[Rewritten] WHMCS nginx rewrite rules

The version I posted earlier was too sloppy, so here is a rewrite.

For a renamed admin folder, try_files does the deciding, which spares writing an allowlist check; if the vendor's changes break it later, deal with that then.

CUSTOMADMINPATH stands for the renamed admin directory to be matched.

# php must be handled first: nginx tests regex locations in order and the first match wins
location ~ [^/]\.php(/|$) { YOUR php-fpm configure in HERE }
# admin area (default name or a renamed directory): fall back to that directory's own index.php
location ~ ^/(admin|CUSTOMADMINPATH_1|CUSTOMADMINPATH_2)/ { try_files $uri $uri/ /$1/index.php?rp=$uri; }
# everything else: fall back to the client-area front controller (this catch-all must come last)
location ~ ^/ { try_files $uri $uri/ /index.php?rp=$uri; }

 

The original version is now deprecated:

location ~ /templates/.*\.tpl$ { return 404; }
location ^~ /vendor/ { return 404; }
location ~  ^/(images/em|invoice|login|password|account|store|download|knowledgebase|announcements|clientarea/ssl-certificates|user/(verification|accounts|profile|password|security|verify)|cart/(domain/renew)|domain/pricing|cart/order|images/kb)/?(.*)$  {  rewrite (.*)  /index.php?rp=$uri last; }
location ~  ^/(.*)/(client|client!\.php|client/(.*)|table/(.*)|search!\.php|search/(.*)|apps|billing|setup|user|services|addons|domains|utilitiesemailmarketer!\.php|utilities/(.*)|logs|help!\.php|help/license|modules|image/(recent|upload)|validation_com/(.*))/?(.*)$ {  try_files $uri $uri/ /$1/index.php?rp=$uri;  }

If WHMCS sits in a subdirectory, adjust slightly:

replace $uri with the regex capture from the rewrite.

Fixing the GPG key import error when installing openresty on CentOS 9

Solution:

update-crypto-policies --set LEGACY   # system-wide: re-allows SHA-1 signatures; switch back with --set DEFAULT once the key is imported
rpm --import https://openresty.org/package/pubkey.gpg

Or pass --nogpgcheck to dnf:

dnf install -y --nogpgcheck openresty 

Disabling gpgcheck in the repo file also works:

sed -i 's/gpgcheck=1/gpgcheck=0/g'  /etc/yum.repos.d/openresty.repo

 

Error shown when the key has not been imported:

GPG Keys are configured as: https://openresty.org/package/pubkey.gpg
Error: GPG check FAILED

Error shown when importing the key:

warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://openresty.org/package/pubkey.gpg: key 1 import failed

Summary: update the update-crypto-policies setting.

Source for this content: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Solving the googleapis font problem with an nginx reverse proxy

There are third-party mirrors, but a fixed configuration in your own nginx is more reliable.

Usage: include the configuration file directly in the site's server block: include googleapis.conf;

A virtual directory /assets/vendor/ is used here; adjust it to your own needs.

 

# cat ../googleapis.conf
sub_filter_once off;
sub_filter_types text/css text/xml text/javascript;
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://ajax.googleapis.com" "/assets/vendor/ajax";
sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
proxy_hide_header Link;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

location ~ ^/assets/vendor/googleapis/ {
  proxy_set_header Accept-Encoding "";   # request an uncompressed body so sub_filter can rewrite the CSS
  rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
  proxy_pass https://fonts.googleapis.com;
  proxy_set_header Host "fonts.googleapis.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1d;
  # a sub_filter here replaces the outer list for this location; the CSS only references fonts.gstatic.com, so that one is kept
  sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
}

location ~ ^/assets/vendor/fonts_gstatic/ {
  rewrite ^/assets/vendor/fonts_gstatic/(.+)$ /$1 break;
  proxy_pass https://fonts.gstatic.com;
  proxy_set_header Host "fonts.gstatic.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1y;
}

location ~ ^/assets/vendor/gstatic/ {
  rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
  proxy_pass https://www.gstatic.com;
  proxy_set_header Host "www.gstatic.com";
  expires 1y;
}

location ~ ^/assets/vendor/ajax/ {
  rewrite ^/assets/vendor/ajax/(.+)$ /$1 break;
  proxy_pass https://ajax.googleapis.com;   # upstream host must match the Host header below ("gajax" was a typo)
  proxy_set_header Host ajax.googleapis.com;
  expires 1y;
}

Setting SCRIPT_FILENAME for nginx fastcgi

Found in the official wiki:

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name

Under an alias, this setting produces a wrong path.

-----------------------------------------------------------------------------

fastcgi_param SCRIPT_FILENAME $request_filename

With this form, the index value ignores the fastcgi_index setting and takes the index directive from the http or server context directly.

 

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

Pseudo-static (rewrite) rules for WHMCS under nginx

  location ~ /(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*) { rewrite (.*) /index.php; }
  location ~ /(.*)/(addons|apps|search|domains|help|services|setup|utilities|clients)(.*) { rewrite (.*) /admin/index.php;}

Option 1:

if (!-f $request_filename){ rewrite (.*) /index.php;  }

Option 2:

 rewrite ^/(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*)$ /index.php;

Other settings:

  location ~* \.(tpl|inc|cfg)$ {  deny all; }
  location ^~ /vendor/ { deny all; }


Option 1 mainly sends anything that does not exist locally to index.php; try_files can be used for this as well.

Option 2 simply performs the rewrite directly.


The other settings mainly hide some directories and files from being accessed.


Overall, matching with location is a bit more robust, but a path such as /admin/clientsservices.php would still be caught by the rewrite rule, so an if check is still needed to decide.

nginx forward proxy

server {
    listen 8080;
    resolver 114.114.114.114;
    location / {
        proxy_pass $scheme://$http_host$request_uri;   # relay to whatever host the client asked for
        proxy_set_header HOST $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0k;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_next_upstream error timeout invalid_header http_502;
    }
    # only 127.0.0.1 is denied here; every other client can relay through this server, so add allow rules for the intended source ranges
    deny 127.0.0.1;
}


nginx php.conf configuration

location ~ \.php$ {                      # without the stray "?" the pattern no longer matches every URI ending in "."
        try_files $uri =404;             # "=404" without a space; "= 404" would be taken as file names
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;   # $fastcgi_script_name already starts with "/"
        include fastcgi_params;
}
location ~ \.(htm|gif|jpg|jpeg|png|bmp|ico|flv|swf|txt|wma)$ { expires  30d;}
location ~ \.(js|css)$ { expires   1d;}
location ~ \.(tpl|svn|asp|aspx|jsp|do|mdb|zip|rar|bak|htc)$ { deny all; }
location ~ /0.* { deny all; }
if (!-e $request_filename) { return 444; }


Blocking search engines and crawlers with nginx

Add a map in the http context to do the matching:

map $http_user_agent $limit_bots {
    default 0;
    ~*(baiduspider|google|soso|bing|yandex|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler) 1;
    ~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
    ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
    ~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
    ~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
    ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
    ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}


Then add an if check in the server or location context:

  if ($limit_bots = 1) {  return 403;  }
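To see what the map above really matches, here is an added Python check (not part of the original post) that applies the same case-insensitive, unanchored patterns to a few constructed User-Agent strings. The list contains short substrings such as Custo, Bot and tool, so an ordinary app UA that happens to contain "Customer" is blocked as well, and since the header is supplied by the client, the map only stops clients that announce themselves.

```python
import re

# Alternations copied from the nginx map; "~*" in nginx means a case-insensitive,
# unanchored regex, which re.search with re.IGNORECASE reproduces. Like nginx, the
# first list that matches decides.
MAP_PATTERNS = [
    r"(baiduspider|google|soso|bing|yandex|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)",
    r"(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker)",
    r"(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It)",
    r"(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE)",
    r"(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider)",
    r"(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus)",
    r"(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw)",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in MAP_PATTERNS]


def limit_bots(user_agent: str) -> int:
    """Value the map assigns to $limit_bots: 1 = request gets the 403, 0 = default."""
    return 1 if any(p.search(user_agent) for p in COMPILED) else 0


def matched_token(user_agent: str):
    """The substring that fired (as it appears in the UA), to explain a block; None if allowed."""
    for p in COMPILED:
        m = p.search(user_agent)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    # constructed sample UAs: a browser, a crawler, a CLI client and a false positive
    for ua in (
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "curl/8.4.0",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AcmeCustomerApp/2.1",
    ):
        print(limit_bots(ua), matched_token(ua), ua)
```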


Supermicro IPMI/BMC nginx proxy

Requires openresty or nginx at a version above 1.15.10.

For building from source see http://www.kvm.la/1043.html; the openresty binary packages are older and not updated, so building your own is recommended.

First, put the IPMI addresses into a file named ip.list, one IP per line.

#!/bin/bash
i=1000  # vnc start port
b=2000  # bmc start port (see the BMC<> field written below)
# hextoip() { hex=$1;  printf "%d." 0x${hex:0:2};  printf "%d." 0x${hex:2:2};  printf "%d." 0x${hex:4:2};  printf "%d" 0x${hex:6:2};  }
# gethostip -x 10.0.12.1    # prints the address as eight hex digits (gethostip ships with syslinux)
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > "$stream_route_map"
echo " default 0;" > "$http_route_map"
# awk '!seen[$0]++' drops duplicate lines while keeping file order, so each IP keeps a stable port pair
for IP in $(awk '!seen[$0]++' /root/ipmi/ip.list); do
    i=$((i + 1))
    b=$((b + 1))
    HEXIP=$(gethostip -x "$IP" | tr 'A-Z' 'a-z')
    # http map: the IP, either port number or the hex form selects this BMC's routing record
    echo "	   ~*($IP|$i|$b|$HEXIP)$ 	IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >> "$http_route_map"
    # stream map: a VNC or BMC port number selects the BMC address
    echo "     ~*($b|$i)$  $IP;" >> "$stream_route_map"
done

nginx -s reload


Quick openresty deployment on CentOS 7

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ # link the nginx binary into the usual sbin directory
ln -s /usr/local/openresty/nginx/conf /etc/nginx # symlink the config directory to the usual location
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service # service alias so systemctl on CentOS 7 can manage it as nginx
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

After the base deployment, sync the data with rsync and finish the remaining basic configuration.

Crude and simple CC-attack filtering with nginx Lua

Original source: http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

The original page no longer seems to load. Stock nginx has to be compiled with the Lua module; openresty can use this as-is.

location ~ \.php$ {
    rewrite_by_lua '
        -- token bound to the client address and User-Agent; the header may be absent, so default it to ""
        local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
        if (ngx.var.cookie_humanflag ~= md5token) then
            -- first visit or wrong token: set the cookie and bounce the client back to the same URI
            -- (ngx.var.uri carries no query string, so arguments are dropped on the redirect)
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

# plain-nginx variant of the same idea: the cookie simply carries the client address
location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}
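As an added illustration, not part of the original post or of the linked article, the following Python reproduces the decision the Lua block makes and places next to it an assumed keyed variant (hypothetical server-side secret, one-hour time bucket). The md5 of address plus User-Agent can be computed by any client from its own two public values, whereas an HMAC over a secret the client never sees cannot, and it stops validating once the window has passed.

```python
import hashlib
import hmac


def page_token(remote_addr: str, user_agent: str) -> str:
    """Token exactly as the Lua snippet derives it: md5 of the client address followed by its User-Agent."""
    return hashlib.md5((remote_addr + user_agent).encode()).hexdigest()


def decide(remote_addr: str, user_agent: str, cookie_humanflag):
    """Mirror the rewrite_by_lua decision.

    Returns ("pass", None) when the humanflag cookie carries the expected token, otherwise
    ("redirect", set_cookie_value): the client is sent back to the same URI with the cookie set.
    """
    token = page_token(remote_addr, user_agent)
    if cookie_humanflag == token:
        return ("pass", None)
    return ("redirect", "humanflag=" + token)


# Assumed hardening, not in the original post: key the token with a server-side secret and a
# time bucket, so it cannot be derived from public request fields and expires after `ttl` seconds.
def keyed_token(secret: bytes, remote_addr: str, user_agent: str, now: float, ttl: int = 3600) -> str:
    bucket = int(now // ttl)
    msg = f"{remote_addr}|{user_agent}|{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def keyed_decide(secret: bytes, remote_addr: str, user_agent: str, cookie, now: float, ttl: int = 3600) -> str:
    """Accept the current or the previous bucket so a client is not bounced right at a boundary."""
    if cookie is None:
        return "redirect"
    for when in (now, now - ttl):
        expected = keyed_token(secret, remote_addr, user_agent, when, ttl)
        if hmac.compare_digest(cookie.encode(), expected.encode()):  # constant-time comparison
            return "pass"
    return "redirect"


if __name__ == "__main__":
    # constructed sample request: a CLI client without the cookie, then with the cookie it was handed
    addr, ua = "203.0.113.5", "curl/8.4.0"
    action, set_cookie = decide(addr, ua, None)
    print(action, set_cookie)
    print(decide(addr, ua, set_cookie.split("=", 1)[1]))
```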