search

mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders
Other
3.97k stars 477 forks source link

[INSTALLATION] "server_names_hash_bucket_size" directive is duplicate #324

Closed solracsf closed 4 years ago

solracsf commented 4 years ago

Did you look through existing ISSUES ?

Yes, but what i found explicitly demonstrates duplicates, but not in my case...

Describe the problem you are experiencing

Just can't have nginx pass tests unless config options are commented out...

Error Messages

nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/conf.d/botblocker-nginx-settings.conf:16
nginx: configuration file /etc/nginx/nginx.conf test failed

Tried to search that string, it only founds one instance:

ubuntu@proxy:/etc/nginx# grep -rl "server_names_hash_bucket_size" .
./conf.d/botblocker-nginx-settings.conf

If i comment out line 16, it complains about line 17, if comment 17 it complains about line 18 of that same file, etc...

Only way to nginx pass tests, is to comment out the two lines on nginx.conf

#include     /etc/nginx/conf.d/botblocker-nginx-settings.conf;
#include     /etc/nginx/conf.d/globalblacklist.conf;

Copy of nginx.conf

worker_processes auto;
worker_priority -10;
pid /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile    on;
    tcp_nopush  on;

    tcp_nodelay on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    server_tokens       off;

    proxy_connect_timeout       1000;
    proxy_send_timeout  1000;
    proxy_read_timeout  1000;
    send_timeout        1000;

    client_body_buffer_size     10M;
    client_max_body_size        10G;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Pass CF-Connecting-IP header from Cloudflare IPs
    set_real_ip_from    103.21.244.0/22;
    set_real_ip_from    103.22.200.0/22;
    set_real_ip_from    103.31.4.0/22;
    set_real_ip_from    104.16.0.0/12;
    set_real_ip_from    108.162.192.0/18;
    set_real_ip_from    131.0.72.0/22;
    set_real_ip_from    141.101.64.0/18;
    set_real_ip_from    162.158.0.0/15;
    set_real_ip_from    172.64.0.0/13;
    set_real_ip_from    173.245.48.0/20;
    set_real_ip_from    188.114.96.0/20;
    set_real_ip_from    190.93.240.0/20;
    set_real_ip_from    197.234.240.0/22;
    set_real_ip_from    198.41.128.0/17;
    set_real_ip_from    2400:cb00::/32;
    set_real_ip_from    2405:b500::/32;
    set_real_ip_from    2606:4700::/32;
    set_real_ip_from    2803:f800::/32;
    set_real_ip_from    2c0f:f248::/32;
    set_real_ip_from    2a06:98c0::/29;

    real_ip_header      CF-Connecting-IP;

    ##
    # SSL Settings
    ##

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/letsencrypt/dhparam.pem;

    # intermediate configuration
    ssl_protocols       TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve      X448:secp521r1:secp384r1:prime256v1;
    ssl_prefer_server_ciphers   on;
    ssl_buffer_size     1400;

    # OCSP stapling
    ssl_stapling        on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate     /etc/letsencrypt/live/example.com/chain.pem;

    ssl_client_certificate      /etc/letsencrypt/origin-pull-ca.pem;
    ssl_verify_client   on;

    resolver    127.0.0.53;

    ##
    # Logging Settings
    ##

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log warn;

    ##
    # Gzip Settings
    ##

    gzip        on;

    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include     /etc/nginx/conf.d/botblocker-nginx-settings.conf;
    include     /etc/nginx/conf.d/globalblacklist.conf;

    ##
    # Virtual Host Configs
    ##

    include     /etc/nginx/conf.d/*.conf;
    include     /etc/nginx/vhosts/*.conf;
}

Copy of vhost / website / host .conf file

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.example.com;

        include includes/common.conf;

        # Bad Bot Blocker
        include bots.d/ddos.conf;
        include bots.d/blockbots.conf;

        location / {
                include includes/proxy.conf;
                include includes/headers.conf;

                # Internal IP
                proxy_pass http://10.0.0.4;
        }

        include includes/locations.conf;
}

Copy of common.conf

client_max_body_size 0;
underscores_in_headers on;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

Copy of proxy.conf

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;

proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;

proxy_buffering off;
proxy_redirect off;
proxy_max_temp_file_size 0;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

aio threads;
directio 5m;

Copy of headers.conf

add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;";
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy "no-referrer" always;
add_header X-Frame-Options "SAMEORIGIN";

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

Copy of locations.conf

location = /.well-known/carddav {
        return 301 https://$host/remote.php/dav;
}

location = /.well-known/caldav {
        return 301 https://$host/remote.php/dav;
}

location = /robots.txt {
        return 200 "User-agent: *\nDisallow: /\n";
}

location = /favicon.ico {
        return 301 /core/img/favicon.ico;
}

location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
}

location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
}

Server (please complete the following information):

Linux proxy 5.0.0-36-generic #39~18.04.1-Ubuntu SMP Tue Nov 12 11:09:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx version: nginx/1.17.3
mitchellkrogza commented 4 years ago

You don't need the includes in your nginx.conf as they will already get loaded because of

    include     /etc/nginx/conf.d/*.conf;
    include     /etc/nginx/vhosts/*.conf;

This would be causing the duplication and EMERG error So comment them out, reload nginx and test the blocker.

solracsf commented 4 years ago

Lol, what a newbie error....

mitchellkrogza commented 4 years ago

We all make them. Enjoy it.