From caccd81c3eb7954662d20cab10cc3afeeabca615 Mon Sep 17 00:00:00 2001
From: Christian Cleberg <hello@cleberg.net>
Date: Sat, 2 Dec 2023 11:23:08 -0600
Subject: initial commit

---
 blog/2022-11-29-nginx-referrer-ban-list.org | 133 ++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 blog/2022-11-29-nginx-referrer-ban-list.org

(limited to 'blog/2022-11-29-nginx-referrer-ban-list.org')

diff --git a/blog/2022-11-29-nginx-referrer-ban-list.org b/blog/2022-11-29-nginx-referrer-ban-list.org
new file mode 100644
index 0000000..7995106
--- /dev/null
+++ b/blog/2022-11-29-nginx-referrer-ban-list.org
@@ -0,0 +1,133 @@
++++
+date = 2022-11-29
+title = "Creating a Referrer Ban List on Nginx"
+description = "A quick explanation detailing my own way of banning referral domains on Nginx."
++++
+
+## Creating the Ban List
+
+In order to ban list referral domains or websites with Nginx, you need to 
+create a ban list file.
+The file below will accept regexes for different domains or websites you 
+wish to block.
+
+First, create the file in your nginx directory:
+
+```sh
+doas nano /etc/nginx/banlist.conf
+```
+
+Next, paste the following contents in and fill out the regexes with whichever 
+domains you're blocking.
+
+```conf
+# /etc/nginx/banlist.conf
+
+map $http_referer $bad_referer {
+    hostnames;
+
+    default                           0;
+
+    # Put regexes for undesired referrers here
+    "~news.ycombinator.com"           1;
+}
+```
+
+## Configuring Nginx
+
+In order for the ban list to work, Nginx needs to know it exists and how to 
+handle it. For this, edit the `nginx.conf` file.
+
+```sh
+doas nano /etc/nginx/nginx.conf
+```
+
+Within this file, find the `http` block and add your ban list file location to 
+the end of the block.
+
+```conf
+# /etc/nginx/nginx.conf
+
+http {
+  ...
+
+  # Include ban list
+  include /etc/nginx/banlist.conf;
+}
+```
+
+## Enabling the Ban List
+
+Finally, we need to take action when a bad referral site is found. To do so, 
+edit the configuration file for your website. For example, I have all website 
+configuration files in the `http.d` directory. You may have them in the 
+`sites-available` directory on some distributions.
+
+```sh
+doas nano /etc/nginx/http.d/example.com.conf
+```
+
+Within each website's configuration file, edit the `server` blocks that are 
+listening to ports 80 and 443 and create a check for the `$bad_referrer` 
+variable we created in the ban list file.
+
+If a matching site is found, you can return any [HTTP Status 
+Code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes) you want. Code 
+403 (Forbidden) is logical in this case since you are preventing a client 
+connection due to a banned domain.
+
+```conf
+server {
+  ...
+
+  # If a referral site is banned, return an error
+  if ($bad_referer) {
+    return 403;
+  }
+  
+  ...
+}
+```
+
+## Restart Nginx
+
+Lastly, restart Nginx to enable all changes made.
+
+```sh
+doas rc-service nginx restart
+```
+
+## Testing Results
+
+In order to test the results, let's curl the contents of our site. To start, 
+I'll curl the site normally:
+
+```sh
+curl https://0x4b1d.org
+```
+
+The HTML contents of the page come back successfully:
+
+```html
+<!doctype html>...</html>
+```
+
+Next, let's include a banned referrer:
+
+```sh
+curl --referer https://news.ycombinator.com https://0x4b1d.org
+```
+
+This time, I'm met with a 403 Forbidden response page. That means we are 
+successful and any clients being referred from a banned domain will be met 
+with this same response code.
+
+```html
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx</center>
+</body>
+</html>
+```
-- 
cgit v1.2.3-70-g09d2