nginx 防注入xss跨站等安全规则
本帖最后由 以谁为师 于 2015-6-8 12:00 编辑denysql.conf
将配置载入到虚拟主机配置文件中
server {
......
include /xxx/nginx/conf/denysql.conf;
}
将配置载入到虚拟主机配置文件中
## 禁SQL注入 Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
## 禁掉文件注入
set $block_file_injections 0;
if ($query_string ~ "=http://") {
set $block_file_injections 1;
}
if ($query_string ~ "=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "=/(//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}
## 禁掉溢出攻击
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
## 禁spam字段
set $block_spam 0;
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|proac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 403;
}
agent_deny.conf
#禁止Scrapy等工具的抓取
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
return 403;
}
#禁止指定UA及UA为空的访问
if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|^$" ) {
return 403;
}
#禁止非GET|HEAD|POST方式的抓取
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 403;
}
#然后,在网站相关配置中的location / {之后插入如下代码:
#include agent_deny.conf;
defend.conf
if ($uri ~* .*(viewsource.jsp)$) { return 404; }
if ($uri ~* .*(/~).*) { return 404; }
#修补空字节小三资源网解析漏洞
if ($query_string ~* ".*[;'<>].*") { return 444; }
if ($request_uri ~ " ") { return 444; }
#内部:
if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|exec|\*|%|\')(.*)$ ) { return 403; }
#外部:
if ($request_uri ~* "(cost\()|(concat\()") { return 403; }
if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]or[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]delete[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]update[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]insert[+|(%20)]") { return 403; }
谢谢分享 赞一下 加油!干倒冰儿和酒仙! 学习学习技术,加油! 还是不错的哦,顶了 感谢楼主的分享~ 感谢楼主的分享~ 感谢楼主的分享~ 感谢楼主的分享~ 还是不错的哦,顶了