block bad referrers

confs/global/map-referrer.conf

@@ -0,0 +1,5 @@
+map $http_referer $bad_referrer {
+	hostnames;
+	default no;
+	%BLOCK_REFERRER%
+}

confs/global/nginx.conf

@@ -90,6 +90,9 @@ http {
 	# list of blocked user agents
 	%BLOCK_USER_AGENT%
 
+	# list of blocked referrers
+	%BLOCK_REFERRER%
+
 	# zone for proxy_cache
 	%PROXY_CACHE_PATH%
 

confs/site/block-referrer.conf

@@ -0,0 +1,3 @@
+if ($bad_referrer = yes) {
+	return 444;
+}

confs/site/server.conf

@@ -25,6 +25,7 @@ server {
 	%FEATURE_POLICY%
 	%PERMISSIONS_POLICY%
 	%BLOCK_USER_AGENT%
+	%BLOCK_REFERRER%
 	%BLOCK_TOR_EXIT_NODE%
 	%BLOCK_PROXIES%
 	%BLOCK_ABUSERS%

entrypoint/defaults.sh

@@ -44,6 +44,7 @@ DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
+BLOCK_REFERRER="${BLOCK_REFERRER-yes}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
 BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"

entrypoint/global-config.sh

@@ -95,6 +95,21 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
 fi
 
+# block bad refferer
+if [ "$(has_value BLOCK_REFERRER yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" "include /etc/nginx/map-referrer.conf;"
+	echo "0 0 * * * /opt/scripts/referrers.sh" >> /etc/crontabs/root
+	if [ -f "/cache/map-referrer.conf" ] ; then
+		echo "[*] Copying cached map-referrer.conf ..."
+		cp /cache/map-referrer.conf /etc/nginx/map-referrer.conf
+	else
+		echo "[*] Downloading bad referrer list (in background) ..."
+		/opt/scripts/referrers.sh &
+	fi
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_REFERRER%" ""
+fi
+
 # block TOR exit nodes
 if [ "$(has_value BLOCK_TOR_EXIT_NODE yes)" != "" ] ; then
 	echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root

entrypoint/site-config.sh

@@ -264,6 +264,13 @@ else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_USER_AGENT%" ""
 fi
 
+# block bad referrer
+if [ "$BLOCK_REFERRER" = "yes" ] ; then
+	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" "include ${NGINX_PREFIX}block-referrer.conf;"
+else
+	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_REFERRER%" ""
+fi
+
 # block TOR exit nodes
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"

scripts/referrers.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# replace pattern in file
+function replace_in_file() {
+        # escape slashes
+        pattern=$(echo "$2" | sed "s/\//\\\\\//g")
+        replace=$(echo "$3" | sed "s/\//\\\\\//g")
+        replace=$(echo "$replace" | sed "s/\\ /\\\\ /g")
+        sed -i "s/$pattern/$replace/g" "$1"
+}
+
+BLACKLIST="$(curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-referrers.list)"
+DATA=""
+IFS=$'\n'
+for ref in $BLACKLIST ; do
+        DATA="${DATA}\"~${ref}\" yes;\n"
+done
+
+cp /opt/confs/global/map-referrer.conf /etc/nginx/map-referrer.conf
+replace_in_file "/etc/nginx/map-referrer.conf" "%BLOCK_REFERRER%" "$DATA"
+cp /etc/nginx/map-referrer.conf /cache
+
+if [ -f /tmp/nginx.pid ] ; then
+	/usr/sbin/nginx -s reload
+fi