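server {
    listen 80;
    # Pull the hardening rules (the serverSafe.conf snippet) in from conf.d.
    # 'include' is an ordinary directive and must be terminated by ';' --
    # without it nginx hits the closing '}' while still collecting
    # arguments and refuses to load the configuration.
    include conf.d/serverSafe.conf;
}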
Nginx 的 444 状态比较特殊：返回 444 时 nginx 会直接关闭连接而不发送任何响应，客户端收不到服务端返回的信息，表现得就像网站无法连接一样。
# Strip the X-Powered-By header from FastCGI (PHP) responses so the backend
# stack is not advertised to clients; the header typically carries the PHP
# version.
fastcgi_hide_header X-Powered-By;
# $request_method is the HTTP method of the incoming request.
# Only GET and POST are accepted; every other method (HEAD, OPTIONS, PUT,
# DELETE, ...) is answered with 444, i.e. nginx closes the connection
# without sending a response.
# The '*' in '!~*' makes the comparison case-insensitive.
# NOTE(review): rejecting HEAD also affects legitimate monitors and link
# checkers that probe with HEAD -- confirm that is intended for this site.
if ($request_method !~* ^(GET|POST)$) {
return 444;
}
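# Block common crawler / scraper / HTTP-library User-Agents (case-insensitive)
# and requests that send no User-Agent at all (the trailing "^$" branch).
# Scans with wget/curl-style tools are cheap to refuse this way, but the
# User-Agent header is client-controlled and trivially changed, so treat this
# as a nuisance filter rather than a security boundary. It also blocks
# legitimate curl/wget/Java clients and UA-less health checks.
# 444 makes nginx close the connection without sending a response.
# The pattern must be quoted: several alternatives contain spaces
# ("Indy Library", "Alexa Toolbar", "Microsoft URL Control", ...) and an
# unquoted regex is split into several arguments, which makes the 'if'
# condition invalid and the configuration fail to load. A single quoted
# 'if' therefore replaces the earlier unquoted/quoted pair, whose quoted
# member already covered every alternative of the unquoted one.
if ($http_user_agent ~* "LWP::Simple|BBBike|pytho[n]?|wget|Scrapy|Curl|curl|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {
    return 444;
}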
# Hot-link protection for images: /images/ is only served when the Referer
# is absent (none), present but stripped of its scheme by a proxy/firewall
# (blocked), or one of the listed hosts; everything else gets 403.
# www.xxx.cn / xxx.cn are placeholders for the site's own host names
# (nginx also accepts wildcard entries such as *.example if subdomains
# must be allowed).
# NOTE(review): Referer is client-controlled and easily spoofed -- this is a
# bandwidth/nuisance control, not an access control.
location /images/ {
valid_referers none blocked www.xxx.cn xxx.cn;
# valid_referers blocked www.xxx.cn xxx.cn   # stricter variant: also reject requests that send no Referer
# $invalid_referer is set when the Referer matched none of the entries above.
if ($invalid_referer) {
return 403; # otherwise answer 403
# rewrite ^/images/.*\.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last; # alternative: rewrite requests that fail the Referer rule to a placeholder image
}
}
valid_referers：校验 Referer。其中 none 允许 Referer 为空（请求头缺失），blocked 允许 Referer 存在但被防火墙或代理去掉了协议前缀（不以 http:// 或 https:// 开头）的请求；
除了以上两类外，仅当 Referer 为 www.xxx.cn 或 xxx.cn 时才允许访问 images 下的图片资源。
# Refuse direct external requests to the ThinkPHP front controller
# (/index.php...). Internal rewrites that land on index.php are unaffected,
# because $request_uri is the original request line, not the rewritten $uri.
# NOTE(review): $request_uri is the raw, un-normalized request, so the regex
# only sees the path exactly as the client spelled it; $uri (decoded and
# normalized) would be a stricter subject for this check, provided no
# earlier rewrite in this server already targets /index.php.
# 405 (Method Not Allowed) is a semantically odd status for a blocked path;
# 403 or 404 would describe the decision more accurately.
if ($request_uri ~* ^/index\.php) {
return 405;
}
# Let's Encrypt (ACME HTTP-01) must be able to fetch files under this path.
# '^~' is a prefix match that takes precedence over the regex locations
# below, so the 'location ~ /\.' deny rule does not block the challenge files.
# Serve the file (or directory) as-is, 404 otherwise, and do not log the hits.
location ^~ /.well-known {
try_files $uri $uri/ =404;
access_log off;
}
# Deny any path component that starts with a dot (dotfiles and dot
# directories such as /.git, /.env, /.htaccess, /.svn).
# Locations are matched against the normalized $uri, so a request like
# /upload/../index.php is collapsed to /index.php before this rule is
# evaluated -- '..' traversal is NOT what this location catches.
# The ^~ /.well-known location above is exempt because prefix ^~ matches
# win over regex locations.
# NOTE(review): 'deny all' answers 403, which still confirms the path
# exists; 'return 404;' would be indistinguishable from a missing file.
location ~ /\. {
deny all;
}
# Files under /upload/ or /uploads/ must never be executed as PHP (mitigates
# upload vulnerabilities): answer 404 instead of handing them to FastCGI.
# Regex locations are tried in file order, so this must stay ahead of any
# generic PHP handler location (if one exists in this server).
# NOTE(review): the pattern only anchors on a trailing ".php"; if the PHP
# handler accepts PATH_INFO (a "\.php(/|$)"-style pattern), widen this
# pattern the same way so /uploads/x.php/anything is refused as well.
location ~* /upload[s]?/.*\.php$ {
return 404;
}
# Serve static assets straight from disk and skip access logging for them.
# try_files answers 404 rather than falling through to a dynamic handler.
# NOTE(review): 'access_log off' also removes downloads of exe/apk/pdf from
# the logs; if download auditing or incident forensics matters, give those
# extensions their own logged location.
location ~* \.(map|gif|jpg|png|css|js|ico|swf|pdf|apk|exe|eot|otf|ttf|woff|woff2)$ {
try_files $uri =404;
access_log off;
}
# Exact-match location for the favicon: '=' locations are checked first, so
# this short-circuits the regex lookups above and skips access logging.
location = /favicon.ico {
try_files $uri =404;
access_log off;
}