From 3a7aa5d9c017da48fcb62f58a66e763da566e819 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 2 Dec 2020 10:41:50 +0100
Subject: [PATCH] block bad referrers
---
 confs/global/map-referrer.conf | 5 +++++
 confs/global/nginx.conf | 3 +++
 confs/site/block-referrer.conf | 3 +++
 confs/site/server.conf | 1 +
 entrypoint/defaults.sh | 1 +
 entrypoint/global-config.sh | 15 +++++++++++++++
 entrypoint/site-config.sh | 7 +++++++
 scripts/referrers.sh | 25 +++++++++++++++++++++++++
 8 files changed, 60 insertions(+)
 create mode 100644 confs/global/map-referrer.conf
 create mode 100644 confs/site/block-referrer.conf
 create mode 100755 scripts/referrers.sh
diff --git a/confs/global/map-referrer.conf b/confs/global/map-referrer.conf
new file mode 100644
index 0000000..d7e24d2
--- /dev/null
+++ b/confs/global/map-referrer.conf
@@ -0,0 +1,5 @@
+map $http_referer $bad_referrer {
+ hostnames;
+ default no;
+ %BLOCK_REFERRER%
+}
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 08c5875..a49761f 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -90,6 +90,9 @@ http {
 # list of blocked user agents
 %BLOCK_USER_AGENT%
+ # list of blocked referrers
+ %BLOCK_REFERRER%
+
 # zone for proxy_cache
 %PROXY_CACHE_PATH%
diff --git a/confs/site/block-referrer.conf b/confs/site/block-referrer.conf
new file mode 100644
index 0000000..1d596d8
--- /dev/null
+++ b/confs/site/block-referrer.conf
@@ -0,0 +1,3 @@
+if ($bad_referrer = yes) {
+ return 444;
+}
diff --git a/confs/site/server.conf b/confs/site/server.conf
index 9c14019..cb6608b 100644
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@@ -25,6 +25,7 @@ server {
 %FEATURE_POLICY%
 %PERMISSIONS_POLICY%
 %BLOCK_USER_AGENT%
+ %BLOCK_REFERRER%
 %BLOCK_TOR_EXIT_NODE%
 %BLOCK_PROXIES%
 %BLOCK_ABUSERS%
diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh
index ecaeb4c..dd0fc12 100644
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
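Review bot: The keys that replace `%BLOCK_REFERRER%` in this map are generated in scripts/referrers.sh (same commit) as `"~<entry>" yes;`, that is, case-sensitive and unanchored regexes matched against the whole `$http_referer` URL rather than its host. An entry therefore also matches when it appears in the path or query string of an unrelated referrer, and its dots match any character, so legitimate requests can be dropped. As far as I can tell `hostnames;` only affects mask-style hostname keys and does nothing for regex keys. I would generate `~*` keys with escaped dots, anchored to the host part of the URL, and add a comment above the map such as `# keys are regexes built from the bad-referrers list; $http_referer is the full URL, not only the host`.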
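Review bot: The `return 444;` in confs/site/block-referrer.conf needs a comment, because 444 is an nginx-specific code that closes the connection without sending a response and the file does not say why it is used. A line above the `if` such as `# 444: close the connection without a response; Referer is client-supplied, so this filters referrer spam and is not an access control` would cover it. Blocked requests can then only be told apart in the access log by their 444 status, which matters when someone has to trace a false positive.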
@@ -44,6 +44,7 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
+BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index bf544ee..64a6cc7 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -95,6 +95,21 @@ else
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
+# block bad refferer
+if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
+ replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
+ echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
+ if [ -f "/cache/map-referrer.conf" ] ; then
+ echo "[*] Copying cached map-referrer.conf ..."
+ cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
+ else
+ echo "[*] Downloading bad referrer list (in background) ..."
+ /opt/scripts/referrers.sh &
+ fi
+else
+ replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
+fi
+
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 237c162..56f234a 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
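Review bot: In the entrypoint/global-config.sh branch that runs `/opt/scripts/referrers.sh &`, nginx.conf already includes `/etc/nginx/map-referrer.conf`, but a usable file only exists at that path once the background download has finished. Unless something outside this hunk has put a valid file there, nginx can start while the map is missing or still holds the raw `%BLOCK_REFERRER%` placeholder, and it would likely refuse the configuration. Seeding an empty map before the background call avoids this: `cp /opt/confs/global/map-referrer.conf /etc/nginx/map-referrer.conf` followed by `replace_in_file "/etc/nginx/map-referrer.conf" "%BLOCK_REFERRER%" ""`. The cron line is appended with `>>` each time this script runs, so a restarted container may collect duplicate entries. The surrounding if/else chain continues outside the hunk.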
@@ -264,6 +264,13 @@ else
 replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" ""
 fi
+# block bad referrer
+if [ "$BLOCK_REFERRER" = "yes" ] ; then
+ replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" "include ${NGINX_PREFIX}block-referrer.conf;"
+else
+ replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" ""
+fi
+
 # block TOR exit nodes
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
diff --git a/scripts/referrers.sh b/scripts/referrers.sh
new file mode 100755
index 0000000..40b49fb
--- /dev/null
+++ b/scripts/referrers.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# replace pattern in file
+function replace_in_file() {
+ # escape slashes
+ pattern=$(echo "$2" | sed "s/\//\\\\\//g")
+ replace=$(echo "$3" | sed "s/\//\\\\\//g")
+ replace=$(echo "$replace" | sed "s/\\ /\\\\ /g")
+ sed -i "s/$pattern/$replace/g" "$1"
+}
+
+BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list)"
+DATA=""
+IFS=$'\n'
+for ref in $BLACKLIST ; do
+ DATA="${DATA}\"~${ref}\" yes;\n"
+done
+
+cp /opt/confs/global/map-referrer.conf /etc/nginx/map-referrer.conf
+replace_in_file "/etc/nginx/map-referrer.conf" "%BLOCK_REFERRER%" "$DATA"
+cp /etc/nginx/map-referrer.conf /cache
+
+if [ -f /tmp/nginx.pid ] ; then
+ /usr/sbin/nginx -s reload
+fi
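Review bot: scripts/referrers.sh writes the downloaded list into the nginx map and the cache without any check, starting at the `BLACKLIST="$(curl -s …)"` line and the loop after it. A failed or empty download replaces a working map and overwrites `/cache/map-referrer.conf`, and because curl runs without `-f` an HTTP error page is treated as list data. Every line from the third-party `master` branch is also pasted between quotes into the configuration, so a line containing `"`, `;` or `}` would add directives of its own, and `&` or `\` are interpreted by the sed replacement in `replace_in_file`. I would stop on download failure before touching either file and keep only hostname-shaped entries, as sketched below; the character class is an assumption about the list format and should be checked against the upstream file. Separately, `function` and `$'\n'` are not POSIX sh, so the script depends on the image's `/bin/sh` accepting them.

```sh
# … unchanged: replace_in_file helper …
if ! BLACKLIST="$(curl -sf https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list)" || [ -z "$BLACKLIST" ] ; then
    echo "[!] Can't download bad referrer list, keeping the current map" >&2
    exit 1
fi
# keep only hostname-shaped entries so a list line can't break out of the quoted map key
BLACKLIST="$(printf '%s\n' "$BLACKLIST" | grep -E '^[A-Za-z0-9._-]+$')"
if [ -z "$BLACKLIST" ] ; then
    echo "[!] Bad referrer list has no usable entry, keeping the current map" >&2
    exit 1
fi
# … unchanged: DATA loop, template copy, placeholder substitution, cache copy and reload …
```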