由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.
server {
server_name gallery.XX.net;
index index.php;
root /home/gallery/web;
location =/ {}
location / { deny all;}
location /.well-known/acme-challenge/ { return 200; }
location ~ \.php(?:$|/) {
try_files $uri = 404;
fastcgi_pass unix:/dev/shm/php8-fpm.sock;
}
}
设定ssl证书
dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
echo "0 3 * * 6 /usr/bin/certbot renew --quiet"> /etc/cron.d/certbot
主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip,所以 read_ip读取它.
然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_set_header REMOTE_ADDR $HTTP_X_FORWARDED_FOR;
之前发的太拉胯了, 重新写了一份.
针对后台文件夹更名后, 用try_files判断,免去写白名单验证了, 官方爱咋折腾出了问题再说了.
CUSTOMADMINPATH为匹配后台自定义admin目录
location ~ [^/]\.php(/|$) { YOUR php-fpm configure in HERE }
location ~ ^/{ try_files $uri $uri/ /index.php?rp=$uri; }
location ~ ^/(admin|CUSTOMADMINPATH_1|CUSTOMADMINPATH_2)/ { try_files $uri $uri/ index.php?rp=$uri; }
原始的弃用了:
location ~ /templates/.*\.tpl$ { return 404; }
location ^~ /vendor/ { return 404; }
location ~ ^/(images/em|invoice|login|password|account|store|download|knowledgebase|announcements|clientarea/ssl-certificates|user/(verification|accounts|profile|password|security|verify)|cart/(domain/renew)|domain/pricing|cart/order|images/kb)/?(.*)$ { rewrite (.*) /index.php?rp=$uri last; }
location ~ ^/(.*)/(client|client!\.php|client/(.*)|table/(.*)|search!\.php|search/(.*)|apps|billing|setup|user|services|addons|domains|utilitiesemailmarketer!\.php|utilities/(.*)|logs|help!\.php|help/license|modules|image/(recent|upload)|validation_com/(.*))/?(.*)$ { try_files $uri $uri/ /$1/index.php?rp=$uri; }
如果whmcs放在二级目录下则小改一下.
把uri改成rewrite 的正则匹配.
解决办法:
update-crypto-policies --set LEGACY
rpm --import https://openresty.org/package/pubkey.gpg
或者是dnf带上 --nogpgcheck参数
dnf install -y --nogpgcheck openresty
把gpgcheck检查去掉也行.
sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.repos.d/openresty.repo
没导入时候报错提示
GPG Keys are configured as: https://openresty.org/package/pubkey.gpg
Error: GPG check FAILED
当导入时候的错误提示
warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://openresty.org/package/pubkey.gpg: key 1 import failed
总结:更新update-crypto-policies设置
文章内容源自:https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
虽然有第三方的,但是自己nginx里面写死配置来得安稳些.
用法就是在网站目录里面直接引用一下配置文件include googleapis.conf;
这里做了一个虚拟目录/assets/vendor/, 可以根据自己的需求设置.
# cat ../googleapis.conf
sub_filter_once off;
sub_filter_types text/css text/xml text/javascript;
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://ajax.googleapis.com" "/assets/vendor/ajax";
sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
proxy_hide_header Link;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
location ~ ^/assets/vendor/googleapis/ {
proxy_set_header Accept-Encoding "";
rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
proxy_pass https://fonts.googleapis.com;
proxy_set_header Host "fonts.googleapis.com";
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
expires 1d;
sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
}
location ~ ^/assets/vendor/fonts_gstatic/ {
rewrite ^/assets/vendor/fonts_gstatic/(.+)$ /$1 break;
proxy_pass https://fonts.gstatic.com;
proxy_set_header Host "fonts.gstatic.com";
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
expires 1y;
}
location ~ ^/assets/vendor/gstatic/ {
rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
proxy_pass https://www.gstatic.com;
proxy_set_header Host "www.gstatic.com";
expires 1y;
}
location ~ ^/assets/vendor/ajax/ {
rewrite ^/assets/vendor/ajax/(.+)$ /$1 break;
proxy_pass https://gajax.googleapis.com;
proxy_set_header Host ajax.googleapis.com;
expires 1y;
}
在官方wiki找到的
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name
在alias下路径报错
-----------------------------------------------------------------------------
fastcgi_param SCRIPT_FILENAME $request_filename
index取值忽略fastcgi_index的设定, 直接取http或者server字段下的index设定值.
