Created
September 4, 2021 13:17
-
-
Save lazyjerry/258d2a7cbe969f8a19dbed6981e64a0b to your computer and use it in GitHub Desktop.
防止網址注入的簡單防範
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## 放在 server 區塊中,也可以獨立一個檔案讀取 | |
| ## ref: https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc | |
| ## Block SQL injections | |
| set $block_sql_injections 0; | |
| if ($query_string ~ "union.*select.*\(") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($query_string ~ "union.*all.*select.*") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($query_string ~ "concat.*\(") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($block_sql_injections = 1) { | |
| return 403; | |
| } | |
| ## Block file injections | |
| set $block_file_injections 0; | |
| if ($query_string ~ "[a-zA-Z0-9_]=http://") { | |
| set $block_file_injections 1; | |
| } | |
| if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { | |
| set $block_file_injections 1; | |
| } | |
| if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { | |
| set $block_file_injections 1; | |
| } | |
| if ($block_file_injections = 1) { | |
| return 403; | |
| } | |
| ## Block common exploits | |
| set $block_common_exploits 0; | |
| if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "proc/self/environ") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "base64_(en|de)code\(.*\)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($block_common_exploits = 1) { | |
| return 403; | |
| } | |
| ## Block spam | |
| set $block_spam 0; | |
| if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($block_spam = 1) { | |
| return 403; | |
| } | |
| ## 這裡是把奇怪的 user agents 擋下來 | |
| ## Block user agents | |
| set $block_user_agents 0; | |
| # Don't disable wget if you need it to run cron jobs! | |
| #if ($http_user_agent ~ "Wget") { | |
| # set $block_user_agents 1; | |
| #} | |
| # Disable Akeeba Remote Control 2.5 and earlier | |
| if ($http_user_agent ~ "Indy Library") { | |
| set $block_user_agents 1; | |
| } | |
| # Common bandwidth hoggers and hacking tools. | |
| if ($http_user_agent ~ "libwww-perl") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GetRight") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GetWeb!") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Go!Zilla") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Download Demon") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Go-Ahead-Got-It") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "TurnitinBot") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GrabNet") { | |
| set $block_user_agents 1; | |
| } | |
| ## 符合以上特質的顯示 403 錯誤 | |
| if ($block_user_agents = 1) { | |
| return 403; | |
| } | |
| ## 阻擋爬蟲 | |
| set $limit_bots 0; | |
| if ($http_user_agent ~ ^$|FCKFK|no-store|WordPress\/) | |
| { | |
| set $limit_bots 1; | |
| } | |
| if ($http_accept ~ ms-powerpoint) | |
| { | |
| set $limit_bots 1; | |
| } | |
| if ($http_user_agent ~ ^Mozilla...0..compatible..MSIE...0..Windows.NT...1..Trident...0.$|^Mozilla...0..compatible..MSIE...0..Windows.NT...1.$|^Mozilla...0..compatible..MSIE...0..Windows.NT........$) | |
| { | |
| set $limit_bots 1; | |
| } | |
| if ($http_user_agent ~* "python|curl|java|wget|httpclient|okhttp") { | |
| set $limit_bots 1; | |
| } | |
| if ($http_user_agent ~* "google|bing|yandex|msnbot|AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker|Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It|rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE|GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider|Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus|Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw") | |
| { | |
| set $limit_bots 1; | |
| } | |
| if ($limit_bots = 1) { | |
| return 403; | |
| } | |
| ## 結束 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment