虽然有第三方的,但是自己nginx里面写死配置来得安稳些.
sub_filter_once off;
sub_filter_types text/css;
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
location /assets/vendor/googleapis {
rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
proxy_pass https://fonts.googleapis.com;
proxy_set_header Host "fonts.googleapis.com";
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
expires 1d;
sub_filter_once off;
sub_filter_types text/css;
sub_filter "https://fonts.gstatic.com" "/assets/vendor/gstatic";
}
location /assets/vendor/gstatic {
rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
proxy_pass https://fonts.gstatic.com:443;
proxy_set_header Host "fonts.gstatic.com";
expires 1y;
}
curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget vim-enhanced tcpdump iftop net-tools rsync
yum -y -q install openresty
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.
原文地址:http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack
好像原文出处的页面已经打不开了,原生的nginx需要编译lua,openresty可以直接用。
location ~ \.php$ {
rewrite_by_lua '
local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
if (ngx.var.cookie_humanflag ~= md5token) then
ngx.header["Set-Cookie"] = "humanflag=" .. md5token
return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
end
';
... ...
}
location ~ \.php$ {
if ($cookie_ipaddr != "$remote_addr"){
add_header Set-Cookie "ipaddr=$remote_addr";
rewrite .* "$scheme://$host$uri" redirect;
}
... ...
}