Skip to content

Instantly share code, notes, and snippets.

@0xdade

0xdade/wildcard_nginx_config.md

Last active June 28, 2020 03:07
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save 0xdade/d6dd7dadba2c48295dde0b3260d072d2 to your computer and use it in GitHub Desktop.
Save 0xdade/d6dd7dadba2c48295dde0b3260d072d2 to your computer and use it in GitHub Desktop.
Download ZIP
Distribute the denial of secrets
Raw
wildcard_nginx_config.md

Distributing the denial of secrets

Twitter made ddosecrets.com a forbidden place. I don't like being forbidden from going places or sharing links to said places.

It's dangerous to go alone, take these:

What do we block?

  • AWS
  • GCP
  • Azure
  • AS24940 (Hetzner)
  • AS13414 (Twitter)
  • AS25046 (Check point)

/etc/nginx/nginx.conf

Get the nginx-cloud-block.conf from my gists. Alternatively you can build your own using 0xdade/sephiroth.

Add the following include line to your /etc/nginx/nginx.conf

http {
[...]
  include /etc/nginx/nginx-cloud-block.conf;
[...]
}

Getting a wildcard cert

Here's a random guide on wildcard certs for certbot. If you already have certbot installed, here's the meat of the process.

certbot certonly --manual --preferred-challenges=dns --agree-tos -d *.exploit.party

/etc/nginx/sites-enabled/yourdomain.conf

Replace exploit.party with your domain. Redirect to whatever you want in the if ($block_ip) block.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ~^(.*)\.exploit\.party$;
    ssl_certificate /etc/letsencrypt/live/exploit.party-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/exploit.party-0001/privkey.pem;
    if ($block_ip) {
        return 302 https://rickrolled.com;
    }
    return https://$1.ddosecrets.com$request_uri;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment