From 8ff42c1253a6546a5815127e1400d102a6dff212 Mon Sep 17 00:00:00 2001 
From: root Date: Tue, 26 Aug 2014 00:19:25 +0200 Subject: [PATCH] Initial commit --- .gitignore | 1 + conf.d/default.conf_disabled | 45 +++++++++++ conf.d/example_ssl.conf_disabled | 20 +++++ conf.d/gzip.conf | 12 +++ conf.d/mail.conf | 19 +++++ conf.d/optimizations.conf | 3 + conf.d/security.conf | 28 +++++++ fastcgi_params | 24 ++++++ koi-utf | 109 ++++++++++++++++++++++++++ koi-win | 103 ++++++++++++++++++++++++ mime.types | 89 +++++++++++++++++++++ naxsi-ui.conf | 16 ++++ naxsi.rules | 13 +++ naxsi_core.rules | 75 ++++++++++++++++++ nginx.conf | 58 ++++++++++++++ proxy_params | 3 + scgi_params | 16 ++++ sites-available/default_ffhh | 19 +++++ sites-available/formular_ffhh | 16 ++++ sites-available/graph_ffhh | 51 ++++++++++++ sites-available/media_ffhh | 28 +++++++ sites-available/meta_ffhh | 28 +++++++ sites-available/monitor_ffhh | 81 +++++++++++++++++++ sites-available/postfixadmin_ffhh | 66 ++++++++++++++++ sites-available/website_ffhh | 54 +++++++++++++ sites-available/wordpress_ffhh | 62 +++++++++++++++ sites-enabled/default_ffhh | 1 + sites-enabled/formular_ffhh | 1 + sites-enabled/graph_ffhh | 1 + sites-enabled/media_ffhh | 1 + sites-enabled/meta_ffhh | 1 + sites-enabled/postfixadmin_ffhh | 1 + sites-enabled/wordpress_ffhh | 1 + uwsgi_params | 16 ++++ win-utf | 126 ++++++++++++++++++++++++++++++ 35 files changed, 1188 insertions(+) create mode 100644 .gitignore create mode 100644 conf.d/default.conf_disabled create mode 100644 conf.d/example_ssl.conf_disabled create mode 100644 conf.d/gzip.conf create mode 100644 conf.d/mail.conf create mode 100644 conf.d/optimizations.conf create mode 100644 conf.d/security.conf create mode 100644 fastcgi_params create mode 100644 koi-utf create mode 100644 koi-win create mode 100644 mime.types create mode 100644 naxsi-ui.conf create mode 100644 naxsi.rules create mode 100644 naxsi_core.rules create mode 100644 nginx.conf create mode 100644 proxy_params create mode 100644 scgi_params create mode 100644 
sites-available/default_ffhh create mode 100644 sites-available/formular_ffhh create mode 100644 sites-available/graph_ffhh create mode 100644 sites-available/media_ffhh create mode 100644 sites-available/meta_ffhh create mode 100644 sites-available/monitor_ffhh create mode 100644 sites-available/postfixadmin_ffhh create mode 100644 sites-available/website_ffhh create mode 100644 sites-available/wordpress_ffhh create mode 120000 sites-enabled/default_ffhh create mode 120000 sites-enabled/formular_ffhh create mode 120000 sites-enabled/graph_ffhh create mode 120000 sites-enabled/media_ffhh create mode 120000 sites-enabled/meta_ffhh create mode 120000 sites-enabled/postfixadmin_ffhh create mode 120000 sites-enabled/wordpress_ffhh create mode 100644 uwsgi_params create mode 100644 win-utf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3d212b8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/ssl/ diff --git a/conf.d/default.conf_disabled b/conf.d/default.conf_disabled new file mode 100644 index 0000000..34aeb9a --- /dev/null +++ b/conf.d/default.conf_disabled 
@@ -0,0 +1,45 @@ +server { + listen 80; + server_name localhost; + + #charset koi8-r; + #access_log /var/log/nginx/log/host.access.log main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + diff --git a/conf.d/example_ssl.conf_disabled b/conf.d/example_ssl.conf_disabled new file mode 100644 index 0000000..67ad4a1 --- /dev/null +++ b/conf.d/example_ssl.conf_disabled @@ -0,0 +1,20 @@ +# HTTPS server +# +#server { +# listen 443 ssl; +# server_name localhost; + +# ssl_certificate /etc/nginx/cert.pem; +# ssl_certificate_key /etc/nginx/cert.key; + +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 5m; + +# ssl_ciphers HIGH:!aNULL:!MD5; +# ssl_prefer_server_ciphers on; + +# location / { +# root /usr/share/nginx/html; +# index index.html index.htm; +# } +#} diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf new file mode 100644 index 0000000..7390573 --- /dev/null +++ b/conf.d/gzip.conf 
@@ -0,0 +1,12 @@
+# Gzip settings
+
+gzip on;
+gzip_disable "msie6";
+gzip_static on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 9;
+gzip_buffers 256 8k;
+gzip_http_version 1.1;
+gzip_min_length 0;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
diff --git a/conf.d/mail.conf b/conf.d/mail.conf
new file mode 100644
index 0000000..157ba27
--- /dev/null
+++ b/conf.d/mail.conf
@@ -0,0 +1,19 @@
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/conf.d/optimizations.conf b/conf.d/optimizations.conf
new file mode 100644
index 0000000..8766d42
--- /dev/null
+++ b/conf.d/optimizations.conf
@@ -0,0 +1,3 @@
+# Server optimizations
+
+server_names_hash_bucket_size 128;
diff --git a/conf.d/security.conf b/conf.d/security.conf
new file mode 100644
index 0000000..afd48d8
--- /dev/null
+++ b/conf.d/security.conf
@@ -0,0 +1,28 @@
+# Global security settings for nginx
+
+ignore_invalid_headers on;
+sendfile on;
+server_name_in_redirect off;
+server_tokens off;
+
+##
+# This section does not work yet... don't know why
+# Only requests to our Host are allowed
+# if ( $host !~ ^($server_name)$ )
+# {
+# return 444;
+# }
+
+# Only allow these request methods
+# Do not accept DELETE, SEARCH and other methods
+# if ( $request_method !~ ^(GET|HEAD|POST)$ )
+# {
+# return 444;
+# }
+
+## Deny certain Referers ###
+# if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
+# {
+# return 404;
+# return 403;
+# }
diff --git a/fastcgi_params b/fastcgi_params
new file mode 100644
index 0000000..71e2c2e
--- /dev/null
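Review bot: `gzip on;` in conf.d/gzip.conf is loaded at http level, so it also covers the HTTPS postfixadmin vhost, where compressed responses that mix secrets with request-controlled text are the precondition for BREACH-style length side channels. Add `gzip off;` to that server block, or scope compression to the static sites. `gzip_comp_level 9` with `gzip_min_length 0` also spends the most CPU per response for the least gain; a mid level and a minimum such as `gzip_min_length 256;` are the usual choice.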
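Review bot: The comment "This section does not work yet... don't know why" in conf.d/security.conf has an answer worth recording: `if` is valid only in `server` and `location` context, and nginx.conf includes conf.d/*.conf inside `http`, so uncommenting any of the three blocks would fail the config test. The host check has a second problem, since nginx does not expand `$server_name` inside a regex. Replace the comment with something like `# 'if' is not allowed at http level; put method/host checks in each server block` and drop the unreachable `return 403;` after `return 404;`. Unknown Host headers are already caught by the `default_server` in sites-available/default_ffhh.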
+++ b/fastcgi_params @@ -0,0 +1,24 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/koi-utf b/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/koi-utf 
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/koi-win b/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/mime.types b/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/mime.types 
@@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/naxsi-ui.conf b/naxsi-ui.conf
new file mode 100644
index 0000000..f4eb9d4
--- /dev/null
+++ b/naxsi-ui.conf
@@ -0,0 +1,16 @@
+[nx_extract]
+username = naxsi_web
+password = test
+port = 8081
+rules_path = /etc/nginx/naxsi_core.rules
+
+[nx_intercept]
+port = 8080
+
+[sql]
+dbtype = sqlite
+username = root
+password =
+hostname = 127.0.0.1
+dbname = naxsi_sig
+
diff --git a/naxsi.rules b/naxsi.rules
new file mode 100644
index 0000000..fec21ea
--- /dev/null
+++ b/naxsi.rules
@@ -0,0 +1,13 @@
+# Sample rules file for default vhost.
+
+LearningMode;
+SecRulesEnabled;
+#SecRulesDisabled;
+DeniedUrl "/RequestDenied";
+
+## check rules
+CheckRule "$SQL >= 8" BLOCK;
+CheckRule "$RFI >= 8" BLOCK;
+CheckRule "$TRAVERSAL >= 4" BLOCK;
+CheckRule "$EVADE >= 4" BLOCK;
+CheckRule "$XSS >= 8" BLOCK;
diff --git a/naxsi_core.rules b/naxsi_core.rules
new file mode 100644
index 0000000..c922020
--- /dev/null
+++ b/naxsi_core.rules
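Review bot: `password = test` under `[nx_extract]` in naxsi-ui.conf commits a guessable credential for the naxsi web UI on port 8081, and `[sql]` pairs `username = root` with an empty password. Keep this file out of the repository the same way `/ssl/` is ignored, or commit a template whose value is an obvious placeholder such as `password = <set-at-deploy>` and fill it in at deploy time. If the UI is not used on this host, dropping the file is simpler. Any instance that ran with `test` should have the credential rotated.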
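Review bot: `LearningMode;` is left on in naxsi.rules, so the five `CheckRule ... BLOCK` thresholds only report and never reject a request. naxsi reports through the nginx error log, which nginx.conf in this commit sends to `/dev/null`, and the `include /etc/nginx/naxsi_core.rules;` line there is commented out, so as far as this patch shows the WAF neither learns nor blocks. The header still reads "Sample rules file for default vhost"; either add a comment stating that naxsi is intentionally disabled, or remove `LearningMode;` once whitelists exist and include the file from the vhosts that need it.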
@@ -0,0 +1,75 @@ +################################## +## INTERNAL RULES IDS:1-10 ## +################################## +#weird_request : 1 +#big_body : 2 +#no_content_type : 3 + +#MainRule "str:yesone" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1999; + +################################## +## SQL Injections IDs:1000-1099 ## +################################## +MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; +MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1001; +MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; +## Hardcore rules +MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; +MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; +MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; +MainRule "rx:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; +## end of hardcore rules +MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; +MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1008; +MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; +MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1010; +MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1011; +MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1013; +MainRule "str:\"" "msg:double quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1014; +MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; +MainRule "str:#" "msg:mysql 
comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; + +############################### +## OBVIOUS RFI IDs:1100-1199 ## +############################### +MainRule "str:http://" "msg:html comment tag" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; +MainRule "str:https://" "msg:html comment tag" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; +MainRule "str:ftp://" "msg:html comment tag" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; +MainRule "str:php://" "msg:html comment tag" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; + +####################################### +## Directory traversal IDs:1200-1299 ## +####################################### +MainRule "str:.." "msg:html comment tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; +MainRule "str:/etc/passwd" "msg:html comment tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; +MainRule "str:c:\\" "msg:html comment tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; +MainRule "str:cmd.exe" "msg:html comment tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; +MainRule "str:\\" "msg:html comment tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; +#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; +######################################## +## Cross Site Scripting IDs:1300-1399 ## +######################################## +MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; +MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; +MainRule "str:'" "msg:simple quote" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1306; +MainRule "str:\"" "msg:double quote" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1307; +MainRule "str:(" "msg:parenthesis" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1308; +MainRule "str:)" 
"msg:parenthesis" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1309; +MainRule "str:[" "msg:html close comment tag" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; +MainRule "str:]" "msg:html close comment tag" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; +MainRule "str:~" "msg:html close comment tag" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; +MainRule "str:;" "msg:semi coma" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1313; +MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; +MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; + +#################################### +## Evading tricks IDs: 1400-1500 ## +#################################### +MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; +MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; +MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402; + +############################# +## File uploads: 1500-1600 ## +############################# +MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..d5f87ee --- /dev/null +++ b/nginx.conf 
@@ -0,0 +1,58 @@
+user www-data;
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+
+http {
+
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65 65;
+ client_body_timeout 65;
+ client_header_timeout 65;
+ send_timeout 65;
+ types_hash_max_size 2048;
+
+ ##############################################
+ # Mime types
+ ##
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##############################################
+ # Logging Settings
+ ##
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+ #error_log /var/log/nginx/error.log crit;
+
+ ##############################################
+ # nginx-naxsi config
+ ##
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##############################################
+ # nginx-passenger config
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##############################################
+ # Atomized configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+
+ ##############################################
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/proxy_params b/proxy_params
new file mode 100644
index 0000000..7fc3792
--- /dev/null
+++ b/proxy_params
@@ -0,0 +1,3 @@
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/scgi_params b/scgi_params
new file mode 100644
index 0000000..47348ca
--- /dev/null
+++ b/scgi_params
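Review bot: With `access_log off;` and `error_log /dev/null crit;` in nginx.conf the server keeps no record at all, so a failing PHP backend, a naxsi event or an intrusion attempt cannot be noticed or reconstructed afterwards. The comments give the reason (no visitor IPs); an access log whose format omits the address keeps that promise, for example `log_format noip '$time_iso8601 $status $request_method $host $uri';` with `access_log /var/log/nginx/access.log noip;`. The error log always carries the client address, so leaving it on /dev/null is consistent, but the comment should name that trade-off. The same two directives are repeated in every vhost under sites-available, where they duplicate the http-level setting.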
@@ -0,0 +1,16 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/sites-available/default_ffhh b/sites-available/default_ffhh
new file mode 100644
index 0000000..f449b36
--- /dev/null
+++ b/sites-available/default_ffhh
@@ -0,0 +1,19 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/wordpress; #/usr/share/nginx/html;
+ index index.php index.html index.htm;
+
+ # Make site accessible from http://localhost/
+# server_name *.hamburg.freifunk.net;
+
+ return 302 http://hamburg.freifunk.net;
+
+# location ~ \.php$ {
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+# fastcgi_index index.php;
+# fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+# include /etc/nginx/fastcgi_params;
+# }
+}
diff --git a/sites-available/formular_ffhh b/sites-available/formular_ffhh
new file mode 100644
index 0000000..847c19e
--- /dev/null
+++ b/sites-available/formular_ffhh
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh;
+
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+
+ #return 301 $scheme://formular.hamburg.freifunk.net:8080$request_uri;
+ location / {
+ proxy_pass http://formular.hamburg.freifunk.net:8080;
+ }
+}
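Review bot: `proxy_pass http://formular.hamburg.freifunk.net:8080;` in formular_ffhh targets the same public name this vhost answers for, so the backend on 8080 is presumably reachable on the public address and can be used without passing through nginx. If the application runs on this host (not visible from the patch), bind it to loopback and use `proxy_pass http://127.0.0.1:8080;`, with `include /etc/nginx/proxy_params;` so the backend sees the original Host. The hostname form also makes nginx start-up depend on DNS resolving that name.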
diff --git a/sites-available/graph_ffhh b/sites-available/graph_ffhh
new file mode 100644
index 0000000..bb01f6e
--- /dev/null
+++ b/sites-available/graph_ffhh
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name graph.hamburg.freifunk.net knotengraph.ffhh;
+
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+
+ root /var/www/nodes_ffhh;
+ index graph.html;
+
+ if_modified_since before;
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ location ~ \.cgi$ {
+ gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
+ fastcgi_pass unix:/var/run/nginx/cgiwrap-dispatch.sock;
+ fastcgi_index index.cgi;
+ fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT $document_root;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+ }
+
+ location = /nodes.json {
+ gzip_types application/octet-stream;
+ gzip on;
+ }
+}
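Review bot: The `location ~ \.php$` block in graph_ffhh hands every URI ending in .php to php5-fpm with `SCRIPT_FILENAME /var/www/default$fastcgi_script_name`, a tree outside this vhost's `root /var/www/nodes_ffhh`, and without checking that the file exists. It looks copied from another vhost; if the graph site serves no PHP, remove the block, otherwise use `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` and make `try_files $uri =404;` the block's first line. The `\.cgi$` block has the same missing existence check, and its hand-written parameter list duplicates fastcgi_params, so `include /etc/nginx/fastcgi_params;` would keep the two from drifting apart.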
diff --git a/sites-available/media_ffhh b/sites-available/media_ffhh new file mode 100644 index 0000000..c918a54 --- /dev/null +++ b/sites-available/media_ffhh @@ -0,0 +1,28 @@ +server { + listen 80; + listen [::]:80; + server_name media.hamburg.freifunk.net media.services.ffhh; + + access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + + # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. + # So stellen wir sicher, dass keine IPs geloggt werden. + error_log /dev/null crit; + + root /var/www/media_ffhh; + + disable_symlinks on from=$document_root; + + location / { + autoindex on; + autoindex_exact_size on; + autoindex_localtime off; + } + + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } +} + diff --git a/sites-available/meta_ffhh b/sites-available/meta_ffhh new file mode 100644 index 0000000..ddfe1b8 --- /dev/null +++ b/sites-available/meta_ffhh @@ -0,0 +1,28 @@ +server { + listen 80; + listen [::]:80; + server_name meta.hamburg.freifunk.net; + + access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + + # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. + # So stellen wir sicher, dass keine IPs geloggt werden. + error_log /dev/null crit; + + root /var/www/meta_ffhh; + + disable_symlinks on from=$document_root; + + location / { + autoindex on; + autoindex_exact_size on; + autoindex_localtime off; + } + + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } +} + diff --git a/sites-available/monitor_ffhh b/sites-available/monitor_ffhh new file mode 100644 index 0000000..adb4074 --- /dev/null +++ b/sites-available/monitor_ffhh 
@@ -0,0 +1,81 @@
+server {
+ listen 80;
+ server_name dev.hamburg.freifunk.net;
+
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+
+ index index.php index.html index.htm;
+
+ location = / {
+ rewrite ^/$ /icinga-web/index.php permanent;
+ }
+
+ # Security - Basic configuration
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ # Deny access to hidden files
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location /icinga-web/styles {
+ alias /usr/share/icinga-web/pub/styles;
+ }
+
+ location /icinga-web/images {
+ alias /usr/share/icinga-web/pub/images;
+ }
+
+ location /icinga-web/js {
+ alias /usr/share/icinga-web/lib;
+ }
+
+ location /icinga-web/modules/([A-Za-z0-9]*)/resources/images/([A-Za-z_\-0-9]*\.(png|gif|jpg))$ {
+ alias /usr/share/icinga-web/app/modules/$1/pub/images/$2;
+ }
+
+ location /icinga-web/modules/([A-Za-z0-9]*)/resources/styles/([A-Za-z0-9]*\.css)$ {
+ alias /usr/share/icinga-web/app/modules/$1/pub/styles/$2;
+ }
+
+ location /icinga-web/modules {
+ rewrite ^/icinga-web/(.*)$ /icinga-web/index.php?/$1 last;
+ }
+
+ location /icinga-web/web {
+ rewrite ^/icinga-web/(.*)$ /icinga-web/index.php?/$1 last;
+ }
+
+ location ~ ^/modules {
+ rewrite ^/modules/(.*)$ /icinga-web/modules/$1 permanent;
+ }
+
+ location /icinga-web {
+ alias /usr/share/icinga-web/pub;
+ index index.php;
+ try_files $uri $uri/ /icinga-web/index.php?$args;
+ }
+
+ location ~ /icinga-web/(.*)\.php($|/) {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_split_path_info ^(/icinga-web/.*\.php)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param SCRIPT_FILENAME /usr/share/icinga-web/pub/index.php;
+ }
+}
diff --git a/sites-available/postfixadmin_ffhh b/sites-available/postfixadmin_ffhh
new file mode 100644
index 0000000..7e91405
--- /dev/null
+++ b/sites-available/postfixadmin_ffhh
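Review bot: The two `location /icinga-web/modules/(...)/resources/...$` blocks in monitor_ffhh are written as regular expressions but carry no `~` modifier, so nginx treats them as literal prefixes and the `$1`/`$2` used in their `alias` lines are never set; they need the form `location ~ ^/icinga-web/modules/...`. Separately, the vhost serves the icinga-web login on `listen 80` only, with no TLS and no `allow`/`deny` restriction, so monitoring credentials would travel in clear text. The diffstat shows no sites-enabled link for this file, so both points can be fixed before it is switched on.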
@@ -0,0 +1,66 @@
+# HTTP redirect to HTTPS
+
+server {
+ listen 80;
+ listen [::]:80;
+# listen 443;
+ server_name postmaster.hamburg.freifunk.net postmaster.services.ffhh;
+# rewrite ^ https://postmaster.hamburg.freifunk.net permanent;
+ rewrite ^ https://$server_name$request_uri? permanent;
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+}
+
+
+# HTTPS server
+
+server {
+ listen 443;
+ server_name postmaster.hamburg.freifunk.net postmaster.services.ffhh;
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+
+ error_log /dev/null crit;
+# error_log /var/log/nginx/error.log;
+
+ root /var/www/postfixadmin_ffhh;
+ index index.php index.html index.htm;
+
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/postfix_ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/postfix_ssl/server.key;
+
+# ssl_certificate /etc/nginx/ssl/ffhh.crt;
+# ssl_certificate_key /etc/nginx/ssl/hamburg.freifunk.net.key;
+
+ ssl_session_timeout 5m;
+#
+# # NEW SETTINGS
+# ssl_prefer_server_ciphers on;
+# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# ssl_ciphers "EECDH+AESGCM EDH+AESGCM !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
+# ssl_ciphers "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
+#
+# # OLD SETTINGS
+ ssl_prefer_server_ciphers on;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name;
+ #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ location / {
+ index index.php; # hinzugefuegt
+ try_files $uri $uri/index.php;
+ } # geaendert von ez am 28.02.2014;
+
+}
diff --git a/sites-available/website_ffhh b/sites-available/website_ffhh
new file mode 100644
index 0000000..18fd706
--- /dev/null
+++ b/sites-available/website_ffhh
@@ -0,0 +1,54 @@
+#server {
+# listen 80;
+# server_name www.hamburg.freifunk.net;
+#
+# #return 301 http://hamburg.freifunk.net$request_uri;
+#}
+
+server {
+ listen 80;
+ server_name hamburg.freifunk.net default;
+
+ ## rewrite from /wiki to wiki.hamburg.freifunk.net
+ rewrite ^(/wiki/)$ http://wiki.hamburg.freifunk.net/ permanent;
+
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+
+
+ root /var/www/website_ffhh/;
+
+ # HIDDEN FILES AND FOLDERS
+ rewrite ^(.*)\/\.(.*)$ @404 break;
+
+ autoindex off;
+
+ location = @404 {
+ return 404;
+ }
+}
+
+#server {
+# listen 443;
+# server_name hamburg.freifunk.net default;
+#
+# ssl on;
+#
+# access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+# error_log /dev/null crit;
+#
+# root /var/www/website_ffhh/;
+#
+# # HIDDEN FILES AND FOLDERS
+# rewrite ^(.*)\/\.(.*)$ @404 break;
+#
+# location = @404 {
+# return 404;
+# }
+#}
diff --git a/sites-available/wordpress_ffhh b/sites-available/wordpress_ffhh
new file mode 100644
index 0000000..d42b58d
--- /dev/null
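Review bot: The active TLS settings under `# OLD SETTINGS` in the HTTPS server of postfixadmin_ffhh still offer SSLv3, and the cipher list `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP` admits LOW, export-grade and RC4 suites, which is weak protection for a mail administration login. The commented `# NEW SETTINGS` block is the safer choice: enable `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (or only the newest versions the clients need) together with the first `EECDH+AESGCM EDH+AESGCM ...` cipher string, and delete the old pair. wordpress_ffhh also lists SSLv3 in its `ssl_protocols` line and should drop it as well.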
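Review bot: Hidden files in website_ffhh are blocked by rewriting the URI to the literal string `@404` and catching it with `location = @404`, which is an exact-match location rather than a named one and is easy to break when the block is edited. monitor_ffhh in this commit already uses the plainer form, so I would replace the rewrite and the `@404` block with `location ~ /\. { deny all; }` (or `return 404;` inside it if the 404 status matters). `server_name hamburg.freifunk.net default;` also repeats the port-80 name used in wordpress_ffhh, so only one of the two sites should be enabled at a time.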
+++ b/sites-available/wordpress_ffhh 
@@ -0,0 +1,62 @@
+server {
+ listen 80; # ipv4 http
+ listen [::]:80; # ipv6 http
+
+ listen 443 ssl; # ipv4 https
+ listen [::]:443 ssl; # ipv6 https
+
+ server_name hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh;
+
+ access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+ # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+ # So stellen wir sicher, dass keine IPs geloggt werden.
+ error_log /dev/null crit;
+
+ client_max_body_size 16M;
+
+ root /var/www/wordpress;
+ index index.php index.html index.htm;
+
+
+ ssl_certificate /etc/nginx/ssl/ffhh.crt;
+ ssl_certificate_key /etc/nginx/ssl/hamburg.freifunk.net.key;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Only strong ciphers in PFS mode
+ ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+
+
+ # Don't allow to get framed by sites that aren't on the same domain
+ add_header X-Frame-Options SAMEORIGIN;
+
+ # Tell clients never to use http or self-signed (!) certificates
+ # There's no way to bypass this option after it has been cached!
+ #add_header Strict-Transport-Security max-age=31536000;
+
+ # This order might seem weird - this is attempted to match last if rules below fail.
+ # http://wiki.nginx.org/HttpCoreModule
+ location / {
+ index index.php;
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ # Directives to send expires headers and turn off 404 error logging.
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+ expires 24h;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
+# fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ }
+}
+
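Review bot: `location ~ \.php$` hands every URI ending in .php to php-fpm without checking that the script exists under the document root, which matters on a WordPress site that accepts uploads (`client_max_body_size 16M`). Add `try_files $uri =404;` as the first line of that location, and make the same change in the matching block in postfixadmin_ffhh. The server block also serves the same content on ports 80 and 443 while the `Strict-Transport-Security` header is commented out, so logins can still happen over plain HTTP; a separate port-80 server that redirects to HTTPS, as postfixadmin_ffhh has, would close that gap.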
diff --git a/sites-enabled/default_ffhh b/sites-enabled/default_ffhh
new file mode 120000
index 0000000..9a6a74b
--- /dev/null
+++ b/sites-enabled/default_ffhh
@@ -0,0 +1 @@
+../sites-available/default_ffhh
\ No newline at end of file
diff --git a/sites-enabled/formular_ffhh b/sites-enabled/formular_ffhh
new file mode 120000
index 0000000..4031bd0
--- /dev/null
+++ b/sites-enabled/formular_ffhh
@@ -0,0 +1 @@
+../sites-available/formular_ffhh
\ No newline at end of file
diff --git a/sites-enabled/graph_ffhh b/sites-enabled/graph_ffhh
new file mode 120000
index 0000000..40c3b39
--- /dev/null
+++ b/sites-enabled/graph_ffhh
@@ -0,0 +1 @@
+../sites-available/graph_ffhh
\ No newline at end of file
diff --git a/sites-enabled/media_ffhh b/sites-enabled/media_ffhh
new file mode 120000
index 0000000..d53307c
--- /dev/null
+++ b/sites-enabled/media_ffhh
@@ -0,0 +1 @@
+../sites-available/media_ffhh
\ No newline at end of file
diff --git a/sites-enabled/meta_ffhh b/sites-enabled/meta_ffhh
new file mode 120000
index 0000000..679e6f2
--- /dev/null
+++ b/sites-enabled/meta_ffhh
@@ -0,0 +1 @@
+../sites-available/meta_ffhh
\ No newline at end of file
diff --git a/sites-enabled/postfixadmin_ffhh b/sites-enabled/postfixadmin_ffhh
new file mode 120000
index 0000000..62e0d94
--- /dev/null
+++ b/sites-enabled/postfixadmin_ffhh
@@ -0,0 +1 @@
+../sites-available/postfixadmin_ffhh
\ No newline at end of file
diff --git a/sites-enabled/wordpress_ffhh b/sites-enabled/wordpress_ffhh
new file mode 120000
index 0000000..0f65e9e
--- /dev/null
+++ b/sites-enabled/wordpress_ffhh
@@ -0,0 +1 @@
+../sites-available/wordpress_ffhh
\ No newline at end of file
diff --git a/uwsgi_params b/uwsgi_params
new file mode 100644
index 0000000..f539451
--- /dev/null
+++ b/uwsgi_params
@@ -0,0 +1,16 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/win-utf b/win-utf
new file mode 100644
index 0000000..ed8bc00
--- /dev/null
+++ b/win-utf
@@ -0,0 +1,126 @@ + +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A ; # single low-9 quotation mark + + 84 E2809E ; # double low-9 quotation mark + 85 E280A6 ; # ellipsis + 86 E280A0 ; # dagger + 87 E280A1 ; # double dagger + 88 E282AC ; # euro + 89 E280B0 ; # per mille + + 91 E28098 ; # left single quotation mark + 92 E28099 ; # right single quotation mark + 93 E2809C ; # left double quotation mark + 94 E2809D ; # right double quotation mark + 95 E280A2 ; # bullet + 96 E28093 ; # en dash + 97 E28094 ; # em dash + + 99 E284A2 ; # trade mark sign + + A0 C2A0 ; #   + A1 D18E ; # capital Byelorussian short U + A2 D19E ; # small Byelorussian short u + + A4 C2A4 ; # currency sign + A5 D290 ; # capital Ukrainian soft G + A6 C2A6 ; # borken bar + A7 C2A7 ; # section sign + A8 D081 ; # capital YO + A9 C2A9 ; # (C) + AA D084 ; # capital Ukrainian YE + AB C2AB ; # left-pointing double angle quotation mark + AC C2AC ; # not sign + AD C2AD ; # soft hypen + AE C2AE ; # (R) + AF D087 ; # capital Ukrainian YI + + B0 C2B0 ; # ° + B1 C2B1 ; # plus-minus sign + B2 D086 ; # capital Ukrainian I + B3 D196 ; # small Ukrainian i + B4 D291 ; # small Ukrainian soft g + B5 C2B5 ; # micro sign + B6 C2B6 ; # pilcrow sign + B7 C2B7 ; # · + B8 D191 ; # small yo + B9 E28496 ; # numero sign + BA D194 ; # small Ukrainian ye + BB C2BB ; # right-pointing double angle quotation mark + + BF D197 ; # small Ukrainian yi + + C0 D090 ; # capital A + C1 D091 ; # capital B + C2 D092 ; # capital V + C3 D093 ; # capital G + C4 D094 ; # capital D + C5 D095 ; # capital YE + C6 D096 ; # capital ZH + C7 D097 ; # capital Z + C8 D098 ; # capital I + C9 D099 ; # capital J + CA D09A ; # capital K + CB D09B ; # capital L + CC D09C ; # capital M + CD D09D ; # capital N + CE D09E ; # capital O + CF D09F ; # capital P + + D0 D0A0 ; # capital 
R + D1 D0A1 ; # capital S + D2 D0A2 ; # capital T + D3 D0A3 ; # capital U + D4 D0A4 ; # capital F + D5 D0A5 ; # capital KH + D6 D0A6 ; # capital TS + D7 D0A7 ; # capital CH + D8 D0A8 ; # capital SH + D9 D0A9 ; # capital SHCH + DA D0AA ; # capital hard sign + DB D0AB ; # capital Y + DC D0AC ; # capital soft sign + DD D0AD ; # capital E + DE D0AE ; # capital YU + DF D0AF ; # capital YA + + E0 D0B0 ; # small a + E1 D0B1 ; # small b + E2 D0B2 ; # small v + E3 D0B3 ; # small g + E4 D0B4 ; # small d + E5 D0B5 ; # small ye + E6 D0B6 ; # small zh + E7 D0B7 ; # small z + E8 D0B8 ; # small i + E9 D0B9 ; # small j + EA D0BA ; # small k + EB D0BB ; # small l + EC D0BC ; # small m + ED D0BD ; # small n + EE D0BE ; # small o + EF D0BF ; # small p + + F0 D180 ; # small r + F1 D181 ; # small s + F2 D182 ; # small t + F3 D183 ; # small u + F4 D184 ; # small f + F5 D185 ; # small kh + F6 D186 ; # small ts + F7 D187 ; # small ch + F8 D188 ; # small sh + F9 D189 ; # small shch + FA D18A ; # small hard sign + FB D18B ; # small y + FC D18C ; # small soft sign + FD D18D ; # small e + FE D18E ; # small yu + FF D18F ; # small ya +}