ini Nginx Block配置不需要的用户代理和contries以及维护

Posted 2021-05-24

# Run as user
user www-data;

# For high performance you'll need one worker process per disk spindle
# but in most cases 1 or 2 is fine.
worker_processes 8;

# Open file/directory limit
worker_rlimit_nofile 30000;

# Process ID file location
pid /var/run/nginx.pid;

events {
	## Connections
	# Max concurrent connections = worker_processes * worker_connections
	# You can increase this past 1024 but you must set the rlimit before starting
	# nginx using the ulimit command (say ulimit -n 8192)
	worker_connections 8192;

	# Performance
	use epoll;
}

http {
	## Disable Nginx version number in error pages and server header
	server_tokens off;

	## Silently block all undefined vhost access
	server {
		server_name _;
		return 444;
	}

	## Socket settings : Set buffer size limitations
	client_header_buffer_size   4k;
	large_client_header_buffers 8 8k;
	client_max_body_size 20m;
	connection_pool_size 8192;
	request_pool_size 8k;

	## Default character set
	# https://developers.google.com/speed/docs/best-practices/rendering#SpecifyCharsetEarly
	charset UTF-8;

	## Connections
	tcp_nopush on;
	tcp_nodelay off;
	keepalive_timeout 65;

	## ???
	types_hash_max_size 2048;
	server_names_hash_bucket_size 64;

	## Files
	sendfile on;

	## MIME
	# Mime-type table
	include /etc/nginx/mime.types;
	# Default mime-type if nothing matches from the table
	default_type application/octet-stream;

	## Logging
	# Specify a log format compatible with Apache's combined format
	log_format main '$remote_addr - $remote_user [$time_local] '
		'"$request" $status $body_bytes_sent "$http_referer" '
		'"$http_user_agent" "$http_x_forwarded_for"';
	access_log off;
	error_log /var/log/nginx/error.log error;

	## Compression
	gzip on;
	gzip_static on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	## Virtual hosts
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

	## Block configuration
	#include /etc/nginx/block.conf;
}

## Set real IP when using CloudFlare
# https://www.cloudflare.com/ips
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;

## Set real IP when using Incapsula
# http://support.incapsula.com/entries/20199668
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 185.11.124.0/22;
real_ip_header X-Forwarded-For;

## Maintenance mode
if ($remote_addr ~ (71.55.222.204|142.32.7.131)) {
	set $maintenance off;
}
if ($maintenance = on) {
	return 503;
}

## Unavailable page
location @unavailable {
	root /home/spout/sites/spout.org/_error/public;
	#rewrite ^(.*)$ /maintenance.html break;
	rewrite ^(.*)$ /unavailable.html break;
}

## Block by user agent
if ($http_user_agent ~ (Purebot|Lipperhey|MaMa CaSpEr|libwww-perl|Mail.Ru|gold crawler)) {
	return 403;
}

## Block by referrer keywords
if ($http_referer ~* (viagra|cialis|levitra) ) {
	return 403;
}

## Block based on GeoIP data
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
geoip_country /etc/nginx/GeoIP.dat;
# China
if ($geoip_country_code = CN) {
	return 403;
}
# India
if ($geoip_country_code = ID) {
	return 403;
}
# Ukraine
if ($geoip_country_code = UA) {
	return 403;
}
# Russian Federation
if ($geoip_country_code = RU) {
	return 403;
}
# Lithuania
if ($geoip_country_code = LT) {
	return 403;
}
# PHP FastCGI variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;