yanistyle/AS_Network_List
1
0
Fork 0
mirror of https://github.com/C24Be/AS_Network_List.git synced 2026-03-25 19:09:48 +03:00
Code Issues Packages Projects Releases Wiki Activity

README, nginx, iptables, vk, mail.ru

Browse Source
This commit is contained in:
C24Be
2025-10-23 12:17:01 +02:00
parent 036bcdfa25
commit c7732b817c
19 changed files with 4839 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

302
blacklists_nginx/README.md Normal file
View File

@@ -0,0 +1,302 @@
# Nginx Blacklist Configurations
Auto-generated nginx configuration files for blocking networks and IP addresses.
## Available Files
### Mixed IPv4/IPv6
- **`blacklist.conf`** - Contains both IPv4 and IPv6 deny rules (809 entries)
### IPv4 Only
- **`blacklist-v4.conf`** - Contains only IPv4 deny rules (806 entries)
### IPv6 Only
- **`blacklist-v6.conf`** - Contains only IPv6 deny rules (3 entries)
## Usage
### Basic Usage
Include the desired configuration file in your nginx `server` or `location` block:
```nginx
server {
listen 80;
server_name example.com;
# Include the blacklist
include /path/to/blacklist.conf;
location / {
# your configuration
}
}
```
### Separate IPv4/IPv6 Files
For more granular control, use separate files:
```nginx
server {
listen 80;
listen [::]:80;
server_name example.com;
# Include both IPv4 and IPv6 blacklists
include /path/to/blacklist-v4.conf;
include /path/to/blacklist-v6.conf;
location / {
# your configuration
}
}
```
### HTTP Block Level
Apply the blacklist globally to all virtual hosts:
```nginx
http {
# Apply blacklist globally
include /path/to/blacklist.conf;
server {
listen 80;
server_name example.com;
# ...
}
server {
listen 80;
server_name another.com;
# ...
}
}
```
### Location Block Level
For selective blocking within specific locations:
```nginx
server {
listen 80;
server_name example.com;
location /admin {
# Apply blacklist only to admin area
include /path/to/blacklist.conf;
# ...
}
location /public {
# Public area without blacklist
# ...
}
}
```
## Testing Configuration
After adding the blacklist, always test your nginx configuration:
```bash
# Test configuration
nginx -t
# Reload nginx if test passes
nginx -s reload
# or
systemctl reload nginx
```
## Custom Response
By default, denied IPs receive a connection drop. To customize the response:
```nginx
server {
listen 80;
server_name example.com;
# Return custom error page
error_page 403 /403.html;
include /path/to/blacklist.conf;
location = /403.html {
root /usr/share/nginx/html;
internal;
}
}
```
Note: For large blacklists, using `deny` directives (as in these files) is more efficient than `if` statements.
## Performance Considerations
- **Deny directives** are processed in order and stop at the first match
- For optimal performance, most frequently matched IPs should be at the top
- Current files are sorted for consistency
- Nginx handles hundreds of deny rules efficiently
- For very large blacklists (10,000+ entries), consider using:
- Nginx GeoIP2 module for geographic blocking
- nftables/iptables at the firewall level for better performance
- Stream module for TCP/UDP level blocking
## Integration Examples
### Docker Deployment
```dockerfile
FROM nginx:alpine
# Copy blacklist
COPY blacklist.conf /etc/nginx/blacklist.conf
# Copy nginx config that includes the blacklist
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
```
### Kubernetes ConfigMap
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-blacklist
data:
blacklist.conf: |
# Include blacklist content here
deny 109.124.119.88/29;
deny 109.124.66.128/30;
# ...
```
### Automated Updates
Set up a cron job to automatically fetch the latest blacklist:
```bash
#!/bin/bash
# /etc/cron.daily/update-nginx-blacklist
# Download latest blacklist
wget -q https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nginx/blacklist.conf \
-O /etc/nginx/blacklist.conf.new
# Test nginx configuration
nginx -t -c /etc/nginx/nginx.conf
# If test passes, reload nginx
if [ $? -eq 0 ]; then
mv /etc/nginx/blacklist.conf.new /etc/nginx/blacklist.conf
systemctl reload nginx
echo "Blacklist updated successfully"
else
rm /etc/nginx/blacklist.conf.new
echo "Nginx config test failed, blacklist not updated"
fi
```
## Logging Blocked Requests
To log denied requests:
```nginx
server {
listen 80;
server_name example.com;
# Custom log format for denied IPs
log_format blocked '$remote_addr - $remote_user [$time_local] '
'"$request" 403 0 '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/blocked.log blocked;
include /path/to/blacklist.conf;
location / {
# your configuration
}
}
```
## Monitoring
Check how many IPs are being blocked:
```bash
# Count deny rules
grep -c "deny" /path/to/blacklist.conf
# Check blocked access logs
tail -f /var/log/nginx/blocked.log
# Count blocked requests today
grep "$(date +%d/%b/%Y)" /var/log/nginx/access.log | grep " 403 " | wc -l
```
## Troubleshooting
### Configuration Test Fails
```bash
# Check syntax
nginx -t
# Check for duplicate includes
grep -r "include.*blacklist" /etc/nginx/
# Verify file permissions
ls -l /path/to/blacklist.conf
```
### Legitimate Users Blocked
Check if their IP is in the blacklist:
```bash
grep "YOUR_IP" /path/to/blacklist.conf
```
Whitelist specific IPs before applying the blacklist:
```nginx
server {
listen 80;
server_name example.com;
# Whitelist before blacklist
allow 192.168.1.100; # Trusted IP
# Then apply blacklist
include /path/to/blacklist.conf;
# Deny all others not explicitly allowed
# deny all; # Optional
}
```
## Automatic Updates
These files are automatically regenerated daily when the blacklists are updated via the GitHub Actions workflow.
## Source
Generated from the blacklist files in the `blacklists/` directory by `blacklists_updater_nginx.sh`.
## See Also
- [IPTables/IPSet Format](../blacklists_iptables/README.md) - For firewall-level blocking
- [Text Format](../blacklists/README.md) - For custom integrations
- [Main Repository](https://github.com/C24Be/AS_Network_List) - Complete documentation