## Block SQL injections
set $block_sql_injections 0;

# Traditional SQL injection patterns
if ($query_string ~ "union.*select.*\(") {
	set $block_sql_injections 1;
}

if ($query_string ~ "union.*all.*select.*") {
	set $block_sql_injections 1;
}

if ($query_string ~ "concat.*\(") {
	set $block_sql_injections 1;
}

# Enhanced SQL injection patterns
if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") {
	set $block_sql_injections 1;
}

if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") {
	set $block_sql_injections 1;
}

if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") {
	set $block_sql_injections 1;
}

if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") {
	set $block_sql_injections 1;
}

if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") {
	set $block_sql_injections 1;
}

# NoSQL injection patterns (MongoDB, CouchDB, etc.)
if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") {
	set $block_sql_injections 1;
}

if ($query_string ~ "javascript:|constructor|prototype|__proto__") {
	set $block_sql_injections 1;
}

if ($block_sql_injections = 1) {
	return 403;
}

## Block file injections
set $block_file_injections 0;

# Remote file inclusion
if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps)://") {
	set $block_file_injections 1;
}

# Directory traversal - enhanced patterns
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
	set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
	set $block_file_injections 1;
}

# Additional traversal patterns
if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") {
	set $block_file_injections 1;
}

if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") {
	set $block_file_injections 1;
}

# Windows system files
if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") {
	set $block_file_injections 1;
}

# Unix system files
if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
	set $block_file_injections 1;
}

# Null bytes and encoding attacks
if ($query_string ~ "(%00|%0a|%0d|%09|%20$)") {
	set $block_file_injections 1;
}

if ($block_file_injections = 1) {
	return 403;
}

## Block common exploits
set $block_common_exploits 0;

# XSS protection - enhanced patterns
if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") {
	set $block_common_exploits 1;
}

if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") {
	set $block_common_exploits 1;
}

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
	set $block_common_exploits 1;
}

# Enhanced XSS vectors
if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") {
	set $block_common_exploits 1;
}

if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") {
	set $block_common_exploits 1;
}

# PHP globals and superglobals
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
	set $block_common_exploits 1;
}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
	set $block_common_exploits 1;
}

if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") {
	set $block_common_exploits 1;
}

# System information disclosure
if ($query_string ~ "proc/self/environ") {
	set $block_common_exploits 1;
}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
	set $block_common_exploits 1;
}

# Encoding attacks
if ($query_string ~ "base64_(en|de)code\(.*\)") {
	set $block_common_exploits 1;
}

# Command injection patterns
if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") {
	set $block_common_exploits 1;
}

if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") {
	set $block_common_exploits 1;
}

# LDAP injection
if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") {
	set $block_common_exploits 1;
}

# XML/XXE attacks
if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") {
	set $block_common_exploits 1;
}

# Server-side template injection
if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") {
	set $block_common_exploits 1;
}

if ($block_common_exploits = 1) {
	return 403;
}

## Block malicious user agents
set $block_user_agents 0;

# Original user agents
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
	set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools
if ($http_user_agent ~ "libwww-perl") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GetRight") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GetWeb!") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Go!Zilla") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Download Demon") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "Go-Ahead-Got-It") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "TurnitinBot") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "GrabNet") {
	set $block_user_agents 1;
}

# Enhanced malicious bots and tools
if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") {
	set $block_user_agents 1;
}

# Scrapers and harvesters
if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") {
	set $block_user_agents 1;
}

# Suspicious patterns
if ($http_user_agent ~ "^-$|^$|^\.$") {
	set $block_user_agents 1;
}

if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") {
	set $block_user_agents 1;
}

# Common attack frameworks
if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") {
	set $block_user_agents 1;
}

if ($block_user_agents = 1) {
	return 403;
}

## Block suspicious request methods
set $block_methods 0;

if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
	set $block_methods 1;
}

if ($block_methods = 1) {
	return 405;
}

## Block suspicious headers
set $block_headers 0;

if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") {
	set $block_headers 1;
}

if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
	set $block_headers 1;
}

if ($http_cookie ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
	set $block_headers 1;
}

# Block requests with suspicious Host headers
if ($host ~ "[\x00-\x20\x7f-\xff]") {
	set $block_headers 1;
}

if ($block_headers = 1) {
	return 403;
}

## Block excessive request size (basic DoS protection)
set $block_size 0;

if ($content_length ~ "^[0-9]{8,}$") {
	set $block_size 1;
}

if ($block_size = 1) {
	return 413;
}

## Block requests with too many parameters (potential DoS)
set $block_params 0;

if ($args ~ "^([^&]*&){50,}") {
	set $block_params 1;
}

if ($block_params = 1) {
	return 403;
}

## Block protocol attacks
set $block_protocol 0;

# HTTP Request Smuggling patterns
if ($http_transfer_encoding ~ "chunked.*chunked") {
	set $block_protocol 1;
}

if ($http_content_length ~ "^[0-9]+.*[0-9]+$") {
	set $block_protocol 1;
}

# Block requests with null bytes in URI
if ($request_uri ~ "[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]") {
	set $block_protocol 1;
}

# Block requests with control characters
if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
	set $block_protocol 1;
}

if ($block_protocol = 1) {
	return 400;
}