Merge pull request #141 from 2024-SummerBootcamp-Team/develop

[main] merge 및 최신화
2024-SummerBootcamp-Team · Jul 27, 2024 · 39bf95d · 39bf95d
2 parents cc697f3 + 785e80c
commit 39bf95d
Show file tree

Hide file tree

Showing 7 changed files with 91 additions and 5 deletions.
diff --git a/docker-compose-deploy.yml b/docker-compose-deploy.yml
@@ -127,6 +127,7 @@ services:
     volumes:
       - ./nginx/nginx.conf:/etc/nginx/nginx.conf
       - ./nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx/configs:/etc/nginx/configs
     ports:
       - "80:80"
     restart: always

diff --git a/nginx/configs/bot-block.conf b/nginx/configs/bot-block.conf
@@ -0,0 +1,11 @@
+#Bot
+map $http_user_agent $limit_bots {
+    default 0;
+    ~*(MJ12bot|ltx71|Adsbot/3.1/WordPress|BLEXBot|UCBrowser|Mb2345Browser) 1;
+    ~*(MicroMessenger|LieBaoFast|Headless|netEstate|PetalBot) 1;
+    ~*(bingbot|FeedDemon|GrapeshotCrawler|DuckDuckBot|MegaIndex) 1;
+    ~*(VelenPublicWebCrawler|SimplePie|YandexBot|SCMGUARD|DotBot) 1;
+    ~*(AhrefsBot|SemrushBot) 1;
+	~*(wget|curl) 1;
+	~*(Custom-AsyncHttpClient) 1;
+}
diff --git a/nginx/configs/ip-block-list.conf b/nginx/configs/ip-block-list.conf
@@ -0,0 +1,5 @@
+geo $bad_ip {
+    43.128.149.53 1;
+    172.31.11.235 1;
+    default 0;
+}
diff --git a/nginx/configs/nginx-blue.conf b/nginx/configs/nginx-blue.conf
@@ -8,15 +8,31 @@ http {
         server fastapi-blue:8000;
     }
 
-
     # DOS 공격 방어를 위한 설정
     limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
     limit_conn_zone $binary_remote_addr zone=addr:10m;
 
+    # 별도 경로로 빼둔 설정파일들
+    include /etc/nginx/configs/ip-block-list.conf;  #ip block
+    include /etc/nginx/configs/word-block.conf; #Hack word
+    include /etc/nginx/configs/bot-block.conf; #Bot block
+
     server {
         listen 80;
         listen [::]:80;
 
+        #Ban black ip
+        if ($bad_ip) { return 444; }
+
+        #특정 url 패턴을 거부
+        if ($bad_word = 1) { return 444; }
+
+        #특정 user-agent를 거부
+        if ($limit_bots = 1) { return 444; }
+
+        #공백 User-agent를 거부
+        if ($http_user_agent = "") { return 444; }
+
         # 백엔드 프록시 설정
         location / {
             proxy_pass http://backend;

diff --git a/nginx/configs/nginx-green.conf b/nginx/configs/nginx-green.conf
@@ -8,15 +8,32 @@ http {
         server fastapi-green:8000;
     }
 
-
     # DOS 공격 방어를 위한 설정
     limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
     limit_conn_zone $binary_remote_addr zone=addr:10m;
 
+    # 별도 경로로 빼둔 설정파일들
+    include /etc/nginx/configs/ip-block-list.conf;  #ip block
+    include /etc/nginx/configs/word-block.conf; #Hack word
+    include /etc/nginx/configs/bot-block.conf; #Bot block
+
+
     server {
         listen 80;
         listen [::]:80;
 
