How to use a Linux server to strengthen the filtering and validation of web interfaces?
As the main entry point of internet applications, the security of web interfaces has always received close attention. To protect a web interface, we usually adopt a range of measures to filter and check the request and response data that passes through it. In this article we explain how to use a Linux server to strengthen the filtering and validation of web interfaces, with configuration examples.
1. Using Nginx for access control
Nginx is a high-performance HTTP reverse proxy server that can act as the front-end server and enforce access control. By configuring Nginx, we can restrict access from specific IP addresses or address ranges so that only legitimate requests get through.
Example configuration file:
server {
    listen 80;
    server_name example.com;
    location /api {
        # allow/deny rules are evaluated top to bottom; the first match wins
        deny 192.168.0.0/24;
        allow all;
    }
    location / {
        root /var/www/html;
        index index.html;
    }
}
In the configuration above, requests under the /api path are restricted: only clients outside the 192.168.0.0/24 address range are allowed. Because Nginx evaluates allow/deny rules in order and stops at the first match, the deny rule must come before "allow all"; in the opposite order the deny would never be reached. All other requests (those not under /api) are served from the /var/www/html directory, with index.html as the index file.
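To make the first-match semantics concrete, the following added example (not part of the original article) evaluates an ordered allow/deny list against sample client addresses the way ngx_http_access_module does, and contrasts the article's rule order with the misordered variant. The rule lists, the sample addresses and the function names are constructed for this illustration.

```python
import ipaddress

# Constructed rule lists. API_RULES mirrors the article's "location /api" block:
#     deny 192.168.0.0/24;
#     allow all;
API_RULES = [("deny", "192.168.0.0/24"), ("allow", "all")]

# Same two rules in the wrong order: "allow all" matches first, so the deny
# is never reached and 192.168.0.x clients are let through.
MISORDERED_RULES = [("allow", "all"), ("deny", "192.168.0.0/24")]


def _rule_matches(pattern, client):
    """Does one allow/deny pattern ('all', a single address, or CIDR) cover client?"""
    if pattern == "all":
        return True
    net = ipaddress.ip_network(pattern, strict=False)
    # nginx never matches an IPv6 client against an IPv4 rule or vice versa
    return client.version == net.version and client in net


def evaluate_access(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip using nginx first-match semantics.

    Rules are checked top to bottom; the first matching rule decides. If no
    rule matches at all, ngx_http_access_module allows the request.
    """
    client = ipaddress.ip_address(client_ip)
    for action, pattern in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown directive {action!r}")
        if _rule_matches(pattern, client):
            return action
    return "allow"


def audit(rules, client_ips):
    """Map each sample client address to the verdict the rule list produces."""
    return {ip: evaluate_access(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample clients
    samples = ["192.168.0.42", "192.168.1.7", "10.0.0.5", "2001:db8::1"]
    for ip, verdict in audit(API_RULES, samples).items():
        print(f"{ip:>16}  {verdict}")
```

One caveat worth checking in a real deployment: the address these rules see is the TCP peer address, so when Nginx sits behind a load balancer it is the balancer's address unless the realip module is configured to trust its X-Forwarded-For header.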
2. Using Nginx for request filtering
Besides access control, Nginx can also filter requests. Using Nginx's rewrite module together with reverse proxying, we can drop malicious requests or requests carrying invalid parameters before they reach the backend.
Example configuration file:
upstream backend {
    server 127.0.0.1:8080;   # assumed backend address; adjust to your deployment
}
server {
    listen 80;
    server_name example.com;
    location /api {
        # Reject any query string that is not a sequence of key=value pairs made of
        # safe characters (keys: [A-Za-z0-9_], values: [A-Za-z0-9_.-]); an empty
        # query string is allowed. The pattern is anchored so it cannot match a
        # partial string.
        if ($args !~ "^(?:[A-Za-z0-9_]+=[A-Za-z0-9_.-]*(?:&[A-Za-z0-9_]+=[A-Za-z0-9_.-]*)*)?$") {
            return 403;
        }
        proxy_pass http://backend;
    }
    location / {
        root /var/www/html;
        index index.html;
    }
}
In the configuration above, if the query parameters contain disallowed characters or the parameter names are not well-formed, a 403 error is returned. Legitimate requests are forwarded to the backend server. Note that $args holds the raw query string, so the whitelist must include any percent-encoded characters the API legitimately accepts, and this check covers only the query string, not the request body.
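Before deploying a whitelist like this it pays to run it over sample query strings offline. The following added example (not from the original article) applies the same anchored expression with Python's re module, reports which constructed query strings would be allowed or rejected, and contrasts it with an unanchored pattern to show why anchoring matters. The pattern, the sample inputs and the function names are assumptions made for this illustration.

```python
import re

# Whitelist: the query string is empty, or key=value pairs joined by '&',
# where keys use [A-Za-z0-9_] and values use [A-Za-z0-9_.-]. This is an
# assumed, deliberately strict pattern; widen it to what your API accepts.
SAFE_QUERY = re.compile(
    r"^(?:[A-Za-z0-9_]+=[A-Za-z0-9_.-]*(?:&[A-Za-z0-9_]+=[A-Za-z0-9_.-]*)*)?$"
)

# Contrast: an unanchored pattern in which "\s" was written as a bare "s".
# Nothing pins it to the start of the string, so it matches any query whose
# last run of characters avoids '=', 's' and '&', blocking well-formed input.
UNANCHORED_QUERY = re.compile(r"(?:[^=s&]+)(?:&[^=s&]+)*$")


def query_allowed(args: str) -> bool:
    """True if nginx would let the request through (no 403) under SAFE_QUERY.

    nginx's "~" / "!~" operators perform an unanchored PCRE search, so
    re.search is used here rather than re.fullmatch to keep the semantics.
    """
    return SAFE_QUERY.search(args) is not None


def unanchored_blocks(args: str) -> bool:
    """True if the unanchored contrast pattern would return 403 for args."""
    return UNANCHORED_QUERY.search(args) is not None


def triage(queries):
    """Return (allowed, rejected) lists for a batch of raw query strings."""
    allowed = [q for q in queries if query_allowed(q)]
    rejected = [q for q in queries if not query_allowed(q)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample query strings, as nginx exposes them in $args
    samples = [
        "",                      # no query string
        "id=42&sort=name",       # well-formed
        "page=2&limit=50",       # well-formed
        "id",                    # bare key, no '='
        "id=42&&sort=name",      # empty pair
        "q=hello%20world",       # percent-encoding is not in the whitelist
        "user[]=1",              # bracketed key
        "name=O'Brien",          # quote character
    ]
    allowed, rejected = triage(samples)
    print("allowed :", allowed)
    print("rejected:", rejected)
    print("unanchored pattern blocks a well-formed query:",
          unanchored_blocks("id=42&sort=name"))
```

The "q=hello%20world" case is the one to watch: a strict whitelist rejects percent-encoded values, so either extend the value class to include "%" and hex digits or accept that such requests will receive a 403.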
3. Using ModSecurity as an application-layer firewall
Another way to strengthen the filtering and validation of web interfaces is ModSecurity, an open-source web application firewall. By configuring ModSecurity, we can inspect and filter request and response data in depth.
Example configuration file:
SecRuleEngine On
# Request body size limits (bytes)
SecRequestBodyLimit 13107200
SecRequestBodyInMemoryLimit 13107200
SecRequestBodyNoFilesLimit 13107200
SecRequestBodyAccess On
# Select the request body processor from the Content-Type header
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
    "id:1,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:2,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule REQUEST_HEADERS:Content-Type "^application/x-www-form-urlencoded" \
    "id:3,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=URLENCODED"
# Response bodies are not inspected
SecResponseBodyAccess Off
SecDefaultAction "phase:2,log,auditlog,pass"
<LocationMatch "^/api/">
    SecRuleRemoveById 920140
</LocationMatch>
In the configuration above, we enable the ModSecurity engine and set limits on the request body size (the response body is not inspected at all, since SecResponseBodyAccess is Off). Then, based on the request's Content-Type, we choose how the request body is parsed (XML, JSON or URL-encoded form data). Finally, we remove one specific Core Rule Set rule (920140) for paths under /api/ so that requests there are not blocked by it. Note that the default action here is pass, so a matching rule only logs unless that rule specifies its own blocking action.
In summary, by configuring Nginx and ModSecurity on a Linux server, we can strengthen the filtering and validation of web interfaces. These methods can effectively protect web applications from malicious requests and attacks. We hope this article helps you improve the security of your web interfaces.