Caddy: blocked IP ranges involved in botnets. Thanks to return42

README.md

@@ -14,7 +14,7 @@ They are deployed with [Compose files](templates/compose) and load balanced acco
 
 ## Configurations
 
-Our caddy server blocks IP ranges that have been involved in mass spams. The [block range file](https://github.com/ProjectSegfault/ansible/blob/master/privfrontends/blocked-ranges.yaml) is created by [ProjectSegfault](https://projectsegfau.lt/). Thanks to their team.
+Our caddy server blocks IP ranges that have been involved in mass spams or botnets. The [mass spam block range file](https://github.com/ProjectSegfault/ansible/blob/master/privfrontends/blocked-ranges.yaml) is created by [ProjectSegfault](https://projectsegfau.lt/). The [botnet block range file](https://raw.githubusercontent.com/return42/sandbox/main/data/searxng/ipv4_botnet.lst) is created by [return42](https://github.com/return42). Thanks to their team.
 
 Data of our Privatebin, Etherpad, and Gitea instances are backed up periodically.
 

config-tasks/caddy.yaml

@@ -33,6 +33,13 @@
       set_fact:
         blocked_ranges: "{{ result.stdout | from_yaml }}"
 
+# ----------------------------------------------------------------------------------------------------
+
+    - name: Parse IP block range file by return42
+      set_fact:
+        botnet_ranges: "{{ lookup('url', 'https://raw.githubusercontent.com/return42/sandbox/main/data/searxng/ipv4_botnet.lst') | regex_replace(',', ' ') | trim }}"
+      delegate_to: "{{ control_host }}"
+
 # ----------------------------------------------------------------------------------------------------
 
     - name: Set up Caddyfile

templates/conf/Caddyfile.j2

@@ -94,8 +94,12 @@
 	}
 
 	# IP block range by ProjectSegfault
-	@denied client_ip {{ blocked_ranges }}
+	@spam client_ip {{ blocked_ranges }}
-	respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+	respond @spam "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+
+	# IP block range by return42
+	@botnet client_ip {{ botnet_ranges }}
+	respond @botnet "Unfortunately, your IP is part of a range that has been involved in a botnet to our servers. If you think our action was a mistake, please email us." 403
 
 }
 

templates/conf/replace-hosts.yml.j2

@@ -1,7 +1,7 @@
 '(.*\.)?music.youtube\.com$': 'beatbump.io'
-'(.*\.)?youtube\.com$': 'invidious.fdn.fr'
+#'(.*\.)?youtube\.com$': 'invidious.fdn.fr'
-'(.*\.)?youtu\.be$': 'invidious.fdn.fr'
+#'(.*\.)?youtu\.be$': 'invidious.fdn.fr'
-'(.*\.)?youtube-noocookie\.com$': 'invidious.fdn.fr'
+#'(.*\.)?youtube-noocookie\.com$': 'invidious.fdn.fr'
 #'(.*\.)?reddit\.com$': 'redlib.pussthecat.org'
 #'(.*\.)?redd\.it$': 'redlib.pussthecat.org'
 '(.*\.)?reddit\.com$': 'redlib.seasi.dev'

vars/services.yaml

@@ -1,22 +1,10 @@
-compose:
-  oracle1:
-    - searxng
-  oracle2:
-    - searxng
-  oracle3:
-    - searxng
-  oracle4:
-    - searxng
-
 config:
-  oracle1:
-    - searxng
-  oracle2:
-    - searxng
-  oracle3:
-    - searxng
   oracle4:
-    - searxng
+    - caddy
+
+compose:
+  oracle4:
+    - caddy
 
 # ----------------------------------------------------------------------------------------------------