Skip to content

feat(lab11): hardened nginx reverse proxy + ModSecurity WAF#1420

Open
wannebetheshy wants to merge 6 commits into
inno-devops-labs:mainfrom
wannebetheshy:feature/lab11
Open

feat(lab11): hardened nginx reverse proxy + ModSecurity WAF#1420
wannebetheshy wants to merge 6 commits into
inno-devops-labs:mainfrom
wannebetheshy:feature/lab11

Conversation

@wannebetheshy

Copy link
Copy Markdown
  • Task 1 β€” TLS 1.3 + 6 security headers (with proof)
  • Task 2 β€” Rate limit + timeouts + cipher hardening + 7-step cert-rotation runbook
  • Bonus β€” ModSecurity v3 (OWASP CRS 4.28.0) WAF blocks SQL injection that Nginx-alone passes

feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice
- TLS 1.3 only (ssl_protocols TLSv1.3), X25519:secp384r1, session tickets off
- 6 required security headers + COOP/CORP extras, all with `always`
- HSTS max-age=63072000 (2-year preload), HTTP 308 β†’ HTTPS redirect
- Rate limit 10r/m burst=5 on /rest/user/login; limit_conn 50/IP
- Fail-closed timeouts: client 10s, proxy read 30s, connect 5s
- Bonus: owasp/modsecurity-crs:nginx-alpine WAF (CRS 4.28.0, 851 rules)
  blocks SQL injection ' OR 1=1-- with 403; rule 949110 fired
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant