In this tutorial, you will learn how to block bad bots and referrer spam and prevent DDoS attacks on your Nginx web server. To accomplish this, we will use the open-source project Nginx Ultimate Bad Bot and Referrer Blocker.
By the end of this tutorial, your Nginx server will block unwanted user agents, spam referrers, adware, malware, ransomware, and clickjackers.
1. Download Nginx Bad Bot Blocker
To download the Ultimate Bad Bot Blocker, execute the following commands on your system.
sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/install-ngxblocker -O /usr/local/sbin/install-ngxblocker
sudo chmod +x /usr/local/sbin/install-ngxblocker
sudo install-ngxblocker -x
sudo chmod +x /usr/local/sbin/setup-ngxblocker
sudo chmod +x /usr/local/sbin/update-ngxblocker
sudo setup-ngxblocker -x
2. Check Proper Placement of Includes
Sometimes, especially if you have a Let’s Encrypt SSL certificate installed, the setup script above will place the includes incorrectly in your Nginx config file. Make sure that the “Nginx Bad Bot Blocker Includes” come before the first location block in your config files at /etc/nginx/sites-available/.
# configuration of the server
server {
    server_name micro.domains www.micro.domains;
    root /home/microdomains/public/;

    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    location /static {
        alias /home/microdomains/public/static;
    }
    ....
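One way to check this placement without reading each file by eye, as an added example that is not part of the Nginx Bad Bot Blocker project: the hypothetical check_includes function below reports, for every server block in a file, whether both includes come before the first location. It assumes one directive per line, and the sample config it writes is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the project): report, per server block, whether the
# blocker includes precede the first location. Assumes one directive per line.

# check_includes FILE -> prints FILE:LINE: STATUS for each server block and
# returns 1 if any block has an include missing or after its first location.
check_includes() {
    awk '
    function finish(   st) {
        st = "OK"
        if (late) st = "MISPLACED (include after first location)"
        else if (!ddos || !bots) st = "MISSING include"
        if (st != "OK") bad = 1
        printf "%s:%d: %s\n", FILENAME, start, st
        in_srv = 0
    }
    function seen(name) {          # include of bots.d/<name>.conf on this line?
        return line ~ ("^[ \t]*include[ \t][^;]*bots[.]d/" name "[.]conf[ \t]*;")
    }
    {
        line = $0
        sub(/#.*/, "", line)       # ignore comments
        if (!in_srv && line ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; base = depth; start = NR
            loc = ddos = bots = late = 0
        }
        if (in_srv) {
            if (line ~ /^[ \t]*location[ \t]/) loc = 1
            if (seen("ddos") || seen("blockbots")) {
                if (loc) late = 1
                else if (seen("ddos")) ddos = 1
                else bots = 1
            }
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_srv && depth <= base) finish()
    }
    END { if (in_srv) finish(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the includes were placed after the first location block.
tmp=$(mktemp -d)
printf '%s\n' 'server {' \
    '    location /static { alias /srv/static; }' \
    '    include /etc/nginx/bots.d/ddos.conf;' \
    '    include /etc/nginx/bots.d/blockbots.conf;' \
    '}' > "$tmp/bad.conf"
check_includes "$tmp/bad.conf" || echo "fix the include order before reloading nginx"
```

Run it against each file in /etc/nginx/sites-available/; a server block that is only an HTTP-to-HTTPS redirect will be reported as MISSING, which you can ignore if that block is not meant to carry the blocker.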
3. How to Automatically Update Nginx Bad Bot Blocker
Execute the sudo crontab -e command and add the following statement to automatically update the Nginx Bad Bot Blocker every day at 10 PM server time. You can optionally add the -e flag and provide an email address for notifications.
00 22 * * * /usr/local/sbin/update-ngxblocker -e you@example.com
4. Configure Nginx Bad Bot Blocker
The default rules for Nginx Bad Bot Blocker are located at /etc/nginx/conf.d/globalblacklist.conf. Do not edit this file! If you would like to add custom rules, you can do so in one of the following config files at /etc/nginx/bots.d/.
- bad-referrer-words.conf
- blacklist-ips.conf
- blacklist-user-agents.conf
- blockbots.conf
- custom-bad-referrers.conf
- ddos.conf
- whitelist-domains.conf
- whitelist-ips.conf
5. Test it Out
From another IP address, you can execute one of the following curl commands to see if the blocker is working. If you get an empty reply from the server, it is working as expected.
curl -A "Xenu Link Sleuth/1.3.8" -I https://micro.domains
curl -I https://micro.domains -e http://zx6.ru
As a temporary test, you can also blacklist yourself by adding your IP address to /etc/nginx/bots.d/blacklist-ips.conf. After restarting the Nginx server with systemctl restart nginx to apply your changes, you should see an error similar to ERR_EMPTY_RESPONSE when you visit your website.
Here is a full tutorial that will show you how to install and configure the Nginx Bad Bot Blocker in more detail.