# Security Maps and Variables
# Include this file from the http {} block of nginx.conf: map and geo are
# http-context directives and cannot be placed in server or location blocks.
# Bad Bot Detection
#
# $is_bad_bot is 1 when the User-Agent contains the name of a common
# scanner or fuzzing tool, 0 otherwise.  One case-insensitive pattern per
# line; the first match wins and every match yields the same value, so the
# result is identical to a single alternation.
#
# NOTE(review): User-Agent is attacker-controlled, so this is a
# low-confidence signal -- any of these tools can send a browser UA and pass
# straight through.  Treat it as noise reduction, not access control.
# NOTE(review): "curl" also matches legitimate clients (uptime monitors,
# webhook senders, scripted integrations); confirm that is intended before
# feeding $is_bad_bot into a hard block.  An empty or missing User-Agent is
# not matched and stays 0.
map $http_user_agent $is_bad_bot {
    default 0;

    ~*nikto        1;
    ~*sqlmap       1;
    ~*wpscan       1;
    ~*gobuster     1;
    ~*dirbuster    1;
    ~*feroxbuster  1;
    ~*nessus       1;
    ~*nmap         1;
    ~*curl         1;
}
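# Suspicious URI Detection
#
# $is_suspicious_uri is 1 for paths that are almost only requested by
# scanners (dotfiles, vendor trees, installers, admin panels, build
# manifests), 0 otherwise.
#
# Matched against $uri -- the percent-decoded, normalized path -- rather
# than $request_uri, the raw request line.  With the raw line a probe for
# /%2Eenv, /static/../.env or //.env does not contain the literal text and
# slips past the regex, while $uri folds all three to /.env.  The trade-off
# is that $uri carries no query string, so a pattern that appears only in
# the ?args is no longer flagged; add a separate map on $args if needed.
#
# Regex entries are tested in declaration order, so the ACME exception must
# stay above the catch-all: the catch-all blocks everything under
# /.well-known/, which would break Let's Encrypt HTTP-01 renewals (it also
# blocks /.well-known/security.txt).
# NOTE(review): if HTTP-01 is not used on this host the exception is
# harmless; if /.well-known/ is needed for anything else, drop that term
# from the catch-all instead.
map $uri $is_suspicious_uri {
    default 0;

    # ACME HTTP-01 challenge path must stay reachable.
    ~*^/\.well-known/acme-challenge/ 0;

    ~*(\.env|\.git|/vendor/|/setup\.php|/\.well-known/|/phpmyadmin|/config\.php|composer\.json) 1;
}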
# Combined Block Request
#
# $block_request is 1 when either detector fired.  The two 0/1 flags are
# concatenated into a two-character key ("00", "01", "10" or "11"); every
# combination containing a 1 maps to 1 and only "00" falls through to the
# default.  Both source maps declare `default 0`, so no other key occurs.
# NOTE(review): the block itself (e.g. `if ($block_request) { return 403; }`
# in a server or location) lives outside this file.  $is_bad_bot is
# spoofable, so a hard block keyed on it mainly affects honest tooling.
map $is_bad_bot$is_suspicious_uri $block_request {
    default 0;

    "01" 1;
    "10" 1;
    "11" 1;
}
# Internal IP Detection
#
# $is_internal is 1 for requests whose source address falls in one of the
# listed networks or hosts, 0 for everyone else.  geo matches on
# $remote_addr and the most specific entry wins, so order is irrelevant.
#
# NOTE(review): behind a load balancer, CDN or reverse proxy $remote_addr
# is the proxy's address unless ngx_http_realip_module is configured
# (set_real_ip_from / real_ip_header).  Without it nobody is "internal";
# with a set_real_ip_from that is too broad any client can forge
# X-Forwarded-For, claim one of these addresses and -- via $limit_key
# below -- skip rate limiting entirely.  Keep set_real_ip_from restricted
# to the proxy's own addresses.
# NOTE(review): 172.16.0.0/16 is only the first /16 of the 172.16.0.0/12
# private block; presumably that is the one subnet in use -- confirm.
geo $is_internal {
    default 0;

    # Private networks
    10.10.0.0/16      1;
    10.11.0.0/16      1;
    10.12.0.0/16      1;
    172.16.0.0/16     1;

    # Public addresses exempted alongside the private networks
    45.169.73.154/31  1;   # .154 - .155
    45.169.87.168/29  1;   # .168 - .175
    177.74.160.17     1;
    177.74.160.18     1;
    177.74.160.19     1;
    177.74.160.20     1;
    177.74.160.21     1;
    177.74.160.22     1;
    177.74.160.23     1;
    201.73.213.129    1;
    201.73.213.130    1;
}
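# Rate Limit Key (excludes internal IPs)
#
# Key for a limit_req_zone: the client address for external traffic and the
# empty string for internal traffic, which limit_req treats as "no key, do
# not count".  $binary_remote_addr (4 bytes for IPv4, 16 for IPv6) keeps the
# zone compact compared with the textual $remote_addr.
#
# `default` falls through to the address so the exemption can only be
# obtained by an explicit 1 from the geo block above -- any other value
# (e.g. if $is_internal is renamed or left unset) is rate limited rather
# than silently exempt.
map $is_internal $limit_key {
    default $binary_remote_addr;
    0       $binary_remote_addr;
    1       "";
}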
# Bad Bot Rate Limit Key
#
# Key for a second, stricter limit_req_zone that only counts requests
# flagged by $is_bad_bot: those get the client address as key, everything
# else gets the empty key and is not counted.  Here the empty default is
# the intent -- unflagged traffic must never land in the bad-bot zone.
map $is_bad_bot $bad_bot_key {
    default "";
    1       $binary_remote_addr;
}
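# Cache Asset TTL
#
# Value intended for an `expires $cache_asset;` directive (the expires call
# itself is outside this file): a one-year TTL for static asset extensions,
# `off` (no Expires/Cache-Control added) for everything else.
#
# Matched against $uri, not $request_uri: $request_uri keeps the query
# string, so the `$`-anchored pattern never matched cache-busted URLs such
# as /app.js?v=42 and those assets silently got no cache headers.  $uri is
# the normalized path without arguments, so the extension is always at the
# end.
# NOTE(review): a one-year TTL assumes asset URLs change when content
# changes (hashed filenames or a ?v= parameter); otherwise clients keep
# stale -- including stale, vulnerable -- JavaScript until it expires.
map $uri $cache_asset {
    default off;

    ~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y;
}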