nginx防SQL注入与文件注入的相关安全设置

分类:CentOS运维 阅读:94618 次

配置文件可以在一定程度上防止sql与文件形式的注入,放在配置文件的server块里面。

  1. server{

  2. [...]

  3. ## Block SQL injections

  4. set$block_sql_injections0;

  5. if($query_string ~ "union.*select.*\("){

  6. set$block_sql_injections1;

  7. }

  8. if($query_string ~ "union.*all.*select.*"){

  9. set$block_sql_injections1;

  10. }

  11. if($query_string ~ "concat.*\("){

  12. set$block_sql_injections1;

  13. }

  14. if($block_sql_injections = 1){

  15. return403;

  16. }

  17. ## Block file injections

  18. set$block_file_injections0;

  19. if($query_string ~ "[a-zA-Z0-9_]=http://"){

  20. set$block_file_injections1;

  21. }

  22. if($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+"){

  23. set$block_file_injections1;

  24. }

  25. if($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+"){

  26. set$block_file_injections1;

  27. }

  28. if($block_file_injections = 1){

  29. return403;

  30. }

  31. ## Block common exploits

  32. set$block_common_exploits0;

  33. if($query_string ~ "(<|%3C).*script.*(>|%3E)"){

  34. set$block_common_exploits1;

  35. }

  36. if($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})"){

  37. set$block_common_exploits1;

  38. }

  39. if($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})"){

  40. set$block_common_exploits1;

  41. }

  42. if($query_string ~ "proc/self/environ"){

  43. set$block_common_exploits1;

  44. }

  45. if($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)"){

  46. set$block_common_exploits1;

  47. }

  48. if($query_string ~ "base64_(en|de)code\(.*\)"){

  49. set$block_common_exploits1;

  50. }

  51. if($block_common_exploits = 1){

  52. return403;

  53. }

  54. ## Block spam

  55. set$block_spam0;

  56. if($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b"){

  57. set$block_spam1;

  58. }

  59. if($query_string ~"\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b"){

  60. set$block_spam1;

  61. }

  62. if($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b"){

  63. set$block_spam1;

  64. }

  65. if($query_string ~"\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b"){

  66. set$block_spam1;

  67. }

  68. if($block_spam = 1){

  69. return403;

  70. }

  71. ## Block user agents

  72. set$block_user_agents0;

  73. # Don't disable wget if you need it to run cron jobs!

  74. #if ($http_user_agent ~ "Wget") {

  75. # set $block_user_agents 1;

  76. #}

  77. # Disable Akeeba Remote Control 2.5 and earlier

  78. if($http_user_agent ~ "Indy Library"){

  79. set$block_user_agents1;

  80. }

  81. # Common bandwidth hoggers and hacking tools.

  82. if($http_user_agent ~ "libwww-perl"){

  83. set$block_user_agents1;

  84. }

  85. if($http_user_agent ~ "GetRight"){

  86. set$block_user_agents1;

  87. }

  88. if($http_user_agent ~ "GetWeb!"){

  89. set$block_user_agents1;

  90. }

  91. if($http_user_agent ~ "Go!Zilla"){

  92. set$block_user_agents1;

  93. }

  94. if($http_user_agent ~ "Download Demon"){

  95. set$block_user_agents1;

  96. }

  97. if($http_user_agent ~ "Go-Ahead-Got-It"){

  98. set$block_user_agents1;

  99. }

  100. if($http_user_agent ~ "TurnitinBot"){

  101. set$block_user_agents1;

  102. }

  103. if($http_user_agent ~ "GrabNet"){

  104. set$block_user_agents1;

  105. }

  106. if($block_user_agents = 1){

  107. return403;

  108. }

  109. }