Global control (server-wide allow/deny)
server {
    listen 80 default_server;
    server_name blog.tany.com;
    allow 127.0.0.1;   # whitelist mode: rules are evaluated top to bottom and the first match wins
    deny all;          # everything not listed above is refused with 403
}
[root@draft conf.d]# curl -x127.0.0.1:80 blog.tany.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 07:13:24 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Wed, 16 Oct 2019 13:38:49 GMT
Connection: keep-alive
ETag: "5da71d69-6"
Accept-Ranges: bytes
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 07:14:00 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
server {
    listen 80 default_server;
    server_name blog.tany.com;
    deny 127.0.0.1;   # blacklist mode: only the listed address is refused; with no "deny all", everyone else is implicitly allowed
}
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 07:18:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Link: <http://blog.tany.com/index.php?rest_route=/>; rel="https://api.w.org/"
[root@draft conf.d]# curl -x127.0.0.1:80 blog.tany.com -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 07:18:38 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Restricting a directory
location /admin/ {   # prefix match: applies to every URI that starts with /admin/, e.g. blog.tany.com/admin/123.html
    allow 127.0.0.1;
    allow 192.168.87.133;
    deny all;
}
Note: `location /admin/` is a plain prefix location, and nginx gives regular-expression locations precedence over prefix locations. If the same server block has a `location ~ \.php$` for php-fpm, a request for /admin/x.php is handled by that block and never sees this allow/deny list; either repeat the rules inside the PHP location or nest a `location ~ \.php$` inside `location /admin/`. The tests below use a static file (1.txt), which does not exercise that gap.
[root@draft conf.d]# curl -x127.0.0.1:80 blog.tany.com/admin/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 07:23:38 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Wed, 16 Oct 2019 13:38:49 GMT
Connection: keep-alive
ETag: "5da71d69-6"
Accept-Ranges: bytes
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com/admin/1.txt
admin
[root@draft conf.d]# curl -x192.168.87.137:80 blog.tany.com/admin/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.0
Date: Wed, 16 Oct 2019 16:00:55 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
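As an added illustration (not code from the page or from nginx), the Python below models the decision rule behind both the server-wide and the /admin/ examples above: allow/deny directives are evaluated in the order written, the first matching rule decides, and a client that matches no rule is allowed. The config fragments are constructed here; the 192.168.87.0/24 range in ADMIN_LOCATION is a CIDR variation on the page's two explicit addresses, and MISORDERED shows why `deny all` must come last.

```python
import ipaddress

# Constructed nginx fragments: the two from the page, one misordered, one with CIDR.
WHITELIST = """
allow 127.0.0.1;   # whitelist mode
deny all;
"""
BLACKLIST = """
deny 127.0.0.1;    # blacklist mode: everyone else is implicitly allowed
"""
MISORDERED = """
deny all;          # matches first, so the allow below is never reached
allow 127.0.0.1;
"""
ADMIN_LOCATION = """
allow 127.0.0.1;
allow 192.168.87.0/24;   # a CIDR range works exactly like a single address
deny all;
"""


def parse_rules(config_text):
    """Pull allow/deny directives, in file order, out of an nginx config fragment."""
    rules = []
    for raw in config_text.splitlines():
        stmt = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comment and ';'
        parts = stmt.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def evaluate_access(rules, client_ip):
    """True if client_ip gets through (200), False if it is refused (403).

    Mirrors ngx_http_access_module: the first rule that matches decides;
    if no rule matches, access is allowed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, subject in rules:
        if subject == "all":
            return action == "allow"
        # strict=False lets a bare address such as 192.168.87.133 act as a /32
        if addr in ipaddress.ip_network(subject, strict=False):
            return action == "allow"
    return True  # nothing matched: the module's default is to allow


if __name__ == "__main__":
    clients = ("127.0.0.1", "192.168.87.133", "192.168.87.137")
    for name, cfg in (("whitelist", WHITELIST), ("blacklist", BLACKLIST),
                      ("misordered", MISORDERED), ("admin /24", ADMIN_LOCATION)):
        rules = parse_rules(cfg)
        for ip in clients:
            status = 200 if evaluate_access(rules, ip) else 403
            print(f"{name:10s} {ip:16s} -> {status}")
```

Running it reproduces the page's captures (127.0.0.1 gets 200 under the whitelist and 403 under the blacklist, 192.168.87.133 the reverse) and shows that the misordered fragment refuses everyone, including 127.0.0.1.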
Restricting which files in a directory may be fetched (blocking scripts in upload directories)
- Some directories of a site have to be writable by users, because users upload files when posting, writing articles or commenting. Writable directories are therefore the most exposed part of the site, and they usually have predictable names such as upload, image, attachment, cache.
- How a static file is served: the file lives in the web root; when a request for it arrives and nothing restricts it, nginx reads the file and returns its bytes to the client, and the browser renders (and may cache) it locally.
- How a PHP page is served: when the request is for a .php file, nginx does not read the file itself but hands the request to php-fpm, which executes the script and returns the output. A phpinfo page is a single statement, yet opening it reveals a great deal about the server, because the PHP interpreter executed that statement and read the information out. The conclusion: when a user opens a .php file on the server, the server executes whatever that file says. If the statements are destructive they damage the server, so a PHP file that was placed on the server illegitimately (for example through an upload form) is dangerous.
- If the same phpinfo file is renamed to .html the page comes back blank: nginx serves it as a static file, the browser treats `<?php ... ?>` as an unknown tag and renders nothing, and php-fpm never sees it. So nginx decides whether a request goes to PHP purely by the URI's suffix, through the matching location.
- Therefore users must not be able to open script files (php and the like) in an upload directory: when an upload directory appears in the URL, no script extension may follow. This is implemented with a regex location.
- In practice the application normally refuses uploads with a .php suffix anyway (WordPress does this by default); the location below is a second line of defence in case that check is bypassed or a different route writes into those directories.
- Virtual host configuration:
location ~ .*(upload|image|attachment|cache)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {   # not strictly required, but stops a script dropped into an upload directory from reaching php-fpm
    # .* is greedy; the backslash in \. makes the dot literal instead of "any character";
    # the trailing $ means the script extension must end the (query-stripped, decoded) URI.
    # ~ is case-sensitive; use ~* if .PHP / .Php should be caught as well.
    # Put this BEFORE the `location ~ \.php$` fastcgi block: regex locations are tried
    # in file order and the first match wins.
    deny all;   # every matching request gets 403
}
- Test results (the second URL does not match because `attachment` must be followed directly by `/`, so it falls through to WordPress, which answers 404):
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com/attachment/klklsjkf/kkjdf.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 08:01:30 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com/attachment-/klklsjkf/kkjdf.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 08:01:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Restricting by User-Agent
- The User-Agent header identifies the client software: a browser, the curl command, a crawler, and so on. The aim is to turn away bots that waste bandwidth and server resources; which ones deserve it can only be learned by reading the access logs. Bear in mind that the header is chosen by the client and trivially forged (curl -A below does exactly that), so this is a nuisance filter, not an access control.
- Virtual host configuration:
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {   # match on the client's declared User-Agent and turn away bandwidth-wasting bots (the unescaped . in 3.0 also matches 3x0, harmless here)
    return 403;   # the status code is your choice
}
[root@draft conf.d]# curl -A 'Tomato' -x127.0.0.1:80 blog.tany.com -I   # -A sets the User-Agent that curl sends
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Tue, 15 Oct 2019 14:36:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Restricting URIs
if ($request_uri ~ (abc|123)) {   # any request whose URI contains abc or 123 is answered with 404
    return 404;   # the status code is your choice; 404 hides that the path exists, 403 admits it
}
$request_uri is the raw request target, query string included and not percent-decoded, and the pattern is unanchored, so /?p=123 or a post slug containing "abc" would be blocked too; anchor or narrow the pattern before using this on a real site. Note that the capture below shows 403 for /abc/jj, so the config in use at that moment returned 403 instead of the 404 written here.
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com/abc/jj -I
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 15:10:38 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
[root@draft conf.d]# curl -x192.168.87.133:80 blog.tany.com/ab/jj -I
HTTP/1.1 404 Not Found
Server: nginx/1.16.1
Date: Thu, 17 Oct 2019 15:10:43 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
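As an added example (not the page's or nginx's code), the Python below models how the three regex rules on this page, the upload-directory script block, the User-Agent filter and the $request_uri filter, see a request, using the page's own patterns. It shows the difference that matters for bypasses: `location ~` matches against $uri, i.e. the percent-decoded path with the query string removed, whereas `if ($request_uri ~ ...)` sees the raw request target including the query string. The request targets and User-Agent strings are constructed, apart from the two attachment URLs from the tests above; dot-segment resolution and slash merging, which nginx also performs on $uri, are deliberately not modelled.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns copied from the page's configuration.
UPLOAD_SCRIPT_RE = r".*(upload|image|attachment|cache)/.*\.(php|pl|py|jsp|asp|sh|cgi)$"
UA_BLOCK_RE = r"Spider/3.0|YoudaoBot|Tomato"
URI_BLOCK_RE = r"(abc|123)"


def normalized_uri(request_target):
    """Approximate nginx's $uri: the path only, with %XX decoded.

    (nginx additionally resolves './' and '../' segments and merges '//';
    that normalisation is not modelled here.)
    """
    return unquote(urlsplit(request_target).path)


def location_regex_matches(pattern, request_target, case_insensitive=False):
    """Would `location ~ pattern` (or `~*` when case_insensitive) select this request?"""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, normalized_uri(request_target), flags) is not None


def upload_script_blocked(request_target, case_insensitive=False):
    """The page's upload-directory rule, as `location ~` or `location ~*`."""
    return location_regex_matches(UPLOAD_SCRIPT_RE, request_target, case_insensitive)


def request_uri_blocked(request_target):
    """`if ($request_uri ~ (abc|123))`: raw target, query string included."""
    return re.search(URI_BLOCK_RE, request_target) is not None


def user_agent_blocked(user_agent):
    """`if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')`."""
    return re.search(UA_BLOCK_RE, user_agent) is not None


if __name__ == "__main__":
    # Constructed request targets (the first two are the page's own tests).
    targets = [
        "/attachment/klklsjkf/kkjdf.php",   # page: 403
        "/attachment-/klklsjkf/kkjdf.php",  # page: 404, 'attachment' not followed by '/'
        "/upload/shell.php?x=1",            # query string is stripped before matching
        "/upload/shell%2Ephp",              # %2E is decoded to '.' before matching
        "/upload/shell.PHP",                # escapes case-sensitive ~, caught by ~*
        "/upload/shell.php/x.jpg",          # $ anchor misses path-info style URIs;
                                            # whether PHP runs it depends on the PHP location
    ]
    for t in targets:
        print(f"{t:36s} ~ {upload_script_blocked(t)!s:5s} ~* {upload_script_blocked(t, True)}")
    for t in ("/abc/jj", "/ab/jj", "/?p=123", "/post/my-abc-post"):
        print(f"request_uri {t:20s} blocked={request_uri_blocked(t)}")
    for ua in ("Tomato", "curl/7.64.1", "Mozilla/5.0 YoudaoBot/1.0"):
        print(f"user_agent {ua:28s} blocked={user_agent_blocked(ua)}")
```

The interesting rows are the encoded and upper-case variants: the rule still fires on `%2E` because nginx decodes the URI before location matching, but it misses `.PHP` unless the location is written with `~*`, and the `$` anchor lets a path-info style `shell.php/x.jpg` through, so the PHP location's own pattern decides whether that is harmless.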