add config + utilities + instructions for `nginx`-level domain blocks

3 files changed, 90 insertions, 0 deletions

diff --git a/dist/nginx-blocklist-cron.sh b/dist/nginx-blocklist-cron.sh
new file mode 100755
index 000000000..b37963670
--- /dev/null
+++ b/dist/nginx-blocklist-cron.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# to use this you need to set JANITOR_BLOCKLIST_OUTPUT in your .env.production
+# ex:
+#   JANITOR_BLOCKLIST_OUTPUT='/var/lib/mastodon/conf/blocklist.txt'
+# remember to adjust these paths to match your setup!
+
+# path to nginx conf file to store generated map
+export NGINX_BLOCKED_DOMAINS_CONF="/etc/nginx/conf.d/blocked-domains.conf"
+
+# path to blocklist generated by JanitorWorker
+export BLOCKED_DOMAINS_FILE="/var/lib/mastodon/conf/blocklist.txt"
+
+# path to nginx-blocklist-generator.sh script
+NGINX_BLOCKLIST_GENERATOR_BIN='/usr/local/bin/nginx-blocklist-generator.sh'
+
+if ! [ $(id -u) = 0 ]; then
+  echo 'This utility requires root privileges.' >&2
+  exit 1
+fi
+
+if [ ! -f "$NGINX_BLOCKLIST_GENERATOR_BIN" ]; then
+  echo "Blocklist generator script not found at '$NGINX_BLOCKLIST_GENERATOR_BIN'." >&2
+  echo 'Check $NGINX_BLOCKLIST_GENERATOR_BIN variable.' >&2
+  exit 1
+fi
+
+if sh "$NGINX_BLOCKLIST_GENERATOR_BIN"; then
+  if which service >/dev/null 2>&1; then
+    service nginx reload
+  elif which systemctl >/dev/null 2>&1; then
+    systemctl reload nginx
+  else
+    echo 'This tool only supports reloading nginx with initscripts or systemd.' >&2
+    echo 'Reload nginx for the new blocklist to take effect.' >&2
+  fi
+fi
diff --git a/dist/nginx-blocklist-generator.sh b/dist/nginx-blocklist-generator.sh
new file mode 100755
index 000000000..a2bbded17
--- /dev/null
+++ b/dist/nginx-blocklist-generator.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+if ! [ $(id -u) = 0 ]; then
+  echo 'This utility requires root privileges.' >&2
+  exit 1
+fi
+
+if [ -z "$NGINX_BLOCKED_DOMAINS_CONF" ]
+  NGINX_BLOCKED_DOMAINS_CONF='/etc/nginx/conf.d/blocked-domains.conf'
+fi
+
+if [ -z "$BLOCKED_DOMAINS_FILE" ]; then
+  BLOCKED_DOMAINS_FILE='/var/lib/mastodon/conf/blocklist.txt'
+fi
+
+# does the domain blocks file exist?
+if [ ! -f "$BLOCKED_DOMAINS_FILE" ]; then
+  echo "No blocked domains file exists at '$BLOCKED_DOMAINS_FILE'." >&2
+  exit 1
+fi
+
+# does the domain block map file for nginx exist?
+if [ ! -f "$NGINX_BLOCKED_DOMAINS_CONF" ]; then
+  # try to create the parent directory if needed
+  parent_dir=$(dirname "$NGINX_BLOCKED_DOMAINS_CONF")
+  mkdir -p "$parent_dir"
+
+  # then try to create the file if needed
+  if ! touch -a "$f"
+    echo "Can't create '$NGINX_BLOCKED_DOMAINS_CONF'." >&2
+    echo 'Check $NGINX_BLOCKED_DOMAINS_CONF variable or directory permissions.' >&2
+    exit 1
+  fi
+fi
+
+generate_map () {
+  echo '# to use, include the following in the "server" block of your nginx conf'
+  echo '# for mastodon **before any "location" blocks**:'
+  echo '#'
+  echo '# if ($blocked_domain = "1") { return 444; }'
+  echo
+  echo 'map $http_user_agent $blocked_domain {'
+  echo '  default 0;'
+  awk '/^[[:word:]]\.[[:word:]][[:word:].]*$/ { gsub("\\.", "\\.", $1); print "  \"~*(?:\\b)"$1"(?:\\b)\" 1;" }' "$BLOCKED_DOMAINS_FILE"
+  echo '}'
+}
+
+generate_map > "$NGINX_BLOCKED_DOMAINS_CONF"
diff --git a/dist/nginx.conf b/dist/nginx.conf
index 7c429bad4..1a14872b4 100644
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@@ -43,6 +43,11 @@ server {
   gzip_http_version 1.1;
   gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
+  # uncommenet to enable blocking suspended domains
+  # use the included nginx-blocklist-generator.sh tool to generate the needed
+  # map
+  # if ($block_domains = '1') { return 444; }
+
   add_header Strict-Transport-Security "max-age=31536000";
 
   location / {