|link|body|html|base|form|style|frame|frameset|img|video|audio|source|input|button|textarea|select|option|xmp)\b[^>]*>)" \
"id:1001,phase:2,t:none,deny,log,msg:'Blocked dangerous HTML/script tag in request'"

############################################################
# 2. Block dangerous MIME types
SecRule REQUEST_HEADERS:Content-Type "@rx (?i)(application/x-php|application/x-msdownload|application/x-sh|text/x-python|application/x-msdos-program)" \
"id:1002,phase:1,t:none,deny,log,msg:'Blocked dangerous MIME type'"

############################################################
# 3. Block direct access to dangerous file URIs
SecRule REQUEST_URI "@rx (?i)\.(php[0-9]?|phtml|phar|asp|aspx|jsp|exe|sh|bat|pl|py|cgi)(\?|$)" \
"id:1003,phase:1,t:none,deny,log,msg:'Blocked direct request to dangerous file type in URI'"

############################################################
# 4. Code injection patterns
SecRule REQUEST_BODY "(?i)(<\?php|system\(|exec\(|shell_exec\(|passthru\(|popen\(|cmd\.exe|/bin/sh|/bin/bash)" \
"id:1004,phase:2,t:none,deny,log,msg:'Blocked possible code injection pattern'"


Loading
Loading