Hello everyone, I’m trying to configure nginx-ultimate-bad-bot-blocker, and I’m faced with a lack of understanding where to add blocks [from this example.](GitHub - mitchellkrogza/nginx-ultimate-bad-bot-blocker: Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders blob/master/_sample_config_files/SAMPLE-Nginx-SSL-Site-Config-Example.md)
What did I do
- I installed nginx-ultimate-bad-bot-blocker manually according to the instructions . When installing, please note that the botblocker-nginx-settings.conf file has entries that conflict with the Nginx Hestia configuration (they should be deleted)
- After the basic installation, the example shows what is added
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
server {
# SSL configuration
listen 443 ssl http2;
root /var/www/yourdomain.com;
server_name yourdomain.com www.yourdomain.com;
charset UTF-8;
# Logging for the SSL version of our site
access_log /var/log/nginx/yourdomain.com-access.log;
error_log /var/log/nginx/yourdomain.com-error.log;
# SSL Configuration
# First include our certificates and chain of trust - Using Let's Encrypt Free SSL
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:128m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
# Include our X- Headers for Browser Cross-Sniffing
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# ADD THE NGINX BAD BOT BLOCKER HERE (Please read full setup instructions)
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
# Include Any Custom Configurations and Location Directives Here
# END OF SSL HOST CONFIG - CLOSING BRACE BELOW THIS LINE
and
server {
# NOW WE REDIRECT ALL PORT 80 TRAFFIC TO PORT 443
listen 80;
server_name yourdomain.com www.yourdomain.com;
# Block Bad Bots even before they even get redirected
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
return 301 https://yourdomain.com$request_uri;
# HAVE SEPARATE LOGGING FOR PORT 80 (otherwise use same log location as SSL site)
access_log /var/log/nginx/yourdomain.com-80-access.log;
error_log /var/log/nginx/yourdomain.com-80-error.log;
# END OF HTTP PORT 80 HOST CONFIG - CLOSING BRACE BELOW THIS LINE
}
I did this on my third-party resource PeerTube, and everything is fine
server {
listen 80;
listen [::]:80;
server_name angeltales.angellive.ru;
#nginx-ultimate-bad-bot-blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
return 301 https://angeltales.angellive.ru$request_uri;
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
}
location / { return 301 https://$host$request_uri; }
}
upstream backend {
server 127.0.0.1:9000;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
server_name angeltales.angellive.ru;
access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
error_log /var/log/nginx/peertube.error.log;
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/angeltales.angellive.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/angeltales.angellive.ru/privkey.pem;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
# ADD THE NGINX BAD BOT BLOCKER HERE (Please read full setup instructions)
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
# Advertise HTTP/3 support
add_header Alt-Svc 'h3=":443"; ma=86400';
add_header QUIC-Status $http3;
..............
# rest of the configuration
Since we have templates in Hestia, adding a redirect creates errors, while I do not touch the main Nginx configuration file. but only templates from /usr/local/hestia/data/templates/web/nginx/php-fpm
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
#nginx-ultimate-bad-bot-blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
return 301 https://%domain_idn%$request_uri;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
#nginx-ultimate-bad-bot-blocker
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
try_files $uri $uri/ /index.php?$args;
log_not_found off;
access_log off;
}
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
try_files $uri $uri/ /index.php?$args;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|pdf|jar)$ {
expires 365d;
fastcgi_hide_header "Set-Cookie";
}
location ~* /(?:uploads|files)/.*.php$ {
deny all;
return 404;
}
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 403;
}
location ~ [^/]\.php(/|$) {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_HOST $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;
if ($request_uri ~* "/wp-admin/|/wp-json/|wp-.*.php|xmlrpc.php|index.php|/store.*|/cart.*|/my-account.*|/checkout.*") {
set $no_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
set $no_cache 1;
}
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
After building v-rebuild-web-domains user and checking nginx -t I get
nginx: [emerg] "limit_conn" directive is duplicate in /etc/nginx/bots.d/blockbots.conf:55
nginx: configuration file /etc/nginx/nginx.conf test failed
root@hestia:~# grep -r "limit_conn" /etc/nginx/
/etc/nginx/bots.d/ddos.conf:limit_conn addr 200;
/etc/nginx/bots.d/blockbots.conf:#limit_conn bot1_connlimit 100;
/etc/nginx/bots.d/blockbots.conf:limit_conn bot2_connlimit 10;
/etc/nginx/bots.d/blockbots.conf:#limit_conn bot4_connlimit 10;
/etc/nginx/conf.d/botblocker-nginx-settings.conf:limit_conn_zone $binary_remote_addr zone=addr:50m;
/etc/nginx/conf.d/globalblacklist.conf: #limit_conn bot1_connlimit 100;
/etc/nginx/conf.d/globalblacklist.conf: limit_conn_zone $bot_iplimit zone=bot2_connlimit:16m;
/etc/nginx/conf.d/globalblacklist.conf: limit_conn_zone $bot_iplimit2 zone=bot4_connlimit:16m;
However, on a server without Hestia everything is fine. If anyone has experience using this product on Hestia, please tell me what can be fixed and where. Thank you