homelab/roles/nginx/files/snippets/block-exploits.conf

## Block SQL injections
set $block_sql_injections 0;

if ($query_string ~ "union.*select.*\(") {
	set $block_sql_injections 1;
}

if ($query_string ~ "union.*all.*select.*") {
	set $block_sql_injections 1;
}

if ($query_string ~ "concat.*\(") {
	set $block_sql_injections 1;
}

if ($block_sql_injections = 1) {
	return 403;
}

## Block file injections
set $block_file_injections 0;

if ($query_string ~ "[a-zA-Z0-9_]=http://") {
	set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
	set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
	set $block_file_injections 1;
}

if ($block_file_injections = 1) {
	return 403;
}

## Block common exploits
set $block_common_exploits 0;

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
	set $block_common_exploits 1;
}

if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
	set $block_common_exploits 1;
}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
	set $block_common_exploits 1;
}

if ($query_string ~ "proc/self/environ") {
	set $block_common_exploits 1;
}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
	set $block_common_exploits 1;
}

if ($query_string ~ "base64_(en|de)code\(.*\)") {
	set $block_common_exploits 1;
}

if ($block_common_exploits = 1) {
	return 403;
}

## Block spam
set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
	set $block_spam 1;
}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
	set $block_spam 1;
}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
	set $block_spam 1;
}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
	set $block_spam 1;
}

if ($block_spam = 1) {
	return 403;
}

## Block user agents
set $block_user_agents 0;

# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
	set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GetRight") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GetWeb!") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Go!Zilla") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Download Demon") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Go-Ahead-Got-It") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "TurnitinBot") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GrabNet") {
	set $block_user_agents 1;
}

if ($block_user_agents = 1) {
	return 403;
}

# # read more here http://tautt.com/best-nginx-configuration-for-security/

# # don't send the nginx version number in error pages and Server header
# server_tokens off;

# # config to don't allow the browser to render the page inside an frame or iframe
# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# add_header X-Frame-Options SAMEORIGIN;

# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# # to disable content-type sniffing on some browsers.
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
# add_header X-Content-Type-Options nosniff;

# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# # this particular website if it was disabled by the user.
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# add_header X-XSS-Protection "1; mode=block";