diff --git a/confs/site/block-referrer.conf b/confs/site/block-referrer.conf
deleted file mode 100644
index 1d596d8..0000000
--- a/confs/site/block-referrer.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-if ($bad_referrer = yes) {
- return 444;
-}
diff --git a/confs/site/block-user-agent.conf b/confs/site/block-user-agent.conf
deleted file mode 100644
index 712b4b3..0000000
--- a/confs/site/block-user-agent.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-if ($bad_user_agent = yes) {
- return 444;
-}
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 8f05181..13b5d55 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -5,6 +5,8 @@ access_by_lua_block {
 local use_whitelist_ip = %USE_WHITELIST_IP%
 local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
+local use_user_agent = %USE_USER_AGENT%
+local use_referrer = %USE_REFERRER%
 local use_country = %USE_COUNTRY%
 local use_blacklist_ip = %USE_BLACKLIST_IP%
 local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
@@ -35,6 +37,16 @@ if use_whitelist_reverse and whitelist.reverse_cached_ok() then
 ngx.exit(ngx.OK)
 end
+-- check if user-agent is allowed
+if use_user_agent and ngx.var.bad_user_agent == "yes" then
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- check if referrer is allowed
+if use_referrer and ngx.var.bad_referrer == "yes" then
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
 -- check if country is allowed
 if use_country and ngx.var.allowed_country == "no" then
 ngx.exit(ngx.HTTP_FORBIDDEN)
diff --git a/confs/site/server.conf b/confs/site/server.conf
index cb6608b..daf36cc 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -24,8 +24,6 @@ server {
 %REFERRER_POLICY%
 %FEATURE_POLICY%
 %PERMISSIONS_POLICY%
- %BLOCK_USER_AGENT%
- %BLOCK_REFERRER%
 %BLOCK_TOR_EXIT_NODE%
 %BLOCK_PROXIES%
 %BLOCK_ABUSERS%
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index 328390f..5995668 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
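Review bot: In confs/site/main-lua.conf, second hunk (`@@ -35,6 +37,16 @@`), the user-agent and referrer checks are added after the whitelist early exits (`ngx.exit(ngx.OK)` in the context lines), so a whitelisted client now skips them, whereas the deleted `if ($bad_user_agent = yes) { return 444; }` includes sat at server level and presumably applied to every request. The denial also changes from `return 444` to `ngx.exit(ngx.HTTP_FORBIDDEN)`, so rejected clients now get a 403 response instead of a closed connection. If both are intended, record it above the first check, e.g. `-- runs after the whitelist exits: whitelisted clients skip the UA/referrer checks; denial is 403 (was 444)`; if the old response should be kept, `ngx.exit(444)` does that. Neither branch logs which check denied the request, which would help when tuning the lists. The access_by_lua_block starts and ends outside the hunk.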
@@ -81,7 +81,7 @@ LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
 LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
-WHITELIST_IP_LIST="${WHITELIST_IP_LIST-23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
+WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
 USE_WHITELIST_REVERSE="${USE_WHITELIST_REVERSE-yes}"
 WHITELIST_REVERSE_LIST="${WHITELIST_REVERSE_LIST-.googlebot.com .google.com .search.msn.com .crawl.yahoot.net .crawl.baidu.jp .crawl.baidu.com .yandex.com .yandex.ru .yandex.net}"
 USE_BLACKLIST_IP="${USE_BLACKLIST_IP-yes}"
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 9923b1a..855ce2b 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -266,16 +266,16 @@ fi
 # block bad UA
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" "include ${NGINX_PREFIX}block-user-agent.conf;"
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "true"
 else
- replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" ""
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_USER_AGENT%" "false"
 fi
 # block bad referrer
 if [ "$BLOCK_REFERRER" = "yes" ] ; then
- replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" "include ${NGINX_PREFIX}block-referrer.conf;"
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "true"
 else
- replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" ""
+ replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "false"
 fi
 # block TOR exit nodes
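Review bot: In entrypoint/defaults.sh (`@@ -81,7 +81,7 @@`) the default `WHITELIST_IP_LIST` now begins with `127.0.0.1`, and a whitelist hit in main-lua.conf appears to end the access phase with `ngx.exit(ngx.OK)`, so any request nginx attributes to loopback skips the later user-agent, referrer and country checks. That is only safe if nothing on the same host or network namespace relays external traffic over loopback; the diff does not show how the client address is derived, so this needs confirming. The commit gives no reason for the entry: either add a comment above the line, e.g. `# 127.0.0.1: <reason>; drop it if a local proxy relays client traffic`, or leave it out of the default and let deployments that need it set `WHITELIST_IP_LIST`. Separately, the context line's `.crawl.yahoot.net` looks like a typo for the Yahoo crawler suffix and is worth checking, since a reverse-DNS whitelist entry should name a domain the project trusts.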