nginx-ultimate-bad-bot-blocker icon indicating copy to clipboard operation
nginx-ultimate-bad-bot-blocker copied to clipboard

Published 20 hours ago verified publisher icon mitchellkrogza

[INSTALLATION] if directive not allowed here

Open imunisasi opened this issue 5 years ago • 7 comments

nginx: [emerg] "if" directive is not allowed here in /etc/nginx/bots.d/blockbots.conf:58 nginx: configuration file /etc/nginx/nginx.conf test failed

Ubuntu 19,04 minimal Nginx 1.16.1

imunisasi avatar Feb 20 '20 03:02 imunisasi

Your includes are in the wrong place. Please post your config.

mitchellkrogza avatar Feb 20 '20 06:02 mitchellkrogza

I also have this issue:

sudo nginx -t nginx: [emerg] "if" directive is not allowed here in /etc/nginx/bots.d/blockbots .conf:58 nginx: configuration file /etc/nginx/nginx.conf test failed

my vhost config is a default one so far and not configured for my site, yet...

  listen 80;
  listen [::]:80;
  server_name _;
  root /usr/share/nginx/html/;


    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
        include /etc/nginx/bots.d/ddos.conf;
        include /etc/nginx/bots.d/blockbots.conf;

  index index.php index.html index.htm index.nginx-debian.html;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

 # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }

  # disable access to hidden files
  location ~ /\.ht {
      access_log off;
      log_not_found off;
      deny all;
  }
}

andrewjs18 avatar May 31 '20 22:05 andrewjs18

also to add, I'm running the following ubuntu & nginx versions:

ubuntu 20.04 nginx version: nginx/1.17.10

andrewjs18 avatar May 31 '20 22:05 andrewjs18

I had this issue as well, and found at least a partial cause: You're inserting content into the wrong place in the config file. You need to not only ignore commented-out lines, you also need to check for multiple server definitions in a single file.

diff of /etc/nginx/sites-available/default 
diff --git a/sites-available/default b/sites-available/default
index d35fb66..f8e356f 100644
--- a/sites-available/default
+++ b/sites-available/default
@@ -96,18 +96,27 @@ server {
 # Virtual Host configuration for example.com
 #
 # You can move that to a different file under sites-available/ and symlink that
 # to sites-enabled/ to enable it.
 #
 #server {
 #      listen 80;
 #      listen [::]:80;
 #
 #      server_name example.com;
 #
+
+
+    ##
+    # Nginx Bad Bot Blocker Includes
+    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
+    ##
+       include /etc/nginx/bots.d/ddos.conf;
+       include /etc/nginx/bots.d/blockbots.conf;
+
 #      root /var/www/example.com;
 #      index index.html;
 #
 #      location / {
 #              try_files $uri $uri/ =404;
 #      }
 #}

In the first case, simply ignoring the commented lines would be good enough.

diff of /etc/nginx/sites-available/files.REMOVED.com 
diff --git a/sites-available/files.REMOVED.com b/sites-available/files.REMOVED.com
index dcf95a6..a65b0c7 100644
--- a/sites-available/files.REMOVED.com
+++ b/sites-available/files.REMOVED.com
@@ -21,122 +21,131 @@
 server {

        # SSL configuration
 	#
 	# listen 443 ssl default_server;
 	# listen [::]:443 ssl default_server;
 	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332
 	#
 	# Read up on ssl_ciphers to ensure a secure configuration.
 	# See: https://bugs.debian.org/765782
 	#
 	# Self signed certs generated by the ssl-cert package
 	# Don't use them in a production server!
 	#
 	# include snippets/snakeoil.conf;
 
 	root /home/efreak/public_html;
 
 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;
 
 	server_name files.REMOVED.com;
 
 	location /files {
 		alias /home/efreak/public_html;
 		client_body_temp_path /var/www/webdav/temp;
 		dav_methods PUT DELETE MKCOL COPY MOVE;
 		dav_ext_methods PROPFIND OPTIONS;
 
 		location ~ \.(zip|rar|7z|tar|tgz|txz|tbz2|gz|xz|bz2)$ {
 			auth_basic "Restricted site.";
 			auth_basic_user_file /home/efreak/webdav-users.passwd;
 		}
 
 		limit_except GET PROPFIND OPTIONS HEAD {
 			auth_basic "Restricted site.";
 			auth_basic_user_file /home/efreak/webdav-users.passwd;
 		}
 
 		create_full_put_path on;
 		dav_access user:rw group:rw all:rw;
 		autoindex on;
 		autoindex_exact_size off;
 	}
 
     location / {
         proxy_pass http://127.0.0.1:8883;
         proxy_pass_request_headers on;
         proxy_set_header        X-Forwarded-Host        $http_host;
 	proxy_set_header X-Forwarded-For $remote_addr;
     }
 	# pass PHP scripts to FastCGI server
 	#
 	#location ~ \.php$ {
 	#	include snippets/fastcgi-php.conf;
 	#
 	#	# With php-fpm (or other unix sockets):
 	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 	#	# With php-cgi (or other tcp sockets):
 	#	fastcgi_pass 127.0.0.1:9000;
 	#}
 
 	# deny access to .htaccess files, if Apache's document root
 	# concurs with nginx's one
 	#
 	#location ~ /\.ht {
 	#	deny all;
 	#}
 
     listen [::]:443 ssl; # managed by Certbot
     listen 443 ssl; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/files.REMOVED.com-0001/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/files.REMOVED.com-0001/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
 
 
 
 
 
 }
 
 
 # Virtual Host configuration for example.com
 #
 # You can move that to a different file under sites-available/ and symlink that
 # to sites-enabled/ to enable it.
 #
 #server {
 #	listen 80;
 #	listen [::]:80;
 #
 #	server_name example.com;
 #
 #	root /var/www/example.com;
 #	index index.html;
 #
 #	location / {
 #		try_files $uri $uri/ =404;
 #	}
 #}
 server {
 	if ($host ~ ^files-web\.REMOVED\.com$) {
 		return 301 https://files.REMOVED.com$request_uri;
 	} # managed by Certbot
 
 
 	listen [::]:443 ssl; # managed by Certbot
 	listen 443 ssl; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/files.REMOVED.com-0001/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/files.REMOVED.com-0001/privkey.pem; # managed by Certbot
 	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
 	server_name files-web.REMOVED.com;
 	return 404; # managed by Certbot
+ 	
+
+    ##
+    # Nginx Bad Bot Blocker Includes
+    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
+    ##
+	include /etc/nginx/bots.d/ddos.conf; 
+ 	include /etc/nginx/bots.d/blockbots.conf;
+ 
 
 
 }

In this second case, there's a second server definition with a redirect to change a subdomain. In this case you need to also check each file for multiple server definitions.

Efreak avatar Sep 08 '20 22:09 Efreak

the code that controls where the includes are inserted is around line 460 of setup-ngxblocker:

line=$(find_includes $MAIN_CONF sendfile last http first '\}' last )

different distributions use different style nginx.conf so it is difficult to cover every use case

itoffshore avatar Sep 09 '20 10:09 itoffshore

Bump @mitchellkrogza

L8X avatar Jan 12 '23 16:01 L8X