add high-level IP blocking

GrapheneOS · Dec 18, 2023 · 853f620 · 853f620
1 parent 2f45212
commit 853f620
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,5 +2,6 @@
 /backup-public-key.txt
 /backup/
 /cloud-archive-password.txt
+/nginx/snippets/blocked.conf
 /lock
 /venv/
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -140,6 +140,13 @@ http {
         default $same_origin_lax;
     }
 
+    geo $blocked {
+        default 0;
+        include stopforumspam-toxic_ip_cidr.conf;
+        include stopforumspam-bannedips.conf;
+        include snippets/blocked.conf;
+    }
+
     upstream backend {
         zone backend 32k;
         server unix:/run/php-fpm/php-fpm.sock max_conns=1024 max_fails=0;
@@ -232,6 +239,10 @@ http {
             text/javascript
             text/plain;
 
+        if ($blocked = 1) {
+            return 403;
+        }
+
         location = /404.html {
             internal;
             include snippets/security-headers.conf;