joby/webserver-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

more cleanup

Browse source
This commit is contained in:
Joby 2024-10-23 17:58:30 -06:00
parent 94f57a5f00
commit 2f32ec7077
3 changed files with 13 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
install/01-nginx-default-root.sh
View file

@ -44,7 +44,7 @@ server {
# Check for banned IPs # Check for banned IPs
if (\$is_banned) { if (\$is_banned) {
return 403 "Forbidden"; return 403 "IP banned for bad behavior";
} }
location / { location / {

21
install/nginx-cloudflare-fail2ban.sh
View file

@ -6,34 +6,35 @@ if [ "$EUID" -ne 0 ]; then
exit 1 exit 1
fi fi
# Create maps directory if it doesn't exist
echo "Creating maps directory..."
mkdir -p /etc/nginx/maps
# Create banned IPs file # Create banned IPs file
echo "Creating banned IPs file..." echo "Creating banned IPs file..."
touch /etc/nginx/conf.d/banned_ips.conf touch /etc/nginx/maps/banned_ips.conf
chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf chown www-data:www-data /etc/nginx/maps/banned_ips.conf
# Create NGINX configuration for fail2ban check # Create NGINX configuration for fail2ban check
echo "Creating NGINX configuration..." echo "Creating NGINX configuration..."
tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE' tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE'
map $http_cf_connecting_ip $is_banned { map $http_cf_connecting_ip $is_banned {
default 0; default 0;
include /etc/nginx/conf.d/banned_ips.conf; volatile;
include /etc/nginx/maps/banned_ips.conf;
} }
CONFFILE CONFFILE
# Create fail2ban action # Create fail2ban action
tee /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE' cat > /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE'
[Definition] [Definition]
actionstart = actionstart =
actionstop = actionstop =
actioncheck = actioncheck =
actionban = grep -q '^<ip> 1;$' /etc/nginx/conf.d/banned_ips.conf || echo '<ip> 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload actionban = grep -q '^<ip> 1;$' /etc/nginx/maps/banned_ips.conf || echo '<ip> 1;' >> /etc/nginx/maps/banned_ips.conf && nginx -s reload
actionunban = sed -i '/^<ip> 1;$/d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload actionunban = sed -i '/^<ip> 1;$/d' /etc/nginx/maps/banned_ips.conf && nginx -s reload
ACTIONFILE ACTIONFILE
# Clean up existing duplicates
sort -u /etc/nginx/conf.d/banned_ips.conf > /etc/nginx/conf.d/banned_ips.conf.tmp && \
mv /etc/nginx/conf.d/banned_ips.conf.tmp /etc/nginx/conf.d/banned_ips.conf
# Test NGINX configuration # Test NGINX configuration
echo "Testing NGINX configuration..." echo "Testing NGINX configuration..."
nginx -t nginx -t

2
site-config.conf
View file

@ -19,7 +19,7 @@ server {
# Check for banned IPs # Check for banned IPs
if ($is_banned) { if ($is_banned) {
return 403 "Forbidden"; return 403 "IP banned for bad behavior";
} }
# Apply general rate limit # Apply general rate limit