From 853f620ce9fad1822b56fd6ee094f461c40e1357 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 15 Nov 2023 04:52:43 -0500
Subject: [PATCH] add high-level IP blocking
---
 .gitignore | 1 +
 nginx/nginx.conf | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/.gitignore b/.gitignore
index 907658e..fc2966a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,6 @@
 /backup-public-key.txt
 /backup/
 /cloud-archive-password.txt
+/nginx/snippets/blocked.conf
 /lock
 /venv/
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index a9508f6..1f13b91 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -140,6 +140,13 @@ http {
 default $same_origin_lax;
 }
 
+ geo $blocked {
+ default 0;
+ include stopforumspam-toxic_ip_cidr.conf;
+ include stopforumspam-bannedips.conf;
+ include snippets/blocked.conf;
+ }
+
 upstream backend {
 zone backend 32k;
 server unix:/run/php-fpm/php-fpm.sock max_conns=1024 max_fails=0;
@@ -232,6 +239,10 @@ http {
 text/javascript
 text/plain;
 
+ if ($blocked = 1) {
+ return 403;
+ }
+
 location = /404.html {
 internal;
 include snippets/security-headers.conf;
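Review bot: The three `include` lines inside `geo $blocked` are hard dependencies of config load, yet nothing in the hunk says where the files come from or what happens when one is absent. `snippets/blocked.conf` is git-ignored by this same commit, so a fresh checkout will not have it, and as far as I know nginx rejects the configuration when an included file named without a wildcard cannot be opened. I would add a comment above the block such as `# each included file holds "<address-or-cidr> 1;" entries; all three must exist (may be empty) before nginx -t`. The stopforumspam files are third-party data parsed as configuration, so whatever job refreshes them should check every entry and run `nginx -t` before reloading.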
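Review bot: The `if ($blocked = 1)` guard has no comment on its scope, and two properties are not obvious from the hunk. It covers only the `server` block it sits in, which opens outside the hunk, and `geo $blocked` is declared without an address variable, so it matches `$remote_addr`, the directly connecting peer. If another `server` block in this file serves content, blocked clients could still reach it; if a proxy is ever placed in front of this host, the proxy's address is what would be evaluated. A comment such as `# reject listed peers before location matching; this server block only, keyed on $remote_addr` would record both.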