日志
屏蔽user-agent并屏蔽日志
|
if ($http_user_agent ~* (^badbot/useragent$)) { rewrite (.*) /badbot break; } location = /badbot { access_log off; return 403; } |
不屏蔽user-agent(允许其访问),但屏蔽日志
|
server { set $is_spider 1; if ($http_user_agent ~* "bot|spider|Bot|Disqus|WebIndex|YunGuanCe") { set $is_spider 0; } access_log /var/log/nginx/access.log combined if=$is_spider; } |
按uri屏蔽日志(可以和上面的按user-agent用同一个变量来同时过滤uri和user-agent)
|
map $request $loggable { ~/favicon.ico 0; ~/images/* 0; ~/js/* 0; ~/css/* 0; default 1; } server { access_log /var/log/nginx/access.log combined if=$loggable; } |
Header
按mime type设置缓存时间
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
|
map $sent_http_content_type $cacheable_types { "text/css" "max-age=14400"; "text/plain" "max-age=86400"; "image/jpeg" "max-age=86400"; "image/png" "max-age=86400"; "image/gif" "max-age=86400"; "image/x-icon" "max-age=86400"; "application/x-7z-compressed" "max-age=864000"; "application/x-javascript" "max-age=86400"; "application/json" "max-age=86400"; "application/x-bittorrent" "max-age=864000"; default ""; } server { location / { root "/var/www/html/"; add_header "Cache-Control" $cacheable_types; } } |
防攻击
简单的无状态cookie challenge(需要lua-nginx-module)
crawlers块中可以手动填写要屏蔽的IP
将其中的s改成随机字符串+时间戳可以变成有状态版本(需使用redis/memcached/shared memory存储生成的随机字符串)
将set-cookie改成通过js生成cookie可以变成javascript challenge,注意要在js里加上浏览器上下文判断,如var cookie=location.protocol?cookie:””; 或者DOM操作
这里有个更高级的输验证码的示例
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
|
geo $crawlers{ 1.2.3.0/24 1; 4.5.6.7 1; default 0; } server { location ~ \.php { set $_c 0; if ($http_user_agent ~* "bad.guy/123") { set $_c 1; } if ($crawlers){ set $_c 1; } if ($_c){ access_log off; access_by_lua_block { local expires = 90 local s = ngx.time() local cob = tonumber(ngx.var.cookie_cob) if cob == nil then cob=0 end local coa = ngx.md5("saltsalt" .. ngx.var.remote_addr .. "saltsalt" .. cob) if s - cob > expires or ngx.var.cookie_coa ~= coa then coa = ngx.md5("saltsalt" .. ngx.var.remote_addr .. "saltsalt" .. s) ngx.header["Set-Cookie"] = {"coa=" .. coa .."; path=/; domain=.example.com; HttpOnly", "cob=" .. s.."; path=/; domain=.example.com; HttpOnly"} ngx.header["Content-Type"] = "text/html" ngx.say("<meta http-equiv ='refresh' content='0'>"); ngx.exit(200) end } } # fastcgi_pass } } |
其他
植入cookie
需要注意的是使用ngx.time()产生秒级的时间,用来做随机数种子可能会冲突,因此建议加上另外的随机变量(如下面的例子用的是客户端的ip) 可以使用ngx.now()产生毫秒精度时间
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
|
local modname = "util" local _M = { _VERSION = '0.01' } local mt = { __index = _M } function _M.random_str(l, seed, r) local s = r or 'abcdefghijklmnhopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789=+-' local ret ='' -- os.time() is precise to second math.randomseed(os.time() * 1000 + ngx.crc32_short(seed or "")) for i=1 ,l do local pos = math.random(1, string.len(s)) ret = ret .. string.sub(s, pos, pos) end return ret end function _M.plant_cookie(k, h) local ck = require "resty.cookie" local cookie, err = ck:new() if not cookie then ngx.log(ngx.ERR, "ERROR PLANTING COOKIE", err) return end local _, err = cookie:get(k) if _ then return end local ok, err = cookie:set({ key = k, value = _M.random_str(32, ngx.var.remote_addr, '0123456789abcdef'), path = "/", domain = h or ngx.var.http_host, httponly = true, expires= 'Thu, 31-Dec-37 23:55:55 GMT', max_age = 2147483647 }) end return _M |
|
location / { access_by_lua ' local _ = require("util") _.plant_cookie("cookie_name",".example.come") '; } |