分享一些Nginx安全规则

随风 • 2022-07-11 • 分享, 经验分享 • 700 阅读

能有效防止70%攻击。

if ($request_uri ~* "(\.gz)|(\")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
            return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
        }

宝塔点击网站，配置文件添加即可

 #请求这些敏感词时跳转下载10g文件
 if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
            return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
        }


 #禁止下载以 XXX 后缀的文件
 location ~ \.(zip|rar|sql|bak|gz|7z)$ 
 { 
   return 444;
  }


 #访问链接里含有 test 直接跳转到公安网
 if ($request_uri ~* test=) {
  return 301 https://www.mps.gov.cn;
 }


 #防止SB爬虫
 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
      return 444;
    }


 #屏蔽非常见蜘蛛爬虫配置
 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
     return 444;
  }


 #禁止某个目录执行脚本
#uploads|templets|data 这些目录禁止执行PHP
 location ~* ^/(uploads|templets|data)/.*.(php|php5)$ {
    return 444;
  }

防止SB爬虫

if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
      return 444;
    }

禁止爬虫

        if ($http_user_agent ~* "qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {  
        return 404; #禁止爬虫返回404
        }

非指定域名访问403

        if ($host != 'XX.XX.XX'){
    return 403; #非指定域名访问返回403
        }

仅允许特定IP访问并加上帐号密码验证

 root /opt/hostloc/www;
 allow  xx.xx.xx.xx; 
 allow  2xx.xx.x.xx; 
 deny  all;
 auth_basic “test”;
 auth_basic_user_file htpasswd;

禁止访问多个目录

 location ~ ^/(cron|templates)/
 {
 deny all;
 break;
 }

隐藏nginx版本号
http块添加

http {
...
server_tokens off;
...
}

禁止非浏览器访问

if ($http_user_agent ~ ^$) {
        return 412;
}

总结一下

if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
}

#禁止下载以 XXX 后缀的文件
location ~ \.(zip|rar|sql|bak|gz|7z)$
{
    return 444;
}


#访问链接里含有 test 直接跳转到公安网
if ($request_uri ~* test=) {
return 301 https://www.mps.gov.cn;
}
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
      return 444;
    }

总结了下(使用把#删掉即可

    #禁止下载以 zip|rar|sql|bak|gz|7z 后缀的文件
    #location ~ \.(zip|rar|sql|bak|gz|7z)$
    #{
    #   return 444;
    #}
    #访问链接里含有 test 直接跳转到公安网
    #if ($request_uri ~* test=) 
    #{
    #  return 301 https://www.mps.gov.cn;
    #}
    
    #防止部分所谓的攻击
    #if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") 
    #{
    #    return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
    #}
    
    # 防止机器人
    #if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) 
    #{
    #  return 444;
    #}

本站文章资源均来源自网络，除非特别声明，否则均不代表站方观点，并仅供查阅，不作为任何参考依据！
如有侵权请及时跟我们联系，本站将及时删除！
如遇版权问题，请查看本站版权声明

THE END

nginx