diff --git a/dist/nginx-blocklist-cron.sh b/dist/nginx-blocklist-cron.sh
new file mode 100755
index 000000000..b37963670
--- /dev/null
+++ b/dist/nginx-blocklist-cron.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# to use this you need to set JANITOR_BLOCKLIST_OUTPUT in your .env.production
+# ex:
+# JANITOR_BLOCKLIST_OUTPUT='/var/lib/mastodon/conf/blocklist.txt'
+# remember to adjust these paths to match your setup!
+
+# path to nginx conf file to store generated map
+export NGINX_BLOCKED_DOMAINS_CONF="/etc/nginx/conf.d/blocked-domains.conf"
+
+# path to blocklist generated by JanitorWorker
+export BLOCKED_DOMAINS_FILE="/var/lib/mastodon/conf/blocklist.txt"
+
+# path to nginx-blocklist-generator.sh script
+NGINX_BLOCKLIST_GENERATOR_BIN='/usr/local/bin/nginx-blocklist-generator.sh'
+
+if ! [ $(id -u) = 0 ]; then
+ echo 'This utility requires root privileges.' >&2
+ exit 1
+fi
+
+if [ ! -f "$NGINX_BLOCKLIST_GENERATOR_BIN" ]; then
+ echo "Blocklist generator script not found at '$NGINX_BLOCKLIST_GENERATOR_BIN'." >&2
+ echo 'Check $NGINX_BLOCKLIST_GENERATOR_BIN variable.' >&2
+ exit 1
+fi
+
+if sh "$NGINX_BLOCKLIST_GENERATOR_BIN"; then
+ if which service >/dev/null 2>&1; then
+ service nginx reload
+ elif which systemctl >/dev/null 2>&1; then
+ systemctl reload nginx
+ else
+ echo 'This tool only supports reloading nginx with initscripts or systemd.' >&2
+ echo 'Reload nginx for the new blocklist to take effect.' >&2
+ fi
+fi
diff --git a/dist/nginx-blocklist-generator.sh b/dist/nginx-blocklist-generator.sh
new file mode 100755
index 000000000..a2bbded17
--- /dev/null
+++ b/dist/nginx-blocklist-generator.sh
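Review bot: The reload in the `if sh "$NGINX_BLOCKLIST_GENERATOR_BIN"` branch is issued without validating what the generator just wrote into `conf.d`, so a malformed `blocked-domains.conf` makes nginx keep its previous configuration on the failed reload while this cron job still exits 0 — the blocklist silently stops applying and nobody is told. `service nginx reload` / `systemctl reload nginx` do not reliably surface that (a signal-based reload returns before the master has parsed the new config; worth confirming on your target distros), so gate the reload on an explicit test: `if ! nginx -t -q; then echo "Generated map at '$NGINX_BLOCKED_DOMAINS_CONF' fails nginx -t; not reloading." >&2; exit 1; fi`. The final `else` branch should also `exit 1` rather than fall through to success, so cron reports a run that did not reload. Minor: `which` is not POSIX and is absent on some minimal images; `command -v service` / `command -v systemctl` is the portable spelling.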
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+if ! [ $(id -u) = 0 ]; then
+ echo 'This utility requires root privileges.' >&2
+ exit 1
+fi
+
+if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]
+ NGINX_BLOCKED_DOMAINS_CONF='/etc/nginx/conf.d/blocked-domains.conf'
+fi
+
+if [ -z "$BLOCKED_DOMAINS_FILE" ]; then
+ BLOCKED_DOMAINS_FILE='/var/lib/mastodon/conf/blocklist.txt'
+fi
+
+# does the domain blocks file exist?
+if [ ! -f "$BLOCKED_DOMAINS_FILE" ]; then
+ echo "No blocked domains file exists at '$BLOCKED_DOMAINS_FILE'." >&2
+ exit 1
+fi
+
+# does the domain block map file for nginx exist?
+if [ ! -f "$NGINX_BLOCKED_DOMAINS_CONF" ]; then
+ # try to create the parent directory if needed
+ parent_dir=$(dirname "$NGINX_BLOCKED_DOMAINS_CONF")
+ mkdir -p "$parent_dir"
+
+ # then try to create the file if needed
+ if ! touch -a "$f"
+ echo "Can't create '$NGINX_BLOCKED_DOMAINS_CONF'." >&2
+ echo 'Check $NGINX_BLOCKED_DOMAINS_CONF variable or directory permissions.' >&2
+ exit 1
+ fi
+fi
+
+generate_map () {
+ echo '# to use, include the following in the "server" block of your nginx conf'
+ echo '# for mastodon **before any "location" blocks**:'
+ echo '#'
+ echo '# if ($blocked_domain = "1") { return 444; }'
+ echo
+ echo 'map $http_user_agent $blocked_domain {'
+ echo ' default 0;'
+ awk '/^[[:word:]]\.[[:word:]][[:word:].]*$/ { gsub("\\.", "\\.", $1); print " \"~*(?:\\b)"$1"(?:\\b)\" 1;" }' "$BLOCKED_DOMAINS_FILE"
+ echo '}'
+}
+
+generate_map > "$NGINX_BLOCKED_DOMAINS_CONF"
diff --git a/dist/nginx.conf b/dist/nginx.conf
index 7c429bad4..1a14872b4 100644
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
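Review bot: The generator cannot run as committed — `if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]` and `if ! touch -a "$f"` both lack `; then`, so `sh` rejects the file at parse time, and `$f` is never assigned anywhere (it should be `"$NGINX_BLOCKED_DOMAINS_CONF"`). Once it parses, the awk filter `/^[[:word:]]\.[[:word:]][[:word:].]*$/` has no `+` after the first bracket class, so only hostnames whose first label is a single character are emitted and `example.com` is silently dropped; `[[:word:]]` is also not a POSIX bracket class (at least gawk rejects it as an invalid character class) and even where accepted it excludes `-`, so hyphenated and `xn--` hosts never reach the map — the blocklist fails open without any error. That anchored allowlist regex is also what keeps a line in the Mastodon-writable blocklist from injecting directives into a root-owned nginx config, so it should be fixed by tightening to a hostname grammar, not by loosening it. Finally, `generate_map > "$NGINX_BLOCKED_DOMAINS_CONF"` truncates the live file in place and the script's exit status is that of `echo '}'`, so an awk failure leaves a half-written `map {` and still reports success to the cron wrapper; build in a temp file next to the target and rename, as below.
```sh
if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]; then
  NGINX_BLOCKED_DOMAINS_CONF='/etc/nginx/conf.d/blocked-domains.conf'
fi
# … unchanged: BLOCKED_DOMAINS_FILE default, existence check, mkdir -p …
  if ! touch -a "$NGINX_BLOCKED_DOMAINS_CONF"; then
# … unchanged: error messages and exit 1 …

generate_map () {
  # … unchanged: header comments, "map" opening line, "default 0;" …
  # Allowlist, not escape: only bare hostnames (labels of [A-Za-z0-9-] joined
  # by dots) are copied from the Mastodon-writable blocklist into the
  # root-owned nginx config. "\\\\." is a literal backslash-dot in every awk.
  awk '/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ { gsub("\\.", "\\\\.", $1); print " \"~*(?:\\b)"$1"(?:\\b)\" 1;" }' "$BLOCKED_DOMAINS_FILE" || return 1
  echo '}'
}

# Build next to the target and rename, so a concurrent reload never reads a
# half-written map and an awk failure leaves the previous map untouched.
tmp=$(mktemp "$NGINX_BLOCKED_DOMAINS_CONF.XXXXXX") || exit 1
if generate_map > "$tmp"; then
  chmod 0644 "$tmp"
  mv -f "$tmp" "$NGINX_BLOCKED_DOMAINS_CONF"
else
  rm -f "$tmp"
  echo "Failed to generate '$NGINX_BLOCKED_DOMAINS_CONF'." >&2
  exit 1
fi
```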
@@ -43,6 +43,11 @@ server { gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + # uncommenet to enable blocking suspended domains + # use the included nginx-blocklist-generator.sh tool to generate the needed + # map + # if ($block_domains = '1') { return 444; } + add_header Strict-Transport-Security "max-age=31536000"; location / {
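Review bot: The example directive `# if ($block_domains = '1') { return 444; }` does not name the variable the generator defines — `nginx-blocklist-generator.sh` emits `map $http_user_agent $blocked_domain { … }` and its own header comment says `if ($blocked_domain = "1")` — so a user who uncomments this line as shipped gets an unknown-variable failure from `nginx -t` instead of a working block; change it to `# if ($blocked_domain = '1') { return 444; }` (and fix the "uncommenet" typo on the line above). Because the map is keyed on `$http_user_agent`, a remote server can simply send a different User-Agent, so the comment should state that this is a best-effort cutoff for well-behaved instances and not a substitute for Mastodon's own domain block, e.g. `# best-effort only: matches the User-Agent header, which a peer can trivially spoof`. The enclosing `server` block begins and ends outside this hunk.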