gpt4 book ai didi

caching - 可以 Varnish 缓存被黑客入侵吗?

转载 作者:行者123 更新时间:2023-12-03 17:46:24 26 4
gpt4 key购买 nike

今天,我的两个域(共 9 个域)的索引页面被重定向到亚马逊页面。所有其他页面工作正常。网站是自定义编码的。

第一个想法是网站被黑了,但我没有发现在过去 24 小时内修改过一个文件。我经历了其他可能的选择,但一无所获。

最后一个未知数是几周前安装的 Varnish 。
结果在重新启动 Varnish/清除缓存重定向停止...

所以问题是可以从外部修改 varnish 缓存吗?

我不是 Varnish 专家,因为它在我的服务器上停留的时间很短,而且我知道我的配置文件可能一团糟,但我们感谢任何建议。

谢谢,
德里克

更新:
谢谢你的答案。

刷新缓存并移除重定向后,第二天其他域也会以同样的方式受到影响。
清除单个 url '/' 会删除重定向,直到下次。
我设置了一个脚本检查页面状态以获取它发生的确切时间。有时间,但在日志中找不到太多内容。系统日志中没有 Varnish 命令。

现在它发生在两个物理 vps 服务器上,源代码完全相同。

下面是来自 varnishncsa 的几行,其中 HEAD 请求是我的脚本,第一个 header 返回状态 200,最后一个被重定向 - 302 到亚马逊。

1.2.3.4 - - [11/Jun/2016:22:40:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 200 0 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.
7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
107.170.81.129 - - [11/Jun/2016:22:40:29 -0400] "GET http://www.domain.ca/search/?catid=1&sub_catid=22&sub_sub_catid=34 HTTP/1.1" 200 5908 "http:
//www.domain.com/categories/sitemap/" "Mozilla/5.0 (compatible; spbot/5.0.2; +http://OpenLinkProfiler.org/bot )"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://www.domain.com/ HTTP/1.1" 302 205 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex
.com/bots)"
100.43.91.12 - - [11/Jun/2016:22:40:39 -0400] "GET http://www.domain.com/robots.txt HTTP/1.1" 302 205 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +
http://yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://domain.com/robots.txt HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http:
//yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://domain.com/robots.txt HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://ya
ndex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:41 -0400] "GET http://www.domain.com/ HTTP/1.1" 200 4046 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://y
andex.com/bots)"
100.43.91.12 - - [11/Jun/2016:22:40:41 -0400] "GET http://domain.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.co
m/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:41 -0400] "GET http://domain.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/b
ots)"
68.180.228.126 - - [11/Jun/2016:22:40:48 -0400] "GET http://www.domain.ca/profile/Faro HTTP/1.1" 200 7060 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/help/us/ysearch/slurp)"
104.193.88.243 - - [11/Jun/2016:22:40:55 -0400] "GET http://www.domain.uk/search/?catid=377&sub_catid=448&sub_sub_catid=461 HTTP/1.1" 200 33613 "-
" "Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
117.78.13.18 - - [11/Jun/2016:22:41:13 -0400] "GET http://www.domain.com/robots.txt HTTP/1.0" 200 405 "-" "nutch-1.4/Nutch-1.4"
1.2.3.4 - - [11/Jun/2016:22:41:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 302 0 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.
7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

以下是发生重定向时的 header :
Request URL: http://www.example.com/
Request method: GET
Remote address: 1.2.3.4:80
Status code: 302 Found
Version: HTTP/1.1


Request headers:
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response headers:

Age: 37681
Cache-Control: public
Connection: keep-alive
Content-Length: 205
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 12 Jun 2016 02:40:41 GMT
Location: http://www.amazon.com
Server: Apache
Via: 1.1 varnish-v4
X-Varnish: 1249239 1443890



Request URL: http://www.amazon.com/
Request method: GET
Remote address: 54.239.25.200:80
Status code: 301 MovedPermanently
Version: HTTP/1.1


Request headers:

Host: www.amazon.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response headers:
Content-Encoding: gzip
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 12 Jun 2016 13:08:43 GMT
Location: https://www.amazon.com/179-0743706-1316952
P3P: policyref="https://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA

所有域都已上线大约 2 年,没有任何问题,并且在 2 周前安装了 varnish。

现在我被迫通过“索引”,如果找不到解决方案,将尝试降级 Varnish 以查看是否有帮助。

此外,我不知道从哪里开始,从哪里开始寻找什么???

