# Bot/scanner blocking - injected into every server{} block
# Depends on maps in conf.d/bot-protection.conf

# Block sites under rebuild (ordereats.ca)
if ($site_blocked_for_rebuild) { return 503; }

if ($blocked_ip) { return 444; }
if ($bad_bot)    { return 444; }

# Block webshell probes and common exploit paths - drop connection immediately
location ~* ^/(\.env|\.git|\.aws|\.netrc|\.pgpass|\.boto|\.s3cfg|\.yarnrc|\.npmrc|\.htpasswd|\.DS_Store|wp-config\.php\.?|adminfuns|debug\.php|pinfo\.php|pi\.php|dev\.php|inputs\.php|shell\.php|cmd\.php|eval\.php|config\.php\.bak|backup\.zip|database\.sql|xmlrpc\.php)$ {
    access_log off;
    return 444;
}


# Block path-traversal loop attacks (cmptv pattern: index.php/index.php/...)
location ~* "(index\.php/){3,}" {
    access_log off;
    return 444;
}

# Block .env variants
location ~* /\.env {
    access_log off;
    return 444;
}

# Rate-limit WordPress admin-ajax (ordereats bot hammering)
location ~* ^/wp-admin/admin-ajax\.php$ {
    limit_req zone=wordpress burst=10 nodelay;
    limit_req_status 429;
    include conf.d/includes-optional/cpanel-proxy.conf;
    proxy_pass $CPANEL_APACHE_PROXY_PASS;
}

# Rate-limit expensive JomSocial dynamic pages
location ~* ^/index\.php.*option=com_community.*view=(videos|groups|followers|search) {
    limit_req zone=expensive burst=5 nodelay;
    limit_req_status 429;
    include conf.d/includes-optional/cpanel-proxy.conf;
    proxy_pass $CPANEL_APACHE_PROXY_PASS;
}
