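# Security Maps and Variables
# Include this file in the nginx.conf http block.
#
# This file only computes variables. Nothing here rejects, throttles or caches
# a request by itself; the directives that consume these variables (return /
# deny, limit_req_zone, expires, ...) are defined elsewhere.

# Bad Bot Detection
# Sets $is_bad_bot to 1 when the User-Agent contains one of the listed tool
# names (case-insensitive, substring match).
# NOTE(review): User-Agent is client-controlled, so this is a noise filter and
# not an access control. "curl" also matches ordinary health checks and
# monitoring probes; confirm none of them depend on the default curl UA.
map $http_user_agent $is_bad_bot {
    default 0;
    ~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl) 1;
}

# Suspicious URI Detection
# Sets $is_suspicious_uri to 1 when the request line contains a path fragment
# commonly probed by scanners.
# NOTE(review): $request_uri is the raw, un-normalized request URI including
# the query string. The match is therefore a substring test over path AND
# arguments (false positives such as "?q=.env"), and percent-encoded spellings
# of these paths are not matched. Keep explicit location-level deny rules for
# the files that must never be served; do not rely on this map alone.
# NOTE(review): "/\.well-known/" also covers ACME HTTP-01 challenges and
# security.txt. Confirm that neither is served from this host before blocking.
map $request_uri $is_suspicious_uri {
    default 0;
    ~*(\.env|\.git|/vendor/|/setup\.php|/\.well-known/|/phpmyadmin|/config\.php|composer\.json) 1;
}

# Combined Block Request
# The two flags are concatenated ("00", "01", "10", "11"); any value that
# contains a "1" sets $block_request to 1.
# NOTE(review): $is_internal is not part of this decision, so internal
# addresses are flagged as well.
map $is_bad_bot$is_suspicious_uri $block_request {
    default 0;
    ~1 1;
}

# Internal IP Detection
# geo without an explicit source variable evaluates $remote_addr.
# NOTE(review): if this server sits behind a proxy or load balancer,
# $remote_addr is the proxy address unless the realip module (or the geo
# "proxy" directive) is configured; confirm which address is seen here.
# Every entry below is exempted from the general rate limit, so the list
# should be reviewed whenever an address is reassigned.
geo $is_internal {
    default 0;
    10.10.0.0/16 1;
    10.11.0.0/16 1;
    10.12.0.0/16 1;
    172.16.0.0/16 1;
    45.169.73.155 1;
    201.73.213.130 1;
    177.74.160.17 1;
    177.74.160.18 1;
    177.74.160.19 1;
    177.74.160.20 1;
    177.74.160.21 1;
    177.74.160.22 1;
    177.74.160.23 1;
    45.169.87.168 1;
    45.169.87.169 1;
    45.169.87.170 1;
    45.169.87.171 1;
    45.169.87.172 1;
    45.169.87.173 1;
    45.169.87.174 1;
    45.169.87.175 1;
    45.169.73.154 1;
    201.73.213.129 1;
}

# Rate Limit Key (excludes internal IPs)
# External clients are keyed by address. Internal clients get an empty key,
# and limit_req / limit_conn do not account requests whose key is empty.
map $is_internal $limit_key {
    0 $binary_remote_addr;
    1 "";
}

# Bad Bot Rate Limit Key
# Only requests flagged by $is_bad_bot receive a key; all others are exempt
# from whichever zone uses $bad_bot_key.
map $is_bad_bot $bad_bot_key {
    1 $binary_remote_addr;
    default "";
}

# Cache Asset TTL
# Yields "1y" for static asset extensions and "off" otherwise; presumably
# consumed by "expires $cache_asset;" - confirm at the point of use.
# The extension is matched against the path part of $request_uri only:
#   - "^[^?]*" keeps the match in front of the first "?", so a dynamic URL
#     whose query string merely ends in ".js" is no longer given a one-year
#     lifetime;
#   - "(?:\?.*)?$" lets cache-busted assets such as "/app.js?v=3" match, which
#     the previous end-of-string anchor prevented.
map $request_uri $cache_asset {
    default off;
    ~*^[^?]*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)(?:\?.*)?$ 1y;
}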