From 100b7f2213b0b7bc14caba175baf202fc8cbfbb8 Mon Sep 17 00:00:00 2001 From: VirtuBox Date: Mon, 28 May 2018 02:40:37 +0200 Subject: [PATCH] add ipscrub configuration anonymise visitors IPs to be GDPR compliant --- etc/nginx/nginx-intermediate.conf | 9 ++++++--- etc/nginx/nginx-tlsv12.conf | 9 ++++++--- etc/nginx/nginx.conf | 9 ++++++--- etc/nginx/sites-available/22222 | 2 +- etc/nginx/sites-available/default | 3 +++ scripts/freshclam | 9 +++++++++ 6 files changed, 31 insertions(+), 10 deletions(-) create mode 100644 scripts/freshclam diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf index fbb8114..55d1437 100644 --- a/etc/nginx/nginx-intermediate.conf +++ b/etc/nginx/nginx-intermediate.conf @@ -30,7 +30,7 @@ http # Limit Request limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; + limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; #Simple DOS mitigation ##Max c/s by ip @@ -97,9 +97,12 @@ http error_log /var/log/nginx/error.log; # Log format Settings - log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' + log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $server_protocol'; + + # ipscrub settings + ipscrub_period_seconds 3600; ## # Gzip Settings diff --git a/etc/nginx/nginx-tlsv12.conf b/etc/nginx/nginx-tlsv12.conf index 21f0b9a..cf6cdd1 100644 --- a/etc/nginx/nginx-tlsv12.conf +++ b/etc/nginx/nginx-tlsv12.conf @@ -30,7 +30,7 @@ http # Limit Request limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; + limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; #Simple DOS mitigation ##Max c/s by ip 
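Review bot: Keying `limit_req_zone` on `$remote_addr_ipscrub` in the first hunk of nginx-intermediate.conf ties the rate limiter to the ipscrub salt, and the same change is made in nginx-tlsv12.conf and nginx.conf. As far as I understand the module, the hash changes whenever the salt is regenerated (every 3600 s with the setting added below), so a client's zone entry is orphaned at each rotation and its counter starts over. The string key is also larger than the 4/16-byte `$binary_remote_addr`, so fewer states fit in the 10m zone. The zone lives only in shared memory and is never written to a log, so keeping `limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;` would leave log anonymisation unaffected. If the scrubbed key is intentional, a comment such as `# keyed on the scrubbed address: limiter state resets on every ipscrub salt rotation` would document the trade-off.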
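Review bot: The `error_log /var/log/nginx/error.log;` context line just above the rewritten `log_format` still records the unmasked client address, because nginx adds `client: <ip>` to request-level error entries, including `limit_req` rejections. The anonymisation therefore covers only access logs written with `rt_cache`. The same holds for the matching hunks in nginx-tlsv12.conf and nginx.conf, and for the `error_log` lines in sites-available/22222 and sites-available/default. I would add a comment next to the directive, for example `# error_log entries keep the raw client IP; handle retention and access to this file separately`, and check that no vhost outside this diff still uses the stock `combined` format. The `http` block starts and ends outside the hunk.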
@@ -95,9 +95,12 @@ http error_log /var/log/nginx/error.log; # Log format Settings - log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' + log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $server_protocol'; + + # ipscrub settings + ipscrub_period_seconds 3600; ## # Gzip Settings diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 5ac0ca6..0cb9e59 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -30,7 +30,7 @@ http # Limit Request limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; + limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; #Simple DOS mitigation ##Max c/s by ip @@ -96,9 +96,12 @@ http error_log /var/log/nginx/error.log; # Log format Settings - log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' + log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $server_protocol'; + + # ipscrub settings + ipscrub_period_seconds 3600; ## # Gzip Settings diff --git a/etc/nginx/sites-available/22222 b/etc/nginx/sites-available/22222 index bf1b13e..78310ac 100644 --- a/etc/nginx/sites-available/22222 +++ b/etc/nginx/sites-available/22222 @@ -4,7 +4,7 @@ server { listen 22222 default_server ssl http2; - access_log /var/log/nginx/22222.access.log rt_cache; + access_log off; error_log /var/log/nginx/22222.error.log; ssl_certificate /var/www/22222/cert/22222.crt; diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default index 6b6deb9..a936715 100644 --- a/etc/nginx/sites-available/default +++ b/etc/nginx/sites-available/default 
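Review bot: Replacing the access log with `access_log off;` on the port 22222 listener removes the only per-request record for what looks like an administrative endpoint, and sites-available/default gets the same directive for the catch-all `server_name _` block. Since `rt_cache` now writes `$remote_addr_ipscrub`, the original line `access_log /var/log/nginx/22222.access.log rt_cache;` would already be anonymised by this commit. Keeping it preserves the request trail needed to spot repeated failed logins or probing. If logging is disabled on purpose, a short comment stating why would help the next maintainer. The `server` block continues outside the hunk.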
@@ -37,6 +37,9 @@ server { index index.html index.htm index.nginx-debian.html; server_name _; + + access_log off; + error_log /var/log/nginx/default.error.log; location / { # First attempt to serve request as file, then diff --git a/scripts/freshclam b/scripts/freshclam new file mode 100644 index 0000000..b710e62 --- /dev/null +++ b/scripts/freshclam @@ -0,0 +1,9 @@ +#!/bin/sh +# make sure the process is stopped +/etc/init.d/clamav-freshclam stop + +# check if database is outdated +/usr/bin/freshclam -v >> /var/log/result_freshclam.log + +# update virus database +/etc/init.d/clamav-freshclam start \ No newline at end of file
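Review bot: In the new scripts/freshclam, the update line redirects only stdout and ignores the exit status, so a failed signature update leaves no trace in `/var/log/result_freshclam.log` and the daemon is restarted as if nothing happened. I would capture both streams and record the failure, e.g. `/usr/bin/freshclam -v >> /var/log/result_freshclam.log 2>&1 || echo "freshclam failed: $?" >> /var/log/result_freshclam.log`. The two comments are also misleading: `# check if database is outdated` sits above the command that performs the update, and `# update virus database` sits above the line that only starts the service again; `# run a one-off signature update` and `# restart the freshclam daemon` would match the code. The file is created with mode 100644 despite its shebang, so whatever invokes it presumably has to call it through `sh`.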