search

mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders
Other
4.05k stars 482 forks source link

[BUG] installer script sets bad bot blocker includes behind existing includes #343

Open BigAndini opened 4 years ago

BigAndini commented 4 years ago

First of all: pretty awesome collection! Thank you very much!

Describe the bug

I'm using wp rocket as cache plugin for my wordpress website. They have a configuration set that let wp rocket work in combination with nginx: https://github.com/SatelliteWP/rocket-nginx When their config include is stated before the ddos and blockbots conf files the webserver gives a response even if it shouldn't.

To Reproduce

Steps to reproduce the behavior: Their tool is quite simple and generates a simple config to include in the server part without adjusting servername or anything else. So maybe you can have a try, generate their config and put it right before your includes. Then you should see the responses even if the user agents or referers are in the blacklist. I've tested only with user agents and referers, I did no ip spoofing to check if that's not working as well.

Expected behavior

A clear and concise description of what you expected to happen. I would simply be a bit arrogant and put my includes right at the top of the configuration file before everything else. Blocking bad clients quite early is a good idea. If sysadmins want to do anything else beforehand, they normally know how to adjust the configurations.

Copy of vhost / website / host .conf file

If applicable please paste your site/vhost configuration file in between the code ticks (paste in between the markers)

This is the difference:

doesn't work:

    include snippets/rocket-nginx.conf;

    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

while this works pretty well:

    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    include snippets/rocket-nginx.conf;

Server (please complete the following information):

nginx version: nginx/1.16.1

Paste any log / error messages here (paste in between the ```     ``` markers)

Additional information

Add any other context about the problem here.

mitchellkrogza commented 4 years ago

Hi @inbaz the best way always is to load the blocker first before anything else. So your config 2 is actually correct. You want the blocker to stop anything at first point of contact before sending it onto something else first and then trying to intercept later, it simply won't work. The whole idea is to not send rubbish traffic to wordpress, a plugin or even Nginx to have it's time and resources wasted.

Just remember all we are doing is blocking traffic that we don't want to waste time and resources on.

What happens after it passes through the blocker is entirely up to Nginx, Wordpress and WP Rocket from thereon.

BigAndini commented 4 years ago

Hi @mitchellkrogza, I absolutely agree. The "bug" goes rather against the installer, because the installer doesn't include the lines before the first include within the server definition.

mitchellkrogza commented 4 years ago

It's been very tricky with the installer to cater for all possible placements of the include. Very difficult to detect other includes which may or may not be present.

On my own servers I have a central include that goes into every vhost and is placed at the highest level before any further customizations, just after my ssl includes and just before my Location / block. This makes it impossible for me to stop it working further down with other rules.