mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

Include directives fail outside nginx.conf #248

Closed ovitech closed 5 years ago

ovitech commented 5 years ago

Dear Mitchell, I'm trying to secure my nginx web server with your bots blocker, however I'm having difficulties getting nginx to load it. I've followed your manual config tutorial and I haven't had any probs until step 10.

However, because I didn't want to include the 2 directives in nginx.conf, I pasted them in a new file in /etc/nginx/badbotscall.conf then I tested nginx (all ok), and then I reloaded nginx - all ok as well.

Unfortunately the tests at your step 12 are failing because my domain is not loading the block lists. Your advice would be most appreciated.

My /etc/nginx/badbotscall.conf

    include /etc/nginx/bots.d/blockbots.conf
    include /etc/nginx/bots.d/ddos.conf

My Vhost nginx.config:

    #ATTENTION!
    #
    #DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
    #SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

Thank you.

mitchellkrogza commented 5 years ago

@ovitech you've misread the instructions.

This include

    # Block Bad Bots
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;

ONLY gets placed into your vhost configuration (not nginx.conf). The above include must be inside the server {} block of every vhost on your server where you want the blocker to operate, not in an http {} block.

Make sure you also have the two main blocker files in your /etc/nginx/conf.d/ folder; those are botblocker-nginx-settings.conf and globalblacklist.conf.

Make sure you have all the other includes in your /etc/nginx/bots.d folder.
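As an added illustration of the placement rule in the comment above (not code from this repository), the following script tokenizes an nginx config and reports the block that directly encloses each blocker include. The sample configs are constructed, and treating only a direct child of `server {}` as correct is an assumption drawn from the wording of that comment.

```python
import re

# Added example, not project code. Sample configs below are constructed.
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+""")
BLOCKER_FILE = re.compile(r"bots\.d/(?:blockbots|ddos)\.conf$")

def audit_includes(conf_text):
    """Return [(included_path, enclosing_block, problem_or_None), ...]."""
    findings, stack, words = [], [], []
    def flush(terminated):
        if words and words[0] == "include":
            ctx = stack[-1] if stack else "main"
            for path in filter(BLOCKER_FILE.search, words[1:]):
                if not terminated or len(words) != 2:
                    problem = "directive not terminated with ';'"
                elif ctx != "server":
                    problem = f"in {ctx} context, not inside server {{}}"
                else:
                    problem = None
                findings.append((path, ctx, problem))
        words.clear()
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):          # comment runs to end of line
            continue
        if tok == ";":
            flush(True)
        elif tok == "{":                 # first word before '{' names the block
            stack.append(words[0] if words else "?")
            words.clear()
        elif tok == "}":
            flush(False)
            if stack:
                stack.pop()
        else:
            words.append(tok.strip("\"'"))
    flush(False)
    return findings

VHOST_OK = """server {
    listen 80;  # constructed sample
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;
    location / { root /var/www/html; }
}"""
HTTP_LEVEL = "http {\n    include /etc/nginx/bots.d/ddos.conf;\n    server { listen 80; }\n}"
NO_SEMICOLON = "include /etc/nginx/bots.d/blockbots.conf\ninclude /etc/nginx/bots.d/ddos.conf\n"

if __name__ == "__main__":
    for name, text in [("ok", VHOST_OK), ("http", HTTP_LEVEL), ("nosemi", NO_SEMICOLON)]:
        print(name, audit_includes(text))
```

The script only inspects the text it is given; a file that no loaded config includes is never read by nginx, so `nginx -t` passing says nothing about that file.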

ovitech commented 5 years ago

@mitchellkrogza Thank you for your quick reply. I haven't misunderstood your instructions, I am stuck because of an incompatibility between my Plesk and your guide.

I'm on Plesk Onyx CP and as you've seen from Vhost nginx.config (I know that this is the nginx.config that you're referring to), if I paste the 2 directives there, they will be gone by the next nginx restart.

And if I paste them in vhost_nginx.conf (the only file where Plesk allows me to paste custom nginx directives) then nginx -t won't validate...

So do you understand why I had to use a workaround with that new file /etc/nginx/badbotscall.conf? I was hoping that nginx will load the directives from this file, but it doesn't.
Or if it does, they don't apply to the vhost nginx.conf as well.

/Edit: and yes, I do have all your files in all the right folders. I even manually checked their content (I used the manual installation option to see & check what's happening on the server). The main problem is loading the directives in Plesk vhost nginx.conf, not the presence of the files.

ScrewLooseDan commented 5 years ago

I believe Plesk uses templates to dynamically create the server config files. I'm not sure if this applies to Plesk Onyx CP, but this document gives some instructions on modifying the Plesk templates. And, this page shows the file layout.

It doesn't look straightforward as it appears the templates are php files using variables, but that seems like it would be the correct way?

mitchellkrogza commented 5 years ago

Ok @ovitech, now I understand. I've never written instructions for Plesk yet. I did however write some for the Apache blocker and the same steps should apply for the nginx blocker, so give this a read: https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/blob/master/_Plesk_Onyx_Instructions/PLESK-ONYX-APACHE-CONFIGURATION.md

mitchellkrogza commented 5 years ago

@ovitech any luck with the above?

ovitech commented 5 years ago

Thank you @ScrewLooseDan for your answer. Indeed you are correct and your links to the Plesk documentation are spot on. However, while I could modify my vhost template and integrate the blocklist, I was advised by other Pleskians to not implement @mitchellkrogza's solution that way.

The advice I received was to not implement this solution at all in Plesk (because it requires vhost template custom modification) and to implement the following instead:

1) Config Nginx + custom Fail2Ban actions (+ 1 cronjob to reload Nginx config) -this (combined) solution uses (custom) Fail2Ban actions to :

2) Secure Plesk as per Advisor's recommendation

3) Since I'm on AWS, config AWS Shield and CloudFront: https://aws.amazon.com/shield/

Thank you both for your replies and for sharing your work on blocklists!

mitchellkrogza commented 5 years ago

No worries @ovitech, just keep in mind none of the above security solutions for Plesk will in any way help you deal with referrer spam or to block our extensive list of bad bots, which is a big part of this blocker. Have a number of people using it on Plesk with said modifications and without problems.

ovitech commented 5 years ago

I'm sure lots of Plesk admins have successfully integrated your blocklist @mitchellkrogza, however I must mention this small note: I'm a Plesk newbie. And if I learned something in all my years of xp in IT, it is that I prefer to not do something which may lead to a big "oops I didn't know that" later...

In a few months' time or maybe a year, when I'm much more comfortable customising Plesk to my liking (and fully understanding the repercussions of my customization), then I'll come back to this and integrate your truly brilliant blocklist into my Plesk and Nginx.

I'm also a user and big fan of @StevenBlack's blocklist on my machines and I know blocklists work wonders against ads, spam, bots and other malware. Now I just need to learn some more and then integrate yours into my webserver. Cheers!

mitchellkrogza commented 5 years ago

It's refreshing @ovitech to see someone not attempt complex things early on that could break their servers, good on you :+1: you are learning the right way :smile_cat: