
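server {
    listen 80;
    # Hardening directives live in a separate file under conf.d/.  A relative
    # include path is resolved against the nginx configuration directory, so the
    # file name here must match the one placed there (conf.d/serverSafe.conf).
    # The directive needs a terminating ';' — without it nginx rejects the block
    # at the closing brace.
    include conf.d/serverSafe.conf;
}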
Nginx 的 444 状态码比较特殊：它不是标准 HTTP 状态码，返回 444 时 Nginx 会直接关闭连接，不向客户端发送任何响应，对客户端来说就像网站无法连接一样。
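# conf.d/serverSafe.conf — hardening directives included from the server{} block.
# Everything here runs in server context.  `if ... { return ...; }` in server
# context is the one form of `if` that is safe to use; nothing else is done
# inside the `if` blocks.

# Do not pass the backend's X-Powered-By header through to clients.
# NOTE(review): server_tokens is not set in this file, so the Server header
# still advertises the nginx version unless it is disabled elsewhere — confirm.
fastcgi_hide_header X-Powered-By;

# Allow only GET and POST.  $request_method is the request method; `!~*` is a
# case-insensitive negated regex match.  444 is nginx-specific: the connection
# is closed without sending any response.
# NOTE(review): this also rejects HEAD and OPTIONS, which affects health checks
# that use HEAD and CORS pre-flight requests — confirm that is intended.
if ($request_method !~* "^(GET|POST)$") {
    return 444;
}

# Drop requests from common scripted clients / scrapers by User-Agent, and
# requests with an empty User-Agent (`^$`).  The pattern is quoted because it
# contains spaces ("Indy Library", "Alexa Toolbar", ...); an unquoted copy of
# this list is split on whitespace and rejected by nginx, so the earlier
# duplicate unquoted `if` was dropped — this quoted one is a superset of it.
# Matching is a case-insensitive substring match, so short tokens such as
# "Java" or "oBot" match any UA containing them.  User-Agent is client-supplied:
# this is a nuisance filter, not an access control.
if ($http_user_agent ~* "LWP::Simple|BBBike|pytho[n]?|wget|Scrapy|Curl|curl|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {
    return 444;
}

# Image hotlink protection for /images/.
# valid_referers: `none` accepts a missing Referer, `blocked` accepts a Referer
# that a proxy or firewall has stripped of its scheme; apart from those two
# cases only www.xxx.cn and xxx.cn may reference the images.  Referer is
# client-supplied, so this deters casual hotlinking only.
location /images/ {
    valid_referers none blocked www.xxx.cn xxx.cn;
    # Stricter variant that also rejects an absent Referer:
    # valid_referers blocked www.xxx.cn xxx.cn;
    if ($invalid_referer) {
        # Anything else gets 403.
        return 403;
        # Alternative: rewrite non-matching requests to a placeholder image.
        # rewrite ^/images/.*\.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last;
    }
}

# Block direct external requests to the ThinkPHP front controller.
# This is matched against $request_uri (the raw request line), presumably on
# purpose: $uri is changed by internal redirects (e.g. try_files to
# /index.php) and server-level `if` is re-run after an internal redirect, so a
# $uri check would also reject the application's own routing — verify against
# the PHP/try_files configuration.  The trade-off is that $request_uri is not
# normalised, so only the literal "/index.php" prefix is caught here.
# NOTE(review): 405 means "method not allowed"; 404 or 444 would not confirm
# the file exists — confirm the intended status.
if ($request_uri ~* ^/index\.php) {
    return 405;
}

# Let's Encrypt HTTP-01 validation reads files under /.well-known.  The `^~`
# prefix match takes precedence over the regex locations below, including the
# dot-file block.
location ^~ /.well-known {
    try_files $uri $uri/ =404;
    access_log off;
}

# Deny any path component that starts with a dot (e.g. /.git/, /.env,
# /.htaccess).  Regex locations are tried in order, first match wins: keep this
# block and the upload block above the static-file block.
location ~ /\. {
    deny all;
}

# No PHP execution under /upload or /uploads: uploaded files must never be run
# (upload-vulnerability mitigation).  `(/|$)` also covers path-info style URIs
# such as /uploads/x.php/y, which the previous `\.php$` did not catch.
# NOTE(review): widen the extension list if the PHP handler location also
# executes .phtml/.phar etc. — check against the `location ~ \.php` block.
location ~* /upload[s]?/.*\.php(/|$) {
    return 404;
}

# Static assets: serve from disk only (no fall-through to a PHP handler) and
# keep them out of the access log.
location ~* \.(map|gif|jpg|png|css|js|ico|swf|pdf|apk|exe|eot|otf|ttf|woff|woff2)$ {
    try_files $uri =404;
    access_log off;
}

location = /favicon.ico {
    try_files $uri =404;
    access_log off;
}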