How to drop requests with an empty user agent?

CubeCoders · March 22, 2023, 4:38pm

I’m getting a lot of bad bots/crawlers hitting my Discourse site with an empty user agent. Normally I’d edit the nginx configuration to do this, but this isn’t accessible when using the Docker installation method. I don’t really want to add an extra RP just for this if I can avoid it.

pfaffman · March 22, 2023, 11:27pm

You can look at discourse_docker/web.ratelimited.template.yml at main · discourse/discourse_docker · GitHub as an example of how to modify the nginx config inside the container.

CubeCoders · March 26, 2023, 11:53am

For anyone else wanting to do this specifically, I created /var/discourse/templates/web.blockemptyua.yml with the following contents:

run:
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /listen 443 ssl http2;/
     to: |
       listen 443 ssl http2;
       if ($http_user_agent = "") { return 403; }

Then in /var/discourse/containers/app.yml I added this new template file to the end of the list of templates at the top of the file, followed by ./launcher rebuild app

Nginx now rejects all requests with an empty UA.

Edit: Changed the match/replace to be in a better place.

Jagster · March 26, 2023, 12:50pm

I don’t know docker, so just to be on safe side, because I’ll be nervous everytime I see replace anywhere…

This isn’t replacing totally content of discourse.conf but adding that, is it?

CubeCoders · March 26, 2023, 1:46pm

It’s replacing a line within the file. So it finds the first instance of:

listen 443 ssl http2;

And replaces it with

listen 443 ssl http2;
if ($http_user_agent = "") { return 403; }

So that we’re just adding a new line to the file in the correct place. None of the rest of the file is touched. It uses the same mechanism as the official templates to patch the file safely.

Jagster · March 26, 2023, 9:49pm

As I said earlier I don’t know docker. I’m just poor end user with PhD of copy&paste.

That’s why one notice to future searchers:

web.blockemptyua.yml can’t be very first one of declared templates. More precisely it has to come after web.template.yml (of perhaps even after every web.* templates).

Order has meaning here I reckon and if I/we are trying to work with it as first one rebuilding/bootstrapping stops with error because there isn’t any /etc/nginx/conf.d/discourse.conf at that moment.

Well, every day something new

CubeCoders · March 27, 2023, 11:05am

Indeed, it does need to go at the end. I’ve edited my post to include that

system · April 26, 2023, 11:05am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Centminmod + discourse Installation	3	821	August 25, 2022
Discourse headless? Installation	6	1626	February 7, 2020
Best practices for customizing deployment Installation	2	353	December 30, 2023
301 redirect not working after editing app.yml file and rebuilding the app Installation	1	408	February 1, 2021
Cannot disable ssl with discourse-setup (initial simple docker) Installation docker	3	647	June 17, 2022

How to drop requests with an empty user agent?

Related Topics