From 5fdb1a9f7bd0f58c02cf37f62608ab5a60bb9219 Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 11 Mar 2023 20:20:42 +0100
Subject: [PATCH] Add bad bot block list

---
 README.md | 9 +++++++++
 defaults/main.yaml | 2 ++
 tasks/configure.yml | 5 +++++
 templates/bad_bots.conf.j2 | 8 ++++++++
 4 files changed, 24 insertions(+)
 create mode 100644 templates/bad_bots.conf.j2

diff --git a/README.md b/README.md
index da5c945..117baef 100644
--- a/README.md
+++ b/README.md
@@ -35,3 +35,12 @@ You can also limit the number of [connection](https://docs.nginx.com/nginx/admin
 | Zone name | Filter | Limit |
 |--|--|--|
 | `con_ip_one` | IP address | No default limit |
+
+## Bad Bot Blocker
+
+This roles uses a deny list from the [nginx-ultimate-bad-bot-blocker](https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker) repository.
+
+Include the list in your `server` block with:
+```Shell
+if ($bad_bots = 1) {return 444;}
+```
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 3d1454a..785e788 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1 +1,3 @@
 dhparam_path: /etc/ssl/private/dhparam.pem
+
+bad_user_agents_url: https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/09071c4b8016f7d59b84a3f941035ce1872aaf7a/_generator_lists/bad-user-agents.list
diff --git a/tasks/configure.yml b/tasks/configure.yml
index ecec942..2686eca 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -4,6 +4,10 @@
 path: "{{ dhparam_path }}"
 size: "{{ dhparam_size | default(4096) }}"
 
+- name: "Configuration | Get bad user agents"
+ ansible.builtin.shell: "curl {{ bad_user_agents_url }}"
+ register: bad_user_agents
+
 - name: "Configuration | Copy main configuration"
 ansible.builtin.template:
 src: nginx.conf.j2
@@ -28,6 +32,7 @@
 mode: 0644
 loop:
 - bad_clients.conf
+ - bad_bots.conf
 - reverse_proxy.conf
 - ssl.conf
 notify: reload nginx
diff --git a/templates/bad_bots.conf.j2 b/templates/bad_bots.conf.j2
new file mode 100644
index 0000000..15a1a67
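Review bot: `bad_user_agents_url` in defaults/main.yaml carries no comment saying that the commit hash in the URL is deliberate, and the README hunk does not mention it either. The fetched lines become nginx `map` patterns in templates/bad_bots.conf.j2, so overriding the variable with a branch URL would let upstream changes reach the server configuration unreviewed. I would add above the variable: `# Pinned to an upstream commit; review the list diff before bumping, do not point this at a branch.`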
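Review bot: In the first tasks/configure.yml hunk, the new "Get bad user agents" task runs `curl` through `ansible.builtin.shell` with the URL templated unquoted into the command line and without `--fail`, so shell metacharacters in an overridden `bad_user_agents_url` are interpreted by the shell, and an HTTP error page is registered as if it were the list. The task also reports changed on every run. Suggested: `ansible.builtin.command: curl --fail --silent --show-error {{ bad_user_agents_url }}` together with `changed_when: false`, which keeps `stdout_lines` available for the template. `ansible.builtin.uri` with `return_content: true` would drop the dependency on curl being installed on the host, but the template would then have to read `content` instead of `stdout_lines`.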
--- /dev/null
+++ b/templates/bad_bots.conf.j2
@@ -0,0 +1,8 @@
+# Manages by Ansible
+
+map $http_user_agent $bad_bots {
+ default 0;
+{% for user_agent in bad_user_agents.stdout_lines %}
+ "~*{{ user_agent }}" 1;
+{% endfor %}
+}
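Review bot: In templates/bad_bots.conf.j2 the line `"~*{{ user_agent }}" 1;` writes every fetched line verbatim into a double-quoted nginx regex, so downloaded content is trusted as configuration syntax. A line containing `"` or ending in a backslash breaks the quoting, so the remainder is parsed as configuration, and a blank line would produce `"~*" 1;`, which most likely matches every User-Agent. Dropping empty entries with `{% for user_agent in bad_user_agents.stdout_lines | map('trim') | select %}` and rejecting or escaping lines that contain `"` before rendering would contain both cases. Each entry is also an unanchored, case-insensitive pattern, so short entries can match legitimate clients; whether that is intended is not visible from this hunk.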