設定防止注入、檔案防護的機制。放在 nginx 的 server block 中
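## Place inside the server block, or keep it as a separate file and `include` it there.
## ref: https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
##
## Maintainer notes:
##  - `$query_string` is matched as received (nginx does not percent-decode it),
##    so these patterns are a coarse signature filter only. They do not replace
##    a WAF or parameterised queries / input validation in the application.
##  - All matches use `~*` (case-insensitive). The original `~` was
##    case-sensitive, so `UNION SELECT`, `<SCRIPT>` or `Libwww-perl` slipped past.
##  - Only `set` and `return` are used inside `if`; that is the subset that is
##    safe at server level (the well-known "if is evil" caveat concerns other
##    directives inside `location`-level `if`).

## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~* "union.*select.*\(") {
    set $block_sql_injections 1;
}
if ($query_string ~* "union.*all.*select.*") {
    set $block_sql_injections 1;
}
if ($query_string ~* "concat.*\(") {
    set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
    return 403;
}

## Block file injections (remote/local file inclusion style parameters)
set $block_file_injections 0;
if ($query_string ~* "[a-zA-Z0-9_]=http://") {
    set $block_file_injections 1;
}
if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
    set $block_file_injections 1;
}
if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    set $block_file_injections 1;
}
if ($block_file_injections = 1) {
    return 403;
}

## Block common exploits
set $block_common_exploits 0;
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
    set $block_common_exploits 1;
}
if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~* "proc/self/environ") {
    set $block_common_exploits 1;
}
if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    set $block_common_exploits 1;
}
if ($query_string ~* "base64_(en|de)code\(.*\)") {
    set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
    return 403;
}

## Block spam
set $block_spam 0;
if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
    set $block_spam 1;
}
if ($block_spam = 1) {
    return 403;
}

## Block unwanted user agents
set $block_user_agents 0;
# Don't disable wget if you need it to run cron jobs!
#if ($http_user_agent ~* "Wget") {
#    set $block_user_agents 1;
#}
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~* "Indy Library") {
    set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~* "libwww-perl") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GetRight") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GetWeb!") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Go!Zilla") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Download Demon") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Go-Ahead-Got-It") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "TurnitinBot") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GrabNet") {
    set $block_user_agents 1;
}
## Anything matched above gets a 403
if ($block_user_agents = 1) {
    return 403;
}

## File/directory deny rules.
## Regex `location` blocks are tried in order and the first match wins, so the
## deny rules must stay above the caching rule at the bottom.
#
# Dotfiles / editor / VCS / backup artefacts. Deliberately not anchored with `$`
# so that `.env.local`, `.git/config`, `.swp~` etc. are caught as well; the
# trade-off is that `.conf`/`.env` also hit names such as `.config.js` — add a
# `$` anchor if that causes false positives. (Duplicate `svn|git` entries removed.)
location ~* \.(vscode|workspace|real|cfg|env|env_sample|svn|git|bak|bk|old|save|swp|DS_Store|gitignore|disable|sample|conf) { deny all; }
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { deny all; }
location ~* /(system|vendors)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { deny all; }
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { deny all; }
# Build/config files that must never be served. The original had two copies of
# this list (one a strict subset of the other); they are merged here, and `~*`
# keeps it effective on case-insensitive filesystems too.
location ~* /(goaccess_report\.html|LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { deny all; }

## Static asset caching — keep last, see note above about regex location order.
location ~* \.(jpg|jpeg|png|css|js)$ {
    expires 7d;
}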
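## Place inside the server block, or keep it as a separate file and `include` it there.
## ref: https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
##
## Maintainer notes:
##  - `$query_string` is matched as received (nginx does not percent-decode it),
##    so these patterns are a coarse signature filter only. They do not replace
##    a WAF or parameterised queries / input validation in the application.
##  - All matches use `~*` (case-insensitive). The original `~` was
##    case-sensitive, so `UNION SELECT`, `<SCRIPT>` or `Libwww-perl` slipped past.
##  - Only `set` and `return` are used inside `if`; that is the subset that is
##    safe at server level (the well-known "if is evil" caveat concerns other
##    directives inside `location`-level `if`).

## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~* "union.*select.*\(") {
    set $block_sql_injections 1;
}
if ($query_string ~* "union.*all.*select.*") {
    set $block_sql_injections 1;
}
if ($query_string ~* "concat.*\(") {
    set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
    return 403;
}

## Block file injections (remote/local file inclusion style parameters)
set $block_file_injections 0;
if ($query_string ~* "[a-zA-Z0-9_]=http://") {
    set $block_file_injections 1;
}
if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
    set $block_file_injections 1;
}
if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    set $block_file_injections 1;
}
if ($block_file_injections = 1) {
    return 403;
}

## Block common exploits
set $block_common_exploits 0;
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
    set $block_common_exploits 1;
}
if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    set $block_common_exploits 1;
}
if ($query_string ~* "proc/self/environ") {
    set $block_common_exploits 1;
}
if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    set $block_common_exploits 1;
}
if ($query_string ~* "base64_(en|de)code\(.*\)") {
    set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
    return 403;
}

## Block spam
set $block_spam 0;
if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
    set $block_spam 1;
}
if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
    set $block_spam 1;
}
if ($block_spam = 1) {
    return 403;
}

## Block unwanted user agents
set $block_user_agents 0;
# Don't disable wget if you need it to run cron jobs!
#if ($http_user_agent ~* "Wget") {
#    set $block_user_agents 1;
#}
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~* "Indy Library") {
    set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~* "libwww-perl") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GetRight") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GetWeb!") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Go!Zilla") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Download Demon") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "Go-Ahead-Got-It") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "TurnitinBot") {
    set $block_user_agents 1;
}
if ($http_user_agent ~* "GrabNet") {
    set $block_user_agents 1;
}
## Anything matched above gets a 403
if ($block_user_agents = 1) {
    return 403;
}

## File/directory deny rules.
## Regex `location` blocks are tried in order and the first match wins, so the
## deny rules must stay above the caching rule at the bottom.
#
# Dotfiles / editor / VCS / backup artefacts. Deliberately not anchored with `$`
# so that `.env.local`, `.git/config`, `.swp~` etc. are caught as well; the
# trade-off is that `.conf`/`.env` also hit names such as `.config.js` — add a
# `$` anchor if that causes false positives. (Duplicate `svn|git` entries removed.)
location ~* \.(vscode|workspace|real|cfg|env|env_sample|svn|git|bak|bk|old|save|swp|DS_Store|gitignore|disable|sample|conf) { deny all; }
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { deny all; }
location ~* /(system|vendors)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { deny all; }
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { deny all; }
# Build/config files that must never be served. The original had two copies of
# this list (one a strict subset of the other); they are merged here, and `~*`
# keeps it effective on case-insensitive filesystems too.
location ~* /(goaccess_report\.html|LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { deny all; }

## Static asset caching — keep last, see note above about regex location order.
location ~* \.(jpg|jpeg|png|css|js)$ {
    expires 7d;
}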