country whitelist/blacklist

2020-11-18 11:21:25 +01:00 · 2020-11-18 11:21:25 +01:00 · fe1d724c9f
parent 0635eb368b
commit fe1d724c9f
6 changed files with 21 additions and 14 deletions
--- a/confs/global/geoip.conf
+++ b/confs/global/geoip.conf
@ -5,6 +5,6 @@ geoip2 /etc/nginx/geoip.mmdb {
 }

 map $geoip2_data_country_code $allowed_country {
-	default yes;
-	%BLOCK_COUNTRY%
+	default %DEFAULT%;
+	%COUNTRY%
 }
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@ -84,8 +84,8 @@ http {
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%

-	# list of blocked country
-	%BLOCK_COUNTRY%
+	# whitelist or blacklist country
+	%USE_COUNTRY%

 	# list of blocked user agents
 	%BLOCK_USER_AGENT%
--- a/confs/site/server.conf
+++ b/confs/site/server.conf
@ -23,7 +23,7 @@ server {
 	%CONTENT_SECURITY_POLICY%
 	%REFERRER_POLICY%
 	%FEATURE_POLICY%
-	%BLOCK_COUNTRY%
+	%USE_COUNTRY%
 	%BLOCK_USER_AGENT%
 	%BLOCK_TOR_EXIT_NODE%
 	%BLOCK_PROXIES%
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -42,7 +42,8 @@ FEATURE_POLICY="${FEATURE_POLICY-accelerometer 'none'; ambient-light-sensor 'non
 DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER-no}"
 SERVER_NAME="${SERVER_NAME-www.bunkerity.com}"
 ALLOWED_METHODS="${ALLOWED_METHODS-GET|POST|HEAD}"
-BLOCK_COUNTRY="${BLOCK_COUNTRY-}"
+BLACKLIST_COUNTRY="${BLOCK_COUNTRY-}"
+WHITELIST_COUNTRY="${WHITELIST_COUNTRY-}"
 BLOCK_USER_AGENT="${BLOCK_USER_AGENT-yes}"
 BLOCK_TOR_EXIT_NODE="${BLOCK_TOR_EXIT_NODE-yes}"
 BLOCK_PROXIES="${BLOCK_PROXIES-yes}"
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -56,10 +56,16 @@ if [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
        openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/self-signed-ssl/key.pem -out /etc/nginx/self-signed-ssl/cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
 fi

-# country ban
-if [ "$BLOCK_COUNTRY" != "" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
-	replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\\n/g') no;"
+# country ban/whitelist
+if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" "include /etc/nginx/geoip.conf;"
+	if [ "$WHITELIST_COUNTRY" != "" ] ; then
+		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "no"
+		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $WHITELIST_COUNTRY | sed 's/ / yes;\\n/g') yes;"
+	else
+		replace_in_file "/etc/nginx/geoip.conf" "%DEFAULT%" "yes"
+		replace_in_file "/etc/nginx/geoip.conf" "%COUNTRY%" "$(echo $BLACKLIST_COUNTRY | sed 's/ / no;\\n/g') no;"
+	fi
 	echo "0 0 2 * * /opt/scripts/geoip.sh" >> /etc/crontabs/root
 	if [ -f "/cache/geoip.mmdb" ] ; then
 		echo "[*] Copying cached geoip.mmdb ..."
@ -69,7 +75,7 @@ if [ "$BLOCK_COUNTRY" != "" ] ; then
 		/opt/scripts/geoip.sh &
 	fi
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_COUNTRY%" ""
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_COUNTRY%" ""
 fi

 # block bad UA
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -238,10 +238,10 @@ fi
 replace_in_file "${NGINX_PREFIX}server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"

 # country ban
-if [ "$BLOCK_COUNTRY" != "" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;"
+if [ "$BLACKLIST_COUNTRY" != "" ] || [ "$WHITELIST_COUNTRY" != "" ] ; then
+	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" "include ${NGINX_PREFIX}geoip-server.conf;"
 else
-	replace_in_file "${NGINX_PREFIX}server.conf" "%BLOCK_COUNTRY%" ""
+	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_COUNTRY%" ""
 fi

 # block bad UA