Closed Bluscream closed 3 years ago
9mido
commented
3 years ago I have the same question and concern. I am not currently using this package but would like to know how to get rid of it if something goes wrong if I decide to use it.
@Bluscream curious how is it breaking your previous nginx configuration? Maybe you could provide errors/tracebacks/details?
Bluscream
commented
3 years ago 9mido
commented
3 years ago @itoffshore
Thanks for that commit but how do we make a backup and then restore it? What are the steps / commands? Directions should be added to the docs / instructions.
dwisiswant0
commented
3 years ago Commit referencing this issue has just been merged, that means if you haven't backed up there won't be an old nginx config file.
9mido
commented
3 years ago What do you mean @dwisiswant0 ? Are you implying that another commit should be made forcing a backup every time before someone tries to install this?
dwisiswant0
commented
3 years ago I mean, the backup option for original config file is just released now (after this issue was made). In other words, your original/old config file will be lost if you don't manually prepare the backup. That's what I think, @9mido.
itoffshore
commented
3 years ago @9mido - by default the scripts do not change anything - changes have to be forced by the user with -x (& the scripts first print the changes that are made during the dry run)
When setup-ngxblocker is run now with -x it first backs up nginx configuration as shown in the commit.
mitchellkrogza
commented
3 years ago Never had the blocker ever break any nginx. Each build is tested against all versions from 1.10 > mainstream including config files of all different formats from different linux distributions. A simple nginx -t would easily point to where it was misconfigured.
Bluscream
commented
3 years ago Haven't you seen the issue i referenced?
mitchellkrogza
commented
3 years ago @Bluscream yes, did you see how many commits and tests spanning several days were added to fix that initial issue? Without a copy of your original nginx.conf file from your OS (unmodified) so I can add it to the tests it's very hard to provide any fix.
These are the current config files against which setup-ngxblocker is tested on every single build - https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/tree/master/.dev-tools/setup-ngxblocker/original
GitHub
Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail f...
Bluscream
commented
3 years ago the problem maybe is that i don't and can't use .vhost extensions because other software relies on these files differently (webmin)
blu@domain:/etc/nginx/sites-enabled $ source ~/autorun.sh
aarch64
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster
total used free shared buff/cache available
Mem: 3.5Gi 367Mi 1.9Gi 90Mi 1.3Gi 3.0Gi
Swap: 1.0Gi 0B 1.0Gi
Device Boot Start End Sectors Size Id Type
/dev/mmcblk0p1 8192 96663 88472 43.2M c W95 FAT32 (LBA)
/dev/mmcblk0p2 98304 249737215 249638912 119G 83 Linux
blu@domain:/etc/nginx/sites-enabled $ uname -a
Linux domain.de 4.19.118-v8+ #1311 SMP PREEMPT Mon Apr 27 14:32:38 BST 2020 aarch64 GNU/Linuxthis is my /etc/nginx.conf:
user www-data www-data;
worker_processes 1;
error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
server_names_hash_bucket_size 64;
include mime.types;
default_type application/octet-stream;
# log_format main '$remote_addr - $remote_user [$time_local] "$host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format main '[$time_local] IP:"$remote_addr" (FWD:"$http_x_forwarded_for") USER:"$remote_user" DOMAIN:"$host" REQUEST:"$request" STATUS:$status BYTES_SENT:$body_bytes_sent REFERER:"$http_referer" UA:"$http_user_agent"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
disable_symlinks on;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost
root html;
include /etc/nginx/conf.d/*.conf;
}
include /etc/nginx/sites-enabled/*;
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
##
# Nginx Bad Bot Blocker
##
include nginx-badbot-blocker/blacklist.conf;
include nginx-badbot-blocker/blockips.conf;
}here's /etc/nginx/sites-enabled/domain.de:
