From 1045ccf592c86bf38e938b607c23235480e6aa07 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Sun, 21 Jan 2024 23:37:59 +0100
Subject: [PATCH] remove nginx perl module & block ai bots
Signed-off-by: Zoey
---
 Dockerfile | 3 +--
 rootfs/usr/local/bin/entrypoint.sh | 2 +-
 rootfs/usr/local/bin/start.sh | 4 ++--
 .../conf/conf.d/include/block-exploits.conf | 20 +++++++++++++++++++
 4 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c820ae75..a70c7f51 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,7 +48,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
 sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
 sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:241
+FROM zoeyvid/nginx-quic:243
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 ARG CRS_VER=v4.0/dev
@@ -91,7 +91,6 @@ RUN ln -s /usr/local/bin/acmesh/acme.sh /usr/local/bin/acme.sh && \
 ENV NODE_ENV=production \
 NODE_CONFIG_DIR=/data/etc/npm \
- PATH="/usr/local/certbot/bin:$PATH" \
 DB_SQLITE_FILE=/data/etc/npm/database.sqlite
 ENV PUID=0 \
diff --git a/rootfs/usr/local/bin/entrypoint.sh b/rootfs/usr/local/bin/entrypoint.sh
index dbeb551d..30a6be04 100755
--- a/rootfs/usr/local/bin/entrypoint.sh
+++ b/rootfs/usr/local/bin/entrypoint.sh
@@ -17,4 +17,4 @@ done
 cd /app || exit
-start.sh
+exec start.sh
diff --git a/rootfs/usr/local/bin/start.sh b/rootfs/usr/local/bin/start.sh
index 0b9fa8b1..088c9385 100755
--- a/rootfs/usr/local/bin/start.sh
+++ b/rootfs/usr/local/bin/start.sh
@@ -834,7 +834,7 @@ if [ "$PUID" != "0" ]; then
 sed -i "s|group =.*|;group = root|" /data/php/83/php-fpm.d/www.conf
 fi
 sed -i "s|user root;|#user root;|g" /usr/local/nginx/conf/nginx.conf
- sudo -Eu npm launch.sh
+ exec sudo -Eu npm launch.sh
 else
 chown -R 0:0 /usr/local \
 /data \
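Review bot: In rootfs/usr/local/bin/start.sh (hunk at line 834), the privilege drop `exec sudo -Eu npm launch.sh` keeps `-E`, so the unprivileged `npm` user inherits root's entire environment, including any variables that were only meant for the root-side setup earlier in the script. If launch.sh needs a known set of variables, pass them by name instead, for example `exec sudo --preserve-env=NODE_ENV,NODE_CONFIG_DIR,DB_SQLITE_FILE -u npm launch.sh`; the list must be completed from what launch.sh actually reads, which is not visible on this page. The three new `exec` calls (here, in entrypoint.sh and in the root branch at line 853) are not mentioned in the commit message, so a short comment such as `# exec: hand the process slot to launch.sh so container stop signals reach it` would record why they are there. The enclosing `if`/`else` starts above this hunk and continues below it.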
@@ -853,5 +853,5 @@ else
 sed -i "s|;group =.*|group = root|" /data/php/83/php-fpm.d/www.conf
 fi
 sed -i "s|#user root;|user root;|g" /usr/local/nginx/conf/nginx.conf
- launch.sh
+ exec launch.sh
 fi
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
index d139368d..09019997 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
@@ -16,6 +16,10 @@ if ($query_string ~ "[a-zA-Z0-9_]=http://") {
 return 403;
 }
+if ($query_string ~ "[a-zA-Z0-9_]=https://") {
+ return 403;
+}
+
 if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
 return 403;
 }
@@ -48,3 +52,19 @@ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
 if ($query_string ~ "base64_(en|de)code\(.*\)") {
 return 403;
 }
+
+if ($http_user_agent ~ "Google-Extended") {
+ return 403;
+}
+
+if ($http_user_agent ~ "GPTBot") {
+ return 403;
+}
+
+if ($http_user_agent ~ "ChatGPT-User") {
+ return 403;
+}
+
+if ($http_user_agent ~ "CCBot") {
+ return 403;
+}
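Review bot: The added `if ($query_string ~ "[a-zA-Z0-9_]=https://")` rule in block-exploits.conf (hunk at line 16) returns 403 for every request that carries an absolute HTTPS URL as a parameter value. OAuth/OIDC `redirect_uri`, SSO return URLs and many share or webhook links are written exactly that way, so proxied applications that use them will start failing for legitimate users. The rule is also a literal, case-sensitive match on the undecoded `$query_string`, so it should not be counted as protection against remote-include or SSRF-style parameters; that validation belongs in the application. If the rule stays, fold it into the existing one as `if ($query_string ~* "[a-zA-Z0-9_]=https?://")` and add a comment naming the known false positives, so operators know when to drop this include for a host.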
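Review bot: The `Google-Extended` match in the hunk at line 48 of block-exploits.conf will most likely never fire, because Google documents Google-Extended as a robots.txt product token with no User-Agent string of its own; that opt-out has to be expressed in robots.txt rather than here. The other three tokens are matched against a client-supplied header, so the block is a policy signal for crawlers that identify themselves rather than an access control, and it lives in a file whose name suggests exploit filtering. A comment above it such as `# AI crawler opt-out by User-Agent; advisory only, the header is client-controlled` would make that clear. The separate blocks can also be one rule that is easier to extend, `if ($http_user_agent ~ "(GPTBot|ChatGPT-User|CCBot)") { return 403; }`.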