漏洞扫描结果:
Severity:High
Upload Function Can be Used to Upload Malicious Files
解决方法:
禁止可疑的上传文件格式和危险的请求方法，并在 location 中添加适当的访问控制策略
server {
# Listener and virtual host for the service under review
# (the host name appears to be redacted in the scan report).
listen 8888;
server_name xxxx.xxxx.com;
#charset koi8-r;
#access_log logs/host.access.log main;
# Reject a few common scripted clients by User-Agent (case-insensitive, unanchored match).
# The User-Agent header is chosen by the client, so this is bot hygiene rather than an
# access control, and it does not by itself address the upload finding.
if ($http_user_agent ~* "scrapy|curl|httpclient") { return 403; }
# Second User-Agent denylist. Unlike the rule above this one uses "~", i.e. a
# case-sensitive match, and the trailing "^$" alternative also rejects requests that
# send an empty User-Agent. "HttpClient" is already covered by the previous rule, and
# "Googlebot" is blocked here as well — confirm that is intended for this host.
# As with the rule above, User-Agent is client-supplied, so treat this as noise
# reduction, not as a security boundary.
if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Googlebot|Ezooms|^$" ) {
return 403;
}
# Method allowlist: anything other than GET, HEAD or POST (e.g. PUT, DELETE, OPTIONS)
# is answered with 403 before routing. POST is still permitted, so this rule does not
# block uploads on its own; it only removes the unneeded methods.
if ($request_method !~ "^(GET|HEAD|POST)$") { return 403; }
#location ~* \.(html|htm|php|gif|jpg|jpeg|bmp|png|ico|js|css|avi|mp4|wmv|vob|flv|rmvb|mpg|mkv|mpeg)$ {
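# Default route: every request not caught by a more specific location is proxied upstream.
# NOTE(review): root/index are only consulted when nginx serves files itself; with
# proxy_pass in this location all requests go upstream, so the two directives are
# effectively inert here (kept in case other server-level directives rely on root).
location / {
    root /usr/local/var/www;
    index index.html index.htm;
    # Security headers. "always" (nginx 1.7.5+) makes them apply to 4xx/5xx responses
    # too; without it add_header is only emitted for 2xx/3xx, so error pages coming
    # back from the upstream would go out without them.
    add_header X-Frame-Options SAMEORIGIN always;        # only this site may embed these pages in a frame
    add_header X-Content-Type-Options nosniff always;    # browsers must not sniff the declared content type
    add_header X-XSS-Protection "1; mode=block" always;  # legacy XSS filter header; a CSP is the current replacement
    # The scan finding concerns what the upstream accepts via POST on this route.
    # A body-size cap (client_max_body_size, nginx default 1m) bounds what can be
    # sent, but the upstream must still validate the type, name and content of
    # anything it stores — nginx cannot do that for it.
    proxy_pass https://www.baidu.com;
}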
#location / {
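# Deny requests whose URI path ends in an executable/script suffix (case-insensitive).
# Regex locations are evaluated before the prefix "location /", so these requests
# never reach the upstream. This is a suffix denylist: it covers only the listed
# extensions and only controls retrieval through this proxy — it does not stop the
# upload itself. The upstream upload handler must still validate what it stores; if
# uploaded files are ever served from here, an allowlist of the expected static types
# is the stronger control.
location ~* \.(exe|bat|com|pif|scr|php|php5)$ {
    deny all;
    # "deny all" answers 403, and add_header without "always" is skipped for 4xx
    # responses, so as originally written these headers were never sent from this
    # location. "always" (nginx 1.7.5+) makes them take effect.
    add_header X-Frame-Options SAMEORIGIN always;        # only this site may embed these pages in a frame
    add_header X-Content-Type-Options nosniff always;    # browsers must not sniff the declared content type
    add_header X-XSS-Protection "1; mode=block" always;  # legacy XSS filter header; a CSP is the current replacement
}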