# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$fmt_localtime $request_time $server_addr $server_port $remote_addr $remote_port $status $body_bytes_sent $request_method $server_protocol' ' "$host" "$uri" "$query_string" "$http_referer" "$http_user_agent" "$ssl_protocol" "$ssl_cipher" "-" "$remote_user" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; map $host $fmt_localtime { default ''; } log_by_lua_block { ngx.var.fmt_localtime = ngx.localtime(); } sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 48888; listen [::]:48888; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } # 文件上传的限制 client_max_body_size 100m; if ($query_string ~* ".*('|--|(%20)union|(%20)insert|(%20)drop|(%20)truncate|(%20)update|(%20)from|(%20)grant|(%20)where|(%20)select|(%20)and|(%20)chr|(%20)mid|(%20)like).*") { return 403; } #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|\*|%|\')(.*)$ ) { return 403; } if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; } if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; } if ($http_user_agent ~ "GetWeb!") { return 444; } if ($http_user_agent ~ "Go!Zilla") { return 444; } if ($http_user_agent ~ "Download Demon") { return 444; } if ($http_user_agent ~ "Indy Library") { return 444; } if ($http_user_agent ~ "libwww-perl") { return 444; } if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; } if ($http_user_agent ~ "Load Impact") { return 444; } if ($http_user_agent ~ "~17ce.com") { return 444; } if ($http_user_agent ~ "WebBench*") { return 444; } if ($http_referer ~* 17ce.com) { return 444; } if ($http_user_agent ~* qiyunce) { return 444; } if ($http_user_agent ~* YunGuanCe) { return 403; } if ($http_referer ~* WebBench*") { return 444; } if ($http_user_agent ~ "BLEXBot") { return 403; } if ($http_user_agent ~ "MJ12bot") { return 403; } if ($http_user_agent ~ "semalt.com") { return 403; } if ($http_user_agent ~ "sqlmap") { return 403; } #自动防护 if ($request_uri ~* \.(htm|do)\?(.*)$) { set $req $2; } if ($req ~* "(cost\()|(concat\()") { return 503; } if ($req ~* "union[+|(%20)]") { return 503; } if ($req ~* "and[+|(%20)]") { return 503; } if ($req ~* "select[+|(%20)]") { return 503; } #溢出过滤 if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "proc/self/environ") { return 403; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; } if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; } #文件注入禁止 if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; } location / { lua_need_request_body on; access_by_lua_block { local body = ngx.var.request_body if ngx.var.request_method == "POST" and body ~= nil then local regex0 = "(.*?((sqlwhere)|(c0-param0)).*?){1,}" local m0 = ngx.re.match(body, regex0, "i") local regex1 = "(.*?((insert)|(drop)|(truncate)|(update)|(grant)|(chr)|(webscan)|(dbappsecurity)|(WAITFOR)).*?){1,}" local m1 = ngx.re.match(body, regex1, "i") local regex2 = "(.*?((union)|(insert)|(drop)|(truncate)|(grant)|(chr)|(alert)|(webscan)|(dbappsecurity)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}" local m2 = ngx.re.match(body, regex2, "i") if (m0 and m1) or (not m0 and m2) then ngx.log(ngx.ERR, "error: ", body) ngx.status = 402 ngx.say('{"code": 402, "msg": "非法参数","ok": false,"runningTime": "0ms"}') end end ngx.req.read_body() local args, err = ngx.req.get_post_args() if args then for k, v in pairs(args) do if k == "j_username" or k == "j_password" then local regex = "(.*?((union)|(insert)|(drop)|(truncate)|(update)|(from)|(grant)|(where)|(select)|(chr)|(mid)|(like)|(iframe)|(alert)|(webscan)|(dbappsecurity)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}" local m = ngx.re.match(v, regex, "i") if m then ngx.log(ngx.ERR, "error: ", v) ngx.status = 404 ngx.say('{"code": 404, "msg": "非法参数","ok": false,"runningTime": "0ms"}') end end end end } proxy_http_version 1.1; proxy_set_header Connection ""; proxy_next_upstream http_502 error timeout invalid_header; proxy_pass http://192.168.100.199:8888/; proxy_set_header Host $http_host; proxy_connect_timeout 300; proxy_read_timeout 300; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } server { listen 49090; listen [::]:49090; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } if ($query_string ~* ".*('|--|(%20)union|(%20)insert|(%20)drop|(%20)truncate|(%20)update|(%20)from|(%20)grant|(%20)where|(%20)select|(%20)and|(%20)chr|(%20)mid|(%20)like).*") { return 403; } #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|\*|%|\')(.*)$ ) { return 403; } if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; } if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; } if ($http_user_agent ~ "GetWeb!") { return 444; } if ($http_user_agent ~ "Go!Zilla") { return 444; } if ($http_user_agent ~ "Download Demon") { return 444; } if ($http_user_agent ~ "Indy Library") { return 444; } if ($http_user_agent ~ "libwww-perl") { return 444; } if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; } if ($http_user_agent ~ "Load Impact") { return 444; } if ($http_user_agent ~ "~17ce.com") { return 444; } if ($http_user_agent ~ "WebBench*") { return 444; } if ($http_referer ~* 17ce.com) { return 444; } if ($http_user_agent ~* qiyunce) { return 444; } if ($http_user_agent ~* YunGuanCe) { return 403; } if ($http_referer ~* WebBench*") { return 444; } if ($http_user_agent ~ "BLEXBot") { return 403; } if ($http_user_agent ~ "MJ12bot") { return 403; } if ($http_user_agent ~ "semalt.com") { return 403; } if ($http_user_agent ~ "sqlmap") { return 403; } #自动防护 if ($request_uri ~* \.(htm|do)\?(.