feat: manual ip blocks

justfile

@@ -26,7 +26,7 @@ destroy:
   tofu  destroy
 
 # Create a list of blocked IP ranges. Traffic we don't want.
-ingress-blocked-list:
+update-blocked-list:
   #!/usr/bin/env bash
   GOOGLE_BOT_IPV4=$(curl -s https://raw.githubusercontent.com/lord-alfred/ipranges/main/googlebot/ipv4_merged.txt)
   GOOGLE_BOT_IPV6=$(curl -s https://raw.githubusercontent.com/lord-alfred/ipranges/main/googlebot/ipv6_merged.txt)

root/etc/nginx/nginx.conf

@@ -105,6 +105,7 @@ stream {
     proxy_protocol on;
     include        /etc/nginx/partials/server.conf;
     include        /etc/nginx/partials/blocked.conf;
+    include        /etc/nginx/partials/manual-blocks.conf;
   }
 
   # GIT
@@ -116,6 +117,7 @@ stream {
     proxy_protocol on;
     include        /etc/nginx/partials/server.conf;
     include        /etc/nginx/partials/blocked.conf;
+    include        /etc/nginx/partials/manual-blocks.conf;
   }
 
   # EMAIL
@@ -137,5 +139,6 @@ stream {
     proxy_protocol off; # Configure downstream first.
     include        /etc/nginx/partials/server.conf;
     include        /etc/nginx/partials/blocked.conf;
+    include        /etc/nginx/partials/manual-blocks.conf;
   }
 }

root/etc/nginx/partials/blocked.conf

@@ -21,7 +21,7 @@ deny 185.60.216.0/22;
 deny 185.89.216.0/22;
 deny 191.233.204.224/28;
 deny 192.178.5.0/27;
-deny 192.178.6.0/27;
+deny 192.178.6.0/26;
 deny 196.49.68.0/23;
 deny 199.201.64.0/22;
 deny 199.30.24.0/23;
@@ -46,6 +46,7 @@ deny 2001:4860:4801:80::/61;
 deny 2001:4860:4801:88::/64;
 deny 2001:4860:4801:90::/62;
 deny 2001:4860:4801:94::/64;
+deny 2001:4860:4801:a0::/64;
 deny 2001:4860:4801:c::/64;
 deny 2001:4860:4801:f::/64;
 deny 20.125.163.80/28;

root/etc/nginx/partials/manual-blocks.conf

@@ -0,0 +1,8 @@
+##
+# Manual Block List
+##
+
+# Reason: Too many requests.
+# Date:   2024-11-26
+# Ref:    https://www.abuseipdb.com/check/65.108.110.26
+deny '65.108.110.26/32';