Files
flux-srl/nginx/conf.d
davidherran 673c32d0e1
feat(nginx): canonical-host guard + scanner-probe blocking
Hardens the edge against the bot noise and IP-based access seen in the
production logs (raw-IP hits, SSRF probes to 169.254.169.254 / localhost /
metadata.google.internal, scans for /config/database.php, /.git-credentials,
wp-admin, etc.).

1. Canonical-host guard — default_server blocks on 80 and 443 that catch
   any Host that is NOT rf-flux.com/www.rf-flux.com and return 444 (drop).
   - Kills the redirect-to-raw-IP bug at the edge: IP requests never reach
     Next.js, so the middleware can't build an IP-based redirect.
   - Blocks SSRF probes and most bot scans before they touch the app.
   - ACME HTTP-01 still works (acme-challenge location kept on :80).
   - Legitimate traffic is unaffected: exact server_name beats
     default_server, so the rf-flux.com blocks always win.

2. Scanner-probe blocking — a regex location in the rf-flux.com server
   that returns 444 for .php/.env/.git/wp-admin/etc. This is a Next.js app
   so none of those are real; the patterns never match real assets
   (.jpg/.png/.webp/.mp4/.glb/.pdf) or app routes.

Apply with `nginx -t` then `nginx -s reload` — no rebuild, no downtime.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 08:29:39 -05:00
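The two guards described in the commit message, written out as an added nginx example that is not the repository's own conf.d files; the certificate paths, the ACME webroot and the Next.js upstream port are assumptions:

```nginx
# Catch-all on :80 for any Host that is not the canonical domain.
server {
    listen 80 default_server;
    server_name _;
    # ACME HTTP-01 must still answer regardless of Host (webroot path is assumed).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    # Raw-IP hits, SSRF probes, bogus Hosts: close the connection, no response.
    location / {
        return 444;
    }
}

# Catch-all on :443; a placeholder certificate (assumed path) lets the TLS
# handshake complete so the 444 can be applied to the request.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;
    return 444;
}

# Canonical host: an exact server_name match beats default_server, so these
# blocks always win for rf-flux.com traffic.
server {
    listen 80;
    server_name rf-flux.com www.rf-flux.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name rf-flux.com www.rf-flux.com;
    ssl_certificate     /etc/letsencrypt/live/rf-flux.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rf-flux.com/privkey.pem;
    # Scanner probes: paths this Next.js app never serves. Anchored on the
    # extension or leading directory so real assets and app routes don't match.
    location ~* (\.php$|/\.env|/\.git|^/wp-admin) {
        return 444;
    }
    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed Next.js upstream
        proxy_set_header Host $host;
    }
}
```

On nginx 1.19.4 or newer, `ssl_reject_handshake on;` in the :443 catch-all drops unknown SNI at the handshake and removes the need for a placeholder certificate.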