Full lifecycle nginx hardening: audit configs, analyze logs, generate rules, respond to IoCs, deploy and monitor
npx claudepluginhub trumb/claude-nginx-hardeningFull lifecycle nginx hardening: audit configs, analyze logs, generate rules, respond to IoCs, deploy and monitor
trumbFull-lifecycle nginx security hardening plugin for Claude Code.
A Claude Code plugin that audits nginx configs, analyzes access logs for attack patterns, generates blocking rules, responds to indicators of compromise, and deploys hardening changes through a gated pipeline. Covers 35 attack categories derived from live honeypot data. Implements a 5-layer security pipeline that never exposes raw attacker data to the LLM. Enforces 18 invariants on every operation. Includes IoC/threat intel with 10 built-in feeds, a recipe system with scheduling, canary deployment, rule aging, and environment profiles.
# Step 1: Add the marketplace (one-time)
claude plugin marketplace add trumb/claude-nginx-hardening
# Step 2: Install the plugin
claude plugin install claude-nginx-hardening
# Clone the repo
git clone https://github.com/trumb/claude-nginx-hardening.git ~/.claude/plugins/custom/claude-nginx-hardening
# Launch Claude Code with the plugin loaded
claude --plugin-dir ~/.claude/plugins/custom/claude-nginx-hardening
# User-wide (default) — available in all projects
claude plugin install claude-nginx-hardening --scope user
# Project-only — available only in the current project
claude plugin install claude-nginx-hardening --scope project
# First run — audit your nginx config
/harden-nginx audit
# Analyze access logs for attack patterns
/harden-nginx analyze-logs
# Full lifecycle: analyze + audit + review + stage + deploy
/harden-nginx full
# Check threat feeds for IoCs
/harden-nginx ioc --feed all
# Run a saved recipe
/harden-nginx recipe run weekly-scan
The plugin auto-detects nginx configs in /etc/nginx/sites-enabled/ and logs in /var/log/nginx/. All operations default to Recommendation Mode (read-only) — no files are modified unless you explicitly opt in.
| Command | Description | Default Mode |
|---|---|---|
/harden-nginx | Main entry — NL routing, explicit subcommands, or interactive menu | R0+R1 |
/harden-nginx audit | Config compliance audit (headers, TLS, blocking rules, 35 categories) | R0+R1 |
/harden-nginx analyze-logs | Log analysis through sanitizer pipeline (scanner detection, attack patterns) | R0+R1 |
/harden-nginx deploy | Staged deployment (backup, validate, write, nginx -t, reload) | W1 (explicit) |
/harden-nginx ioc | IoC/threat intel response — local + feed-based indicator matching, 3 response modes | R0+R1 |
/harden-nginx recipe | Recipe management — create, run, list, edit, install, export saved workflows | R0+R1 |
/harden-nginx aging | Rule aging — scan for stale rules, report staleness, tag for review | R0+R1 |
/harden-nginx exceptions | Exception management — review, create, renew security exceptions | R0+R1 |
/harden-nginx rollback | Rollback — restore config from timestamped backups with safety checks | R0+R1 |
/harden-nginx learnings | Learnings management — list, promote, compact, export | R0+R1 |
Append --apply for local writes or --deploy for full enforcement (writes + git push + remote execution).
All commands support --json for machine-readable output and --profile <name> for environment profile selection.
Layer 1: log-parser agent Read-only, hex-encodes attacker payloads
| Extracts structured events from raw logs
v
Layer 2: sanitizer.py Deterministic (no LLM), allowlist filtering
| Strips PII, validates fields, enforces length limits
v
Layer 3: config-auditor Read + stage only, proposes rules
| Generates findings, maps to categories, drafts rule blocks
v
Layer 4: decision gate Human accept/reject
| Presents diff, risk assessment, rollback plan
v
Layer 5: invariant-checker invariant-checker.py + nginx -t + backup + deploy
Validates rule syntax, checks invariants, tests config
Data flows strictly downward. No layer can invoke a higher-numbered layer. Layer 2 output is the only data Layer 3 ever sees from logs.
| Level | Scope | Checks | Activation |
|---|---|---|---|
| L1 -- Static Config | nginx conf files | Headers, TLS floor, unsafe directives, include hierarchy, location precedence, rate limiting, proxy headers | Always |
| L2 -- Log Analysis | access/error logs | Scanner UAs, brute-force patterns, exploit path probing (categories 1-35), method anomalies, status distributions, IoC matching | If logs present |
| L3 -- Live Verification | HTTP(S) requests | Response header verification, TLS handshake, blocked path checks, deny behavior, health endpoint | Opt-in (--live) |
Claude Code marketplace entries for the plugin-safe Antigravity Awesome Skills library and its compatible editorial bundles.
Production-ready workflow orchestration with 84 marketplace plugins, 192 local specialized agents, and 156 local skills - optimized for granular installation and minimal token usage
Directory of popular Claude Code extensions including development tools, productivity plugins, and MCP integrations