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/ssl/certs/cloudflare_new.crt;
ssl_certificate_key /etc/ssl/certs/cloudflare_new.key;
server_name 192.168.2.38 domain.de www.domain.de;
root /var/www/html;
index index.php index.html index.htm;
include /etc/nginx/conf.d/security.conf;
include /etc/nginx/conf.d/hideserver.conf;
include /etc/nginx/conf.d/realip.conf;
# include /etc/nginx/conf.d/php.conf;
# include /etc/nginx/conf.d/maintainance.conf;
#
#
rewrite ^/ts/(.*)$ http://ts.domain.de/$1? permanent;
# location /ts {
# if (!-e $request_filename){
# rewrite ^(.*)$ /$1.php;
# }
# }
location ~* \.php$ {
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
location /admin {
access_log off;
auth_basic "NSA Confidential";
auth_basic_user_file /home/blu/.htpasswds/web.htpasswd;
# add_before_body /betterlisting/top.html;
# add_after_body /betterlisting/bot.html;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
location /admin/nginx {
stub_status on;
}
}
location /archive {
add_before_body /betterlisting/top.html;
add_after_body /betterlisting/bot.html;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
}
location /dl {
disable_symlinks off;
add_before_body /betterlisting/top.html;
add_after_body /betterlisting/bot.html;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
}
location /dl/vrchat/ripped {
add_before_body /betterlisting/top.html;
add_after_body /betterlisting/bot.html;
autoindex on;
autoindex_localtime on;
autoindex_exact_size off;
# auth_basic "Nur für lolis";
# auth_basic_user_file /home/blu/.htpasswds/ripped.htpasswd;
}
}yes, did you see how many commits and tests spanning several days were added to fix that initial issue?
yeah, i also tried reinstalling/updating later on with no success
itoffshore
commented
3 years ago all of the scripts can be run with --help to show usage:
sudo ./setup-ngxblocker --help
setup-ngxblocker: SETUP Nginx Bad Bot Blocker configuration in [ /etc/nginx/nginx.conf ] [ /etc/nginx/sites-available/* ]
Usage: setup-ngxblocker [OPTIONS]
[ -w ] : WWW path (default: /var/www)
[ -e ] : Vhost file extension (default: .vhost)
[ -v ] : Vhost directory (default: /etc/nginx/sites-available)
[ -b ] : Bot rules directory (default: /etc/nginx/bots.d)
[ -c ] : NGINX conf directory (default: /etc/nginx/conf.d)
[ -m ] : NGINX main configuration (default: /etc/nginx/nginx.conf)
[ -i ] : Change installer path (default: /usr/local/sbin/install-ngxblocker)
[ -l ] : Manual whitelist of domain (default: none)
[ -n ] : NO whitelist of .names only (default: Y)
[ -d ] : NO insert of DDOS rule (default: Y)
[ -z ] : NO configuration of vhosts (default: configure files in /etc/nginx/sites-available)
[ -x ] : Actually change the files (default: don't change anything)
[ -h ] : this help message
Examples:
setup-ngxblocker -n (Whitelist all directory names in /var/www as domains: not just dot.name directories)
setup-ngxblocker -l domain1.com -l domain2.com (Whitelist these manual domain name args)
setup-ngxblocker -d (Do not insert DDOS rule: these may clash with existing 'limit_conn addr' rules)
setup-ngxblocker (Don't change anything: display results on stdout)
setup-ngxblocker -x (Change / update config files)to use a different vhost extension specifiy it with the -e switch - e.g:
setup-ngxblocker -e de => do a dry run first & do not make any changes
setup-ngxblocker -e de -x (to actually change files)
Bluscream
commented
3 years ago not every file has the .de extension:
blu@domain:/etc/nginx/sites-enabled $ ls
blacklist2.teamspeak.com exagear.domain.de rss.domain.de
blacklist.teamspeak.com fdroid.domain.de ts.domain.de
bs.domain.de mail.domain.de vrchat.domain.de
default domain.de
escapefromtarkov.domain.de quest.domain.de
read find_vhosts() in setup-ngxblocker lines 101 - 113
if no vhost files are found the script gives you the option to configure every file as a vhost
run setup-ngxblocker from a proper shell
-e * does the same thing
~/tmp]$ find ./test -type f -name "*.*"
./test/test.com
./test/test.org
./test/test.uk
./test/test.de
./test/test.be
~/tmp]$ ls test
default test.be test.com test.de test.org test.uk
It breaks my nginx so i want to get rid of it!