$request_uri
This variable is equal to the original request URI as received from the client including the args. It cannot be modified. Look at $uri for the post-rewrite/altered URI. Does not include host name. Example: "/foo/bar.php?arg=baz"
這個變量等於從客戶端發送來的原生請求URI,包括參數。它不可以進行修改。$uri變量反映的是重寫後/改變的URI。不包括主機名張小三資源網。例如:"/foo/bar.php?arg=baz"
$uri
This variable is the current request URI, without any arguments (see $args for those). This variable will reflect any modifications done so far by internal redirects or the index module. Note this may be different from $request_uri, as $request_uri is what was originally sent by the browser before any such modifications. Does not include the protocol or host name. Example: /foo/bar.html
這個變量指當前的請求URI,不包括任何參數(見$args)。這個變量反映任何內部重定向或index模塊所做的修改。注意,這和$request_uri不同,因$request_uri是瀏覽器發起的不做任何修改的原生URI。不包括協議及主機名。例如張小三資源:"/foo/bar.html"
$document_uri
The same as $uri.
同$uri.
下面是收集的一些簡單規則:
if ($query_string ~* ".*('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|or|count|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|confirm|innerhtml|innertext|class).*")
{ return 500; }
if ($uri ~* .*(viewsource.jsp)$) { return 404; }
if ($uri ~* .*(/~).*) { return 404; }修補空字節資源網解析漏洞:
if ($query_string ~* ".*[;'<>].*") { return 444; }
if ($request_uri ~ " ") { return 444; }禁止未允許的IP訪問目錄執行PHP。未開啓pathinfo的情況下資源在location ~ [^/].php(/|$)前加如下
location ~ /(xxx)/.*\.(php|php5)?$
{ allow 允許的IP; deny all; }開啓pathinfo的情況下:在location ~ [^/].php(/|$)前加如下location ^~ /xxx/ { #default_type text/plain; #expires 30d; allow 允許的IP; deny all; }
內部:if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|exec|\*|%|\')(.*)$ ) { return 403; }
外部:
if ($request_uri ~* "(cost\()|(concat\()") { return 403; }
if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]or[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]delete[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]update[+|(%20)]") { return 403; }
if ($request_uri ~* "[+|(%20)]insert[+|(%20)]") { return 403; }溢出過濾:
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; }
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
if ($query_string ~ "proc/self/environ") { return 403; }
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; }
if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; }文件注入禁止:
if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; }
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; }
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; }一些頭部的參考:
if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; }
if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; }
if ($http_user_agent ~ "GetWeb!") { return 444; }
if ($http_user_agent ~ "Go!Zilla") { return 444; }
if ($http_user_agent ~ "Download Demon") { return 444; }
if ($http_user_agent ~ "Indy Library") { return 444; }
if ($http_user_agent ~ "libwww-perl") { return 444; }
if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; }
if ($http_user_agent ~ "Load Impact") { return 444; }
if ($http_user_agent ~ "~17ce.com") { return 444; }
if ($http_user_agent ~ "WebBench*") { return 444; }
if ($http_referer ~* 17ce.com) { return 444; }
if ($http_user_agent ~* qiyunce) { return 444; }
if ($http_user_agent ~* YunGuanCe) { return 403; }
if ($http_referer ~* WebBench*") { return 444; }
if ($http_user_agent ~ "BLEXBot") { return 403; }
if ($http_user_agent ~ "MJ12bot") { return 403; }
if ($http_user_agent ~ "semalt.com") { return 403; }屏蔽web ip:
iptables -I INPUT -s 100.220.213.3 -j DROP
if ($remote_addr ~* "100.220.213.3|ip2|ip3....") { return 404; }加或者不加引號的效果都是一樣的,但是如果名稱中有空格則必須加雙引號
~*不區分大小寫 ~區分大小寫