码迷,mamicode.com
首页 > 其他好文 > 详细

nginx访问控制

时间:2019-10-13 15:25:43      阅读:109      评论:0      收藏:0      [点我收藏+]

标签:目标   cookie   pow   open   补充   详细   sda   执行   请求限制   

1.限制ip访问:

白名单

allow 127.0.0.1;##允许127.0.0.1访问

deny all;##其他ip全部拒绝

黑名单

deny 127.0.0.1;##拒绝这个ip访问

deny 1.1.1.1;##拒绝访问

配置

        allow 127.0.0.1;  ##允许这个ip访问
        allow 192.168.222.0/24; ##允许这个网段访问
        deny all; ##剩下全部拒绝

测试

# curl -x127.0.0.1:80 bbs.centos.com -I ##127.0.0.1可以访问
HTTP/1.1 200 OK
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:03:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Set-Cookie: d0iK_2132_saltkey=h6XT6j4q; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: d0iK_2132_lastvisit=1570939418; expires=Tue, 12-Nov-2019 05:03:38 GMT; Max-Age=2592000; path=/
Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
Set-Cookie: d0iK_2132_lastact=1570943018%09index.php%09; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
Set-Cookie: d0iK_2132_onlineusernum=3; expires=Sun, 13-Oct-2019 05:08:38 GMT; Max-Age=300; path=/
Set-Cookie: d0iK_2132_sid=F03I81; expires=Mon, 14-Oct-2019 05:03:38 GMT; Max-Age=86400; path=/
# curl -x192.168.109.133:80 http://bbs.centos.com -I ##拒绝访问我们设置了192.168.222.0的网段才能允许
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:04:33 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-aliv

  

# curl -x192.168.109.133:80 http://bbs.centos.com -I ##拒绝访问我们设置了192.168.222.0的网段才能允许
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:04:33 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-aliv

2.需求:访问/admin.php/目录的请求,只允许管理员ip才能访问,配置如下:

  location ~ /admin.php
    {
        allow 127.0.0.1;
        allow 192.168.109.0/24;
        deny  all;
       
}

  

测试.

# curl -x127.0.0.1:80 bbs.centos.com/admin.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:15:25 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
# curl -x192.168.109.133:80 bbs.centos.com/admin.php -I
HTTP/1.1 200 OK
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:15:57 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Set-Cookie: d0iK_2132_saltkey=FGZc2tc6; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: d0iK_2132_lastvisit=1570940157; expires=Tue, 12-Nov-2019 05:15:57 GMT; Max-Age=2592000; path=/
Set-Cookie: d0iK_2132_sid=MRRJ88; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/
Set-Cookie: d0iK_2132_lastact=1570943757%09admin.php%09; expires=Mon, 14-Oct-2019 05:15:57 GMT; Max-Age=86400; path=/

这些ip都能访问,其他ip都不能访问这个目录。

3.限制某个目录下的某类文件

网站上传图片,日志等可以生成木马文件,非常危险。可以一步步拿到root权限。

安全考虑对一些可写的目录,对这些php请求限制

配置如下:

  location ~ .*(upload|abc|image|attachment|cache)/.*\.php$
    {
       deny all;
    }

限制了upload|abc|image|attachment|cache这些目录,你在这些目录下都执行不了php文件

测试

# curl -x127.0.0.1:80 bbs.centos.com/upload/sdasdasd/sdasdasd/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:27:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
# curl -x127.0.0.1:80 bbs.centos.com/image/sdasdasd/sdasdasd/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:27:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
# curl -x127.0.0.1:80 bbs.centos.com/abc/sdasdasd/sdasdasd/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:28:26 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

 

测试一个没在限制的目录

# curl -x127.0.0.1:80 bbs.centos.com/accc/sdasdasd/sdasdasd/1.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:31:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0

显示404只是页面不存在,还是可以访问的。

4.限制user-agent

什么是user-agent?

$http_user_agent 客户端的详细信息,也就是浏览器的标识,用curl -A可以指定

可以百度nginx的内置参数

配置

   if ($http_user_agent ~ ‘Spider/3.0|YoudaoBot|Tomato‘)
   {  
      return 403;
   }

当这个$http_user_agent字段,匹配到Spider/3.0|YoudaoBot|Tomato这些就会返回403

测试

# curl -A ‘aaa.Spider/3.0‘ -x127.0.0.1:80 bbs.centos.com -I
HTTP/1.1 403 Forbidden
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:41:54 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Spider换成小写spider
# curl -A ‘aaa.spider/3.0‘ -x127.0.0.1:80 bbs.centos.com -I
HTTP/1.1 200 OK
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 05:42:35 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
Set-Cookie: d0iK_2132_saltkey=Q92MZZ26; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: d0iK_2132_lastvisit=1570941755; expires=Tue, 12-Nov-2019 05:42:35 GMT; Max-Age=2592000; path=/
Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
Set-Cookie: d0iK_2132_lastact=1570945355%09index.php%09; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/
Set-Cookie: d0iK_2132_sid=aHo524; expires=Mon, 14-Oct-2019 05:42:35 GMT; Max-Age=86400; path=/

补充:多次用到cuel命令

curl命令用法:

# curl -v -A ‘aaa.spider/3.0‘ -x127.0.0.1:80 bbs.centos.com -I

-A指定user-agent  -e指定referer  -x指定访问目标服务器来源ip和port  -I只显示header信息,不显示具体的网页内容 -v显示详细的通信过程

 

5.限制url

什么是url

$request_uri 请求的链接,包括$document_uri和$args
$document_uri 当前请求中不包含指令的URI,如www.123.com/1.php?a=1&b=2的$document_uri就是1.php,不包含后面的参数
$args 请求中的参数,如www.123.com/1.php?a=1&b=2的$args就是a=1&b=2

配置

 if ($request_uri ~ (viewthread|adc|123))
       {
           return 404;
$request_uri匹配到viewthread|adc|123都会返回404

测试
# curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=viewthread -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 06:00:23 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

  

# curl -x127.0.0.1:80 bbs.centos.com/forum.php?mod=adc -I
HTTP/1.1 404 Not Found
Server: nginx/1.17.0
Date: Sun, 13 Oct 2019 06:00:44 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

 





技术图片

 

 

 

 

 

  

nginx访问控制

标签:目标   cookie   pow   open   补充   详细   sda   执行   请求限制   

原文地址:https://www.cnblogs.com/yantou/p/11666294.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!