update nginx config
parent
81133c90aa
commit
f6e3fd60b3
|
@ -1,3 +1,6 @@
|
|||
# set realip header to actual ip, when
|
||||
# going through cloudflare
|
||||
|
||||
# - IPv4
|
||||
set_real_ip_from 173.245.48.0/20;
|
||||
set_real_ip_from 103.21.244.0/22;
|
||||
|
@ -26,3 +29,31 @@ set_real_ip_from 2c0f:f248::/32;
|
|||
|
||||
real_ip_header CF-Connecting-IP;
|
||||
real_ip_recursive on;
|
||||
|
||||
# check if request is going through cloudflare
|
||||
# use with like: if ($cloudflare_ip != 1) {return 403}
|
||||
geo $realip_remote_addr $cloudflare_ip {
|
||||
default 0;
|
||||
173.245.48.0/20 1;
|
||||
103.21.244.0/22 1;
|
||||
103.22.200.0/22 1;
|
||||
103.31.4.0/22 1;
|
||||
141.101.64.0/18 1;
|
||||
108.162.192.0/18 1;
|
||||
190.93.240.0/20 1;
|
||||
188.114.96.0/20 1;
|
||||
197.234.240.0/22 1;
|
||||
198.41.128.0/17 1;
|
||||
162.158.0.0/15 1;
|
||||
104.16.0.0/13 1;
|
||||
104.24.0.0/14 1;
|
||||
172.64.0.0/13 1;
|
||||
131.0.72.0/22 1;
|
||||
2400:cb00::/32 1;
|
||||
2606:4700::/32 1;
|
||||
2803:f800::/32 1;
|
||||
2405:b500::/32 1;
|
||||
2405:8100::/32 1;
|
||||
2a06:98c0::/29 1;
|
||||
2c0f:f248::/32 1;
|
||||
}
|
||||
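Review bot: The Cloudflare ranges now live in two hand-maintained lists in this file, the `set_real_ip_from` lines and the new `geo $realip_remote_addr $cloudflare_ip` block, and nothing ties them together. If one list is updated without the other, either legitimate edge traffic is rejected by the `$cloudflare_ip` check, or a peer is trusted for `CF-Connecting-IP` without being counted as Cloudflare. I would add a comment above the geo block such as `# keep in sync with set_real_ip_from above; source: https://www.cloudflare.com/ips/ (checked <DATE>)`, or generate both lists from one file. Keying the geo on `$realip_remote_addr` is the right choice, since `$remote_addr` has already been rewritten by the realip module at that point.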
|
|
|
@ -1,5 +1,7 @@
|
|||
limit_req_zone $binary_remote_addr zone=websocket:5m rate=1r/s;
|
||||
# halfed because of ddos
|
||||
limit_req_zone $binary_remote_addr zone=websocket:5m rate=30r/m;
|
||||
limit_req_zone $binary_remote_addr zone=general:5m rate=1r/s;
|
||||
# from 40 to 30 because of ddos
|
||||
limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;
|
||||
limit_req_zone $binary_remote_addr zone=captcha:5m rate=20r/m;
|
||||
limit_req_zone $binary_remote_addr zone=authimp:5m rate=5r/m;
|
||||
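Review bot: The added comment `# from 40 to 30 because of ddos` sits directly above `limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;`, and going by the hunk's line counts that directive appears to be unchanged context, so the chunks limit still looks to be 40r/s. Either the directive should become `rate=30r/s;` or the comment should be dropped, because a reader responding to the next flood will trust the comment. The websocket change is consistent with its comment (1r/s to 30r/m), though the wording would read better as `# halved because of ddos`.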
|
|
|
@ -1,3 +1,11 @@
|
|||
geo $allow_ws {
|
||||
default 0;
|
||||
178.158.0.0/17 1;
|
||||
91.200.160.0/22 1;
|
||||
92.118.132.0/24 1;
|
||||
195.189.44.0/22 1;
|
||||
}
|
||||
|
||||
geo $deny_ws {
|
||||
default 0;
|
||||
# Google
|
||||
|
@ -39,4 +47,69 @@ geo $deny_ws {
|
|||
2a02:6b8:c08::/48 1;
|
||||
# PlusWeb
|
||||
2a0a:fa40::/29 1;
|
||||
# Some Brazil University
|
||||
200.235.0.0/17 1;
|
||||
# Hohols
|
||||
103.108.94.130 1;
|
||||
104.223.100.81 1;
|
||||
109.236.81.170 1;
|
||||
141.95.54.180 1;
|
||||
146.0.86.196 1;
|
||||
146.70.52.116 1;
|
||||
169.150.196.109 1;
|
||||
176.103.27.246 1;
|
||||
176.105.204.93 1;
|
||||
176.119.68.184 1;
|
||||
176.38.17.17 1;
|
||||
176.39.36.34 1;
|
||||
176.53.147.75 1;
|
||||
176.8.143.17 1;
|
||||
178.17.170.189 1;
|
||||
178.20.142.170 1;
|
||||
185.107.56.163 1;
|
||||
185.231.207.118 1;
|
||||
185.43.191.203 1;
|
||||
185.72.247.151 1;
|
||||
188.163.121.219 1;
|
||||
193.106.56.22 1;
|
||||
193.109.145.47 1;
|
||||
194.242.103.232 1;
|
||||
195.46.35.206 1;
|
||||
199.244.49.79 1;
|
||||
2a01:36d:1400:28d2:bd93:65a6:5e31:e322 1;
|
||||
2a09:bac1:7540:48::84:6d 1;
|
||||
31.192.105.104 1;
|
||||
31.222.253.215 1;
|
||||
31.223.105.113 1;
|
||||
37.120.156.234 1;
|
||||
37.57.120.109 1;
|
||||
37.63.9.104 1;
|
||||
37.78.224.175 1;
|
||||
45.132.194.16 1;
|
||||
46.166.182.34 1;
|
||||
46.166.182.57 1;
|
||||
46.211.166.66 1;
|
||||
46.219.225.169 1;
|
||||
46.229.61.32 1;
|
||||
5.173.158.92 1;
|
||||
5.173.172.228 1;
|
||||
5.180.128.110 1;
|
||||
62.244.51.28 1;
|
||||
77.120.35.184 1;
|
||||
83.71.204.117 1;
|
||||
85.100.66.238 1;
|
||||
85.110.146.67 1;
|
||||
86.120.52.125 1;
|
||||
86.124.56.51 1;
|
||||
88.134.42.187 1;
|
||||
89.43.30.38 1;
|
||||
91.219.238.174 1;
|
||||
91.228.236.175 1;
|
||||
91.237.27.102 1;
|
||||
93.115.28.181 1;
|
||||
94.110.186.197 1;
|
||||
95.69.133.104 1;
|
||||
99.224.5.31 1;
|
||||
141.94.31.178 1;
|
||||
146.70.52.247 1;
|
||||
}
|
||||
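Review bot: The four ranges in the new `geo $allow_ws` block have no comment saying whose networks they are or why they are exempt, even though the server config in this commit evaluates `$allow_ws` last, so it overrides both the deny list and the country block. A one-line comment per range, for example `# <owner or ISP> - allowed because <reason>`, would let a later reader judge whether a /17 exemption is still justified. The single-address deny entries added in the second hunk would likewise benefit from a date, since individual addresses get reassigned and a stale entry then blocks an unrelated user. The `geo $deny_ws` block starts outside the hunk.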
|
|
|
@ -8,9 +8,23 @@
|
|||
# root /home/pixelpla/pixelplace-redirect/wait;
|
||||
#}
|
||||
|
||||
|
||||
include /etc/nginx/includes/certbotroot.conf;
|
||||
|
||||
set $test 0;
|
||||
if ($cloudflare_ip != 1) {
|
||||
# return 302 https://www.youtube.com/watch?v=YkZvwVf7F9k;
|
||||
return 404;
|
||||
}
|
||||
if ($http_cf_ipcountry = "UA") {
|
||||
set $test 1;
|
||||
}
|
||||
if ($deny_ws) {
|
||||
set $test 1;
|
||||
}
|
||||
if ($allow_ws) {
|
||||
set $test 0;
|
||||
}
|
||||
|
||||
location / {
|
||||
limit_req zone=general burst=20 delay=10;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
@ -66,9 +80,8 @@ location /chunks {
|
|||
}
|
||||
|
||||
location /ws {
|
||||
#proxy_no_cache 1;
|
||||
limit_req zone=websocket burst=5;
|
||||
if ($deny_ws) {
|
||||
if ($test) {
|
||||
return 403;
|
||||
}
|
||||
proxy_http_version 1.1;
|
||||
|
@ -84,8 +97,8 @@ location /captcha.svg {
|
|||
proxy_no_cache 1;
|
||||
limit_req zone=captcha burst=5;
|
||||
limit_req_status 429;
|
||||
if ($http_user_agent ~* (python-requests)) {
|
||||
return 503;
|
||||
if ($test) {
|
||||
return 403;
|
||||
}
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_pass http://$ppfun$request_uri;
|
||||
|
@ -109,6 +122,9 @@ location /mcws {
|
|||
|
||||
location /api/auth {
|
||||
proxy_no_cache 1;
|
||||
if ($test) {
|
||||
return 403;
|
||||
}
|
||||
limit_req zone=websocket burst=5;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
|
@ -116,13 +132,6 @@ location /api/auth {
|
|||
proxy_pass http://$ppfun$request_uri;
|
||||
}
|
||||
|
||||
location /api/captcha {
|
||||
proxy_no_cache 1;
|
||||
limit_req zone=general burst=10 nodelay;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_pass http://$ppfun$request_uri;
|
||||
}
|
||||
|
||||
location /moderation {
|
||||
autoindex on;
|
||||
expires 15m;
|
||||
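Review bot: The `$test` flag built in the first hunk of this file carries three policies at once and nothing states which one wins: `if ($allow_ws)` is evaluated last, so any address in the allow ranges bypasses both the `$http_cf_ipcountry` block and every `$deny_ws` entry. If that is intended, say so above `set $test 0;`, e.g. `# allow_ws overrides the country block and deny_ws`, and a name such as `$blocked` would read better in the `/ws`, `/captcha.svg` and `/api/auth` checks. The country test trusts the `CF-IPCountry` request header, which is only sound because the `$cloudflare_ip` check above it rejects peers that are not Cloudflare; that ordering dependency deserves a comment so the two are not separated later. The server block starts and ends outside the hunks.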
|
|
|
@ -1,4 +1,4 @@
|
|||
# very handy for setting a common webroot for certbot only
|
||||
# for letsencrypt certbot webroot
|
||||
location /.well-known/acme-challenge {
|
||||
root /home/pixelpla/certbotroot;
|
||||
}
|
||||
|
|