update nginx config

2023-03-13 16:25:04 +01:00 · 2023-03-13 16:25:04 +01:00 · f6e3fd60b3
commit f6e3fd60b3
parent 81133c90aa
5 changed files with 129 additions and 14 deletions
--- a/deployment/nginx/conf.d/0realip.conf
+++ b/deployment/nginx/conf.d/0realip.conf
@ -1,3 +1,6 @@
+# set realip header to actual ip, when
+# going through cloudflare
+
 # - IPv4
 set_real_ip_from 173.245.48.0/20;
 set_real_ip_from 103.21.244.0/22;
@ -26,3 +29,31 @@ set_real_ip_from 2c0f:f248::/32;

 real_ip_header CF-Connecting-IP;
 real_ip_recursive on;
+
+# check if request is going through cloudflare
+# use with like: if ($cloudflare_ip != 1) {return 403}
+geo $realip_remote_addr $cloudflare_ip {
+    default          0;
+    173.245.48.0/20  1;
+    103.21.244.0/22  1;
+    103.22.200.0/22  1;
+    103.31.4.0/22    1;
+    141.101.64.0/18  1;
+    108.162.192.0/18 1;
+    190.93.240.0/20  1;
+    188.114.96.0/20  1;
+    197.234.240.0/22 1;
+    198.41.128.0/17  1;
+    162.158.0.0/15   1;
+    104.16.0.0/13    1;
+    104.24.0.0/14    1;
+    172.64.0.0/13    1;
+    131.0.72.0/22    1;
+    2400:cb00::/32   1;
+    2606:4700::/32   1;
+    2803:f800::/32   1;
+    2405:b500::/32   1;
+    2405:8100::/32   1;
+    2a06:98c0::/29   1;
+    2c0f:f248::/32   1;
+}
--- a/deployment/nginx/conf.d/1ratelimiters.conf
+++ b/deployment/nginx/conf.d/1ratelimiters.conf
@ -1,5 +1,7 @@
-limit_req_zone $binary_remote_addr zone=websocket:5m rate=1r/s;
+# halfed because of ddos
+limit_req_zone $binary_remote_addr zone=websocket:5m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=general:5m rate=1r/s;
+# from 40 to 30 because of ddos
 limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;
 limit_req_zone $binary_remote_addr zone=captcha:5m rate=20r/m;
 limit_req_zone $binary_remote_addr zone=authimp:5m rate=5r/m;
--- a/deployment/nginx/conf.d/6denyws.conf
+++ b/deployment/nginx/conf.d/6denyws.conf
@ -1,3 +1,11 @@
+geo $allow_ws {
+    default           0;
+    178.158.0.0/17    1;
+    91.200.160.0/22   1;
+    92.118.132.0/24   1;
+    195.189.44.0/22   1;
+}
+
 geo $deny_ws {
    default           0;
    # Google
@ -39,4 +47,69 @@ geo $deny_ws {
    2a02:6b8:c08::/48 1;
    # PlusWeb
    2a0a:fa40::/29    1;
+    # Some Brazil University
+    200.235.0.0/17    1;
+    # Hohols
+    103.108.94.130 1;
+    104.223.100.81 1;
+    109.236.81.170 1;
+    141.95.54.180 1;
+    146.0.86.196 1;
+    146.70.52.116 1;
+    169.150.196.109 1;
+    176.103.27.246 1;
+    176.105.204.93 1;
+    176.119.68.184 1;
+    176.38.17.17 1;
+    176.39.36.34 1;
+    176.53.147.75 1;
+    176.8.143.17 1;
+    178.17.170.189 1;
+    178.20.142.170 1;
+    185.107.56.163 1;
+    185.231.207.118 1;
+    185.43.191.203 1;
+    185.72.247.151 1;
+    188.163.121.219 1;
+    193.106.56.22 1;
+    193.109.145.47 1;
+    194.242.103.232 1;
+    195.46.35.206 1;
+    199.244.49.79 1;
+    2a01:36d:1400:28d2:bd93:65a6:5e31:e322 1;
+    2a09:bac1:7540:48::84:6d 1;
+    31.192.105.104 1;
+    31.222.253.215 1;
+    31.223.105.113 1;
+    37.120.156.234 1;
+    37.57.120.109 1;
+    37.63.9.104 1;
+    37.78.224.175 1;
+    45.132.194.16 1;
+    46.166.182.34 1;
+    46.166.182.57 1;
+    46.211.166.66 1;
+    46.219.225.169 1;
+    46.229.61.32 1;
+    5.173.158.92 1;
+    5.173.172.228 1;
+    5.180.128.110 1;
+    62.244.51.28 1;
+    77.120.35.184 1;
+    83.71.204.117 1;
+    85.100.66.238 1;
+    85.110.146.67 1;
+    86.120.52.125 1;
+    86.124.56.51 1;
+    88.134.42.187 1;
+    89.43.30.38 1;
+    91.219.238.174 1;
+    91.228.236.175 1;
+    91.237.27.102 1;
+    93.115.28.181 1;
+    94.110.186.197 1;
+    95.69.133.104 1;
+    99.224.5.31 1;
+    141.94.31.178 1;
+    146.70.52.247 1;
 }
--- a/deployment/nginx/includes/canvas.conf
+++ b/deployment/nginx/includes/canvas.conf
@ -8,9 +8,23 @@
 #  root /home/pixelpla/pixelplace-redirect/wait;
 #}

-
 include /etc/nginx/includes/certbotroot.conf;

+set $test 0;
+if ($cloudflare_ip != 1) {
+  # return 302 https://www.youtube.com/watch?v=YkZvwVf7F9k;
+  return 404;
+}
+if ($http_cf_ipcountry = "UA") {
+  set $test 1;
+}
+if ($deny_ws) {
+  set $test 1;
+}
+if ($allow_ws) {
+  set $test 0;
+}
+
 location / {
  limit_req zone=general burst=20 delay=10;
  proxy_set_header X-Real-IP $remote_addr;
@ -66,9 +80,8 @@ location /chunks {
 }

 location /ws {
-  #proxy_no_cache 1;
  limit_req zone=websocket burst=5;
-  if ($deny_ws) {
+  if ($test) {
    return 403;
  }
  proxy_http_version 1.1;
@ -84,8 +97,8 @@ location /captcha.svg {
  proxy_no_cache 1;
  limit_req zone=captcha burst=5;
  limit_req_status 429;
-  if ($http_user_agent ~* (python-requests)) {
-    return 503;
+  if ($test) {
+    return 403;
  }
  proxy_set_header X-Real-IP $remote_addr;
  proxy_pass http://$ppfun$request_uri;
@ -109,6 +122,9 @@ location /mcws {

 location /api/auth {
  proxy_no_cache 1;
+  if ($test) {
+    return 403;
+  }
  limit_req zone=websocket burst=5;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
@ -116,13 +132,6 @@ location /api/auth {
  proxy_pass http://$ppfun$request_uri;
 }

-location /api/captcha {
-  proxy_no_cache 1;
-  limit_req zone=general burst=10 nodelay;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_pass http://$ppfun$request_uri;
-}
-
 location /moderation {
  autoindex on;
  expires 15m;
--- a/deployment/nginx/includes/certbotroot.conf
+++ b/deployment/nginx/includes/certbotroot.conf
@ -1,4 +1,4 @@
-# very handy for setting a common webroot for certbot only
+# for letsencrypt certbot webroot
 location /.well-known/acme-challenge {
  root /home/pixelpla/certbotroot;
 }