Nginx block configuration for unwanted user agents and countries, plus a maintenance mode (fragments intended for a block.conf included from the main nginx.conf below)
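## Block by user agent
# User-Agent is chosen by the client, so this is noise reduction against known
# crawlers, not an access control: any bot can send a different string.
# The pattern contains spaces and a literal dot, so it must be quoted and the
# dot escaped -- unquoted, nginx splits "MaMa CaSpEr" into two arguments and
# rejects the condition, and an unescaped "Mail.Ru" also matches "MailxRu".
# Case-insensitive (~*) for consistency with the referrer rule below.
if ($http_user_agent ~* "(Purebot|Lipperhey|MaMa CaSpEr|libwww-perl|Mail\.Ru|gold crawler)") {
    return 403;
}
## Block by referrer keywords
# Referer is likewise client-supplied; case-insensitive substring match, so
# it also hits legitimate URLs that happen to contain these words.
if ($http_referer ~* "(viagra|cialis|levitra)") {
    return 403;
}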
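## Block based on GeoIP data
# Uses the legacy ngx_http_geoip_module and the GeoIP.dat format. MaxMind has
# since discontinued the GeoLite legacy downloads, so the URL below is dead;
# a maintained setup needs the GeoIP2 module and an .mmdb database instead.
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
# geoip_country is valid only in http context; the if-blocks below belong in
# server/location context.
geoip_country /etc/nginx/GeoIP.dat;
# Lookups are done on $remote_addr. Behind a CDN that is the client address
# only when the realip module trusts the CDN's ranges; otherwise every request
# geolocates to the CDN edge and these rules block nothing (or everything).
# Addresses the database does not know yield an empty code and pass through.
# China
if ($geoip_country_code = CN) {
    return 403;
}
# India -- ISO 3166-1 alpha-2 code is IN. The earlier "ID" is Indonesia.
if ($geoip_country_code = IN) {
    return 403;
}
# Ukraine
if ($geoip_country_code = UA) {
    return 403;
}
# Russian Federation
if ($geoip_country_code = RU) {
    return 403;
}
# Lithuania
if ($geoip_country_code = LT) {
    return 403;
}
# PHP FastCGI variables ###
# Exposed to PHP as $_SERVER['GEOIP_*']; only take effect inside a location
# that uses fastcgi_pass.
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;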
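## Set real IP when fronted by a CDN/WAF (Cloudflare, Incapsula)
# real_ip_header may appear only once per context -- nginx refuses a second
# one as "duplicate" -- so the original pair (CF-Connecting-IP, then
# X-Forwarded-For) could not load. One header has to serve every upstream
# proxy: both providers append the connecting client to X-Forwarded-For, and
# with real_ip_recursive at its default (off) the realip module takes the last
# address in that header, i.e. the one the proxy itself saw. Verify against
# the providers' current docs; if only Cloudflare is in front, CF-Connecting-IP
# is the stricter choice.
# The header is honoured only for connections from a set_real_ip_from range;
# a request that reaches the origin from anywhere else keeps its real peer
# address. Two consequences for the GeoIP and maintenance checks that rely on
# $remote_addr: (1) firewall the origin so only these ranges can connect,
# otherwise the CDN's blocking is bypassed by going direct; (2) these ranges
# are a 2018 snapshot -- a prefix the provider gives up and that is reassigned
# lets its new owner forge the client address, so refresh the lists regularly.
# Cloudflare: https://www.cloudflare.com/ips
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
# Incapsula: http://support.incapsula.com/entries/20199668
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 185.11.124.0/22;
# Single header for all trusted proxies (see above).
real_ip_header X-Forwarded-For;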
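## Maintenance mode
# $maintenance is expected to be switched to "on" elsewhere in the server
# block (e.g. `set $maintenance on;`); this fragment only clears it for the
# two admin addresses and turns every other request into a 503.
# Exact comparison instead of the old unanchored regex: in
# `~ (71.55.222.204|142.32.7.131)` every dot was a wildcard and the pattern
# was unanchored, so e.g. 171.55.222.204 or 71.55.222.2041 also got through.
if ($remote_addr = 71.55.222.204) {
    set $maintenance off;
}
if ($remote_addr = 142.32.7.131) {
    set $maintenance off;
}
# $remote_addr is the true client only if the realip module trusts the proxy
# in front of nginx; otherwise the bypass is compared against the CDN edge.
if ($maintenance = on) {
    return 503;
}
## Unavailable page
# Reached only through a matching `error_page 503 @unavailable;` in the same
# server block; none is shown in this fragment, so add it or the 503 is served
# with nginx's built-in page.
location @unavailable {
    root /home/spout/sites/spout.org/_error/public;
    #rewrite ^(.*)$ /maintenance.html break;
    rewrite ^(.*)$ /unavailable.html break;
}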
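# Run as user
# Worker processes drop to this unprivileged account; the master process
# stays root to bind privileged ports and reopen logs.
user www-data;
# For high performance you'll need one worker process per disk spindle
# but in most cases 1 or 2 is fine. (`auto` sizes this to the CPU count.)
worker_processes 8;
# Open file/directory limit (per worker; must exceed worker_connections
# plus the files each worker keeps open).
worker_rlimit_nofile 30000;
# Process ID file location
pid /var/run/nginx.pid;

events {
    ## Connections
    # Max concurrent connections = worker_processes * worker_connections
    # You can increase this past 1024 but you must set the rlimit before starting
    # nginx using the ulimit command (say ulimit -n 8192)
    worker_connections 8192;
    # Performance
    use epoll;
}

http {
    ## Disable Nginx version number in error pages and server header
    server_tokens off;

    ## Silently block all undefined vhost access
    # Without default_server nginx falls back to whichever server block comes
    # first for the port, which only happens to be this one because it
    # precedes the includes. Make it explicit (drop any default_server a
    # vhost in sites-enabled claims on :80). This covers plain HTTP only: an
    # HTTPS request for an unknown name still lands on the first TLS server in
    # sites-enabled until a default_server with a certificate exists on :443.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    ## Socket settings : Set buffer size limitations
    client_header_buffer_size 4k;
    large_client_header_buffers 8 8k;
    client_max_body_size 20m;
    connection_pool_size 8192;
    request_pool_size 8k;

    ## Default character set
    # https://developers.google.com/speed/docs/best-practices/rendering#SpecifyCharsetEarly
    charset UTF-8;

    ## Connections
    tcp_nopush on;
    tcp_nodelay off;
    keepalive_timeout 65;

    ## Hash table sizing for the MIME map and server_name lookup
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;

    ## Files
    sendfile on;

    ## MIME
    # Mime-type table
    include /etc/nginx/mime.types;
    # Default mime-type if nothing matches from the table
    default_type application/octet-stream;

    ## Logging
    # Specify a log format compatible with Apache's combined format
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # The format above was defined but access logging was switched off, which
    # leaves no record of which requests hit the 403/444/503 rules or of
    # anything to investigate after an incident. Log with it and rotate.
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log error;

    ## Compression
    # NOTE(review): compressing responses that carry per-session secrets
    # (CSRF tokens, session data) together with attacker-influenced content
    # over TLS exposes them to BREACH-style attacks. gzip_types below includes
    # text/html implicitly and application/json explicitly; restrict gzip to
    # static assets or disable it per-location for such responses.
    gzip on;
    gzip_static on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ## Virtual hosts
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ## Block configuration
    # The user-agent / GeoIP / maintenance rules are inactive while this stays
    # commented out. They also cannot be included here as one file: `if` and
    # `location` are only valid inside a server block, whereas geoip_country is
    # http-only, so split the fragment or include the server-level part from
    # each vhost.
    #include /etc/nginx/block.conf;
}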