
docs: add lab11 — nginx reverse proxy hardening #11

Open
ph1larmon1a wants to merge 1 commit into main from feature/lab11

Conversation

@ph1larmon1a (Owner)

Goal

Harden the OWASP Juice Shop deployment by placing it behind an Nginx reverse proxy, enabling industry-standard security headers, configuring HTTPS with a self-signed certificate, and enforcing rate limiting and timeout protections. Evaluate the resulting setup through live header validation, TLS scanning, and login-endpoint stress testing to understand practical hardening techniques for web applications without modifying backend code.

Changes

  • Implemented a fully configured Nginx reverse proxy that front-ends the Juice Shop application

  • Ensured the backend container is not directly exposed; only Nginx publishes ports (8080, 8443)

  • Added a complete set of security headers, including XFO, XCTO, HSTS, Referrer-Policy, Permissions-Policy, COOP/CORP, and CSP-Report-Only

  • Generated and configured TLS certificates, enabling HTTPS on port 8443

  • Performed a comprehensive TLS scan using testssl.sh and documented protocol/cipher behavior

  • Implemented rate limiting (10r/m, burst=5) on /rest/user/login and validated 401→429 behavior

  • Added and analyzed timeout directives to reduce DoS/slowloris risk

  • Created final, detailed documentation in:

    • labs/submission11.md
    • labs/lab11/analysis/ - header tests, rate-limit tests, TLS scans
    • labs/lab11/logs/ - Nginx access/error logs showing security behavior
    • labs/lab11/reverse-proxy/ - proxy configuration + TLS certs

Testing

  1. Reverse Proxy Verification

    • Started environment with docker compose up -d
    • Validated HTTP β†’ HTTPS redirect with a 308 response from port 8080
  2. Security Header Validation

    • Ran:

      curl -sI http://localhost:8080/
      curl -skI https://localhost:8443/
    • Confirmed presence of all configured headers and correct HSTS behavior (HTTPS only)

  3. TLS Scan

    • Executed testssl.sh against the HTTPS endpoint

    • Verified:

      • TLSv1.2 and TLSv1.3 only
      • No legacy/weak ciphers
      • Expected warnings due to self-signed local certificate
    • Saved output under analysis/testssl.txt

  4. Rate Limiting Test

    • Performed 12 rapid login attempts
    • Observed 6×401 followed by 6×429 responses
    • Verified Nginx blocking behavior in logs/access.log
  5. Timeout Behavior Review

    • Reviewed client_*_timeout, proxy_*_timeout, and keepalive_timeout settings
    • Confirmed Nginx correctly enforces protective connection limits
  6. Reproducibility

    • Reviewers can:

      • Run the same curl commands
      • Run testssl.sh
      • Inspect logs and header output
      • Validate rate-limiting behavior
    • All evidence is checked into the repository under labs/lab11/


Artifacts & Screenshots

  • Documentation:

    • labs/submission11.md
  • Security Headers Evidence:

    • labs/lab11/analysis/headers-http.txt
    • labs/lab11/analysis/headers-https.txt
  • Rate Limiting Evidence:

    • labs/lab11/analysis/rate-limit-test.txt
  • TLS Scan:

    • labs/lab11/analysis/testssl.txt
  • Proxy Logs:

    • labs/lab11/logs/access.log
    • labs/lab11/logs/error.log
  • Configuration Files:

    • labs/lab11/docker-compose.yml
    • labs/lab11/reverse-proxy/nginx.conf
    • labs/lab11/reverse-proxy/certs/

Checklist

  • PR has a clear and descriptive title
  • Documentation updated if needed
  • No secrets or large temporary files committed
  • Task 1 — Reverse proxy compose setup
  • Task 2 — Security headers verification
  • Task 3 — TLS + HSTS + rate limiting + timeouts (+ testssl)
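As an added example (not this PR's nginx.conf and not taken from the repository), the following shows one way to express the setup the description above lists: a plain-HTTP listener on 8080 that only issues a 308 redirect, a TLS listener on 8443 restricted to TLSv1.2/1.3, the security headers with HSTS emitted only on the HTTPS server, slow-client timeouts, and a 10r/m burst=5 limit on the login endpoint that answers 429. Assumed, not from the page: the Juice Shop container is reachable as juice-shop:3000 on the compose network, the certificate and key live under /etc/nginx/certs/, the zone is named login, and the specific timeout values and cipher list are illustrative choices.

```nginx
# Added example, not the repository's nginx.conf. Assumptions: the backend is
# reachable as juice-shop:3000 on the compose network and the self-signed
# cert/key are mounted under /etc/nginx/certs/ (both assumed, not from the PR).

# One bucket per client address, 10 requests per minute, 10 MB of state.
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;

# Plain HTTP: never serve the app here, only redirect. 308 (unlike 301/302)
# makes the client preserve the method and body on the redirected request.
server {
    listen 8080;
    server_name localhost;
    return 308 https://$host:8443$request_uri;
}

server {
    listen 8443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/certs/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/server.key;   # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;                     # no TLS 1.0/1.1, no SSLv3
    ssl_prefer_server_ciphers off;                     # let modern clients pick AEAD suites
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Slow-client (slowloris-style) protection: drop connections that dribble
    # headers/bodies or sit idle. Values are illustrative.
    client_header_timeout 10s;
    client_body_timeout   10s;
    keepalive_timeout     15s;
    send_timeout          10s;
    client_max_body_size  1m;

    # Backend-side timeouts so a stalled upstream cannot pin workers forever.
    proxy_connect_timeout 5s;
    proxy_send_timeout    30s;
    proxy_read_timeout    30s;
    proxy_http_version    1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Security headers. "always" emits them on 4xx/5xx responses as well.
    # HSTS lives only in this HTTPS server block, which is why the HTTP
    # listener above must not carry it.
    add_header X-Frame-Options                  "DENY" always;
    add_header X-Content-Type-Options           "nosniff" always;
    add_header Strict-Transport-Security        "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                  "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy               "geolocation=(), microphone=(), camera=()" always;
    add_header Cross-Origin-Opener-Policy       "same-origin" always;
    add_header Cross-Origin-Resource-Policy     "same-origin" always;
    # Report-Only first: observe violations in the browser console without
    # breaking the app, then tighten and switch to enforcing.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:" always;

    # Everything else goes straight to the app.
    location / {
        proxy_pass http://juice-shop:3000;
    }

    # Login is the brute-force target: rate-limit it. With rate=10r/m and
    # burst=5, the first request plus 5 burst slots pass (the 6 x 401 seen in
    # the test) and the rest are rejected. limit_req_status defaults to 503;
    # 429 is the semantically correct "Too Many Requests".
    location = /rest/user/login {
        limit_req zone=login burst=5;
        limit_req_status 429;
        proxy_pass http://juice-shop:3000;
    }
}
```

Two caveats worth checking when adapting this: nginx's add_header is not merged across levels, so if any location block adds its own header, it silently drops every server-level header for responses from that location (the example avoids this by keeping all add_header lines at server level); and without nodelay the five burst requests are queued and served at the 10r/m pace rather than immediately, so a "rapid" test still sees them succeed, just later.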