下面是我的 default.vcl 文件
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
.host = "2.3.4.5";
.port = "8080";
.first_byte_timeout = 300s;
.connect_timeout = 5s;
.between_bytes_timeout = 60s;
}

acl allowed_ip {
# Access Control List used to to warm up cahe
"1.2.3.0/22";
"2.3.4.5";
}


sub vcl_recv {

# Do not cache
if ( req.url ~ "^/sitemap-(index|ads|profiles|static)\.xml")
{ return( pass ); }


# Do not allow external access
if (req.url ~ "^/(crone_job|sitemap_generator)\.php" && !client.ip ~ allowed_ip)
{
set req.url = "/";

}


# Detect device and redirect to proper site
if ( (req.http.host ~ "www\.domain\.(ca|com|uk)" ||
req.http.host ~ "^domain\.(ca|com|uk)" ) &&
!(req.url ~ "\.(jpg|jpeg|png|gif|bmp|mp4|ogv|webm|m4a|ogg|doc|docx|xls|xlsx|pps|ppt|pptx|txt|rtf|csv|xml|pdf|zip|odf|ods)$" )) {

call device_detection;
}

# Redirect non-www domain to www
if (req.http.host ~ "^domain\.(ca|com|uk)$") {
return (synth (750, ""));
}

# Only deal with "normal" types
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
req.method != "POST" &&
req.method != "TRACE" &&
req.method != "OPTIONS" &&
req.method != "PATCH" &&
req.method != "DELETE") {
# /* Non-RFC2616 or CONNECT which is weird. */
return (pipe);
}

# Only cache GET or HEAD requests. This makes sure the POST requests are always passed.
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}

# First remove the Google Analytics added parameters, useless for our backend
if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") {
set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "");
set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?");
set req.url = regsub(req.url, "\?&", "?");
set req.url = regsub(req.url, "\?$", "");
}


# Remove the "has_js" cookie
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", "");


if (req.http.Cookie ~ "user_name=" || req.http.Cookie == "registeredDevice") {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|user_name|registeredDevice)=", "; \1=");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

if (req.http.Cookie == "") {
unset req.http.Cookie;
}
}



# Post requests will not be cachedre there cookies left with only spaces o
# r that are empty?
if (req.http.cookie ~ "^\s*$") {
unset req.http.cookie;
}


# Remove all cookies for static files
if (req.url ~ "^[^?]*\.(css|jpeg|jpg|js|txt|ico)(\?.*)?$"){
unset req.http.Cookie;
return (hash);
}

if (req.url ~ "^/image.php." ||
req.url ~ "publication.php" ||
req.url ~ "google_map.php" ) {
unset req.http.Cookie;
}

# Send Surrogate-Capability headers to announce ESI support to backend
set req.http.Surrogate-Capability = "key=ESI/1.0";



# if (req.http.Authorization || req.method == "POST") {
if ( req.method == "POST") {
return (pass);
}

# Normalizing namespace
if (req.http.host ~ "(?i)^(www.)?domain.ca") {
set req.http.host = "www.domain.ca"; }

if (req.http.host ~ "(?i)^(www.)?domain.com") {
set req.http.host = "www.domain.com"; }

if (req.http.host ~ "(?i)^(www.)?domain.uk") {
set req.http.host = "www.domain.uk"; }



