From 7aa4f415f5f90bcbd6b4225454ac93975a4b38ce Mon Sep 17 00:00:00 2001
From: Opnxng
Date: Thu, 30 May 2024 23:29:39 +0800
Subject: [PATCH] Caddy: blocked IP ranges involved in spam. Thanks to ProjectSegfault
---
 README.md | 4 +++-
 config-tasks/caddy.yaml | 25 ++++++++++++++++++++++++-
 templates/conf/Caddyfile.j2 | 10 ++++++++++
 vars/services.yaml | 14 ++++++--------
 4 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 2eaa2ee..42ebfff 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,9 @@ They are deployed with [Compose files](templates/compose) and load balanced acco
 ## Configurations
-Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
+Our caddy server blocks IP ranges that have been involved in mass spams. The [block range file](https://github.com/ProjectSegfault/ansible/blob/master/privfrontends/blocked-ranges.yaml) is created by [ProjectSegfault](https://projectsegfau.lt/). Thanks to their team.
+
+Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2). It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
 Data of our Privatebin, Etherpad, and Gitea instances are backed up periodically.
diff --git a/config-tasks/caddy.yaml b/config-tasks/caddy.yaml
index 1175abf..db2b091 100644
--- a/config-tasks/caddy.yaml
+++ b/config-tasks/caddy.yaml
@@ -10,6 +10,29 @@
 - not geolite.stat.exists
 tags: never
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Install yq on control host
+ apt:
+ name:
+ - yq
+ state: latest
+ install_recommends: false
+ delegate_to: "{{ control_host }}"
+
+ - name: Curl IP block range file by ProjectSegfault
+ command: curl --output /tmp/blocked-ranges.yaml https://raw.githubusercontent.com/ProjectSegfault/ansible/master/privfrontends/blocked-ranges.yaml
+ delegate_to: "{{ control_host }}"
+
+ - name: Read IP block range file by ProjectSegfault
+ ansible.builtin.shell: "yq -e '.blocked_ranges' /tmp/blocked-ranges.yaml"
+ register: result
+ delegate_to: "{{ control_host }}"
+
+ - name: Parse IP block range file by ProjectSegfault
+ set_fact:
+ blocked_ranges: "{{ result.stdout | from_yaml }}"
+
 # ----------------------------------------------------------------------------------------------------
 - name: Set up Caddyfile
@@ -18,4 +41,4 @@
 dest: "{{ docker_dir }}/caddy/Caddyfile"
 owner: 1000
 group: 1000
- mode: 0755
\ No newline at end of file
+ mode: 0755
diff --git a/templates/conf/Caddyfile.j2 b/templates/conf/Caddyfile.j2
index 6c3b5b4..6c0048c 100755
--- a/templates/conf/Caddyfile.j2
+++ b/templates/conf/Caddyfile.j2
@@ -92,6 +92,11 @@
 header_up X-Forwarded-Proto {http.request.scheme}
 }
 }
+
+ # IP block range by ProjectSegfault
+ @denied client_ip {{ blocked_ranges }}
+ respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+
 }
 # ----------------------------------------------------------------------------------------------------
@@ -100,6 +105,7 @@ *.{$HOSTNAME} {
+ log { output discard }
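Review bot: The "Curl IP block range file" and "Parse IP block range file" tasks pull an unpinned file from a third-party `master` branch and drop its contents verbatim into the Caddyfile through `{{ blocked_ranges }}`, so any token in that list that is not an IP or CIDR becomes Caddy configuration on every proxied host; pin the URL to a commit and validate the entries before they are templated. The `command: curl` call also has no `--fail`, reports "changed" on every run, and needs a `yq` install plus a shell task that `ansible.builtin.get_url` and `from_yaml` make unnecessary; the rewrite below does that, assuming `control_host` is the machine running ansible (the `file` lookup runs there), and `apt: state: latest` on that host would then go away too. Treat the fixed `/tmp/blocked-ranges.yaml` path and world-readable mode as a constructed example to adjust to your layout.
```yaml
  - name: Fetch IP block range file by ProjectSegfault
    ansible.builtin.get_url:
      # TODO: pin to a commit instead of master so an upstream change is a deliberate update here
      url: https://raw.githubusercontent.com/ProjectSegfault/ansible/master/privfrontends/blocked-ranges.yaml
      dest: /tmp/blocked-ranges.yaml
      mode: "0644"
    delegate_to: "{{ control_host }}"

  - name: Parse IP block range file by ProjectSegfault
    ansible.builtin.set_fact:
      blocked_ranges: "{{ (lookup('ansible.builtin.file', '/tmp/blocked-ranges.yaml') | from_yaml).blocked_ranges }}"

  - name: Refuse block list entries that are not plain IP/CIDR tokens
    ansible.builtin.assert:
      that:
        - blocked_ranges | length > 0
        - blocked_ranges | reject('match', '^[0-9a-fA-F:.]+(/[0-9]+)?$') | list | length == 0
      fail_msg: "blocked-ranges.yaml contains entries that are not IP addresses or CIDR ranges"

# … unchanged: Set up Caddyfile task …
```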
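Review bot: `@denied client_ip {{ blocked_ranges }}` will not adapt if `blocked_ranges` is a list, which is what `from_yaml` yields for a YAML sequence: Jinja renders it as a Python-style literal (`['a/24', 'b/24']`) whose bracketed, comma-terminated tokens are not valid CIDRs for `client_ip`; use `@denied client_ip {{ blocked_ranges | join(' ') }}` here and in the second copy at `@@ -121,6 +127,10 @@`. Separately, Caddy orders `respond` after `handle` regardless of file position, so if the `reverse_proxy` above sits inside `handle` blocks (their closing braces are the context lines here) a blocked client matching one of them may be proxied before the 403 is ever considered; check the adapted JSON with `caddy adapt` and, if so, wrap the deny in its own `handle @denied { respond ... 403 }` so it competes at the same stage. The enclosing site block starts outside the hunk.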
@@ -121,6 +127,10 @@
 -Server
 }
+ # IP block range by ProjectSegfault
+ @denied client_ip {{ blocked_ranges }}
+ respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+
 @about host about.{$HOSTNAME}
 handle @about {
 root * /www
diff --git a/vars/services.yaml b/vars/services.yaml
index a226c75..61c69ac 100644
--- a/vars/services.yaml
+++ b/vars/services.yaml
@@ -1,12 +1,10 @@
-compose:
- oracle1:
- - redlib
- oracle2:
- - redlib
- oracle3:
- - redlib
+config:
 oracle4:
- - redlib
+ - caddy
+
+compose:
+ oracle4:
+ - caddy
 # ----------------------------------------------------------------------------------------------------
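Review bot: The `vars/services.yaml` hunk removes the `redlib` compose entries for `oracle1`, `oracle2` and `oracle3` and leaves only `caddy` on `oracle4`, which the commit title ("blocked IP ranges involved in spam") does not mention; if dropping those deployments is intentional it should be stated in the message or split into its own commit, since a reader of the ban-list change would not expect service assignments to change here. If it is instead a local working-state edit that slipped in, the three removed host entries need restoring before merge.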