From f4c43a2148de562226808fa27893f50f1aa3e6ee Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 4 Oct 2020 21:07:39 +0200
Subject: [PATCH] block proxies and abusers

---
 confs/limit-req.conf | 3 +++
 confs/server.conf | 2 ++
 entrypoint.sh | 22 +++++++++++++++++++---
 scripts/abusers.sh | 10 ++++++++++
 scripts/exit-nodes.sh | 9 ++++-----
 scripts/proxies.sh | 10 ++++++++++
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 confs/limit-req.conf
 create mode 100755 scripts/abusers.sh
 create mode 100755 scripts/proxies.sh

diff --git a/confs/limit-req.conf b/confs/limit-req.conf
new file mode 100644
index 0000000..395d838
--- /dev/null
+++ b/confs/limit-req.conf
@@ -0,0 +1,3 @@
+limit_req_status 429;
+limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
+
diff --git a/confs/server.conf b/confs/server.conf
index 176647a..e70eec6 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -25,6 +25,8 @@ server {
 %BLOCK_COUNTRY%
 %BLOCK_USER_AGENT%
 %BLOCK_TOR_EXIT_NODE%
+ %BLOCK_PROXIES%
+ %BLOCK_ABUSERS%
 %COOKIE_FLAGS%
 %ERRORS%
 %USE_FAIL2BAN%
diff --git a/entrypoint.sh b/entrypoint.sh
index f3bf5e5..967272b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -83,7 +83,9 @@ SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
 BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
-BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-no}"
+BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
+BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
+BLOCK_ABUSERS="${BLOCK_ABUSERS-yes}"
 AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT-no}"
 HTTP2="${HTTP2-yes}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
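Review bot: `limit-req.conf` is added with the `%LIMIT_REQ_BURST%` placeholder, but none of the entrypoint.sh hunks in this patch substitutes it or includes the file, and no `limit_req_zone` directive defining `zone=limit` appears anywhere in the change; unless that wiring already exists in an earlier commit, the file is dead, and if it is included without the substitution nginx rejects the literal `%LIMIT_REQ_BURST%` at the next reload. Either add the `replace_in_file` call and the include alongside the new BLOCK_* blocks in this same commit, or state the dependency in a header comment so the next maintainer knows where it is satisfied, e.g. `# zone=limit must be defined by a limit_req_zone directive in the http block; %LIMIT_REQ_BURST% is substituted by entrypoint.sh`.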
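Review bot: The default of `BLOCK_TOR_EXIT_NODE` is flipped from `no` to `yes` in this hunk, which the subject "block proxies and abusers" does not mention; deployments that never set the variable will start denying Tor exit addresses after upgrading. Together with the two new `yes` defaults this also makes every container start fetch three lists from iplists.firehol.org, so a host without outbound HTTPS now depends on how the fetch scripts behave when the download fails. Either keep `BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-no}"` here and flip it in a separate, described change, or call the new default out in the commit message and the README. The surrounding variable block continues outside the hunk.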
@@ -245,7 +247,7 @@ fi
 if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
 replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
 replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
- /opt/scripts/user-agents.sh
+ /opt/scripts/user-agents.sh &
 echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
 else
 replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
@@ -253,11 +255,25 @@ else
 fi
 if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
 replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
- /opt/scripts/exit-nodes.sh
+ /opt/scripts/exit-nodes.sh &
 echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
 else
 replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
 fi
+if [ "$BLOCK_PROXIES" = "yes" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" "include /etc/nginx/block-proxies.conf;"
+ /opt/scripts/proxies.sh &
+ echo "0 0 * * * /opt/scripts/proxies.sh" >> /etc/crontabs/root
+else
+ replace_in_file "/etc/nginx/server.conf" "%BLOCK_PROXIES%" ""
+fi
+if [ "$BLOCK_ABUSERS" = "yes" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" "include /etc/nginx/block-abusers.conf;"
+ /opt/scripts/abusers.sh &
+ echo "0 0 * * * /opt/scripts/abusers.sh" >> /etc/crontabs/root
+else
+ replace_in_file "/etc/nginx/server.conf" "%BLOCK_ABUSERS%" ""
+fi
 if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
diff --git a/scripts/abusers.sh b/scripts/abusers.sh
new file mode 100755
index 0000000..7c94084
--- /dev/null
+++ b/scripts/abusers.sh
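Review bot: Backgrounding `/opt/scripts/proxies.sh &` immediately after `replace_in_file` has written `include /etc/nginx/block-proxies.conf;` into server.conf opens a window in which the included file does not exist yet: the script's `echo "" >` is its first statement, but if the nginx start later in entrypoint.sh (outside this hunk) wins the race, nginx aborts on the missing include. The same applies to `/opt/scripts/abusers.sh &` below it, to `/opt/scripts/exit-nodes.sh &` at the top of this hunk and to `/opt/scripts/user-agents.sh &` in the previous hunk. Creating the file synchronously before forking closes the window, e.g. `: > /etc/nginx/block-proxies.conf` on the line before `/opt/scripts/proxies.sh &`, and likewise for the other three. Note also that `echo ... >> /etc/crontabs/root` appends on every entrypoint run, so if /etc/crontabs survives container restarts the entries accumulate and each fetch runs several times per tick — presumably the file is fresh on each start in this image, but worth confirming.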
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+echo "" > /etc/nginx/block-abusers.conf
+curl -s "https://iplists.firehol.org/files/firehol_abusers_30d.netset" | grep -v "^\#.*" |
+while read entry ; do
+ echo "deny ${entry};" >> /etc/nginx/block-abusers.conf
+done
+if [ -f /run/nginx/nginx.pid ] ; then
+ /usr/sbin/nginx -s reload
+fi
diff --git a/scripts/exit-nodes.sh b/scripts/exit-nodes.sh
index 1a650ce..256ef27 100644
--- a/scripts/exit-nodes.sh
+++ b/scripts/exit-nodes.sh
@@ -1,11 +1,10 @@
 #!/bin/sh
-BLACKLIST=$(curl -s "https://iplists.firehol.org/files/tor_exits.ipset")
-DATA=""
-for ip in $BLACKLIST ; do
- DATA="${DATA}deny ${ip};\n"
+echo "" > /etc/nginx/block-tor-exit-node.conf
+curl -s "https://iplists.firehol.org/files/tor_exits.ipset" | grep -v "^\#.*" |
+while read entry ; do
+ echo "deny ${entry};" >> /etc/nginx/block-tor-exit-node.conf
 done
-echo $DATA > /etc/nginx/block-tor-exit-node.conf
 if [ -f /run/nginx/nginx.pid ] ; then
 /usr/sbin/nginx -s reload
 fi
diff --git a/scripts/proxies.sh b/scripts/proxies.sh
new file mode 100755
index 0000000..0dd1de0
--- /dev/null
+++ b/scripts/proxies.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+echo "" > /etc/nginx/block-proxies.conf
+curl -s "https://iplists.firehol.org/files/firehol_proxies.netset" | grep -v "^\#.*" |
+while read entry ; do
+ echo "deny ${entry};" >> /etc/nginx/block-proxies.conf
+done
+if [ -f /run/nginx/nginx.pid ] ; then
+ /usr/sbin/nginx -s reload
+fi
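Review bot: The live deny list is truncated by `echo "" > /etc/nginx/block-abusers.conf` before `curl -s` has fetched anything, and neither curl's exit status nor the HTTP status is checked (`-s` without `-f`), so a transport error or an HTTP error body leaves the server with an empty or garbage list — the protection silently disappears, or, if a non-address line reaches `deny ...;`, the next `nginx -s reload` fails on a bad config. The same pattern is in the exit-nodes.sh and proxies.sh hunks on this line, and because proxies.sh and abusers.sh are both scheduled at `0 0 * * *` and each ends with `nginx -s reload`, one script's reload can load the other's half-appended file. Fetching with `curl -sSf` into a temporary file, building the config into a temp file beside the target and swapping it in with `mv` keeps the previous list on failure and makes the replacement atomic; restricting lines to the expected address/CIDR syntax before emitting `deny` would additionally keep a stray line from breaking the reload. `while read entry` should also become `while IFS= read -r entry` so backslashes and surrounding whitespace are not reinterpreted.
```sh
#!/bin/sh
set -eu

list_url="https://iplists.firehol.org/files/firehol_abusers_30d.netset"
conf="/etc/nginx/block-abusers.conf"
raw=$(mktemp)
tmp=$(mktemp "${conf}.XXXXXX")
trap 'rm -f -- "$raw" "$tmp"' EXIT

# -f turns an HTTP error into a non-zero exit; with set -e the old list stays untouched.
curl -sSf -o "$raw" "$list_url"

grep -v '^#' "$raw" | while IFS= read -r entry ; do
  if [ -n "$entry" ] ; then
    echo "deny ${entry};"
  fi
done > "$tmp"

# Atomic replace: a reload triggered by a sibling script never sees a partially written file.
mv -- "$tmp" "$conf"
# … unchanged: conditional nginx -s reload …
```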