# the script varnish-cache-warmup.sh must always refresh the cache
if (client.ip ~ allowed_ip && req.http.Cache-Control ~ "no-cache") {
set req.hash_always_miss = true;
}
}

sub vcl_backend_response {

if(
bereq.url == "/" ||
bereq.url == "/about-us/" ||
bereq.url == "/contact/" ||
bereq.url == "/blog/" ||
bereq.url == "/categories/sitemap/" ||
bereq.url == "/help/"
){

# cache, ignoring any cache headers
set beresp.ttl = 24h;


unset beresp.http.Pragma;
unset beresp.http.Set-Cookie;
set beresp.http.Cache-Control = "public"; # max-age=0; s-maxage=1800";
unset beresp.http.Expires;
set bereq.http.Cookie = regsuball(bereq.http.Cookie, "PHPSESSID=[^;]+(; )?", "");
unset bereq.http.Cookie;

}


if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
unset beresp.http.Surrogate-Control;
set beresp.do_esi = true;
}


# Enable cache for all static files
if (bereq.url ~ "^[^?]*\.(css|jpeg|jpg|js|txt|ico)(\?.*)?$") {
unset beresp.http.set-cookie;
}

if (bereq.url ~ "^/image.php.") {
unset beresp.http.set-cookie;
}


# Varnish 4 fully supports Streaming, so use streaming here to avoid locking.
if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
set beresp.do_stream = true; # Check memory usage it'll grow in fetch_chunksize blocks (128k by default) if the backend doesn't send a Content-Length header, so only enable it for big objects
set beresp.do_gzip = false; # Don't try to compress it for storage
}


# Set 2min cache if unset for static files
if (beresp.ttl <= 0s || beresp.http.Set-Cookie || beresp.http.Vary == "*") {
set beresp.ttl = 120s; # Important, you shouldn't rely on this, SET YOUR HEADERS in the backend
set beresp.uncacheable = true;
return (deliver);
}

# Don't cache 50x responses
if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504 || beresp.status == 403) {
return (abandon);
}
# Allow stale content, in case the backend goes down.
# make Varnish keep all objects for 6 hours beyond their TTL
set beresp.grace = 6h;


return (deliver);
}

sub vcl_deliver {


}

sub vcl_synth {

# Redirect non-www domain to www
if (resp.status == 750) {
set resp.status = 301;
set resp.http.Location = "http://www." + req.http.host + req.url;
return(deliver);
}

# Redirect to mobile site
if (resp.status == 751) {
set resp.status =301;
set req.http.host = regsub(req.http.host, "^www\.","");
set resp.http.Location = "http://m." + req.http.host + req.url;
return(deliver);
}

}

sub device_detection {

set req.http.X-Device = "pc";
if (req.http.User-Agent ~ "iP(hone|od)" ||
req.http.User-Agent ~ "Android" ||
req.http.User-Agent ~ "Symbian" ||
req.http.User-Agent ~ "^BlackBerry" ||
req.http.User-Agent ~ "^SonyEricsson" ||
req.http.User-Agent ~ "^Nokia" ||
req.http.User-Agent ~ "^SAMSUNG" ||
req.http.User-Agent ~ "^LG" ||
req.http.User-Agent ~ "webOS")
{ set req.http.X-Device = "mobile"; }

if (req.http.User-Agent ~ "^PalmSource")
{ set req.http.X-Device = "mobile"; }

if (req.http.User-Agent ~ "Build/FROYO" ||
req.http.User-Agent ~ "XOOM" ) {
set req.http.X-Device = "pc";
}

if (req.http.X-Device == "mobile") {

return (synth(751, ""));
}
}

最佳答案

Varnish 和其他软件一样只是软件,因此很难做出保证。

如果您根据之前的事件判断,Varnish 的安全历史非常好,而且看起来大多是安全的。

就您的 VCL 而言,其中没有任何内容允许您描述的行为。事实上,在 Varnish 级别引入这样的东西是非常困难的,因为 Varnish 通常不支持重写/更改响应体。

关于caching - 可以 Varnish 缓存被黑客入侵吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37738272/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com