一些常用的nginx安全规则

2022年07月14日

注:这些规则转自hostloc上的一些网友分享的,如果使用,需要根据需要做修改。

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
#请求这些敏感词时跳转下载10g文件
if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
}
#禁止下载以 XXX 后缀的文件
location ~ \.(zip|rar|sql|bak|gz|7z)$
{
return 444;
}
#访问链接里含有 test 直接跳转到公安网
if ($request_uri ~* test=) {
return 301 https://www.mps.gov.cn;
}
#防止爬虫
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
return 444;
}
#屏蔽非常见蜘蛛爬虫配置
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
return 444;
}
#禁止某个目录执行脚本
#uploads|templets|data 这些目录禁止执行PHP
location ~* ^/(uploads|templets|data)/.*.(php|php5)$ {
return 444;
}
#防止爬虫
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
return 444;
}
if ($http_user_agent ~* "qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {
return 404; #禁止爬虫返回404
}
#非指定域名访问返回403
if ($host != 'XX.XX.XX'){
return 403; #非指定域名访问返回403
}
#仅允许特定IP访问并加上帐号密码验证
root /opt/hostloc/www;
allow xx.xx.xx.xx;
allow 2xx.xx.x.xx;
deny all;
auth_basic “test”;
auth_basic_user_file htpasswd;
#禁止访问多个目录
location ~ ^/(cron|templates)/
{
deny all;
break;
}
#隐藏nginx版本号
http块添加
http {
...
server_tokens off;
...
}
#禁止非浏览器访问
if ($http_user_agent ~ ^$) {
return 412;
}
#防止攻击
if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
}
#请求这些敏感词时跳转下载10g文件 if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") { return 301 http://lg-dene.fdcservers.net/10GBtest.zip; } #禁止下载以 XXX 后缀的文件 location ~ \.(zip|rar|sql|bak|gz|7z)$ { return 444; } #访问链接里含有 test 直接跳转到公安网 if ($request_uri ~* test=) { return 301 https://www.mps.gov.cn; } #防止爬虫 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) { return 444; } #屏蔽非常见蜘蛛爬虫配置 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) { return 444; } #禁止某个目录执行脚本 #uploads|templets|data 这些目录禁止执行PHP location ~* ^/(uploads|templets|data)/.*.(php|php5)$ { return 444; } #防止爬虫 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) { return 444; } if ($http_user_agent ~* "qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") { return 404; #禁止爬虫返回404 } #非指定域名访问返回403 if ($host != 'XX.XX.XX'){ return 403; #非指定域名访问返回403 } #仅允许特定IP访问并加上帐号密码验证 root /opt/hostloc/www; allow xx.xx.xx.xx; allow 2xx.xx.x.xx; deny all; auth_basic “test”; auth_basic_user_file htpasswd; #禁止访问多个目录 location ~ ^/(cron|templates)/ { deny all; break; } #隐藏nginx版本号 http块添加 http { ... server_tokens off; ... } #禁止非浏览器访问 if ($http_user_agent ~ ^$) { return 412; } #防止攻击 if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") { return 301 http://lg-dene.fdcservers.net/10GBtest.zip; }
 #请求这些敏感词时跳转下载10g文件
 if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
            return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
        }

 #禁止下载以 XXX 后缀的文件
 location ~ \.(zip|rar|sql|bak|gz|7z)$ 
 { 
   return 444;
  }

 #访问链接里含有 test 直接跳转到公安网
 if ($request_uri ~* test=) {
  return 301 https://www.mps.gov.cn;
 }

 #防止爬虫
 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
      return 444;
    }

 #屏蔽非常见蜘蛛爬虫配置
 if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
     return 444;
  }

 #禁止某个目录执行脚本
#uploads|templets|data 这些目录禁止执行PHP
 location ~* ^/(uploads|templets|data)/.*.(php|php5)$ {
    return 444;
  }

#防止爬虫
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
      return 444;
    }

if ($http_user_agent ~* "qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {  
        return 404; #禁止爬虫返回404
        }

#非指定域名访问返回403
if ($host != 'XX.XX.XX'){
    return 403; #非指定域名访问返回403
   }

#仅允许特定IP访问并加上帐号密码验证
 root /opt/hostloc/www;
 allow  xx.xx.xx.xx; 
 allow  2xx.xx.x.xx; 
 deny  all;
 auth_basic “test”;
 auth_basic_user_file htpasswd;

#禁止访问多个目录
 location ~ ^/(cron|templates)/
 {
 deny all;
 break;
 }

#隐藏nginx版本号
http块添加
http {
...
server_tokens off;
...
}

#禁止非浏览器访问
if ($http_user_agent ~ ^$) {
        return 412;
}

#防止攻击
if ($request_uri ~* "(\.gz)|(")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|($_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
return 301 http://lg-dene.fdcservers.net/10GBtest.zip;
}

 

打赏微海报分享

sicnature ---------------------------------------------------------------------
I P 地 址: 216.73.216.111
区 域 位 置: 美国加利福尼亚洛杉矶
系 统 信 息: 美国
Original content, please indicate the source:
同福客栈论坛 | 蟒蛇科普海南乡情论坛 | JiaYu Blog
sicnature ---------------------------------------------------------------------
Welcome to reprint. Please indicate the source https://myzhenai.com/post/4203.html
标签:

没有评论

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注