From f6e3fd60b3af3cd3002eab1188ad37b97dd12eca Mon Sep 17 00:00:00 2001
From: HF
Date: Mon, 13 Mar 2023 16:25:04 +0100
Subject: [PATCH] update nginx config

---
 deployment/nginx/conf.d/0realip.conf | 31 +++++++++
 deployment/nginx/conf.d/1ratelimiters.conf | 4 +-
 deployment/nginx/conf.d/6denyws.conf | 73 ++++++++++++++++++++++
 deployment/nginx/includes/canvas.conf | 33 ++++++----
 deployment/nginx/includes/certbotroot.conf | 2 +-
 5 files changed, 129 insertions(+), 14 deletions(-)

diff --git a/deployment/nginx/conf.d/0realip.conf b/deployment/nginx/conf.d/0realip.conf
index a3487eb..45f4c1d 100644
--- a/deployment/nginx/conf.d/0realip.conf
+++ b/deployment/nginx/conf.d/0realip.conf
@@ -1,3 +1,6 @@
+# set realip header to actual ip, when
+# going through cloudflare
+
 # - IPv4
 set_real_ip_from 173.245.48.0/20;
 set_real_ip_from 103.21.244.0/22;
@@ -26,3 +29,31 @@ set_real_ip_from 2c0f:f248::/32;
 real_ip_header CF-Connecting-IP;
 real_ip_recursive on;
+
+# check if request is going through cloudflare
+# use with like: if ($cloudflare_ip != 1) {return 403}
+geo $realip_remote_addr $cloudflare_ip {
+ default 0;
+ 173.245.48.0/20 1;
+ 103.21.244.0/22 1;
+ 103.22.200.0/22 1;
+ 103.31.4.0/22 1;
+ 141.101.64.0/18 1;
+ 108.162.192.0/18 1;
+ 190.93.240.0/20 1;
+ 188.114.96.0/20 1;
+ 197.234.240.0/22 1;
+ 198.41.128.0/17 1;
+ 162.158.0.0/15 1;
+ 104.16.0.0/13 1;
+ 104.24.0.0/14 1;
+ 172.64.0.0/13 1;
+ 131.0.72.0/22 1;
+ 2400:cb00::/32 1;
+ 2606:4700::/32 1;
+ 2803:f800::/32 1;
+ 2405:b500::/32 1;
+ 2405:8100::/32 1;
+ 2a06:98c0::/29 1;
+ 2c0f:f248::/32 1;
+}
diff --git a/deployment/nginx/conf.d/1ratelimiters.conf b/deployment/nginx/conf.d/1ratelimiters.conf
index a54a65f..20b16d1 100644
--- a/deployment/nginx/conf.d/1ratelimiters.conf
+++ b/deployment/nginx/conf.d/1ratelimiters.conf
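Review bot: The `geo $realip_remote_addr $cloudflare_ip` block repeats the set_real_ip_from list from the top of the same file, so the two copies will drift the next time Cloudflare's ranges change; a peer in a range present in only one list would either have its address rewritten by realip but still be rejected by the `$cloudflare_ip != 1` check, or pass the check while $remote_addr still holds the Cloudflare edge address that the rate limiters and deny lists then key on. Add `# keep in sync with the set_real_ip_from list above` over the block, or generate both from one source. Keying on $realip_remote_addr rather than $remote_addr is the right choice, since realip has already replaced $remote_addr with the CF-Connecting-IP value; a one-line comment saying so saves the next reader the lookup. This assumes nginx terminates the Cloudflare connection directly; if another proxy sits in between, $realip_remote_addr is that proxy and every request evaluates to 0.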
@@ -1,5 +1,7 @@
-limit_req_zone $binary_remote_addr zone=websocket:5m rate=1r/s;
+# halfed because of ddos
+limit_req_zone $binary_remote_addr zone=websocket:5m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=general:5m rate=1r/s;
+# from 40 to 30 because of ddos
 limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;
 limit_req_zone $binary_remote_addr zone=captcha:5m rate=20r/m;
 limit_req_zone $binary_remote_addr zone=authimp:5m rate=5r/m;
diff --git a/deployment/nginx/conf.d/6denyws.conf b/deployment/nginx/conf.d/6denyws.conf
index 356923b..821f1ca 100644
--- a/deployment/nginx/conf.d/6denyws.conf
+++ b/deployment/nginx/conf.d/6denyws.conf
@@ -1,3 +1,11 @@
+geo $allow_ws {
+ default 0;
+ 178.158.0.0/17 1;
+ 91.200.160.0/22 1;
+ 92.118.132.0/24 1;
+ 195.189.44.0/22 1;
+}
+
 geo $deny_ws {
 default 0;
 # Google
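Review bot: The comment added above the chunks zone says `# from 40 to 30 because of ddos`, but the directive below it is an unchanged context line and still reads `rate=40r/s`; either the rate change was never made or the comment is wrong, and a reader will take the limit to be 30r/s. Either change the line to `limit_req_zone $binary_remote_addr zone=chunks:5m rate=30r/s;` or drop the comment. The websocket zone's change from 1r/s to 30r/m does match its `# halfed` comment.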
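Review bot: The new `geo $allow_ws` block is the only list in this file whose entries carry no label, while `$deny_ws` below names each range (`# Google`, `# PlusWeb`); since canvas.conf applies `if ($allow_ws) { set $test 0; }` after the deny-list and country rules, every unlabeled range here is an unexplained bypass of all of them. Add a comment per range giving its owner and why it is exempt, the way the $deny_ws entries are labeled, so that a later reviewer can tell whether an entry is still justified.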
@@ -39,4 +47,69 @@ geo $deny_ws {
 2a02:6b8:c08::/48 1;
 # PlusWeb
 2a0a:fa40::/29 1;
+ # Some Brazil University
+ 200.235.0.0/17 1;
+ # Hohols
+ 103.108.94.130 1;
+ 104.223.100.81 1;
+ 109.236.81.170 1;
+ 141.95.54.180 1;
+ 146.0.86.196 1;
+ 146.70.52.116 1;
+ 169.150.196.109 1;
+ 176.103.27.246 1;
+ 176.105.204.93 1;
+ 176.119.68.184 1;
+ 176.38.17.17 1;
+ 176.39.36.34 1;
+ 176.53.147.75 1;
+ 176.8.143.17 1;
+ 178.17.170.189 1;
+ 178.20.142.170 1;
+ 185.107.56.163 1;
+ 185.231.207.118 1;
+ 185.43.191.203 1;
+ 185.72.247.151 1;
+ 188.163.121.219 1;
+ 193.106.56.22 1;
+ 193.109.145.47 1;
+ 194.242.103.232 1;
+ 195.46.35.206 1;
+ 199.244.49.79 1;
+ 2a01:36d:1400:28d2:bd93:65a6:5e31:e322 1;
+ 2a09:bac1:7540:48::84:6d 1;
+ 31.192.105.104 1;
+ 31.222.253.215 1;
+ 31.223.105.113 1;
+ 37.120.156.234 1;
+ 37.57.120.109 1;
+ 37.63.9.104 1;
+ 37.78.224.175 1;
+ 45.132.194.16 1;
+ 46.166.182.34 1;
+ 46.166.182.57 1;
+ 46.211.166.66 1;
+ 46.219.225.169 1;
+ 46.229.61.32 1;
+ 5.173.158.92 1;
+ 5.173.172.228 1;
+ 5.180.128.110 1;
+ 62.244.51.28 1;
+ 77.120.35.184 1;
+ 83.71.204.117 1;
+ 85.100.66.238 1;
+ 85.110.146.67 1;
+ 86.120.52.125 1;
+ 86.124.56.51 1;
+ 88.134.42.187 1;
+ 89.43.30.38 1;
+ 91.219.238.174 1;
+ 91.228.236.175 1;
+ 91.237.27.102 1;
+ 93.115.28.181 1;
+ 94.110.186.197 1;
+ 95.69.133.104 1;
+ 99.224.5.31 1;
+ 141.94.31.178 1;
+ 146.70.52.247 1;
 }
diff --git a/deployment/nginx/includes/canvas.conf b/deployment/nginx/includes/canvas.conf
index 5309e43..7790163 100644
--- a/deployment/nginx/includes/canvas.conf
+++ b/deployment/nginx/includes/canvas.conf
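Review bot: The 62 single-host entries appended to `$deny_ws` carry no date or reason, and the section label `# Hohols` is a slur rather than a description; addresses collected during an incident go stale quickly (dynamic and shared-NAT ranges change hands), and without provenance nobody can later decide which entries to retire. Replace the label with a neutral, dated one such as `# single hosts blocked during the March 2023 ddos, review after <date>` and consider keeping the list sorted, or in a separately included file, so that further additions show up as clean diffs. Note also that through `$test` in canvas.conf this list now gates /captcha.svg and /api/auth as well as /ws, so the variable name no longer describes its scope.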
@@ -8,9 +8,23 @@
 # root /home/pixelpla/pixelplace-redirect/wait;
 #}
- include /etc/nginx/includes/certbotroot.conf;
+set $test 0;
+if ($cloudflare_ip != 1) {
+ # return 302 https://www.youtube.com/watch?v=YkZvwVf7F9k;
+ return 404;
+}
+if ($http_cf_ipcountry = "UA") {
+ set $test 1;
+}
+if ($deny_ws) {
+ set $test 1;
+}
+if ($allow_ws) {
+ set $test 0;
+}
+
 location / {
 limit_req zone=general burst=20 delay=10;
 proxy_set_header X-Real-IP $remote_addr;
@@ -66,9 +80,8 @@ location /chunks {
 }
 location /ws {
- #proxy_no_cache 1;
 limit_req zone=websocket burst=5;
- if ($deny_ws) {
+ if ($test) {
 return 403;
 }
 proxy_http_version 1.1;
@@ -84,8 +97,8 @@ location /captcha.svg {
 proxy_no_cache 1;
 limit_req zone=captcha burst=5;
 limit_req_status 429;
- if ($http_user_agent ~* (python-requests)) {
- return 503;
+ if ($test) {
+ return 403;
 }
 proxy_set_header X-Real-IP $remote_addr;
 proxy_pass http://$ppfun$request_uri;
@@ -109,6 +122,9 @@ location /mcws {
 location /api/auth {
 proxy_no_cache 1;
+ if ($test) {
+ return 403;
+ }
 limit_req zone=websocket burst=5;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
@@ -116,13 +132,6 @@ location /api/auth {
 proxy_pass http://$ppfun$request_uri;
 }
-location /api/captcha {
- proxy_no_cache 1;
- limit_req zone=general burst=10 nodelay;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass http://$ppfun$request_uri;
-}
-
 location /moderation {
 autoindex on;
 expires 15m;
diff --git a/deployment/nginx/includes/certbotroot.conf b/deployment/nginx/includes/certbotroot.conf
index 0b92168..72d215e 100644
--- a/deployment/nginx/includes/certbotroot.conf
+++ b/deployment/nginx/includes/certbotroot.conf
@@ -1,4 +1,4 @@
-# very handy for setting a common webroot for certbot only
+# for letsencrypt certbot webroot
 location /.well-known/acme-challenge {
 root /home/pixelpla/certbotroot;
 }
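Review bot: The line `include /etc/nginx/includes/certbotroot.conf;` is removed in the first canvas.conf hunk and the ACME location is not added back anywhere in this patch, so unless the include moved into the enclosing server block (which lies outside the hunk), requests for /.well-known/acme-challenge now fall into `location /` and are proxied to the backend, and certificate renewal will fail; certbotroot.conf itself is still being edited in this same commit, which suggests the removal was not intended. Even with the include restored, the server-level `if ($cloudflare_ip != 1) { return 404; }` runs before any location is chosen and will answer the challenge with 404 whenever the validator reaches nginx without passing through Cloudflare, so that path needs to be confirmed. The flag name `$test` says nothing about its meaning; a name like `$block_request` would read better at the three `if ($test)` sites, and a comment above the chain, `# 1 = blocked on /ws, /captcha.svg and /api/auth; $allow_ws overrides the country and deny-list rules`, records the precedence that only the statement order currently establishes. The commented-out `return 302` line is dead config and can be dropped.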
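Review bot: Removing `location /api/captcha` means requests to that path now match `location /` and are proxied under the `general` zone with `burst=20 delay=10` instead of the previous `burst=10 nodelay`, a looser limit on what was a separately rate-limited endpoint and one that is no longer covered by the new `if ($test)` checks applied to /captcha.svg and /api/auth. If the backend route was removed as well this is harmless; otherwise the path should keep its own `limit_req` or return 404 explicitly. The commit message (`update nginx config`) does not say which applies.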