NGINX Allow/Deny based on IP & User Agent combination

Question

I have a question regarding the allow/deny rule for NGINX based on User Agent+IP.

I currently have the following in my nginx.conf to permit all Internet connections based on a certain User Agent Value of "iOS".

server { 
    proxy_set_header    Proxy-Connection "";

    listen      *:8443;
    server_name  myserver.com;

    if ($http_user_agent !~* (ELB|ios)) {
        return 403;
    }

    location / {
        proxy_http_version  1.1;
        proxy_pass        https://myserver;
        proxy_set_header Connection "upgrade";
    }
}

I wanted to permit access to the following combination of:

• Any "IP" + "UserAgent" value of 'iOS'

or

• IP Subnet 192.168.2.0/24 + "UserAgent" value of 'chrome'

Thanks in advance.

Answer 1

Any "IP" + "UserAgent" value of 'iOS'

So all you need to do is deny by default allow any UserAgent that is iOS.

IP Subnet 192.168.2.0/24 + "UserAgent" value of 'chrome'

What you are trying to do in this case if create a compound if in Nginx.

Jrom on GitHub has created a script to do that.

https://gist.github.com/jrom/1760790

If we create a script using Jrom's as an example use some implement a process posted by kolbyjack, we can make what you are looking for.

set $test  DENIED;

geo $good_user {
  default 0;
  192.168.2.0/24 1;
}

if ($http_user_agent ~* (ELB|ios)) { 
  set $test  ALLOWED; 
} 

if ($good_user) { 
  set $test  DE; 
} 

if ($http_user_agent ~* (chrome)) { 
  set $test  "${test}V"; 
} 

if ($test = ALLOWED) { 
  proxy_pass https://myserver; 
  break; 
} 

if ($test = DEV) { 
  proxy_pass https://myserver; 
  break; 
} 

if ($test = DE) {
return 403;
}

if ($test = V) {
return 403;
}

if ($test = DENIED) {
return 403;
}

Answer 2

use this and input your maindomain level server block of nginx conf.

###
# BLOCK USER AGENTS
###

set $block_user_agents 0;

if ($http_user_agent ~ "Screaming Frog SEO Spider") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Indy Library") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "libwww-perl") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "dirbuster") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "nikto") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "SF") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "sqlmap") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "fimap") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "nessus") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "whatweb") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Openvas") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "jbrofuzz") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "libwhisker") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "webshag") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Acunetix-Product") {
    set $block_user_agents 1;
}
if ($http_user_agent ~ "Acunetix") {
    set $block_user_agents 1;
}
if ($block_user_agents = 1) {
    return 403;
}