
nginx防SQL注入与文件注入的相关安全设置

时间:2014-02-22 01:36来源:www.it.net.cn 作者:IT网

下面这段配置放在 nginx 配置文件的 server 块里，用 PCRE 正则匹配原始查询串（$query_string）和 User-Agent，命中即返回 403。它只能挡住最粗糙的批量扫描：$query_string 未经 URL 解码（把 "(" 写成 "%28" 即可绕过 \( 这类模式），原文使用的是区分大小写的 ~（"UNION SELECT" 直接放行），而且 POST 正文、Cookie 和除 User-Agent 以外的请求头都不在检查范围内。因此它只能作为纵深防御的一层：真正防 SQL 注入要靠应用层的参数化查询，防文件注入要靠不把用户输入传给 include/fopen 之类的调用。另外注意原文排版丢失了指令与参数之间的空格（如 set$block_sql_injections0;、return403;），直接复制会导致 nginx 配置解析报错，复制时必须补回空格（set $block_sql_injections 0;、return 403;）。

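  server {
      # [...] the usual server directives (listen, server_name, root, ...) go here

      ## Blanket request filters for this virtual host.
      ##
      ## Each group raises a flag variable with `set` and a single trailing
      ## `if` returns 403 when the flag is set.  `if` blocks that contain only
      ## `set`/`return` are the form nginx documents as safe to use.
      ##
      ## These are plain PCRE signatures against the raw request and stop
      ## only unsophisticated mass scanners:
      ##   * `$query_string` is the query string exactly as sent -- nginx does
      ##     not URL-decode it -- so percent-encoding a matched character
      ##     (e.g. "(" as "%28") bypasses every pattern that does not also
      ##     spell out the encoded form;
      ##   * `~*` (case-insensitive match) is used throughout; the original
      ##     listing used the case-sensitive `~`, which let "UNION SELECT",
      ##     "CONCAT(" and "VIAGRA" through unchallenged;
      ##   * request bodies (POST parameters), cookies and every header other
      ##     than User-Agent are never inspected here, and User-Agent is set
      ##     by the client and trivially spoofed.
      ## Treat this as defence in depth, not as a WAF: SQL injection is
      ## prevented by parameterised queries in the application and file
      ## inclusion by never passing user input to include/open/fopen.
      ## Note: the original listing had lost the space between directive and
      ## argument (`set$block_sql_injections0;`, `return403;`), which nginx
      ## rejects at config load; it is restored below.

      ## Block SQL injections
      set $block_sql_injections 0;
      # UNION ... SELECT ... ( -- classic UNION-based extraction
      if ($query_string ~* "union.*select.*\(") {
          set $block_sql_injections 1;
      }
      # UNION ALL SELECT variant (no parenthesis required)
      if ($query_string ~* "union.*all.*select.*") {
          set $block_sql_injections 1;
      }
      # CONCAT( -- used to pack several columns into one UNION column
      if ($query_string ~* "concat.*\(") {
          set $block_sql_injections 1;
      }
      if ($block_sql_injections = 1) {
          return 403;
      }

      ## Block file injections (remote/local file inclusion attempts)
      set $block_file_injections 0;
      # param=http://... -- remote file inclusion
      if ($query_string ~* "[a-zA-Z0-9_]=http://") {
          set $block_file_injections 1;
      }
      # param=../ or param=..// -- directory traversal
      if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
          set $block_file_injections 1;
      }
      # param=/name/ or param=/name// -- absolute path handed to an include
      if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
          set $block_file_injections 1;
      }
      if ($block_file_injections = 1) {
          return 403;
      }

      ## Block common exploits
      set $block_common_exploits 0;
      # <script ...> with the angle brackets either literal or %3C/%3E encoded
      if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
          set $block_common_exploits 1;
      }
      # Attempts to overwrite PHP superglobals via register_globals
      if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      # LFI pivot through /proc/self/environ
      if ($query_string ~* "proc/self/environ") {
          set $block_common_exploits 1;
      }
      # Old Mambo/Joomla mosConfig_* variable injection
      if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
          set $block_common_exploits 1;
      }
      # base64_encode(...) / base64_decode(...) inside a query string
      if ($query_string ~* "base64_(en|de)code\(.*\)") {
          set $block_common_exploits 1;
      }
      if ($block_common_exploits = 1) {
          return 403;
      }

      ## Block spam (keyword lists from comment/referrer spam campaigns)
      set $block_spam 0;
      if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
          set $block_spam 1;
      }
      if ($block_spam = 1) {
          return 403;
      }

      ## Block user agents
      ## The User-Agent header is client-supplied; this only deters tools
      ## that do not bother to change it.
      set $block_user_agents 0;

      # Don't disable wget if you need it to run cron jobs!
      #if ($http_user_agent ~* "Wget") {
      #    set $block_user_agents 1;
      #}

      # Disable Akeeba Remote Control 2.5 and earlier
      if ($http_user_agent ~* "Indy Library") {
          set $block_user_agents 1;
      }

      # Common bandwidth hoggers and hacking tools.
      if ($http_user_agent ~* "libwww-perl") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetRight") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetWeb!") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go!Zilla") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Download Demon") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go-Ahead-Got-It") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "TurnitinBot") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GrabNet") {
          set $block_user_agents 1;
      }

      if ($block_user_agents = 1) {
          return 403;
      }
  }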

 