+        #Ban black ip
+        if ($bad_ip) { return 444; }
+
+        #특정 url 패턴을 거부
+        if ($bad_word = 1) { return 444; }
+
+        #특정 user-agent를 거부
+        if ($limit_bots = 1) { return 444; }
+
+        #공백 User-agent를 거부
+        if ($http_user_agent = "") { return 444; }
+
         # 백엔드 프록시 설정
         location / {
             proxy_pass http://backend;

diff --git a/nginx/configs/word-block.conf b/nginx/configs/word-block.conf
@@ -0,0 +1,20 @@
+#Request Bad Word
+map $request_uri $bad_word {
+	default 0;
+	~*(wp-includes|wlwmanifest|xmlrpc|wordpress|administrator|wp-admin|wp-login|owa|a2billing) 1;
+	~*(fgt_lang|flu|stalker_portal|streaming|system_api|exporttool|ecp|vendor|LogService|invoke|phpinfo) 1;
+	~*(Autodiscover|console|eval-stdin|staging|magento|demo|rss|root|mifs|git|graphql|sidekiq|c99|GponForm) 1;
+	~*(header-rollup-554|fckeditor|ajax|misc|plugins|execute-solution|wp-content|php|telescope) 1;
+	~*(idx_config|DS_Store|nginx|wp-json|ads|humans|exec|level|monitoring|configprops|balancer|actuator) 1;
+	~*(meta-data|web_shell_cmd|latest|remote|_asterisk|bash|Bind|binding|appxz|bankCheck|GetAllGameCategory) 1;
+	~*(exchangerateuserconfig|exchange_article|kline_week|anquan|dns-query|nsepa_setup|java_script|gemini-iptv) 1;
+	~*(j_spring_security_check|wps|cgi|asmx|HNAP1|sdk|evox) 1;
+	~*(_ignition|alvzpxkr|ALFA_DATA|wp-plain) 1;
+	~*(ldap|jndi|dns|securityscan|rmi|ldaps|iiop|corba|nds|nis) 1; # log4j
+	~*(.aws|.git|wp-config|wp-config-sample|wp-config.php|wp-config-sample.php|wp-config.bak|wp-config-sample.bak) 1;
+	~*(.env|.env.example|.env.local|.env.development|.env.test|.env.production|.env.local.php|.env.local.php.bak) 1;
+	~*(.env.bak|.env.local.bak|.env.development.bak|.env.test.bak|.env.production.bak|.env.local.php.bak) 1;
+	~*(phpinfo|phpinfo.php|info.php|test.php|test|php|phpmyadmin|pma|myadmin|t.php|i.php) 1;
+	~*(dev|test|staging|app_dev|admin|www|home|app|main|backup|old|new|tmp|temp|temp1|temp2|temp3) 1;
+	~*(vendor|phpunit|lib|V2|ws|cms|tests|blog) 1;
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -5,20 +5,36 @@ events {
 http {
 
     upstream backend { # upstream으로 설정 및 서버 문제시 다른 서버로 이동
-        server fastapi-green:8000 max_fails=1 fail_timeout=3s;
-        server fastapi-blue:8000 max_fails=1 fail_timeout=3s;
+        server fastapi-green:8000;
     }
 
 
-
     # DOS 공격 방어를 위한 설정
     limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
     limit_conn_zone $binary_remote_addr zone=addr:10m;
 
+    # 별도 경로로 빼둔 설정파일들
+    include /etc/nginx/configs/ip-block-list.conf;  #ip block
+    include /etc/nginx/configs/word-block.conf; #Hack word
+    include /etc/nginx/configs/bot-block.conf; #Bot block
+
+
     server {
         listen 80;
         listen [::]:80;
 
+        #Ban black ip
+        if ($bad_ip) { return 444; }
+
+        #특정 url 패턴을 거부
+        if ($bad_word = 1) { return 444; }
+
+        #특정 user-agent를 거부
+        if ($limit_bots = 1) { return 444; }
+
+        #공백 User-agent를 거부
+        if ($http_user_agent = "") { return 444; }
+
         # 백엔드 프록시 설정
         location / {
             proxy_pass http://backend;