nginx访问控制
Posted 烟头
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx访问控制相关的知识,希望对你有一定的参考价值。
1.限制ip访问:
白名单
allow 127.0.0.1;##允许127.0.0.1访问
deny all;##其他ip全部拒绝
黑名单
deny 127.0.0.1;##拒绝这个ip访问
deny 1.1.1.1;##拒绝访问
配置
allow 127.0.0.1; ##允许这个ip访问
allow 192.168.222.0/24; ##允许这个网段访问
deny all; ##剩下全部拒绝
测试
# curl -x127.0.0.1:80 bbs.centos.com -I ##127.0.0.1可以访问 HTTP/1.1 200 OK Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:03:38 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: php/7.3.0 Set-Cookie: d0iK_2132_saltkey=h6XT6j4q; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/; HttpOnly Set-Cookie: d0iK_2132_lastvisit=1570939418; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/ Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/ Set-Cookie: d0iK_2132_lastact=1570943018%09index.php%09; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/ Set-Cookie: d0iK_2132_onlineusernum=3; expires=Sun, 13-Oct-2019 05:08:38 GMT; Max-Age=300; path=/ Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
# curl -x192.168.109.133:80 http://bbs.centos.com -I ##拒绝访问我们设置了192.168.222.0的网段才能允许 HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:04:33 GMT Content-Type: text/html Content-Length: 153 Connection: keep-aliv
# curl -x192.168.109.133:80 http://bbs.centos.com -I ##拒绝访问我们设置了192.168.222.0的网段才能允许 HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:04:33 GMT Content-Type: text/html Content-Length: 153 Connection: keep-aliv
2.需求:访问/admin.php/目录的请求,只允许管理员ip才能访问,配置如下:
location ~ /admin.php
{
allow 127.0.0.1;
allow 192.168.109.0/24;
deny all;
}
测试.
# curl -x127.0.0.1:80 bbs.centos.com/admin.php -I HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:15:25 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
# curl -x192.168.109.133:80 bbs.centos.com/admin.php -I HTTP/1.1 200 OK Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:15:57 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/7.3.0 Set-Cookie: d0iK_2132_saltkey=FGZc2tc6; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/; HttpOnly Set-Cookie: d0iK_2132_lastvisit=1570940157; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/ Set-Cookie: d0iK_2132_sid=MRRJ88; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/ Set-Cookie: d0iK_2132_lastact=1570943757%09admin.php%09; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/
这些ip都能访问,其他ip都不能访问这个目录。
3.限制某个目录下的某类文件
网站上传图片,日志等可以生成木马文件,非常危险。可以一步步拿到root权限。
安全考虑对一些可写的目录,对这些php请求限制
配置如下:
location ~ .*(upload|abc|image|attachment|cache)/.*\\.php$
{
deny all;
}
限制了upload|abc|image|attachment|cache这些目录,你在这些目录下都执行不了php文件
测试
# curl -x127.0.0.1:80 bbs.centos.com/upload/sdasdasd/sdasdasd/1.php -I HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:27:11 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
# curl -x127.0.0.1:80 bbs.centos.com/image/sdasdasd/sdasdasd/1.php -I HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:27:52 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
# curl -x127.0.0.1:80 bbs.centos.com/abc/sdasdasd/sdasdasd/1.php -I HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:28:26 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
测试一个没在限制的目录
# curl -x127.0.0.1:80 bbs.centos.com/accc/sdasdasd/sdasdasd/1.php -I HTTP/1.1 404 Not Found Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:31:11 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/7.3.0
显示404只是页面不存在,还是可以访问的。
4.限制user-agent
什么是user-agent?
| $http_user_agent | 客户端的详细信息,也就是浏览器的标识,用curl -A可以指定 |
可以百度nginx的内置参数
配置
if ($http_user_agent ~ \'Spider/3.0|YoudaoBot|Tomato\')
{
return 403;
}
当这个$http_user_agent字段,匹配到Spider/3.0|YoudaoBot|Tomato这些就会返回403
测试
# curl -A \'aaa.Spider/3.0\' -x127.0.0.1:80 bbs.centos.com -I HTTP/1.1 403 Forbidden Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:41:54 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
Spider换成小写spider
# curl -A \'aaa.spider/3.0\' -x127.0.0.1:80 bbs.centos.com -I HTTP/1.1 200 OK Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 05:42:35 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/7.3.0 Set-Cookie: d0iK_2132_saltkey=Q92MZZ26; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/; HttpOnly Set-Cookie: d0iK_2132_lastvisit=1570941755; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/ Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/ Set-Cookie: d0iK_2132_lastact=1570945355%09index.php%09; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/ Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
补充:多次用到cuel命令
curl命令用法:
# curl -v -A \'aaa.spider/3.0\' -x127.0.0.1:80 bbs.centos.com -I
-A指定user-agent -e指定referer -x指定访问目标服务器来源ip和port -I只显示header信息,不显示具体的网页内容 -v显示详细的通信过程
5.限制url
什么是url
| $request_uri | 请求的链接,包括$document_uri和$args |
| $document_uri | 当前请求中不包含指令的URI,如www.123.com/1.php?a=1&b=2的$document_uri就是1.php,不包含后面的参数 |
| $args | 请求中的参数,如www.123.com/1.php?a=1&b=2的$args就是a=1&b=2 |
配置
if ($request_uri ~ (viewthread|adc|123))
{
return 404;
$request_uri匹配到viewthread|adc|123都会返回404
测试
# curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=viewthread -I HTTP/1.1 404 Not Found Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 06:00:23 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
# curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=adc -I HTTP/1.1 404 Not Found Server: nginx/1.17.0 Date: Sun, 13 Oct 2019 06:00:44 GMT Content-Type: text/html Content-Length: 153 Connection: keep-alive
以上是关于nginx访问控制的主要内容,如果未能解决你的问题,请参考以下文章
Nginx防盗链Nginx访问控制Nginx解析php相关配置Nginx代理
Nginx防盗链访问控制 解析php相关配置及Nginx代理
Nginx——Nginx启动报错Job for nginx.service failed because the control process exited with error code(代码片段