Nginx 常用配置(学习笔记三)

#drop_sql为防爬虫、SQL注入等常用配置

user www www;

worker_processes 1;

error_log  /usr/local/local/logs/nginx_error.log crit;

pid        /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.

worker_rlimit_nofile 51200;

events

{

use epoll;

worker_connections 51200;

}

http

{

include      mime.types;

default_type  application/octet-stream;

server_names_hash_bucket_size 128;

client_header_buffer_size 32k;

large_client_header_buffers 4 32k;

client_max_body_size 50m;

              access_log off;

                ssi on;

                ssi_types text/shtml;

sendfile on;

tcp_nopush    on;

add_header Hit slb-1.keyibao.com;

keepalive_timeout 180;

tcp_nodelay on;

fastcgi_intercept_errors on;

proxy_intercept_errors on;

fastcgi_connect_timeout 1200;

fastcgi_send_timeout 1200;

fastcgi_read_timeout 1200;

fastcgi_buffer_size 128k;

fastcgi_buffers 8 128k;

fastcgi_busy_buffers_size 256k;

fastcgi_temp_file_write_size 256k;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        send_timeout 1200;

        proxy_connect_timeout 1200;

        proxy_read_timeout 1200;

        proxy_send_timeout 1200;

                set_real_ip_from 10.159.0.0/16;

                real_ip_header X-Forwarded-For;

gzip on;

gzip_proxied any;

gzip_http_version 1.0;

gzip_vary on;

gzip_comp_level 6;

gzip_min_length  2k;

gzip_buffers    4 16k;

gzip_types text/plain text/css application/json application/x-javascript application/xml text/javascript image/jpeg image/gif image/png application/x-shockwave-flash;

gzip_disable “MSIE [1-6].(?!.*SV1)”;

#limit_req_zone $limit zone=ConnLimitZone:20m rate=30r/s;

#limit_conn_zone $limit zone=limit:10m;

#limit_req zone=ConnLimitZone;

include drop_sql.conf;

}

####drop_sql.conf

if ($request_uri ~* "(cost\()|(concat\()") {

return 404;

}

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {

return 404;

}

if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {

return 404;

}

if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {

return 404;

}

if ($query_string ~ "proc/self/environ") {

return 404;

}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {

return 404;

}

if ($query_string ~ "base64_(en|de)code(.*)") {

return 404;

}

if ($http_user_agent ~ "Python-urllib") {

return 404;

}

## Block SQL injections

set $block_sql_injections 0;

if ($query_string ~ "union.*select.*\(") {

set $block_sql_injections 1;

}

if ($query_string ~ "union.*all.*select.*") {

set $block_sql_injections 1;

}

if ($query_string ~ "concat.*\(") {

set $block_sql_injections 1;

}

if ($block_sql_injections = 1) {

return 403;

}

## Block file injections

set $block_file_injections 0;

#if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {

#set $block_file_injections 1;

#}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {

set $block_file_injections 1;

}

if ($block_file_injections = 1) {

return 404;

}

## Block common exploits

set $block_common_exploits 0;

if ($query_string ~ "(<|<).*script.*(>|>)") {

set $block_common_exploits 1;

}

if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {

set $block_common_exploits 1;

}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {

set $block_common_exploits 1;

}

if ($query_string ~ "proc/self/environ") {

set $block_common_exploits 1;

}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\=)") {

set $block_common_exploits 1;

}

if ($query_string ~ "base64_(en|de)code\(.*\)") {

set $block_common_exploits 1;

}

if ($block_common_exploits = 1) {

return 404;

}

## Block spam

set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {

set $block_spam 1;

}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {

set $block_spam 1;

}

if ($block_spam = 1) {

return 404;

}

## Block user agents

set $block_user_agents 0;

# Don't disable wget if you need it to run cron jobs!

#if ($http_user_agent ~ "Wget") {

# set $block_user_agents 1;

#}

# Disable Akeeba Remote Control 2.5 and earlier

if ($http_user_agent ~ "Indy Library") {

set $block_user_agents 1;

}

# Common bandwidth hoggers and hacking tools.

if ($http_user_agent ~ "libwww-perl") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GetRight") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GetWeb!") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Go!Zilla") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Download Demon") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "Go-Ahead-Got-It") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "TurnitinBot") {

set $block_user_agents 1;

}

if ($http_user_agent ~ "GrabNet") {

set $block_user_agents 1;

}

if ($block_user_agents = 1) {

return 404;

}