nginx防文件注入与SQL注入安全设置

作者：袖梨 2022-06-30

nginx配置文件本来就是一个脚本程序，能帮你过滤一切你想过滤的提交内容，本人总结了一些nginx的防注入扫描规则，希望对你有用：

配置文件可以在一定程度上防止sql与文件形式的注入，放在配置文件的server块里面。

防止SQL注入扫描

代码如下

复制代码

if ($request_uri ~* "([+|(%20)]and[+|(%20)])|([+|(%20)]or[+|(%20)])|([+|(%20)]select[+|(%20)])|([+|(%20)]exec[+|(%20)])|([+|(%20)]union[+|(%20)])") {
return 404;
}
if ($request_uri ~* "(cost()|(concat()") {
return 404;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
return 404;
}
if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {
return 404;
}
if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {
return 404;
}
if ($query_string ~ "proc/self/environ") {
return 404;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
return 404;
}
if ($query_string ~ "base64_(en|de)code(.*)") {
return 404;
}
if ($http_user_agent ~ "Python-urllib") {
return 404;
}

程序里return 404你也可以修改成自己的响应模式或响应页面，吓唬一下试探者吧~

nginx防文件注入

代码如下

复制代码

server {
[...]

## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}

## Block file injections
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(..//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}

## Block common exploits
set $block_common_exploits 0;
if ($query_string ~ "(|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code(.*)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}

## Block spam
set $block_spam 0;
if ($query_string ~ "b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)b") {
set $block_spam 1;
}
if ($query_string ~ "b(erections|hoodia|huronriveracres|impotence|levitra|libido)b") {
set $block_spam 1;
}
if ($query_string ~ "b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)b") {
set $block_spam 1;
}
if ($query_string ~ "b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)b") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 403;
}

## Block user agents
set $block_user_agents 0;

# Don't disable wget if you need it to run cron jobs!
#if ($http_user_agent ~ "Wget") {
# set $block_user_agents 1;
#}

# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}

if ($block_user_agents = 1) {
return 403;
}
}

注意：如果你的应用是高级别的管理后台，譬如phpmyadmin，本规则将会是这些程序的部分功能不可用，因为这些程序参数里包含sql语句哦。