From befcc1e731e941273caa50638d85a35d6313a845 Mon Sep 17 00:00:00 2001 From: kalsteve Date: Sat, 27 Jul 2024 09:04:21 +0900 Subject: [PATCH 1/2] =?UTF-8?q?set:=20nginx=20=ED=95=84=ED=84=B0=EB=A7=81?= =?UTF-8?q?=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker-compose-deploy.yml | 1 + nginx/configs/bot-block.conf | 11 +++++++++++ nginx/configs/ip-block-list.conf | 5 +++++ nginx/configs/nginx-blue.conf | 18 +++++++++++++++++- nginx/configs/nginx-green.conf | 19 ++++++++++++++++++- nginx/configs/word-block.conf | 20 ++++++++++++++++++++ nginx/nginx.conf | 22 +++++++++++++++++++--- 7 files changed, 91 insertions(+), 5 deletions(-) create mode 100644 nginx/configs/bot-block.conf create mode 100644 nginx/configs/ip-block-list.conf create mode 100644 nginx/configs/word-block.conf diff --git a/docker-compose-deploy.yml b/docker-compose-deploy.yml index bea7f91..e78fca1 100644 --- a/docker-compose-deploy.yml +++ b/docker-compose-deploy.yml @@ -127,6 +127,7 @@ services: volumes: - ./nginx/nginx.conf:/etc/nginx/nginx.conf - ./nginx/conf.d:/etc/nginx/conf.d + - ./nginx/configs:/etc/nginx/configs ports: - "80:80" restart: always diff --git a/nginx/configs/bot-block.conf b/nginx/configs/bot-block.conf new file mode 100644 index 0000000..66cf1ad --- /dev/null +++ b/nginx/configs/bot-block.conf @@ -0,0 +1,11 @@ +#Bot +map $http_user_agent $limit_bots { + default 0; + ~*(MJ12bot|ltx71|Adsbot/3.1/WordPress|BLEXBot|UCBrowser|Mb2345Browser) 1; + ~*(MicroMessenger|LieBaoFast|Headless|netEstate|PetalBot) 1; + ~*(bingbot|FeedDemon|GrapeshotCrawler|DuckDuckBot|MegaIndex) 1; + ~*(VelenPublicWebCrawler|SimplePie|YandexBot|SCMGUARD|DotBot) 1; + ~*(AhrefsBot|SemrushBot) 1; + ~*(wget|curl) 1; + ~*(Custom-AsyncHttpClient) 1; +} \ No newline at end of file diff --git a/nginx/configs/ip-block-list.conf b/nginx/configs/ip-block-list.conf new file mode 100644 index 0000000..d2e42ed --- /dev/null 
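Review bot: The new bind mount `- ./nginx/configs:/etc/nginx/configs` gives the container write access to host-side nginx rules that it only ever reads; mounting it read-only, `- ./nginx/configs:/etc/nginx/configs:ro`, keeps a compromised or misbehaving container from editing the block lists. The same applies to the two existing mounts above it, but that is outside this change. The `services:` block this hunk sits in starts and ends outside the hunk.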
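Review bot: The `~*(wget|curl) 1;` entry in `bot-block.conf`, together with the `$http_user_agent = ""` rule the server blocks add, will also close connections from the project's own operational clients (container health checks, deploy smoke tests, scripted API calls) unless they set a browser-like User-Agent; confirm nothing in the deploy pipeline uses curl or wget against port 80 before merging. Since the header is client-supplied, this map is hygiene against noisy crawlers, not access control, and a comment saying so would stop a later reader from relying on it, e.g. `# Best-effort crawler filter: the header is client-chosen and trivially absent.`. Minor: `Adsbot/3.1/WordPress` contains an unescaped `.` (matches any character) and the file lacks a trailing newline.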
+++ b/nginx/configs/ip-block-list.conf @@ -0,0 +1,5 @@ +geo $bad_ip { + 43.128.149.53 1; + 172.31.11.235 1; + default 0; +} \ No newline at end of file diff --git a/nginx/configs/nginx-blue.conf b/nginx/configs/nginx-blue.conf index 319dd42..6452247 100644 --- a/nginx/configs/nginx-blue.conf +++ b/nginx/configs/nginx-blue.conf @@ -8,15 +8,31 @@ http { server fastapi-blue:8000; } - # DOS 공격 방어를 위한 설정 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; + # 별도 경로로 빼둔 설정파일들 + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block + server { listen 80; listen [::]:80; + #Ban black ip + if ($bad_ip) { return 444; } + + #특정 url 패턴을 거부 + if ($bad_word = 1) { return 444; } + + #특정 user-agent를 거부 + if ($limit_bots = 1) { return 444; } + + #공백 User-agent를 거부 + if ($http_user_agent = "") { return 444; } + # 백엔드 프록시 설정 location / { proxy_pass http://backend; diff --git a/nginx/configs/nginx-green.conf b/nginx/configs/nginx-green.conf index 6248ef3..e165205 100644 --- a/nginx/configs/nginx-green.conf +++ b/nginx/configs/nginx-green.conf @@ -8,15 +8,32 @@ http { server fastapi-green:8000; } - # DOS 공격 방어를 위한 설정 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; + # 별도 경로로 빼둔 설정파일들 + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block + + server { listen 80; listen [::]:80; + #Ban black ip + if ($bad_ip) { return 444; } + + #특정 url 패턴을 거부 + if ($bad_word = 1) { return 444; } + + #특정 user-agent를 거부 + if ($limit_bots = 1) { return 444; } + + #공백 User-agent를 거부 + if ($http_user_agent = "") { return 444; } + # 백엔드 프록시 설정 location / { proxy_pass http://backend; 
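Review bot: `172.31.11.235` in the `geo $bad_ip` map is an RFC 1918 address (172.16.0.0/12), so it is presumably an internal or VPC host rather than an external attacker; if it was a container or instance address it will be reassigned and the entry becomes stale or, worse, blocks a legitimate peer. Also note that `geo` matches the TCP peer address: if this nginx sits behind a load balancer or another proxy, every request will carry that proxy's address and the list never matches a real client unless `geo` is given `proxy` / `proxy_recursive` together with a configured real-IP source. A one-line comment per entry recording why and when it was added, e.g. `# <reason>, added <date>`, would make the list maintainable.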
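Review bot: The four `if (...) { return 444; }` rules and the three `include` lines are pasted verbatim into `nginx-blue.conf`, `nginx-green.conf` and `nginx.conf` (this and the next two hunks), so the three copies will drift the next time one is edited — the whitespace-only follow-up patch already had to touch all three. Moving the `if` rules into one more file under `configs/` (name to be chosen) and adding a single `include` inside each `server { }` keeps one source of truth. Within the rules the test style is inconsistent (`if ($bad_ip)` vs `if ($bad_word = 1)`); either form works for the 0/1 values these maps produce, but pick one. The `server { }` and `http { }` blocks continue outside the hunk.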
diff --git a/nginx/configs/word-block.conf b/nginx/configs/word-block.conf new file mode 100644 index 0000000..6ad7c07 --- /dev/null +++ b/nginx/configs/word-block.conf @@ -0,0 +1,20 @@ +#Request Bad Word +map $request_uri $bad_word { + default 0; + ~*(wp-includes|wlwmanifest|xmlrpc|wordpress|administrator|wp-admin|wp-login|owa|a2billing) 1; + ~*(fgt_lang|flu|stalker_portal|streaming|system_api|exporttool|ecp|vendor|LogService|invoke|phpinfo) 1; + ~*(Autodiscover|console|eval-stdin|staging|magento|demo|rss|root|mifs|git|graphql|sidekiq|c99|GponForm) 1; + ~*(header-rollup-554|fckeditor|ajax|misc|plugins|execute-solution|wp-content|php|telescope) 1; + ~*(idx_config|DS_Store|nginx|wp-json|ads|humans|exec|level|monitoring|configprops|balancer|actuator) 1; + ~*(meta-data|web_shell_cmd|latest|remote|_asterisk|bash|Bind|binding|appxz|bankCheck|GetAllGameCategory) 1; + ~*(exchangerateuserconfig|exchange_article|kline_week|anquan|dns-query|nsepa_setup|java_script|gemini-iptv) 1; + ~*(j_spring_security_check|wps|cgi|asmx|HNAP1|sdk|evox) 1; + ~*(_ignition|alvzpxkr|ALFA_DATA|wp-plain) 1; + ~*(ldap|jndi|dns|securityscan|rmi|ldaps|iiop|corba|nds|nis) 1; # log4j + ~*(.aws|.git|wp-config|wp-config-sample|wp-config.php|wp-config-sample.php|wp-config.bak|wp-config-sample.bak) 1; + ~*(.env|.env.example|.env.local|.env.development|.env.test|.env.production|.env.local.php|.env.local.php.bak) 1; + ~*(.env.bak|.env.local.bak|.env.development.bak|.env.test.bak|.env.production.bak|.env.local.php.bak) 1; + ~*(phpinfo|phpinfo.php|info.php|test.php|test|php|phpmyadmin|pma|myadmin|t.php|i.php) 1; + ~*(dev|test|staging|app_dev|admin|www|home|app|main|backup|old|new|tmp|temp|temp1|temp2|temp3) 1; + ~*(vendor|phpunit|lib|V2|ws|cms|tests|blog) 1; +} \ No newline at end of file diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 69fdfeb..1323cc3 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
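Review bot: The `map $request_uri $bad_word` patterns are unanchored case-insensitive substring matches, so generic tokens such as `php`, `test`, `dev`, `app`, `main`, `new`, `old`, `home`, `www`, `ads`, `rss`, `git`, `lib`, `level`, `latest`, `remote`, `console` and `ws` will return 444 for any legitimate URI that merely contains them (for example anything under a path containing "news", "application" or "development"), which for a FastAPI backend is a far larger risk than the WordPress-probe noise this list is meant to drop. Anchor the probe-specific entries to the path start or a path separator and escape dots, e.g. `"~*^/(wp-admin|wp-login|xmlrpc\.php)" 1;` and `"~*(^|/)\.(env|git|aws)\b" 1;` (constructed examples), and remove the generic words entirely. Several entries are redundant under substring semantics (`wp-config` already covers every `wp-config.*` variant, `.env` every `.env.*`, `php` every `phpinfo`/`test.php`), and `php`, `test`, `vendor`, `staging`, `phpinfo` each appear on two lines. Note also that `$request_uri` is the raw, unnormalized request line while `$uri` is the decoded and normalized path; `$uri` is the more reliable variable to match a path list against.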
@@ -5,20 +5,36 @@ events { http { upstream backend { # upstream으로 설정 및 서버 문제시 다른 서버로 이동 - server fastapi-green:8000 max_fails=1 fail_timeout=3s; - server fastapi-blue:8000 max_fails=1 fail_timeout=3s; + server fastapi-green:8000; } - # DOS 공격 방어를 위한 설정 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; + # 별도 경로로 빼둔 설정파일들 + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block + + server { listen 80; listen [::]:80; + #Ban black ip + if ($bad_ip) { return 444; } + + #특정 url 패턴을 거부 + if ($bad_word = 1) { return 444; } + + #특정 user-agent를 거부 + if ($limit_bots = 1) { return 444; } + + #공백 User-agent를 거부 + if ($http_user_agent = "") { return 444; } + # 백엔드 프록시 설정 location / { proxy_pass http://backend; From 387bdb7d803d29c29781a93660233dee16c8ecb6 Mon Sep 17 00:00:00 2001 From: kalsteve Date: Sat, 27 Jul 2024 09:37:22 +0900 Subject: [PATCH 2/2] =?UTF-8?q?fix:=20nginx=20=EB=9D=84=EC=96=B4=EC=93=B0?= =?UTF-8?q?=EA=B8=B0=EB=A1=9C=20=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nginx/configs/nginx-blue.conf | 6 +++--- nginx/configs/nginx-green.conf | 6 +++--- nginx/nginx.conf | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/nginx/configs/nginx-blue.conf b/nginx/configs/nginx-blue.conf index 6452247..f059dc6 100644 --- a/nginx/configs/nginx-blue.conf +++ b/nginx/configs/nginx-blue.conf 
@@ -13,9 +13,9 @@ http { limit_conn_zone $binary_remote_addr zone=addr:10m; # 별도 경로로 빼둔 설정파일들 - include /etc/nginx/configs/ip-block-list.conf; #ip block - include /etc/nginx/configs/word-block.conf; #Hack word - include /etc/nginx/configs/bot-block.conf; #Bot block + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block server { listen 80; diff --git a/nginx/configs/nginx-green.conf b/nginx/configs/nginx-green.conf index e165205..05ceb6b 100644 --- a/nginx/configs/nginx-green.conf +++ b/nginx/configs/nginx-green.conf @@ -13,9 +13,9 @@ http { limit_conn_zone $binary_remote_addr zone=addr:10m; # 별도 경로로 빼둔 설정파일들 - include /etc/nginx/configs/ip-block-list.conf; #ip block - include /etc/nginx/configs/word-block.conf; #Hack word - include /etc/nginx/configs/bot-block.conf; #Bot block + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block server { diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 1323cc3..f60dd0f 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -14,9 +14,9 @@ http { limit_conn_zone $binary_remote_addr zone=addr:10m; # 별도 경로로 빼둔 설정파일들 - include /etc/nginx/configs/ip-block-list.conf; #ip block - include /etc/nginx/configs/word-block.conf; #Hack word - include /etc/nginx/configs/bot-block.conf; #Bot block + include /etc/nginx/configs/ip-block-list.conf; #ip block + include /etc/nginx/configs/word-block.conf; #Hack word + include /etc/nginx/configs/bot-block.conf; #Bot block server {