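#!/usr/bin/env bash
# Pull the IRDB blocklist and write an nginx `deny` include file.
# Reload nginx atomically only if the file changed.
#
# Usage (cron):
#   IRDB_URL=http://localhost:8081 IRDB_TOKEN=irdb_con_... \
#   OUTPUT=/etc/nginx/conf.d/irdb-deny.conf \
#   examples/consumers/nginx-deny-include.sh
#
# Required env:  IRDB_URL, IRDB_TOKEN
# Optional env:  OUTPUT (default /etc/nginx/conf.d/irdb-deny.conf),
#                IRDB_TIMEOUT (curl --max-time, default 30)
#
# In your nginx config, include the file inside a `server {}` block:
#
#   server {
#     ...
#     include /etc/nginx/conf.d/irdb-deny.conf;
#   }
#
# The script is idempotent: if the new set of deny lines matches what's
# already on disk, nginx is left alone. Every entry from the service is
# checked to be a plain IPv4/IPv6 address or CIDR before it is written
# into the config; anything else is logged to stderr and dropped.
#
# Exit status: 0 on success (changed or unchanged), non-zero if the fetch
# fails or `nginx -t` rejects the resulting config (the previous include
# is restored in that case).
set -euo pipefail

: "${IRDB_URL:?must be set}"
: "${IRDB_TOKEN:?must be set}"
OUTPUT="${OUTPUT:-/etc/nginx/conf.d/irdb-deny.conf}"
TIMEOUT="${IRDB_TIMEOUT:-30}"

# Only bare addresses / CIDR ranges are accepted as `deny` arguments.
# The list comes from a remote service and is written into nginx's
# configuration, so an entry containing ';', '{', '#', whitespace or
# similar is treated as malformed (or hostile) rather than interpolated.
readonly IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
readonly IPV6_RE='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?$'

# is_ip_or_cidr ENTRY -> 0 if ENTRY looks like an IPv4/IPv6 address or CIDR.
is_ip_or_cidr() {
  [[ "$1" =~ $IPV4_RE || "$1" =~ $IPV6_RE ]]
}

# The staging file lives next to OUTPUT so the final mv is a rename on the
# same filesystem (a cross-filesystem mv is copy+unlink and nginx could
# observe a half-written include). BODY holds the raw download, HDR the
# auth header, PREV a copy of the current include for rollback.
OUTDIR=$(dirname -- "$OUTPUT")
TMP=$(mktemp "$OUTDIR/.irdb-deny.XXXXXX")
BODY=$(mktemp)
HDR=$(mktemp)
PREV=
trap 'rm -f -- "$TMP" "$BODY" "$HDR" ${PREV:+"$PREV"}' EXIT

# Pass the bearer token via a header file (curl >= 7.55, `-H @file`) so
# it does not appear in `ps` output or process accounting.
printf 'Authorization: Bearer %s\n' "$IRDB_TOKEN" > "$HDR"

# Fetch into a file first: with -f a non-2xx response aborts here, and a
# truncated transfer never reaches the include file.
curl -fsS --max-time "$TIMEOUT" \
  -H "@$HDR" \
  -H "Accept: text/plain" \
  -o "$BODY" \
  "$IRDB_URL/api/v1/blocklist"

# Header makes the include file self-describing.
{
  printf '# Generated by examples/consumers/nginx-deny-include.sh\n'
  printf '# Updated: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
} > "$TMP"

# One `deny` per valid entry. The loop runs in the current shell (no
# pipeline), and `|| [[ -n "$line" ]]` keeps a final line that lacks a
# trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  line=${line%$'\r'}   # tolerate CRLF line endings from the service
  [[ -n "$line" ]] || continue
  if is_ip_or_cidr "$line"; then
    printf 'deny %s;\n' "$line"
  else
    printf 'irdb-blocklist: skipping malformed entry %q\n' "$line" >&2
  fi
done < "$BODY" >> "$TMP"

# Compare only the non-comment lines: the "# Updated:" header changes on
# every run, so a plain cmp of the whole files would always differ and
# nginx would be reloaded on every cron tick.
if [[ -f "$OUTPUT" ]] \
  && cmp -s <(grep -v '^#' -- "$OUTPUT") <(grep -v '^#' -- "$TMP"); then
  printf 'irdb-blocklist unchanged; nginx not reloaded\n'
  exit 0
fi

# Keep a copy of the current include so a failed `nginx -t` can be rolled
# back instead of leaving a broken file for the next nginx restart.
if [[ -f "$OUTPUT" ]]; then
  PREV=$(mktemp "$OUTDIR/.irdb-deny.prev.XXXXXX")
  cp -p -- "$OUTPUT" "$PREV"
fi

# NOTE(review): mktemp creates TMP with mode 0600; fine for a root-owned
# nginx master, confirm for deployments where the master is unprivileged.
mv -- "$TMP" "$OUTPUT"

# `nginx -t` first so we never reload onto a syntax error; on failure
# restore what was there before (or remove our file if there was none).
if ! nginx -t; then
  if [[ -n "$PREV" ]]; then
    mv -- "$PREV" "$OUTPUT"
    printf 'irdb-blocklist: nginx -t failed; previous include restored\n' >&2
  else
    rm -f -- "$OUTPUT"
    printf 'irdb-blocklist: nginx -t failed; new include removed\n' >&2
  fi
  exit 1
fi
nginx -s reload
printf 'irdb-blocklist written to %s; nginx reloaded\n' "$OUTPUT"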