nginx-ultimate-bad-bot-blocker
Block $bad_uri_words prototype
I have created a new rule to block some injection attempts by testing the incoming $request_uri.
I don't know how to correctly add these changes to the repo :(
Maybe it is worth adding a similar rule based on $uri, which is a normalized version of $request_uri.
Thank you for raising your pull request. Please make sure you have followed our contributing guidelines. We will review it as soon as possible.
Thanks for your PR @duzun. Introducing a new include and mapping can and will break many installations out there who update and have a missing include file. Multiple include files were added from the beginning to allow such customization. Your best approach is to add this to your /bots.d/bad-referrer-words.conf include file as follows.
"~*(?:\b)phpunit(?:\b)" 1;
"~*(?:\b)eval-stdin(?:\b)" 1;
This will work instead of having a complex regex.
I get your point.
But with the current configuration, there is no way to catch the spam words in the $request_uri, and the $http_referer is not enough.
Maybe it makes sense to add the new rule using the existing files, like bots.d/bad-referrer-words.conf?
Users who do not update their bots.d/blockbots.conf would not use the new rule, but it would not break either.
ah ok I get you, I'll have to think about how we could do this without breaking anything. Using the existing include files could work.
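Added example, not part of the thread or the project's code: a Python check of how the two patterns quoted above behave when matched against the raw $request_uri versus a normalized $uri, the distinction raised in the first comment. The helper approx_uri is only an approximation of nginx's normalization, and the sample requests are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# The two patterns quoted in the thread; nginx "~*" means case-insensitive regex.
PATTERNS = [r"(?:\b)phpunit(?:\b)", r"(?:\b)eval-stdin(?:\b)"]
COMPILED = [re.compile(p, re.IGNORECASE) for p in PATTERNS]


def map_lookup(value: str) -> int:
    """Mimic an nginx map with `default 0;` and each pattern mapped to 1."""
    return 1 if any(rx.search(value) for rx in COMPILED) else 0


def approx_uri(request_uri: str) -> str:
    """Approximate nginx $uri (assumption, not nginx's own code): drop the
    query string, percent-decode, merge slashes, resolve '.' and '..'."""
    path = unquote(request_uri.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path)


def check(request_uri: str) -> tuple:
    """Return (match on raw $request_uri, match on approximated $uri)."""
    return map_lookup(request_uri), map_lookup(approx_uri(request_uri))


# Constructed sample requests, not taken from real logs.
SAMPLES = [
    "/vendor/phpunit/eval-stdin.php",  # both variables match
    "/index.php?page=phpunit",         # word only in the query string: $uri misses it
    "/vendor/php%75nit/x.php",         # percent-encoded: raw $request_uri misses it
    "/docs/phpunits-guide.html",       # \b prevents a match inside a longer word
    "/blog/PHPUnit-tips",              # legitimate page that would also be blocked
]

if __name__ == "__main__":
    for uri in SAMPLES:
        raw, norm = check(uri)
        print(f"request_uri={raw} uri={norm}  {uri}")
```

The second and third samples show why the two variables complement each other, and the last one shows the false-positive cost of word-based matching on paths.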