diff --git a/files/etc/nginx/cdn/cdn-bunny.conf b/files/etc/nginx/cdn/cdn-bunny.conf
index 756a538..25b6bcc 100644
--- a/files/etc/nginx/cdn/cdn-bunny.conf
+++ b/files/etc/nginx/cdn/cdn-bunny.conf
@@ -31,7 +31,6 @@ set_real_ip_from 200.25.11.8;
 set_real_ip_from 200.25.53.5;
 set_real_ip_from 200.25.13.98;
 set_real_ip_from 107.155.21.186;
-set_real_ip_from 107.155.27.226;
 set_real_ip_from 41.242.2.18;
 set_real_ip_from 200.25.62.5;
 set_real_ip_from 200.25.38.69;
@@ -40,11 +39,9 @@ set_real_ip_from 200.25.36.166;
 set_real_ip_from 195.206.229.106;
 set_real_ip_from 92.223.88.123;
 set_real_ip_from 194.242.11.186;
-set_real_ip_from 37.19.203.80;
 set_real_ip_from 65.108.101.60;
 set_real_ip_from 185.164.35.8;
 set_real_ip_from 185.173.226.42;
-set_real_ip_from 195.69.143.190;
 set_real_ip_from 94.20.154.22;
 set_real_ip_from 185.93.1.244;
 set_real_ip_from 89.38.224.138;
@@ -61,7 +58,6 @@ set_real_ip_from 138.199.46.68;
 set_real_ip_from 138.199.46.67;
 set_real_ip_from 185.93.1.246;
 set_real_ip_from 138.199.37.232;
-set_real_ip_from 103.216.222.109;
 set_real_ip_from 195.181.163.196;
 set_real_ip_from 107.182.163.162;
 set_real_ip_from 195.181.163.195;
@@ -81,7 +77,6 @@ set_real_ip_from 185.93.3.244;
 set_real_ip_from 143.244.49.179;
 set_real_ip_from 143.244.49.180;
 set_real_ip_from 138.199.9.104;
-set_real_ip_from 122.10.251.138;
 set_real_ip_from 185.152.66.243;
 set_real_ip_from 143.244.49.178;
 set_real_ip_from 169.150.221.147;
@@ -119,7 +114,6 @@ set_real_ip_from 15.235.54.226;
 set_real_ip_from 102.67.138.155;
 set_real_ip_from 156.59.126.78;
 set_real_ip_from 192.34.87.166;
-set_real_ip_from 146.70.80.218;
 set_real_ip_from 156.146.43.65;
 set_real_ip_from 195.181.163.203;
 set_real_ip_from 195.181.163.202;
@@ -148,11 +142,8 @@ set_real_ip_from 143.244.50.89;
 set_real_ip_from 143.244.50.210;
 set_real_ip_from 143.244.50.211;
 set_real_ip_from 143.244.50.212;
-set_real_ip_from 138.199.4.137;
 set_real_ip_from 5.42.206.66;
 set_real_ip_from 94.46.175.183;
-set_real_ip_from 38.54.2.20;
-set_real_ip_from 38.54.4.6;
 set_real_ip_from 169.150.207.57;
 set_real_ip_from 169.150.207.58;
 set_real_ip_from 169.150.207.213;
@@ -180,7 +171,6 @@ set_real_ip_from 138.199.36.10;
 set_real_ip_from 138.199.36.11;
 set_real_ip_from 138.199.37.225;
 set_real_ip_from 84.17.46.49;
-set_real_ip_from 138.199.4.177;
 set_real_ip_from 84.17.37.217;
 set_real_ip_from 169.150.225.35;
 set_real_ip_from 169.150.225.36;
@@ -273,6 +263,39 @@ set_real_ip_from 169.150.220.230;
 set_real_ip_from 169.150.220.231;
 set_real_ip_from 138.199.4.179;
 set_real_ip_from 207.211.214.145;
+set_real_ip_from 109.61.86.193;
+set_real_ip_from 38.54.3.97;
+set_real_ip_from 103.152.98.207;
+set_real_ip_from 103.214.20.95;
+set_real_ip_from 178.175.134.51;
+set_real_ip_from 138.199.4.178;
+set_real_ip_from 172.255.253.140;
+set_real_ip_from 185.24.11.19;
+set_real_ip_from 109.61.83.244;
+set_real_ip_from 109.61.83.245;
+set_real_ip_from 84.17.38.250;
+set_real_ip_from 84.17.38.251;
+set_real_ip_from 146.59.69.202;
+set_real_ip_from 146.70.80.218;
+set_real_ip_from 154.93.50.48;
+set_real_ip_from 200.25.80.74;
+set_real_ip_from 79.127.213.214;
+set_real_ip_from 79.127.213.215;
+set_real_ip_from 79.127.213.216;
+set_real_ip_from 79.127.213.217;
+set_real_ip_from 195.69.140.112;
+set_real_ip_from 109.61.83.247;
+set_real_ip_from 109.61.83.246;
+set_real_ip_from 185.93.2.251;
+set_real_ip_from 185.93.2.248;
+set_real_ip_from 109.61.83.249;
+set_real_ip_from 109.61.83.250;
+set_real_ip_from 109.61.83.251;
+set_real_ip_from 46.199.75.115;
+set_real_ip_from 141.164.35.160;
+set_real_ip_from 109.61.83.97;
+set_real_ip_from 109.61.83.98;
+set_real_ip_from 109.61.83.99;
 set_real_ip_from 116.202.155.146;
 set_real_ip_from 116.202.193.178;
 set_real_ip_from 116.202.224.168;
@@ -281,7 +304,6 @@ set_real_ip_from 88.99.26.189;
 set_real_ip_from 168.119.39.238;
 set_real_ip_from 88.99.26.97;
 set_real_ip_from 168.119.12.188;
-set_real_ip_from 199.247.1.226;
 set_real_ip_from 176.9.139.55;
 set_real_ip_from 176.9.139.94;
 set_real_ip_from 5.161.66.71;
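Review bot: The 33 `set_real_ip_from` lines added in the `@@ -273,6 +263,39 @@` hunk (and the additions in the `-326` and `-551` hunks) each make nginx accept the client address reported by that peer, but nothing in the visible lines records where the addresses came from or when they were last checked. Many of the new entries are single hosts outside the `138.199.`/`2400:52e0:` blocks that dominate the list, so an entry that outlives its use would presumably let the next holder of that address choose the client IP nginx logs and acts on. I would add a comment above the list such as `# Source: <edge-server list URL>, refreshed <YYYY-MM-DD>`; the head of the file is outside the diff, so it may already have one. For the record, 146.70.80.218 is moved rather than dropped: it is removed in the `-119` hunk and re-added here.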
@@ -326,6 +348,29 @@ set_real_ip_from 138.199.9.98;
 set_real_ip_from 143.244.50.155;
 set_real_ip_from 46.4.113.143;
 set_real_ip_from 143.244.49.187;
+set_real_ip_from 5.161.43.226;
+set_real_ip_from 5.161.198.143;
+set_real_ip_from 5.161.223.161;
+set_real_ip_from 5.161.89.223;
+set_real_ip_from 5.161.98.9;
+set_real_ip_from 5.161.200.230;
+set_real_ip_from 5.161.61.85;
+set_real_ip_from 5.161.71.0;
+set_real_ip_from 136.243.2.236;
+set_real_ip_from 195.201.81.217;
+set_real_ip_from 148.251.42.123;
+set_real_ip_from 94.130.68.122;
+set_real_ip_from 88.198.22.103;
+set_real_ip_from 46.4.102.90;
+set_real_ip_from 157.90.180.205;
+set_real_ip_from 162.55.135.11;
+set_real_ip_from 195.201.109.59;
+set_real_ip_from 148.251.41.244;
+set_real_ip_from 116.202.235.16;
+set_real_ip_from 51.161.197.119;
+set_real_ip_from 51.161.196.129;
+set_real_ip_from 51.161.196.208;
+set_real_ip_from 128.140.70.141;
 set_real_ip_from 109.248.43.116;
 set_real_ip_from 109.248.43.117;
 set_real_ip_from 109.248.43.162;
@@ -350,7 +395,6 @@ set_real_ip_from 159.69.57.80;
 set_real_ip_from 139.180.129.216;
 set_real_ip_from 139.99.174.7;
 set_real_ip_from 89.187.169.18;
-set_real_ip_from 185.180.13.241;
 set_real_ip_from 185.59.220.203;
 set_real_ip_from 185.59.220.200;
 set_real_ip_from 185.59.220.202;
@@ -369,7 +413,6 @@ set_real_ip_from 89.187.179.7;
 set_real_ip_from 143.244.51.70;
 set_real_ip_from 143.244.51.71;
 set_real_ip_from 143.244.51.69;
-set_real_ip_from 212.102.43.85;
 set_real_ip_from 212.102.43.86;
 set_real_ip_from 143.244.62.213;
 set_real_ip_from 143.244.51.74;
@@ -394,6 +437,7 @@ set_real_ip_from 84.17.38.225;
 set_real_ip_from 169.150.247.139;
 set_real_ip_from 169.150.247.177;
 set_real_ip_from 169.150.247.178;
+set_real_ip_from 169.150.213.49;
 set_real_ip_from 109.61.89.53;
 set_real_ip_from 109.61.89.54;
 set_real_ip_from 109.61.89.55;
@@ -428,7 +472,6 @@ set_real_ip_from 2400:52e0:1500::868:1;
 set_real_ip_from 2400:52e0:1500::869:1;
 set_real_ip_from 2400:52e0:1a00::871:1;
 set_real_ip_from 2400:52e0:1e00::874:1;
-set_real_ip_from 2404:f780:0:2::7;
 set_real_ip_from 2400:52e0:1a02::876:1;
 set_real_ip_from 2400:52e0:1a02::878:1;
 set_real_ip_from 2400:52e0:1e01::879:1;
@@ -537,6 +580,7 @@ set_real_ip_from 2400:52e0:1a01::1112:1;
 set_real_ip_from 2400:52e0:1a01::1113:1;
 set_real_ip_from 2400:52e0:1a01::1114:1;
 set_real_ip_from 2400:52e0:1a01::1115:1;
+set_real_ip_from 2a0c:e082:11::d;
 set_real_ip_from 2404:f780:0:2::d;
 set_real_ip_from 2404:f780:0:2::f;
 set_real_ip_from 2404:f780:0:2::11;
@@ -551,6 +595,34 @@ set_real_ip_from 2400:52e0:1501::1150:1;
 set_real_ip_from 2404:f780:0:2::13;
 set_real_ip_from 2c0f:fc89:1ff::4;
 set_real_ip_from 2602:ffe4:c09:106::1154;
+set_real_ip_from 2400:52e0:1690::1156:1;
+set_real_ip_from 2400:52e0:1690::1157:1;
+set_real_ip_from 2400:52e0:1690::1158:1;
+set_real_ip_from 2400:52e0:1690::1159:1;
+set_real_ip_from 2400:52e0:1690::1160:1;
+set_real_ip_from 2a02:6ea0:f904::1163:1;
+set_real_ip_from 2404:f780:0:2::15;
+set_real_ip_from 2400:52e0:1690::1168:1;
+set_real_ip_from 2400:52e0:1501::1171:1;
+set_real_ip_from 2400:52e0:1501::1172:1;
+set_real_ip_from 2400:52e0:1500::1173:1;
+set_real_ip_from 2400:52e0:1500::1174:1;
+set_real_ip_from 2001:41d0:605:ca00::1175:1;
+set_real_ip_from 2400:52e0:1500::1179:1;
+set_real_ip_from 2400:52e0:1500::1180:1;
+set_real_ip_from 2400:52e0:1500::1181:1;
+set_real_ip_from 2400:52e0:1500::1182:1;
+set_real_ip_from 2400:52e0:1501::1184:1;
+set_real_ip_from 2400:52e0:1501::1185:1;
+set_real_ip_from 2400:52e0:1e02::1186:1;
+set_real_ip_from 2400:52e0:1e02::1187:1;
+set_real_ip_from 2400:52e0:1501::1188:1;
+set_real_ip_from 2400:52e0:1501::1189:1;
+set_real_ip_from 2400:52e0:1501::1190:1;
+set_real_ip_from 2401:c080:1c01:5a:ba3f:d2ff:fe0a:94b0;
+set_real_ip_from 2400:52e0:1501::1193:1;
+set_real_ip_from 2400:52e0:1501::1194:1;
+set_real_ip_from 2400:52e0:1501::1195:1;
 set_real_ip_from 2a04:ff07:d9:12::1;
 set_real_ip_from 2a04:ff07:d9:13::1;
 set_real_ip_from 2a04:ff07:d9:39::1;
diff --git a/files/etc/nginx/include/block-exploits.inc b/files/etc/nginx/include/block-exploits.inc
new file mode 100644
index 0000000..6b27b97
--- /dev/null
+++ b/files/etc/nginx/include/block-exploits.inc
@@ -0,0 +1,138 @@
+ ## Block SQL injections
+ set $block_sql_injections 0;
+ if ($query_string ~ "union.*select.*\(") {
+ set $block_sql_injections 1;
+ }
+
+ if ($query_string ~ "union.*all.*select.*") {
+ set $block_sql_injections 1;
+ }
+
+ if ($query_string ~ "concat.*\(") {
+ set $block_sql_injections 1;
+ }
+
+ if ($block_sql_injections = 1) {
+ return 403;
+ }
+
+
+ ## Block file injections
+ set $block_file_injections 0;
+ if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+ set $block_file_injections 1;
+ }
+
+ if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+ set $block_file_injections 1;
+ }
+
+ if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+ set $block_file_injections 1;
+ }
+
+ if ($block_file_injections = 1) {
+ return 403;
+ }
+
+
+ ## Block common exploits
+ set $block_common_exploits 0;
+ if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+ set $block_common_exploits 1;
+ }
+
+ if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+ }
+
+ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+ }
+
+ if ($query_string ~ "proc/self/environ") {
+ set $block_common_exploits 1;
+ }
+
+ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+ set $block_common_exploits 1;
+ }
+
+ if ($query_string ~ "base64_(en|de)code\(.*\)") {
+ set $block_common_exploits 1;
+ }
+
+ if ($block_common_exploits = 1) {
+ return 403;
+ }
+
+
+ ## Block spam
+ set $block_spam 0;
+ if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+ set $block_spam 1;
+ }
+
+ if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+ set $block_spam 1;
+ }
+
+ if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+ set $block_spam 1;
+ }
+
+ if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+ set $block_spam 1;
+ }
+
+ if ($block_spam = 1) {
+ return 403;
+ }
+
+
+ ## Block user agents
+ set $block_user_agents 0;
+
+
+ # Disable Akeeba Remote Control 2.5 and earlier
+ if ($http_user_agent ~ "Indy Library") {
+ set $block_user_agents 1;
+ }
+
+ # Common bandwidth hoggers and hacking tools.
+ if ($http_user_agent ~ "libwww-perl") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "GetRight") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "GetWeb!") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "Go!Zilla") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "Download Demon") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "Go-Ahead-Got-It") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "TurnitinBot") {
+ set $block_user_agents 1;
+ }
+
+ if ($http_user_agent ~ "GrabNet") {
+ set $block_user_agents 1;
+ }
+
+ if ($block_user_agents = 1) {
+ return 403;
+ }
+
diff --git a/files/etc/nginx/include/generic.common b/files/etc/nginx/include/generic.common
new file mode 100644
index 0000000..27c7db8
--- /dev/null
+++ b/files/etc/nginx/include/generic.common
@@ -0,0 +1,29 @@
+include /etc/nginx/include/proxy-hide-headers.common;
+include /etc/nginx/include/block-exploits.inc;
+
+resolver 8.8.8.8 8.8.4.4 ipv6=off;
+
+add_header Access-Control-Allow-Origin *;
+proxy_set_header X-Forwarded-For $realip;
+proxy_ssl_verify off;
+proxy_ssl_server_name on;
+
+# Disable .htaccess and other hidden files
+location ~ /\.(?!well-known).* {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+}
+
+location /robots.txt {
+ access_log off;
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+}
+
+location /healthcheck {
+ access_log off;
+ default_type text/plain;
+ return 200 "OK";
+}
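Review bot: Every `if` in block-exploits.inc uses the case-sensitive `~` operator on `$query_string`, which nginx exposes raw and undecoded, so the patterns only fire on exact-case, unencoded spellings and never see request bodies, paths or cookies. The file is best treated as noise reduction rather than an injection control, and a header comment should say so, e.g. `# Best-effort query-string filter; not a substitute for input handling in the application.` If broader matching is wanted, `~*` is the one-character change (`if ($query_string ~* "union.*select.*\(") {`), at the cost of more false positives. The `[a-zA-Z0-9_]=http://` rule already rejects any legitimate parameter that carries an absolute URL, while `https://` values pass. The `$http_user_agent` checks share the limitation, since the client chooses that header.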
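Review bot: In generic.common, `proxy_ssl_verify off;` leaves the upstream certificate unchecked, and with names resolved through `resolver 8.8.8.8 8.8.4.4` over plain DNS nothing authenticates the origin that proxied requests and forwarded client headers are sent to. Unless every upstream sits on a trusted private link, this should be `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path to CA bundle>;`, keeping the existing `proxy_ssl_server_name on;`. `$realip` in `proxy_set_header X-Forwarded-For $realip;` is not a variable nginx defines itself, so it has to come from a `map` or `set` outside this diff or `nginx -t` will reject the include. Smaller points: in the dotfile location `return 444` runs in the rewrite phase, so `deny all` is never evaluated, and `location /robots.txt` and `location /healthcheck` are prefix matches where `location = /robots.txt` and `location = /healthcheck` look intended.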