
Revision 27 (gstrauss, 2021-03-18 17:13) → Revision 28/29 (gstrauss, 2021-03-18 18:13)

h1. Module mod_access 

 {{>toc}} 

 h2. Description 

The access module (mod_access) denies, or with @url.access-allow@ restricts, access to URLs by comparing the trailing part of the URL path against a configured list. It is typically used to keep editor backup files, include files and whole directory trees from being served.

 h2. Options 

*url.access-allow*
Allow access only to URLs whose path ends with one of the given trailing path names; any other URL is denied. (since 1.4.40)
Default value: empty (no allow-list restriction)

*url.access-deny*
Deny access to URLs whose path ends with any of the given trailing path names.
Default value: empty

Both options are matched against the end of the URL path (not the query string). An entry such as @.inc@ therefore matches @/lib/db.inc@ at any depth, but an entry such as @.git@ only matches a path that ends in @.git@, not @/.git/config@ underneath it; to block a directory tree, combine an empty-string deny entry with a @$HTTP["url"]@ condition as shown under "Directory deny access" below.

 h2. Usage examples 

 *url.access-allow* 
 <pre> 
     url.access-allow = ( ".jpg", ".gif") 
 </pre> 

You will usually want to deny access to all files ending with a tilde (@~@) or @.inc@, because:

# Text editors often leave backup copies with a trailing tilde (for example @index.php~@), and such a copy no longer carries the script extension, so it would be served as a plain static file and expose the script source.
# The @.inc@ extension is often used for include files containing code that is not meant to be requested directly.

 *url.access-deny* 
 <pre> 
     url.access-deny = ( "~", ".inc") 
 </pre> 

*Directory deny access*
An empty string in @url.access-deny@ matches every request, so combined with a @$HTTP["url"]@ condition it denies an entire directory tree. Note that the regex @^/libraries@ also matches @/libraries-old/...@; anchor it as @^/libraries/@ if only that directory is meant.
 <pre> 
     $HTTP["url"] =~ "^/libraries" { 
         url.access-deny = ("") 
     } 
 </pre> 
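To check what an allow/deny list will do before deploying it, the following added Python model (not lighttpd's code, and not from this page) mirrors the documented trailing-path comparison of @url.access-allow@ and @url.access-deny@: an allow list, when non-empty, must match, a deny list must not match, and an empty string matches every path. The sample paths are constructed, and the @case_insensitive@ knob is an assumption modelled on @server.force-lowercase-filenames@; verify the case behaviour on your own build.

```python
"""Offline model of lighttpd mod_access trailing-path matching.

Added example, not lighttpd's own code. It implements the documented
semantics of url.access-allow / url.access-deny so a rule list can be
audited without running lighttpd.
"""


def matches_suffix(path: str, suffix: str, case_insensitive: bool = False) -> bool:
    """True when `suffix` is a trailing part of `path`; "" matches every path."""
    if case_insensitive:
        return path.lower().endswith(suffix.lower())
    return path.endswith(suffix)


def mod_access_decision(path: str, allow=(), deny=(), case_insensitive: bool = False) -> str:
    """Return "allow" or "deny" for a request URL path.

    `path` is the URL path only (no query string), which is what mod_access
    compares. If `allow` is non-empty the path must end with one of its
    entries, and it must not end with any `deny` entry.
    `case_insensitive` is an assumption modelling server.force-lowercase-filenames.
    """
    if allow and not any(matches_suffix(path, s, case_insensitive) for s in allow):
        return "deny"
    if any(matches_suffix(path, s, case_insensitive) for s in deny):
        return "deny"
    return "allow"


def audit(paths, allow=(), deny=(), case_insensitive: bool = False) -> dict:
    """Decision for every path in `paths`, keyed by path."""
    return {p: mod_access_decision(p, allow, deny, case_insensitive) for p in paths}


# Constructed sample: the deny list from this page plus a ".git" entry that
# shows the trailing-match caveat (/.git/config is NOT blocked by ".git").
DENY = ("~", ".inc", ".git")
SAMPLE_PATHS = [
    "/index.html",
    "/index.html~",
    "/lib/db.inc",
    "/.git",
    "/.git/config",
    "/foo.INC",
]

if __name__ == "__main__":
    for p, decision in audit(SAMPLE_PATHS, deny=DENY).items():
        print(f"{decision:5} {p}")
```

The run shows @/.git@ denied but @/.git/config@ allowed, which is why a directory must be blocked with a @$HTTP["url"]@ condition and @url.access-deny = ("")@ rather than with a suffix entry.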

Note: A very large number of conditions is inefficient, because each request is tested against every condition. If you generate conditions from a list, batch the entries into far fewer conditions by joining them with regex alternation, so that each condition carries one large regex. See #3074.

*Deny bots* whose User-Agent is listed in a robots.txt
Sample one-liner to generate the config (it fetches the list over the network; review the generated condition before including it):
 @curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/robots.txt/robots.txt | perl -e 'while (<>) { /User-agent:\s*(.+)/ && push @x, quotemeta($1); } print "\$HTTP[\"user-agent\"] =~ \"\\b(?i:", join("|",@x), ")\\b\" { url.access-deny = (\"\") }\n"'@ 

*Deny lots*
https://github.com/mitchellkrogza
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
The following converts some of the rejections from @globalblacklist.conf@ into lighttpd syntax. Review the output file @rejections@ before adding @include "/path/to/rejections"@ to @lighttpd.conf@. The IP addresses are probably better placed in firewall rules than in web server conditions. Yes, this could be cleaned up rather than left as a huge perl one-liner, but it was a quick response to #3074 that others might find useful, so here is a starting point.

 @curl -s https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/conf.d/globalblacklist.conf | perl -e '$/=undef; $list=<>; while ($list =~ /^# START ([^#]+) ### DO NOT EDIT THIS LINE AT ALL ###$(.*?)# END \1 ### DO NOT EDIT THIS LINE AT ALL ###/gms) { $x{$1} = $2; } push @bad_bots, map { /\(\?:\\b\)(.+?)\(\?:\\b\)/ && $1; } split("\n",$x{"BAD BOTS"}); push @bad_referrers, map { /\(\?:\\b\)(.+?)\(\?:\\b\)/ && $1; } split("\n",$x{"BAD REFERRERS"}); push @bad_ips, map { /\s*(\S+)\s*1;/ && $1; } split("\n",$x{"KNOWN BAD IP ADDRESSES"}); undef @strs; $str=""; foreach (@bad_bots) { $str .= $_."|"; if (length($str) > 32000) { substr($str,-1,1,""); push @strs, $str; $str=""; } } substr($str,-1,1,""); push @strs, $str; print "\$HTTP[\"user-agent\"] =~ \"\\b(?i:$_)\\b\" { url.access-deny = ( \"\" ) }\n\n" foreach (@strs); undef @strs; $str=""; foreach (@bad_referrers) { $str .= $_."|"; if (length($str) > 32000) { substr($str,-1,1,""); push @strs, $str; $str=""; } } substr($str,-1,1,""); push @strs, $str; print "\$HTTP[\"referer\"] =~ \"(?:\\.|^)(?i:$_)\$\" { url.access-deny = ( \"\" ) }\n\n" foreach (@strs); undef @strs; $str=""; foreach (@bad_ips) { $str .= quotemeta($_)."|"; if (length($str) > 32000) { substr($str,-1,1,""); push @strs, $str; $str=""; } } substr($str,-1,1,""); push @strs, $str; print "\$HTTP[\"remote-ip\"] =~ \"^(?:$_)\$\" { url.access-deny = ( \"\" ) }\n\n" foreach (@strs);' > rejections@
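The batching recommended in the note on #3074 above, and performed by the one-liners, can be checked offline. The following added Python example (not the page's perl, and not lighttpd code) takes a constructed list of bad-bot names, escapes each one, joins them into alternations no longer than @max_len@ characters, and emits one @$HTTP["user-agent"]@ condition per batch in the same shape the one-liners produce. It also compiles the same alternations with Python's @re@ so a User-Agent can be tested against the generated rules before they go into @lighttpd.conf@; the bot names and the User-Agent strings are constructed, and the @\b@ / @(?i:...)@ constructs behave the same in PCRE, which lighttpd uses.

```python
"""Batch bad-bot names into a few large lighttpd conditions.

Added example, not lighttpd's code and not the page's perl one-liner.
"""
import re


def batch_alternation(names, max_len: int = 32000) -> list:
    """Escape each name and join them with '|' into alternations of at most
    max_len characters (a name longer than max_len forms a batch on its own)."""
    batches, current, current_len = [], [], 0
    for name in names:
        escaped = re.escape(name)
        added = len(escaped) + (1 if current else 0)  # +1 for the '|' separator
        if current and current_len + added > max_len:
            batches.append("|".join(current))
            current, current_len = [], 0
            added = len(escaped)
        current.append(escaped)
        current_len += added
    if current:
        batches.append("|".join(current))
    return batches


def lighttpd_deny_blocks(names, header: str = '$HTTP["user-agent"]', max_len: int = 32000) -> str:
    """Render one lighttpd condition per batch, each denying every request.
    The config file receives a single backslash before 'b', as the one-liners emit."""
    blocks = [
        f'{header} =~ "\\b(?i:{alt})\\b" {{ url.access-deny = ( "" ) }}'
        for alt in batch_alternation(names, max_len)
    ]
    return "\n\n".join(blocks) + "\n"


def compiled_batches(names, max_len: int = 32000) -> list:
    """The same alternations compiled with Python's re, for offline testing."""
    return [re.compile(rf"\b(?i:{alt})\b") for alt in batch_alternation(names, max_len)]


# Constructed sample list; real lists come from the upstream projects above.
BAD_BOTS = ["AhrefsBot", "MJ12bot", "Bad-Crawler", "SemrushBot", "dot.bot"]


def is_denied(user_agent: str, names=BAD_BOTS, max_len: int = 32000) -> bool:
    """True when the generated conditions would deny this User-Agent."""
    return any(p.search(user_agent) for p in compiled_batches(names, max_len))


if __name__ == "__main__":
    # A small max_len forces several batches so the splitting is visible.
    print(lighttpd_deny_blocks(BAD_BOTS, max_len=20))
    for ua in ["Mozilla/5.0 (compatible; AhrefsBot/7.0)", "curl/8.0"]:
        print("deny " if is_denied(ua) else "allow", ua)
```

Keep the batches well under the size your PCRE build accepts (the one-liners use 32000 characters) and review the escaped names: @re.escape@ in Python and @quotemeta@ in perl both neutralise regex metacharacters in the list, so a dot in a bot name matches a literal dot rather than any character.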