nginx access control

    1. Restricting access by IP:

    Whitelist

    allow 127.0.0.1;  ## allow 127.0.0.1

    deny all;  ## deny every other ip

    Blacklist

    deny 127.0.0.1;  ## deny this ip

    deny 1.1.1.1;  ## deny this ip as well

    Configuration

            allow 127.0.0.1;        ## allow this ip
            allow 192.168.222.0/24; ## allow this subnet
            deny all;               ## deny everyone else
    

    Test

    # curl -x127.0.0.1:80 bbs.centos.com -I ## 127.0.0.1 is allowed
    HTTP/1.1 200 OK
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:03:38 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Powered-By: PHP/7.3.0
    Set-Cookie: d0iK_2132_saltkey=h6XT6j4q; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/; HttpOnly
    Set-Cookie: d0iK_2132_lastvisit=1570939418; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/
    Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
    Set-Cookie: d0iK_2132_lastact=1570943018%09index.php%09; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
    Set-Cookie: d0iK_2132_onlineusernum=3; expires=Sun, 13-Oct-2019 05:08:38 GMT; Max-Age=300; path=/
    Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
    # curl -x192.168.109.133:80 http://bbs.centos.com -I ## denied: only the 192.168.222.0 subnet was allowed
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:04:33 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    

      


    2. Requirement: requests for the /admin.php path may only be served to administrator IPs. Configuration as follows:

      location ~ /admin.php
      {
          allow 127.0.0.1;
          allow 192.168.109.0/24;
          deny  all;
      }
    

      

    Test

    # curl -x127.0.0.1:80 bbs.centos.com/admin.php -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:15:25 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    # curl -x192.168.109.133:80 bbs.centos.com/admin.php -I
    HTTP/1.1 200 OK
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:15:57 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Powered-By: PHP/7.3.0
    Set-Cookie: d0iK_2132_saltkey=FGZc2tc6; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/; HttpOnly
    Set-Cookie: d0iK_2132_lastvisit=1570940157; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/
    Set-Cookie: d0iK_2132_sid=MRRJ88; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/
    Set-Cookie: d0iK_2132_lastact=1570943757%09admin.php%09; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/
    

    These IPs can access it; every other IP is denied access to this path.
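As an added example (not code from the original post), the following Python script emulates how nginx's access module evaluates allow/deny lists, so the server-level list from section 1 and the /admin.php list from section 2 can be checked offline without a running nginx. The configuration text and IPs are those of the post; the emulator itself is an assumption about nginx behaviour that follows the module's documented rules: the first matching rule wins, no match means allowed, and a list inside a location replaces the server-level list rather than extending it.

```python
"""Emulate how nginx's ngx_http_access_module evaluates allow/deny lists.

Added example, not code from the original post. Two facts it encodes:
rules are checked top to bottom and the first one matching the client
address decides (no match means allowed), and an allow/deny list inside a
location block replaces the server-level list instead of extending it.
"""
import ipaddress


def parse_rules(config_text):
    """Turn 'allow X;' / 'deny X;' lines into (action, network) pairs.

    'all' becomes None. Text after '#' is a comment, as in nginx.conf.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"not an access directive: {action}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def access_allowed(rules, client_ip):
    """First matching rule wins; with no match nginx lets the request through."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == addr.version and addr in net):
            return action == "allow"
    return True


# Server-level list from section 1 and the /admin.php location list from section 2.
SERVER_RULES = parse_rules("""
    allow 127.0.0.1;        ## allow this ip
    allow 192.168.222.0/24; ## allow this subnet
    deny all;               ## deny everyone else
""")
ADMIN_RULES = parse_rules("""
    allow 127.0.0.1;
    allow 192.168.109.0/24;
    deny  all;
""")


def effective_rules(server_rules, location_rules):
    """A location's own allow/deny list, if any, fully replaces the inherited one."""
    return location_rules if location_rules else server_rules


def decide(client_ip, uri):
    """Return the status nginx would answer for a client hitting a given $uri."""
    location_rules = ADMIN_RULES if uri.startswith("/admin.php") else []
    rules = effective_rules(SERVER_RULES, location_rules)
    return 200 if access_allowed(rules, client_ip) else 403


if __name__ == "__main__":
    for ip, uri in [("127.0.0.1", "/"), ("192.168.109.133", "/"),
                    ("192.168.109.133", "/admin.php"), ("10.0.0.1", "/admin.php")]:
        print(f"{ip:16} {uri:12} -> {decide(ip, uri)}")
```

Order matters: a list that starts with deny all; denies everyone, because the allow lines after it are never reached. The emulator reproduces that, which is the check worth running before deploying a reordered list.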

    3. Restricting a class of files under a directory

    Files a website accepts (uploaded images, logs and so on) can be turned into webshell (Trojan) files, which is very dangerous: from there root privileges can be obtained step by step.

    For security, restrict PHP requests in directories that are writable.

    Configuration as follows:

      location ~ .*(upload|abc|image|attachment|cache)/.*\.php$
      {
          deny all;
      }
    

    This restricts the upload|abc|image|attachment|cache directories: PHP files under them can no longer be executed. Because regex locations are matched in the order they appear, this block must come before the location that passes .php requests to PHP-FPM, otherwise it is never reached.

    Test

    # curl -x127.0.0.1:80 bbs.centos.com/upload/sdasdasd/sdasdasd/1.php -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:27:11 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    # curl -x127.0.0.1:80 bbs.centos.com/image/sdasdasd/sdasdasd/1.php -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:27:52 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    # curl -x127.0.0.1:80 bbs.centos.com/abc/sdasdasd/sdasdasd/1.php -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:28:26 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    

    Test a directory that is not restricted

    # curl -x127.0.0.1:80 bbs.centos.com/accc/sdasdasd/sdasdasd/1.php -I
    HTTP/1.1 404 Not Found
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:31:11 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    X-Powered-By: PHP/7.3.0
    

    The 404 only means the page does not exist; the request itself is still passed through to PHP (note the X-Powered-By header).

    4. Restricting by User-Agent

    What is the user-agent?

    $http_user_agent carries the client's details, i.e. the browser's identification string; it can be set with curl -A

    You can search Baidu for nginx's built-in variables

    Configuration

       if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
       {
           return 403;
       }
    

    When the $http_user_agent field matches Spider/3.0|YoudaoBot|Tomato, nginx returns 403

    Test

    # curl -A 'aaa.Spider/3.0' -x127.0.0.1:80 bbs.centos.com -I
    HTTP/1.1 403 Forbidden
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:41:54 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    Change Spider to lowercase spider (the ~ operator is case-sensitive; ~* would match regardless of case)
    # curl -A 'aaa.spider/3.0' -x127.0.0.1:80 bbs.centos.com -I
    HTTP/1.1 200 OK
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 05:42:35 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Powered-By: PHP/7.3.0
    Set-Cookie: d0iK_2132_saltkey=Q92MZZ26; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/; HttpOnly
    Set-Cookie: d0iK_2132_lastvisit=1570941755; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/
    Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
    Set-Cookie: d0iK_2132_lastact=1570945355%09index.php%09; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
    Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
    

    Addendum: the curl command is used many times above

    curl command usage:

    # curl -v -A 'aaa.spider/3.0' -x127.0.0.1:80 bbs.centos.com -I
    

    -A  specify the User-Agent
    -e  specify the Referer
    -x  specify the ip and port of the target server to send the request through (curl's proxy option)
    -I  show only the response headers, not the page body
    -v  show the full communication in detail

    5. Restricting by URL

    What is the URL

    $request_uri  the requested link, including $document_uri and $args
    $document_uri the URI of the current request without the arguments; for www.123.com/1.php?a=1&b=2 the $document_uri is 1.php, without the trailing parameters
    $args         the parameters of the request; for www.123.com/1.php?a=1&b=2 the $args is a=1&b=2

    Configuration

     if ($request_uri ~ (viewthread|adc|123))
     {
         return 404;
     }
    
    When $request_uri matches viewthread|adc|123, nginx returns 404
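The three regex-based rules on this page (the PHP-in-writable-directories location of section 3, the User-Agent check of section 4 and the $request_uri check of section 5) are all plain PCRE matches, so they can be tested offline. The script below is an added example, not code from the original post; it uses Python's re module as a stand-in for nginx's PCRE (identical for these simple alternations), and the patterns, User-Agents and URIs are those from the post. It also shows two things the tests on the page do not: ~ versus ~* (case-sensitive versus case-insensitive), and how an unescaped dot or a short token such as 123 makes a rule broader than intended.

```python
"""Emulate the regex checks nginx performs for `if ($var ~ ...)` and
`location ~ ...`. Added example, not code from the original post.

nginx uses PCRE; Python's `re` behaves the same for these alternations.
`~` (and `location ~`) is case-sensitive, `~*` (and `location ~*`) is not.
"""
import re


def nginx_match(pattern, value, case_insensitive=False):
    """Unanchored search, exactly like nginx's ~ / ~* operators."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, value, flags) is not None


# Section 4: if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') { return 403; }
UA_BLOCKLIST = r"Spider/3.0|YoudaoBot|Tomato"


def ua_status(user_agent, case_insensitive=False):
    """Status for a given User-Agent; case_insensitive=True models ~* instead of ~."""
    return 403 if nginx_match(UA_BLOCKLIST, user_agent, case_insensitive) else 200


# Section 5: if ($request_uri ~ (viewthread|adc|123)) { return 404; }
# $request_uri includes the query string, so ?mod=viewthread is visible to the match.
URI_BLOCKLIST = r"(viewthread|adc|123)"


def uri_status(request_uri):
    return 404 if nginx_match(URI_BLOCKLIST, request_uri) else 200


# Section 3: location ~ .*(upload|abc|image|attachment|cache)/.*.php$ { deny all; }
# `location` matches $uri, which never contains the query string.
UPLOAD_PHP_AS_WRITTEN = r".*(upload|abc|image|attachment|cache)/.*.php$"   # unescaped dot
UPLOAD_PHP_ESCAPED = r".*(upload|abc|image|attachment|cache)/.*\.php$"     # literal ".php"


def upload_php_status(uri, pattern=UPLOAD_PHP_ESCAPED):
    """403 when the location matches; None means it falls through to other locations."""
    return 403 if nginx_match(pattern, uri) else None


if __name__ == "__main__":
    print("UA aaa.Spider/3.0      ->", ua_status("aaa.Spider/3.0"))
    print("UA aaa.spider/3.0 (~)  ->", ua_status("aaa.spider/3.0"))
    print("UA aaa.spider/3.0 (~*) ->", ua_status("aaa.spider/3.0", case_insensitive=True))
    print("URI /forum.php?mod=viewthread ->", uri_status("/forum.php?mod=viewthread"))
    print("URI /news/2019/1234.html      ->", uri_status("/news/2019/1234.html"))
    print("/upload/x/1.php ->", upload_php_status("/upload/x/1.php"))
    print("/accc/x/1.php   ->", upload_php_status("/accc/x/1.php"))
```

The last two results are the ones to review before copying the rules: the token 123 in the section 5 pattern blocks any URI that merely contains "123", and the unescaped dot in the section 3 pattern as written also matches names such as 1xphp, which is harmless here (it fails closed) but shows why literal dots should be escaped.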

    Test
    # curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=viewthread -I
    HTTP/1.1 404 Not Found
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 06:00:23 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    

      

    # curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=adc -I
    HTTP/1.1 404 Not Found
    Server: nginx/1.17.0
    Date: Sun, 13 Oct 2019 06:00:44 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    




      

Original source: https://www.cnblogs.com/yantou/p/11666294.html