*)$) { set $req $2; } if ($req ~* "(cost\()|(concat\()") { return 503; } if ($req ~* "union[+|(%20)]") { return 503; } if ($req ~* "and[+|(%20)]") { return 503; } if ($req ~* "select[+|(%20)]") { return 503; } #溢出过滤 if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "proc/self/environ") { return 403; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; } if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; } #文件注入禁止 if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; } #local regex = "(.*?((union)|(insert)|(drop)|(truncate)|(update)|(from)|(grant)|(where)|(select)|(chr)|(mid)|(like)|(iframe)|(alert)|(webscan)|(dbappsecurity)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}" location / { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_next_upstream http_502 error timeout invalid_header; proxy_pass http://192.168.100.189:9090/; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } server { listen 48800; listen [::]:48800; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } if ($query_string ~* ".*('|--|(%20)union|(%20)insert|(%20)drop|(%20)truncate|(%20)update|(%20)from|(%20)grant|(%20)where|(%20)select|(%20)and|(%20)chr|(%20)mid|(%20)like).*") { return 403; } #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|\*|%|\')(.*)$ ) { return 403; } if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; } if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; } if ($http_user_agent ~ "GetWeb!") { return 444; } if ($http_user_agent ~ "Go!Zilla") { return 444; } if ($http_user_agent ~ "Download Demon") { return 444; } if ($http_user_agent ~ "Indy Library") { return 444; } if ($http_user_agent ~ "libwww-perl") { return 444; } if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; } if ($http_user_agent ~ "Load Impact") { return 444; } if ($http_user_agent ~ "~17ce.com") { return 444; } if ($http_user_agent ~ "WebBench*") { return 444; } if ($http_referer ~* 17ce.com) { return 444; } if ($http_user_agent ~* qiyunce) { return 444; } if ($http_user_agent ~* YunGuanCe) { return 403; } if ($http_referer ~* WebBench*") { return 444; } if ($http_user_agent ~ "BLEXBot") { return 403; } if ($http_user_agent ~ "MJ12bot") { return 403; } if ($http_user_agent ~ "semalt.com") { return 403; } if ($http_user_agent ~ "sqlmap") { return 403; } #自动防护 if ($request_uri ~* \.(htm|do)\?(.*)$) { set $req $2; } if ($req ~* "(cost\()|(concat\()") { return 503; } if ($req ~* "union[+|(%20)]") { return 503; } if ($req ~* "and[+|(%20)]") { return 503; } if ($req ~* "select[+|(%20)]") { return 503; } #溢出过滤 if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "proc/self/environ") { return 403; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; } if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; } #文件注入禁止 if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; } location / { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_next_upstream http_502 error timeout invalid_header; proxy_pass http://192.168.100.189:8081/; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } server { listen 17883 ssl; listen [::]:17883 ssl; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } server_name www.npcable.cn; ssl_certificate /root/kk/www.npcable.cn_nginx/www.npcable.cn_bundle.crt; ssl_certificate_key /root/kk/www.npcable.cn_nginx/www.npcable.cn.key; if ($query_string ~* ".*('|--|(%20)union|(%20)insert|(%20)drop|(%20)truncate|(%20)update|(%20)from|(%20)grant|(%20)where|(%20)select|(%20)and|(%20)chr|(%20)mid|(%20)like).*") { return 403; } #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|\*|%|\')(.*)$ ) { return 403; } if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; } if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; } if ($http_user_agent ~ "GetWeb!") { return 444; } if ($http_user_agent ~ "Go!Zilla") { return 444; } if ($http_user_agent ~ "Download Demon") { return 444; } if ($http_user_agent ~ "Indy Library") { return 444; } if ($http_user_agent ~ "libwww-perl") { return 444; } if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; } if ($http_user_agent ~ "Load Impact") { return 444; } if ($http_user_agent ~ "~17ce.com") { return 444; } if ($http_user_agent ~ "WebBench*") { return 444; } if ($http_referer ~* 17ce.com) { return 444; } if ($http_user_agent ~* qiyunce) { return 444; } if ($http_user_agent ~* YunGuanCe) { return 403; } if ($http_referer ~* WebBench*") { return 444; } if ($http_user_agent ~ "BLEXBot") { return 403; } if ($http_user_agent ~ "MJ12bot") { return 403; } if ($http_user_agent ~ "semalt.com") { return 403; } if ($http_user_agent ~ "sqlmap") { return 403; } #自动防护 if ($request_uri ~* \.(htm|do)\?(.*)$) { set $req $2; } if ($req ~* "(cost\()|(concat\()") { return 503; } if ($req ~* "union[+|(%20)]") { return 503; } if ($req ~* "and[+|(%20)]") { return 503; } if ($req ~* "select[+|(%20)]") { return 503; } #溢出过滤 if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; } if ($query_string ~ "proc/self/environ") { return 403; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; } if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; } #文件注入禁止 if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; } location / { proxy_http_version 1.1; proxy_set_header Connection ""; proxy_next_upstream http_502 error timeout invalid_header; proxy_pass https://192.168.100.178:17881/; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } # Settings for a TLS enabled server. # # server { # listen 443 ssl http2; # listen [::]:443 ssl http2; # server_name _; # root /usr/share/nginx/html; # # ssl_certificate "/etc/pki/nginx/server.crt"; # ssl_certificate_key "/etc/pki/nginx/private/server.key"; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 10m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # # # Load configuration files for the default server block. # include /etc/nginx/default.d/*.conf; # # error_page 404 /404.html; # location = /40x.html { # } # # error_page 500 502 503 504 /50x.html; # location = /50x.html { # } # } }