Commit f4c43a21 authored by bunkerity's avatar bunkerity
Browse files

block proxies and abusers

parent 3a9afa47
limit_req_status 429;
limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
......@@ -25,6 +25,8 @@ server {
%BLOCK_COUNTRY%
%BLOCK_USER_AGENT%
%BLOCK_TOR_EXIT_NODE%
%BLOCK_PROXIES%
%BLOCK_ABUSERS%
%COOKIE_FLAGS%
%ERRORS%
%USE_FAIL2BAN%
......
......@@ -83,7 +83,9 @@ SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-no}"
BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
HTTP2="${HTTP2-yes}"
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
......@@ -245,7 +247,7 @@ fi
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
/opt/scripts/user-agents.sh
/opt/scripts/user-agents.sh &
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
......@@ -253,11 +255,25 @@ else
fi
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
/opt/scripts/exit-nodes.sh
/opt/scripts/exit-nodes.sh &
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
fi
if [ "$BLOCK_PROXIES" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
/opt/scripts/proxies.sh &
echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
fi
if [ "$BLOCK_ABUSERS" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
/opt/scripts/abusers.sh &
echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
else
replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
fi
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
......
#!/bin/sh
echo "" > /etc/nginx/block-abusers.conf
curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v "^\#.*" |
while read entry ; do
echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
done
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi
#!/bin/sh
BLACKLIST=$(curl -s "https://iplists.firehol.org/files/tor_exits.ipset")
DATA=""
for ip in $BLACKLIST ; do
DATA="${DATA}deny ${ip};\n"
echo "" > /etc/nginx/block-tor-exit-node.conf
curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" |
while read entry ; do
echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
done
echo $DATA > /etc/nginx/block-tor-exit-node.conf
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi
#!/bin/sh
echo "" > /etc/nginx/block-proxies.conf
curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\#.*" |
while read entry ; do
echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
done
if [ -f /run/nginx/nginx.pid ] ; then
/usr/sbin/nginx -s reload
fi
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment