Here is the map. I truncated my bad agent list, but will get you
started. I used the user agent changer in Chromium to make sure it
worked.
---------------------------------------------------------
map $http_user_agent $badagent {
    default 0;
    ~*WordPress 1;
    ~*kscan 1;
    ~*ache 1;
}
--------------------------------------------
if ($badagent) {
    return 444;
}
---------------------------------------------
Of course there is always the problem of "scope", that is where to put
this. I have the map after the http {. I assume you have gzip enabled,
so my map starts after the "gzip on;" The "if" statement is in the
server block. I'm assuming you have the line that stops hotlinking. I
put it after that line. Generically the hotlink blocker line looks like:

if ($host !~ ^(mydomain.org|www.mydomain.org)$ ) {
    return 444;
}

On Sun, 21 May 2017 08:14:52 +1000
Alex Samad <a...@samad.com.au> wrote:

> Hi
>
> can you give an example of using a map instead of the if statement ?
>
> Thanks
>
> On 21 May 2017 at 02:35, c0nw0nk <nginx-fo...@forum.nginx.org> wrote:
>
> > gariac Wrote:
> > -------------------------------------------------------
> > > I had run Naxsi with Doxi. Trouble is when it caused problems, it
> > > was really hard to figure out what rule was the problem. I
> > > suppose if you knew what each rule did, Naxsi would be fine.
> > >
> > > That said, my websites are so unsophisticated that it is far
> > > easier for me just to use maps.
> > >
> > > Case in point. When all this adobe struts hacking started, I
> > > noticed lots of 404s with the word "action" in the url request. I
> > > just added "action" to the map and 444 them.
> > >
> > > If you have an url containing any word used in SQL, Naxsi/Doxi
> > > goes in blocking mode. I recall it was flagging on the word
> > > "update". I had an updates.html and Naxsi/Doxi was having a fit.
> > >
> > > In the end, it was far easier just to use maps. Other than a few
> > > modern constructs like "object-fit contain", my sites have a
> > > 1990s look. Keeping things simple reduces the attack surface.
> > >
> > > I think even with Naxsi, you would need to set up a map to block
> > > bad referrers. I'm amazed at the nasty websites that link to me
> > > for no apparent reason. Case in point, I had a referral from the
> > > al Aqsa Martyrs Brigade. Terrorists! And numerous porn sites,
> > > all irrelevant.
> > > So Naxsi alone isn't sufficient.
> > >
> > > Original Message
> > > From: c0nw0nk
> > > Sent: Saturday, May 20, 2017 3:36 AM
> > > To: nginx@nginx.org
> > > Reply To: nginx@nginx.org
> > > Subject: Re: WordPress pingback mitigation
> > >
> > > I take it you don't use a WAF of any kind. I also think you should
> > > add it to a MAP at least instead of using IF.
> > >
> > > The WAF I use for these same rules is found here.
> > >
> > > https://github.com/nbs-system/naxsi
> > >
> > > The rules for WordPress and other content management systems are
> > > found here.
> > >
> > > http://spike.nginx-goodies.com/rules/ ( a downloadable list they
> > > use https://bitbucket.org/lazy_dogtown/doxi-rules )
> > >
> > > Naxsi is the best solution I have found against problems like
> > > this, especially with their XSS and SQL extensions enabled.
> > >
> > > LibInjectionXss;
> > > CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
> > > LibInjectionSql;
> > > CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
> > >
> > > Blocks a lot of zero day exploits and unknown exploits /
> > > penetration testing techniques.
> > >
> > > If you want to protect your sites it is definitely worth the look
> > > and use.
> > >
> > > Posted at Nginx Forum:
> > > https://forum.nginx.org/read.php?2,274339,274341#msg-274341
> > >
> > > _______________________________________________
> > > nginx mailing list
> > > nginx@nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> > It is not actually that hard to read the rules when you understand
> > it.
> >
> > The error.log file tells you.
> >
> > As I helped someone before read and understand their error log
> > output to tell them what naxsi was telling them so they could learn
> > understand and identify what rule is the culprit to their problem.
> >
> > Here is the prime example :
> > https://github.com/nbs-system/naxsi/issues/351#issuecomment-281710763
> >
> > If you read that and see their error.log output from naxsi and view
> > the log it shows you in the log if it was for example "ARGS" or
> > "HEAD" or "POST" etc and the rule ID number responsible. So you can
> > either null it out or create a whitelist for that method.
> >
> > I am not trying to shove it down your neck or anything like that,
> > just trying to help and show a decent alternative that once you
> > understand can do so much more with. Like Nginx and Lua it pushes
> > the boundaries to what can be accomplished. I used to be very stuck
> > in my ways and ignorant to these features but once I start using
> > them never looked back, they are truly fantastic.
> >
> > As long as you fixed your problem that is all that matters :)
> >
> > Posted at Nginx Forum:
> > https://forum.nginx.org/read.php?2,274339,274345#msg-274345
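
Added example, not part of the thread and not any poster's code: a small Python check that runs the regex entries of the map above over sample values before deployment, to show which entry would answer a request with 444 and where an unanchored pattern also catches legitimate traffic. The "action" entry, the sample user agents and URIs are constructed assumptions, and Python's re module stands in for the PCRE engine nginx uses, which behaves the same for plain patterns like these.

```python
import re

# Regex entries copied from the map in the post (the author's list is truncated).
BAD_AGENT_MAP = ["~*WordPress", "~*kscan", "~*ache"]
# The quoted message mentions adding the word "action" to a map; the entry's
# exact form and keying it on the request URI are assumptions made here.
BAD_URI_MAP = ["~*action"]


def first_match(entries, value):
    """Return the first regex entry matching value, or None (map default 0).

    "~*" is a case-insensitive regex, "~" a case-sensitive one; entries are
    tried in the order they are listed.
    """
    for entry in entries:
        if entry.startswith("~*"):
            hit = re.search(entry[2:], value, re.IGNORECASE)
        elif entry.startswith("~"):
            hit = re.search(entry[1:], value)
        else:
            raise ValueError("only regex entries are handled: " + entry)
        if hit:
            return entry
    return None


def audit(entries, samples):
    """Return {sample: entry} for every sample the map would flag (444)."""
    flagged = {}
    for sample in samples:
        entry = first_match(entries, sample)
        if entry is not None:
            flagged[sample] = entry
    return flagged


# Constructed sample values, not taken from real logs.
SAMPLE_AGENTS = [
    "WordPress/4.7.5; http://blog.example; verifying pingback from 192.0.2.10",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36",
    "FeedCacheReader/1.0 (+http://reader.example/bot)",
]
SAMPLE_URIS = ["/updates.html", "/login.action", "/transactions.html"]

if __name__ == "__main__":
    for label, entries, samples in (("agent", BAD_AGENT_MAP, SAMPLE_AGENTS),
                                    ("uri", BAD_URI_MAP, SAMPLE_URIS)):
        for sample, entry in audit(entries, samples).items():
            print(f"{label}: {entry!r} flags {sample!r}")
```

The constructed feed reader agent is caught by "~*ache" because it contains "Cache", and "/transactions.html" is caught by "~*action"; running real access-log values through the same check shows such collisions before the map goes live.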