nginx 防注入xss跨站等安全规则

以谁为师

denysql.conf


将配置载入到虚拟主机配置文件中

        server {
......
include /xxx/nginx/conf/denysql.conf;
        }

将配置载入到虚拟主机配置文件中

[C] 纯文本查看 复制代码

## 禁SQL注入 Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }
 
  ## 禁掉文件注入
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }
 
   ## 禁掉溢出攻击
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
 
## 禁spam字段
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }
 
  

agent_deny.conf

[C] 纯文本查看 复制代码

#禁止Scrapy等工具的抓取
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
     return 403;
}
#禁止指定UA及UA为空的访问
if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|^$" ) {
     return 403;             
}
#禁止非GET|HEAD|POST方式的抓取
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 403;
}

#然后，在网站相关配置中的  location / {  之后插入如下代码：
#include agent_deny.conf;

defend.conf

[C] 纯文本查看 复制代码

if ($uri ~* .*(viewsource.jsp)$) { return 404; }
if ($uri ~* .*(/~).*) { return 404; }

#修补空字节小三资源网解析漏洞
if ($query_string ~* ".*[;'<>].*") { return 444; }
if ($request_uri ~ " ") { return 444; }

#内部：
if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|exec|\*|%|\')(.*)$ ) { return 403; } 

#外部： 
if ($request_uri ~* "(cost\()|(concat\()") { return 403; }
if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]or[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]delete[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]update[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]insert[+|(%20)]") { return 403; }

幸福就在下一秒

谢谢分享 赞一下

a136

加油！干倒冰儿和酒仙！

Sty，涛

学习学习技术，加油！

xiaoqqf4

还是不错的哦，顶了

云游者

感谢楼主的分享~

wanmznh

感谢楼主的分享~

arctic

感谢楼主的分享~

wanmznh

感谢楼主的分享~

wtsqq123

还是不错的哦，顶了