虽然有第三方的,但是自己nginx里面写死配置来得安稳些.
用法就是在网站目录里面直接引用一下配置文件include googleapis.conf;
这里做了一个虚拟目录/assets/vendor/, 可以根据自己的需求设置.
# cat ../googleapis.conf
sub_filter_once off;
sub_filter_types text/css text/xml text/javascript;
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://ajax.googleapis.com" "/assets/vendor/ajax";
sub_filter "https://fonts.gstatic.com" "/assets/vendor/gstatic";
location /assets/vendor/googleapis {
rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
sub_filter "https://fonts.gstatic.com" "/assets/vendor/gstatic";
proxy_set_header Accept-Encoding "";
proxy_pass https://fonts.googleapis.com;
proxy_set_header Host "fonts.googleapis.com";
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
expires 1y;
}
location /assets/vendor/gstatic {
rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
proxy_pass https://fonts.gstatic.com:443;
proxy_set_header Host "fonts.gstatic.com";
expires 1y;
}
location /assets/vendor/ajax {
rewrite ^/assets/vendor/ajax/(.+)$ /$1 break;
proxy_pass https://gajax.googleapis.com;
proxy_set_header Host ajax.googleapis.com;
expires 1y;
}
在官方wiki找到的
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name
在alias下路径报错
-----------------------------------------------------------------------------
fastcgi_param SCRIPT_FILENAME $request_filename
index取值忽略fastcgi_index的设定, 直接取http或者server字段下的index设定值.
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
location ~ /(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*) { rewrite (.*) /index.php; }
location ~ /(.*)/(addons|apps|search|domains|help|services|setup|utilities|clients)(.*) { rewrite (.*) /admin/index.php;}方案一:
if (!-f $request_filename){ rewrite (.*) /index.php; }方案二:
rewrite ^/(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*)$ /index.php;
其他设置:
location ~* \.(tpl|inc|cfg)$ { deny all; }
location ^~ /vendor/ { deny all; }
方案一主要匹配本地没有的就丢index.php上去, 也可以用try_files
方案二主要是直接进行rewrite.
其他配置主要是隐藏一些目录和文件不让访问.
总的来说用 location来匹配稍微稳妥一些, 例如 /admin/clientsservices.php 会被为静态匹配到, 还是得运用if来判断匹配.
server {
listen 8080;
resolver 114.114.114.114;
location / {
proxy_pass $scheme://$http_host$request_uri;
proxy_set_header HOST $http_host;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0k;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_next_upstream error timeout invalid_header http_502;
}
deny 127.0.0.1;
}
location ~ .*\.(php)?$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
location ~ .*\.(htm|gif|jpg|jpeg|png|bmp|ico|flv|swf|txt|wma)$ { expires 30d;}
location ~ .*\.(js|css)?$ { expires 1d;}
location ~ .*\.(tpl|svn|asp|aspx|jsp|do|mdb|zip|rar|bak|htc)?${ deny all; }
location ~ /0.* { deny all; }
if (!-e $request_filename) { return 444; }
在http字段下加入一个map做匹配引导
map $http_user_agent $limit_bots {
default 0;
~*(baiduspider|google|soso|bing|yandex|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler) 1;
~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}
再到server字段或者是location字段下加入if判断
if ($limit_bots = 1) { return 403; }
需要安装一个openresty或者nginx, 版本大于1.15.10
编译安装参考http://www.kvm.la/1043.html , openresty二进制包版本较低没有更新, 建议编译安装一份.
首先把IPMI的IP丢进一个ip.list的文件里面, 一行一个IP.
#/bin/bash
i=1000 #vnc start port
b=2000
# hextoip() { hex=$1; printf "%d." 0x${hex:0:2}; printf "%d." 0x${hex:2:2}; printf "%d." 0x${hex:4:2}; printf "%d" 0x${hex:6:2}; }
#gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > $stream_route_map
echo " default 0;" > $http_route_map
for IP in `cat /root/ipmi/ip.list | uniq -c |awk '{ print $2 }'`;
do
i=`expr $i + 1` ;
b=`expr $b + 1` ;
HEXIP=`gethostip -x $IP | tr 'A-Z' 'a-z'` ;
echo " ~*($IP|$i|$b|$HEXIP)$ IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >>$http_route_map;
echo " ~*($b|$i)$ $IP;" >> $stream_route_map
done
nginx -s reload阅读剩余部分...
curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget vim-enhanced tcpdump iftop net-tools rsync
yum -y -q install openresty
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.
原文地址:http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack
好像原文出处的页面已经打不开了,原生的nginx需要编译lua,openresty可以直接用。
location ~ \.php$ {
rewrite_by_lua '
local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
if (ngx.var.cookie_humanflag ~= md5token) then
ngx.header["Set-Cookie"] = "humanflag=" .. md5token
return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
end
';
... ...
}
location ~ \.php$ {
if ($cookie_ipaddr != "$remote_addr"){
add_header Set-Cookie "ipaddr=$remote_addr";
rewrite .* "$scheme://$host$uri" redirect;
}
... ...
}
