feat: nginx security stack with WAF, CrowdSec, and rate limiting #1
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
This PR is being reviewed by Cursor Bugbot
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| cap_add: | ||
| - NET_ADMIN | ||
| - NET_RAW | ||
| network_mode: host |
There was a problem hiding this comment.
CrowdSec bouncer cannot reach LAPI endpoint
Medium Severity
The crowdsec-bouncer service is configured with network_mode: host and CROWDSEC_LAPI_URL=http://crowdsec:8080. With host network mode, Docker DNS resolution doesn't work, so the hostname crowdsec cannot be resolved. Additionally, CrowdSec only exposes port 6060 (metrics) to the host, not the LAPI port 8080. When the bouncer profile is enabled, the bouncer will fail to connect to CrowdSec.
Additional Locations (1)
| # ===== RATE LIMITING ZONES ===== | ||
|
|
||
| # OTP/Login endpoints (strict - 5 req/min) | ||
| limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m; |
| PROXY_SSL_CONFIG | ||
|
|
||
| # Auth endpoints (strict rate limiting) | ||
| location ~ ^/api/auth/(login|verify-otp|send-otp) { |
There was a problem hiding this comment.
We actually have such endpoints in production:
- https://web.paapapay.in/cloudbankin/api/v1/public/los/login
- https://web.paapapay.in/cloudbankin/api/v1/public/los/register
- https://web.paapapay.in/cloudbankin/api/v1/public/los/register-verify
Let's try regex that allow prefixes and postfixes
| location ~ ^/api/auth/(login|verify-otp|send-otp) { | |
| location ~ ^.*?/api(?:/[^/]*)*/[^/]*(?:login|sign-?in|register|sign-?up|verify|otp)[^/]*(?:/.*)?$ { |
| PROXY_SSL_CONFIG | ||
|
|
||
| # Auth endpoints (strict rate limiting) | ||
| location ~ ^/api/auth/(login|verify-otp|send-otp) { |
| # Nginx Security Stack | ||
|
|
||
| Docker-based security stack: WAF (ModSecurity + OWASP CRS), CrowdSec, Rate Limiting. |
There was a problem hiding this comment.
| # Nginx Security Stack | |
| Docker-based security stack: WAF (ModSecurity + OWASP CRS), CrowdSec, Rate Limiting. | |
| # Cloud Native Nginx | |
| Nginx-based security stack for protecting web applications, focused on resolving [OWASP Top 10](https://owasp.org/www-project-top-ten/) security risks out of the box, with minimal configuration. | |
| ## Features | |
| - Solution focused on decreasing false positives to minimize security impact on business operations. | |
| - Includes WAF (ModSecurity + OWASP CRS 4) that prevent from common threats like SQL injection, XSS, command injection, path traversal, SSRF protection | |
| - CrowdSec - Log analysis and threat intelligence | |
| - Rate Limiting - Brute-force protection for auth endpoints | |
| - Container Hardening - Resource limits, security_opt, healthchecks |
|
|
||
| Docker-based security stack: WAF (ModSecurity + OWASP CRS), CrowdSec, Rate Limiting. | ||
|
|
||
| ## Quick Start |
There was a problem hiding this comment.
I not really get what process Cloudbankin team should follow to setup it properly. Does them need to clone repo on production VM and run make start? Or them need just copy docker-compose.yaml and run docker up?
Summary
Complete security stack for protecting web applications:
Changes
Test Plan
Note
Medium Risk
Introduces new edge-security behavior (WAF rules and rate limiting) plus new Docker orchestration, which can block legitimate traffic or affect availability if misconfigured.
Overview
Adds a full Docker-based Nginx security stack via
docker-compose.yml(ModSecurity/OWASP CRS WAF + CrowdSec +nginx-exporter, with optionalloki/promtail/grafanaand anhttpbindefault backend), including container hardening, healthchecks, and resource limits.Introduces custom Nginx config (
config/nginx/default.conf.template) implementing request rate limiting for auth and general API/GraphQL paths with a JSON429response, and adds custom ModSecurity rules plus exclusion rules to reduce false positives.Adds operational tooling and guidance: a new
Makefile,.env.example, tightened.gitignore, security and false-positive test scripts, and docs (README.md,docs/QUICK_REFERENCE.md,docs/EMERGENCY.md) plus a Prometheus scrape config snippet.Written by Cursor Bugbot for commit 68ed348. This will update automatically on new commits. Configure here.