add config + utilities + instructions for `nginx`-level domain blocks
parent
2ff40d3788
commit
5e3ab78fa4
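--- /dev/null
+++ b/<path-not-shown-1>
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# to use this you need to set JANITOR_BLOCKLIST_OUTPUT in your .env.production
+# ex:
+# JANITOR_BLOCKLIST_OUTPUT='/var/lib/mastodon/conf/blocklist.txt'
+# remember to adjust these paths to match your setup!
+
+# path to nginx conf file to store generated map
+export NGINX_BLOCKED_DOMAINS_CONF="/etc/nginx/conf.d/blocked-domains.conf"
+
+# path to blocklist generated by JanitorWorker
+export BLOCKED_DOMAINS_FILE="/var/lib/mastodon/conf/blocklist.txt"
+
+# path to nginx-blocklist-generator.sh script
+NGINX_BLOCKLIST_GENERATOR_BIN='/usr/local/bin/nginx-blocklist-generator.sh'
+
+if ! [ $(id -u) = 0 ]; then
+echo 'This utility requires root privileges.' >&2
+exit 1
+fi
+
+if [ ! -f "$NGINX_BLOCKLIST_GENERATOR_BIN" ]; then
+echo "Blocklist generator script not found at '$NGINX_BLOCKLIST_GENERATOR_BIN'." >&2
+echo 'Check $NGINX_BLOCKLIST_GENERATOR_BIN variable.' >&2
+exit 1
+fi
+
+if sh "$NGINX_BLOCKLIST_GENERATOR_BIN"; then
+if which service >/dev/null 2>&1; then
+service nginx reload
+elif which systemctl >/dev/null 2>&1; then
+systemctl reload nginx
+else
+echo 'This tool only supports reloading nginx with initscripts or systemd.' >&2
+echo 'Reload nginx for the new blocklist to take effect.' >&2
+fi
+fi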
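Review bot: The wrapper reloads nginx as soon as the generator exits 0, so a malformed generated map is only discovered when the reload itself fails; validating first, e.g. `if sh "$NGINX_BLOCKLIST_GENERATOR_BIN" && nginx -t; then`, reports the problem explicitly while nginx keeps serving the previous configuration. `which` is not POSIX and is missing on some minimal images, so under `#!/bin/sh` the portable test is `command -v service >/dev/null 2>&1` (same for `systemctl`). The root check `[ $(id -u) = 0 ]` should quote the substitution, `[ "$(id -u)" = 0 ]`; the same line appears in the generator script in this commit.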
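--- /dev/null
+++ b/<path-not-shown-2>
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+if ! [ $(id -u) = 0 ]; then
+echo 'This utility requires root privileges.' >&2
+exit 1
+fi
+
+if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]
+NGINX_BLOCKED_DOMAINS_CONF='/etc/nginx/conf.d/blocked-domains.conf'
+fi
+
+if [ -z "$BLOCKED_DOMAINS_FILE" ]; then
+BLOCKED_DOMAINS_FILE='/var/lib/mastodon/conf/blocklist.txt'
+fi
+
+# does the domain blocks file exist?
+if [ ! -f "$BLOCKED_DOMAINS_FILE" ]; then
+echo "No blocked domains file exists at '$BLOCKED_DOMAINS_FILE'." >&2
+exit 1
+fi
+
+# does the domain block map file for nginx exist?
+if [ ! -f "$NGINX_BLOCKED_DOMAINS_CONF" ]; then
+# try to create the parent directory if needed
+parent_dir=$(dirname "$NGINX_BLOCKED_DOMAINS_CONF")
+mkdir -p "$parent_dir"
+
+# then try to create the file if needed
+if ! touch -a "$f"
+echo "Can't create '$NGINX_BLOCKED_DOMAINS_CONF'." >&2
+echo 'Check $NGINX_BLOCKED_DOMAINS_CONF variable or directory permissions.' >&2
+exit 1
+fi
+fi
+
+generate_map () {
+echo '# to use, include the following in the "server" block of your nginx conf'
+echo '# for mastodon **before any "location" blocks**:'
+echo '#'
+echo '# if ($blocked_domain = "1") { return 444; }'
+echo
+echo 'map $http_user_agent $blocked_domain {'
+echo ' default 0;'
+awk '/^[[:word:]]\.[[:word:]][[:word:].]*$/ { gsub("\\.", "\\.", $1); print " \"~*(?:\\b)"$1"(?:\\b)\" 1;" }' "$BLOCKED_DOMAINS_FILE"
+echo '}'
+}
+
+generate_map > "$NGINX_BLOCKED_DOMAINS_CONF"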
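Review bot: The generator cannot run as written: the `if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]` line and the `if ! touch -a "$f"` line both lack `; then`, and `$f` is never assigned, so once the syntax is fixed the touch would still fail whenever the conf file does not yet exist. The corrected lines are `if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]; then` and `if ! touch -a "$NGINX_BLOCKED_DOMAINS_CONF"; then`. The awk filter in generate_map is also too narrow: `[[:word:]]` is not a POSIX character class (gawk rejects it as an invalid class), and where an awk does accept it the pattern `^[[:word:]]\.` admits only a one-character first label and no hyphens, so most blocklist entries would be silently left out of the map. A pattern such as `/^[[:alnum:]][[:alnum:].-]*$/` matches ordinary hostnames while still acting as an allowlist over what reaches the nginx configuration, which is worth keeping strict since the output is written as root into conf.d. Because `$http_user_agent` is supplied by the client, the map is best-effort filtering in front of Mastodon's own domain blocks rather than a replacement for them, and the header comment the script emits should say so.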
@ -43,6 +43,11 @@ server {
|
|||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
# uncommenet to enable blocking suspended domains
|
||||
# use the included nginx-blocklist-generator.sh tool to generate the needed
|
||||
# map
|
||||
# if ($block_domains = '1') { return 444; }
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
location / {
|
||||
|
|
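Review bot: The commented example uses `$block_domains`, but the map the generator in this commit writes defines `$blocked_domain` (the generator's own emitted header also says `if ($blocked_domain = "1") { return 444; }`), so uncommenting the line as shipped references a variable that is never set. Change it to `# if ($blocked_domain = '1') { return 444; }` and fix the typo `uncommenet` to `uncomment`. The comment should also tell the reader that the generated file must be included at `http` level, since a `map` directive is not valid inside `server`, which is where this hunk sits; the enclosing server block starts and ends outside the hunk.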