
Nginx: A straightforward tutorial to install test-cookie?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Oxide, Jun 25, 2015.

  1. eva2000 (Administrator, Staff Member; joined May 24, 2014; Brisbane, Australia)

     
  2. rdan (Well-Known Member; joined May 25, 2014)
    @Oxide
    Can you share your working config?
    I have mine set up already, but sometimes the page redirects to the wrong URL :/
     
  3. Oxide (Active Member; joined Mar 19, 2015)
    Code:
    #default config, module disabled
    testcookie off;

    #setting cookie name
    testcookie_name FirewallName;

    #setting secret
    testcookie_secret aegpjaegjueg81;

    #setting session key
    testcookie_session $remote_addr$http_user_agent;

    #setting argument name
    testcookie_arg cgz;

    #setting maximum number of cookie setting attempts
    testcookie_max_attempts 3;

    #setting p3p policy
    testcookie_p3p 'CP="CUR ADM OUR NOR STA NID", policyref="/w3c/p3p.xml"';

    #setting fallback url
    testcookie_fallback http://$host/error.html;

    include test-cookie/whitelistedip.conf;

    #setting redirect via html code
    testcookie_redirect_via_refresh off;

    #enable encryption
    testcookie_refresh_encrypt_cookie on;

    #setting encryption key: must be exactly 32 hex digits (a 16-byte AES-128 key),
    #because the template below hex-decodes it in the browser; placeholder value, generate your own
    testcookie_refresh_encrypt_cookie_key deadbeefdeadbeefdeadbeefdeadbeef;

    #setting encryption iv: also 32 hex digits, and not the same value as the key
    testcookie_refresh_encrypt_cookie_iv 0123456789abcdef0123456789abcdef;

    #setting response template
    testcookie_refresh_template '<html><body>redirecting..<script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="FirewallName="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";location.href="$testcookie_nexturl";</script></body></html>';
     
    • Like x 1
  4. Oxide

    Also add a request limit and limit_conn or whatever to "php.conf". I set it to around 15 r/s. In case it's a Windows botnet attack that stores the cookie, they will reach the limit easily and your site will be online ;)
     
  5. rdan

    Yeah, I have mine at 180 r/m :D, or 3 r/s.
     
  6. Oxide

    Yeah, that should work; Windows bots can do up to 500 r/s lol

    Also, of course, if your host isn't protected on layer 4 then this won't help much. Some CSF firewall config will not do anything.
     
  7. rdan

    I'm behind Cloudflare :).
    So I'm just protecting on layer 7.
     
  8. Oxide

    Great, I assume you also do not allow avatar uploads by URL and also use a remote mail service? :)
     
  9. rdan

    Yes.
    Vultr Mail Server :)
     
  10. rdan

    So you are missing those 3 variables?
     
  11. rdan

    What does your server/location block look like?
     
  12. Oxide

    testcookie on;
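rdan asked what the server/location block looks like and the answer was just `testcookie on;`. Below is an added example, not Oxide's or rdan's actual configuration, that puts the pieces discussed in this thread in one place: the http-level testcookie settings, a whitelist block of the kind the `include test-cookie/whitelistedip.conf;` line pulls in, `testcookie on;` in the locations that should be challenged, and a limit_req zone on PHP in the 15 r/s range mentioned above. It also shows the realip directives that matter when the site sits behind Cloudflare, because both the testcookie session key and the rate-limit zone here are keyed on the client IP. Host name, paths, zone name and limits are assumptions.

```nginx
# Added example, not a config taken from this thread. All names and paths are placeholders.
http {
    # --- testcookie: challenge settings, switched on per location below ---
    testcookie off;
    testcookie_name         FirewallName;
    testcookie_secret       CHANGE_ME_to_a_long_random_string;
    # the challenge is bound to client IP + User-Agent
    testcookie_session      $remote_addr$http_user_agent;
    testcookie_arg          cgz;
    testcookie_max_attempts 3;
    testcookie_fallback     http://$host/error.html;

    # Behind Cloudflare, $remote_addr is the Cloudflare edge address unless the
    # real client IP is restored first (ngx_http_realip_module). Without this,
    # many visitors share one testcookie session key and one limit_req bucket.
    # Uncomment and add one set_real_ip_from line per published Cloudflare range.
    # real_ip_header   CF-Connecting-IP;
    # set_real_ip_from <cloudflare range>;

    # Networks that are never challenged (what whitelistedip.conf would contain)
    testcookie_whitelist {
        127.0.0.1/32;
    }

    # Per-IP rate limit for PHP requests, in the 15 r/s range from the thread
    limit_req_zone $binary_remote_addr zone=php:10m rate=15r/s;

    server {
        listen      80;
        server_name example.com;
        root        /var/www/example.com/public;

        # The fallback page must be reachable without passing the challenge,
        # otherwise a client that exhausts testcookie_max_attempts is simply
        # challenged again on the fallback page.
        location = /error.html {
            testcookie off;
        }

        location / {
            testcookie on;
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            testcookie on;
            # allow a short burst; requests beyond it get a 429
            limit_req        zone=php burst=30 nodelay;
            limit_req_status 429;
            include          fastcgi_params;
            fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass     127.0.0.1:9000;
        }
    }
}
```

Run `nginx -t` after changes; it catches a malformed key or IV before a reload takes the site down. The whitelist should include any monitoring or uptime checkers, since they neither run JavaScript nor keep cookies and would otherwise be sent to the fallback page.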
     
  13. rdan

  14. Oxide

  15. rdan

    You mean I don't need this config?
     
  16. Oxide

    Yes, the one I use is not that; it redirects instantly (invisible to the user) but adds a small query string.
     
  17. rdan

    How? :|
     
  18. rdan

    I think you don't need this config:
    Code:
    #setting redirect via html code
    testcookie_redirect_via_refresh off;

    #enable encryption
    testcookie_refresh_encrypt_cookie on;

    #setting encryption key: must be exactly 32 hex digits (a 16-byte AES-128 key),
    #because the template below hex-decodes it in the browser; placeholder value, generate your own
    testcookie_refresh_encrypt_cookie_key deadbeefdeadbeefdeadbeefdeadbeef;

    #setting encryption iv: also 32 hex digits, and not the same value as the key
    testcookie_refresh_encrypt_cookie_iv 0123456789abcdef0123456789abcdef;

    #setting response template
    testcookie_refresh_template '<html><body>redirecting..<script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="FirewallName="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";location.href="$testcookie_nexturl";</script></body></html>';
    Since you don't use the HTML redirect.
     
  19. rdan

    testcookie_redirect_via_refresh is off by default also.
     
  20. Oxide

    My config works like a charm :p http://goo.gl/8Egsjk (check the first time you visit it, it adds a small query)