Remove overly restrictive rules based on feedback: PUT/DELETE method blocking, spam filtering, scanner detection, and rate limiting

Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com>
copilot-swe-agent[bot]
2025-09-19 16:05:22 +00:00
parent 21e1697b8a
commit dd2e443da6


@@ -173,60 +173,6 @@ if ($block_common_exploits = 1) {
return 403;
}
## Block spam
set $block_spam 0;
# Original spam keywords
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
}
# Enhanced spam keywords
if ($query_string ~ "\b(casino|poker|gambling|betting|lottery|jackpot|slot)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(loan|credit|mortgage|insurance|investment|forex|crypto)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(escort|adult|xxx|porn|sex|dating|hookup|webcam)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(replica|fake|counterfeit|knockoff|imitation)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(weight.?loss|diet.?pill|muscle|steroid|supplement)\b") {
set $block_spam 1;
}
# Common spam patterns
if ($query_string ~ "(\[url=|\[link=|\[email=|email.*@.*\..*\])") {
set $block_spam 1;
}
if ($query_string ~ "(click.here|visit.site|buy.now|free.trial|limited.offer)") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 403;
}
## Block malicious user agents
set $block_user_agents 0;
@@ -324,10 +270,6 @@ if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
set $block_methods 1;
}
if ($request_method ~ "^(PUT|DELETE)$") {
set $block_methods 1;
}
if ($block_methods = 1) {
return 405;
}
@@ -403,49 +345,3 @@ if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
if ($block_protocol = 1) {
return 400;
}
## Block common vulnerability scanners
set $block_scanners 0;
if ($request_uri ~ "(wp-admin|wp-login|wp-content|wp-includes|xmlrpc\.php)") {
set $block_scanners 1;
}
if ($request_uri ~ "(phpmyadmin|pma|mysql|admin|administrator|manager)") {
set $block_scanners 1;
}
if ($request_uri ~ "(\.php|\.asp|\.aspx|\.jsp|\.cgi)$") {
set $block_scanners 1;
}
if ($request_uri ~ "(config|backup|log|tmp|temp|cache)") {
set $block_scanners 1;
}
# Common paths used by vulnerability scanners
if ($request_uri ~ "(robots\.txt|sitemap\.xml|\.well-known|\.git|\.svn|\.env)") {
set $block_scanners 1;
}
if ($block_scanners = 1) {
return 404;
}
## Rate limiting marker (basic implementation)
set $block_rate_limit 0;
# This requires additional nginx modules for proper rate limiting
# but we set the variable for potential future use
if ($remote_addr ~ "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)") {
set $block_rate_limit 0;
}
# Block requests from suspicious countries (placeholder for GeoIP)
# if ($geoip_country_code ~ "^(CN|RU|KP|IR)$") {
# set $block_rate_limit 1;
# }
if ($block_rate_limit = 1) {
return 429;
}
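Review bot: Dropping the whole scanner block also drops the one low-false-positive rule in it, the `\.git|\.svn|\.env` match on the last `$block_scanners` condition, so after this hunk a request for `/.env` or `/.git/config` is no longer rejected by this ruleset unless the enclosing server block denies dotfiles elsewhere. The rest of the block was indeed overly broad (`admin|config|log|cache` unanchored, `\.well-known` breaking ACME challenges, `robots\.txt`), so removing it is right; the narrow case is worth keeping as a single anchored rule in place of the old `$block_scanners` variable dance, e.g. `if ($request_uri ~ "/\.(git|svn|env)(/|$)") { return 404; }`. The rate-limit block removal is fine as-is: `$block_rate_limit` was only ever set to 0, so the `return 429` was unreachable and nothing is lost. The surrounding `$block_protocol` logic starts before this hunk.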