
# Enable rate limiting: simultaneous connections per client IP and per server.
# The "perip" and "max_conn_to_server" zones are declared outside this file
# (presumably in the http {} block) — their keys are not visible here.
limit_conn perip 15;
limit_conn max_conn_to_server 150;

#####################################
# Challenge type, presumably read by a later handler (not in this file):
#   0      - no challenge
#   cookie - simple test-cookie challenge, answered with a 307
#   js     - heavier JavaScript challenge, answered with a 503
# Default is "no challenge"; the rules below either escalate it or reset it to 0.
set $challengetype 0;

### DDoS filter
#
# Each section builds a short flag string one letter at a time ("O", then
# "OK", or "OKI") and the final checks compare it with the complete value.
# Setting a flag to "NO" in between acts as a veto: "NO" + "K" never equals
# "OK". Order matters — every `set` runs in file order at the rewrite phase,
# so a veto must appear after the letters it cancels.
# The inputs $blackpost, $jsget, $tcallow, $exjabua, $verifuri, $jabatus,
# $cloudflare_ip, $jabatuswl and $jabatuswlhost are defined outside this
# file (presumably map/geo blocks); their exact semantics are not visible here.
# NOTE(review): $blpost, $jschallenge, $jabnav, $jaburi, $jab and $jabcloud are
# only initialised inside the first `if` of their section; when that condition
# is false, the later "${var}K" reads an unset variable, which nginx logs as
# "using uninitialized variable" (see uninitialized_variable_warn). Adding
# `set $var '';` before each section would silence that without changing
# the outcome.
# `$request_method ~* POST` is a substring regex; `$request_method = POST`
# would be an exact (and cheaper) comparison with the same effect for
# standard methods.

####### Blacklist POST requests: blacklisted source + POST -> 403
if ($blackpost) { set $blpost O; }
if ($request_method ~* POST) { set $blpost "${blpost}K"; }

####### JS challenge on GET: flagged source + GET -> "js" challenge
if ($jsget) { set $jschallenge O; }
if ($request_method ~* GET) { set $jschallenge "${jschallenge}K"; }

####### Browser user-agent, POST request, not whitelisted: verify with the test-cookie challenge
## If outside the allowed countries (presumably what $tcallow encodes)
if ($tcallow) { set $jabnav O; }
## Browser choice — note nearly every UA (bots included) contains "Mozilla"
if ($http_user_agent ~* Mozilla|Firefox|Chrome) { set $jabnav "${jabnav}K"; }
## Browser exceptions (veto: "NO" + "I" never equals "OKI")
if ($exjabua) { set $jabnav NO; }
if ($request_method ~* POST) { set $jabnav "${jabnav}I"; }

####### URI under forced verification
## If outside the allowed countries
if ($tcallow) { set $jaburi O; }
## Browser exceptions
if ($exjabua) { set $jaburi NO; }
if ($verifuri) { set $jaburi "${jaburi}K"; }

####### Potentially malicious client IP: POST from it is challenged
if ($jabatus) { set $jab O; }
## Browser exceptions
if ($exjabua) { set $jab NO; }
if ($request_method ~* POST) { set $jab "${jab}K"; }

####### Request arriving from a Cloudflare IP: POST verification imposed
if ($cloudflare_ip = 1) { set $jabcloud O; }
## Browser exceptions
if ($exjabua) { set $jabcloud NO; }
## Unanchored substring match; presumably the WooCommerce Stripe webhook, which cannot answer a challenge
if ($request_uri ~* wc_stripe) { set $jabcloud NO; }
if ($request_method ~* POST) { set $jabcloud "${jabcloud}K"; }

# Whitelists (per client and per host): veto every flag above
if ($jabatuswl) { set $jab NO; }
if ($jabatuswl) { set $jabnav NO; }
if ($jabatuswl) { set $jaburi NO; }
if ($jabatuswl) { set $jabcloud NO; }
if ($jabatuswl) { set $blpost NO; }
if ($jabatuswl) { set $jschallenge NO; }
if ($jabatuswlhost) { set $jab NO; }
if ($jabatuswlhost) { set $jabnav NO; }
if ($jabatuswlhost) { set $jaburi NO; }
if ($jabatuswlhost) { set $jabcloud NO; }
if ($jabatuswlhost) { set $blpost NO; }
if ($jabatuswlhost) { set $jschallenge NO; }

# Apply the measures. Later assignments win, so a "cookie" rule after the
# "js" rule downgrades the challenge when both match.
if ($blpost = OK) {
    return 403;
}
if ($jschallenge = OK) {
    set $challengetype 'js';
}
if ($jabcloud = OK) {
    set $challengetype 'cookie';
}
if ($jabnav = OKI) {
    set $challengetype 'cookie';
}
if ($jab = OK) {
    set $challengetype 'cookie';
}
if ($jaburi = OK) {
    set $challengetype 'cookie';
}

# IP exception
# NOTE(review): $server_addr is the local address the connection was accepted
# on, not the client's address ($remote_addr). As written this exempts every
# request reaching that listening address; confirm that is what was meant.
if ($server_addr = '109.234.166.187') {
     set $challengetype 0;
}

# Don't block purge requests (cache purge method, never challenged)
if ($request_method  = 'PURGE') {
     set $challengetype 0;
}

# Block abusive hosts / URIs ($abusehost and $abuseuri are defined outside this file)
if ($abusehost) { return 403; }
if ($abuseuri) { return 403; }

# Rate-limit requests with an empty User-Agent
# $limit_empty is presumably the key of the "emptyua" zone (declared
# elsewhere): it is only set for flagged requests, and limit_req does not
# account requests whose key is empty, so only those are throttled.
set $empty_user_agents 0;

if ($http_user_agent = "") {
   set $uavide OK;
}
if ($http_user_agent = "-") {
   set $uavide OK;
}
if ($whitelist) {
   set $uavide NO;
}
if ($uavide = OK) {
   set $empty_user_agents 1;
}
if ($empty_user_agents = 1) {
        set $limit_empty $binary_remote_addr;
        # NOTE(review): `break` stops rewrite-phase processing of the whole
        # enclosing context, not just this block, so for an empty-UA request
        # none of the later `set`/`if`/`return` directives in this file run
        # (forbidden-UA 444, method check, SQL filter, challenge adjustments).
        # Confirm that is intended; limit_req itself is evaluated in a later
        # phase and still applies without the `break`. Same pattern below for
        # $limit_speedbot and $limit_urirate.
        break;
}
limit_req zone=emptyua nodelay;

# Rate-limit bot user-agents ($ualimit defined outside this file)
set $rate_user_agents 0;

if ($ualimit) {
   set $rateua OK;
}
if ($whitelist) {
   set $rateua NO;
}
if ($rateua = OK) {
   set $rate_user_agents 1;
}
if ($rate_user_agents = 1) {
        set $limit_speedbot $binary_remote_addr;
        break;
}
limit_req zone=speedbots burst=2 nodelay;

# Forbidden user-agents ($uadeny defined outside this file): drop the
# connection without a response (444)
set $forbid_user_agents 0;

if ($uadeny) {
   set $forbidua OK;
}
if ($whitelist) {
   set $forbidua NO;
}
if ($forbidua = OK) {
   set $forbid_user_agents 1;
}
if ($forbid_user_agents = 1) {
   return 444;
}

# Rate-limit sensitive URIs (login-style, $verifuri defined outside this file)
# $ratelimit_uri is set here but never read; unlike the sections above, the
# zone key is assigned directly from $urirate.
set $ratelimit_uri 0;

if ($verifuri) {
   set $urirate OK;
}
if ($urirate = OK) {
	set $limit_urirate $binary_remote_addr;
	break;
}
limit_req zone=login burst=2;

##############################

# Any request whose User-Agent contains "jetmon" is answered 200 right here,
# before the remaining rules and without reaching the backend. The
# User-Agent is client-supplied, so this identifies nothing; it only keeps
# the monitor's probes out of the challenge/deny logic below.
if ($http_user_agent ~* jetmon) { return 200; }

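################################

# Hosting-panel virtual hosts are never challenged. The dot is escaped so the
# pattern matches the real subdomain separator rather than any character
# (an unescaped "." also matched hosts such as "cpanelx.example").
if ($host ~ "^(cpanel|webmail|autoconfig|autodiscover|cpcalendars|cpcontacts|webdisk)\."){
	set $challengetype 0;
}

# Never serve the WHM hostname through this vhost: close the connection
# without a response (444). Same escaping fix as above.
if ($host ~ "^whm\."){
	return 444;
}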

# Only accept the usual HTTP methods, except on REST/JSON/API-looking URIs
# (unanchored substring match on $request_uri) where any method passes.
if ($request_uri !~ rest|json|api) { set $incompat O; }
if ($request_method !~ ^(PURGE|GET|HEAD|OPTIONS|POST|PUT|DELETE)$ ) { set $incompat "${incompat}K"; }
# Whitelisted hosts are exempt.
if ($jabatuswlhost) { set $incompat NO; }
if ($incompat = OK) {
   return 444;
}

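### WordPress hardening
# A POST to a .php file under wp-content or wp-includes is forced through the
# cookie challenge. $uri (normalised path, without the query string) is used
# instead of $request_uri: with $request_uri the trailing "$" anchor failed as
# soon as the request carried a query string, so "/wp-content/x.php?a=1" was
# never challenged. The unused capture group was dropped as well.
if ($uri ~* wp-content|wp-includes) { set $wph O; }
if ($uri ~ \.php$) { set $wph "${wph}K"; }
if ($request_method ~* POST) { set $wph "${wph}I"; }

# Whitelisted clients are exempt (veto: "NO" + "I" never equals "OKI").
if ($jabatuswl) { set $wph NO; }

if ($wph = OKI) {
    set $challengetype 'cookie';
}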

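## Block crude SQL-injection probes in the query string
# Heuristic only: it catches the most common "union select" / "concat("
# probes and is no substitute for parameterised queries in the application
# or a real WAF. The match is now case-insensitive (~*): SQL keywords are
# case-insensitive, and the original case-sensitive "~" only matched the
# lower-case spelling. Note that $query_string is the raw, still URL-encoded,
# query string. The redundant trailing ".*" of the second pattern was dropped.
set $block_sql_injections 0;
if ($query_string ~* "union.*select.*\(") {
   set $block_sql_injections 1;
}
if ($query_string ~* "union.*all.*select") {
   set $block_sql_injections 1;
}
if ($query_string ~* "concat.*\(") {
   set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
   return 403;
}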

################################

# AJAX calls cannot complete a JS challenge (presumably the XHR would just
# receive the 503 page), so "js" is downgraded to the cookie challenge when
# X-Requested-With says XMLHttpRequest. The header is client-supplied, so
# this only ever softens the challenge, never removes it.
set $ajaxChallenge '';
if ($http_x_requested_with = "XMLHttpRequest") {
   set $ajaxChallenge 'O';
}
if ($challengetype = "js") {
   set $ajaxChallenge "${ajaxChallenge}K";
}
if ($ajaxChallenge = 'OK') {
   set $challengetype 'cookie';
}