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
location ~ /(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*) { rewrite (.*) /index.php; }
location ~ /(.*)/(addons|apps|search|domains|help|services|setup|utilities|clients)(.*) { rewrite (.*) /admin/index.php;}
方案一:
if (!-f $request_filename){ rewrite (.*) /index.php; }
方案二:
rewrite ^/(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*)$ /index.php;
其他设置:
location ~* \.(tpl|inc|cfg)$ { deny all; }
location ^~ /vendor/ { deny all; }
方案一主要匹配本地没有的就丢index.php上去, 也可以用try_files
方案二主要是直接进行rewrite.
其他配置主要是隐藏一些目录和文件不让访问.
总的来说用 location来匹配稍微稳妥一些, 例如 /admin/clientsservices.php 会被为静态匹配到, 还是得运用if来判断匹配.
server {
listen 8080;
resolver 1.1.1.1;
location / {
proxy_bind $server_addr;
proxy_pass $scheme://$http_host$request_uri;
proxy_set_header Host $http_host;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0k;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_next_upstream error timeout invalid_header http_502;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
deny 127.0.0.1;
}
连接那个IP 出口就是那个 IP
location ~ .*\.(php)?$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
location ~ .*\.(htm|gif|jpg|jpeg|png|bmp|ico|flv|swf|txt|wma)$ { expires 30d;}
location ~ .*\.(js|css)?$ { expires 1d;}
location ~ .*\.(tpl|svn|asp|aspx|jsp|do|mdb|zip|rar|bak|htc)?${ deny all; }
location ~ /0.* { deny all; }
if (!-e $request_filename) { return 444; }
在http字段下加入一个map做匹配引导
map $http_user_agent $limit_bots {
default 0;
~*(baiduspider|google|soso|bing|yandex|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler) 1;
~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}
再到server字段或者是location字段下加入if判断
if ($limit_bots = 1) { return 403; }
需要安装一个openresty或者nginx, 版本大于1.15.10
编译安装参考http://www.kvm.la/1043.html , openresty二进制包版本较低没有更新, 建议编译安装一份.
首先把IPMI的IP丢进一个ip.list的文件里面, 一行一个IP.
#/bin/bash
i=1000 #vnc start port
b=2000
# hextoip() { hex=$1; printf "%d." 0x${hex:0:2}; printf "%d." 0x${hex:2:2}; printf "%d." 0x${hex:4:2}; printf "%d" 0x${hex:6:2}; }
#gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > $stream_route_map
echo " default 0;" > $http_route_map
for IP in `cat /root/ipmi/ip.list | uniq -c |awk '{ print $2 }'`;
do
i=`expr $i + 1` ;
b=`expr $b + 1` ;
HEXIP=`gethostip -x $IP | tr 'A-Z' 'a-z'` ;
echo " ~*($IP|$i|$b|$HEXIP)$ IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >>$http_route_map;
echo " ~*($b|$i)$ $IP;" >> $stream_route_map
done
nginx -s reload
阅读剩余部分...
curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget vim-enhanced tcpdump iftop net-tools rsync
yum -y -q install openresty
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.
原文地址:http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack
好像原文出处的页面已经打不开了,原生的nginx需要编译lua,openresty可以直接用。
location ~ \.php$ {
rewrite_by_lua '
local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
if (ngx.var.cookie_humanflag ~= md5token) then
ngx.header["Set-Cookie"] = "humanflag=" .. md5token
return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
end
';
... ...
}
location ~ \.php$ {
if ($cookie_ipaddr != "$remote_addr"){
add_header Set-Cookie "ipaddr=$remote_addr";
rewrite .* "$scheme://$host$uri" redirect;
}
... ...
}