个人中心
gpt4 book ai didi

nginx - 如果启用 Nginx 拒绝规则,则 PHP 文件下载

转载 作者:行者123 更新时间:2023-12-04 13:04:14 26 4
gpt4 key购买 nike

我有一台 Nginx 服务器运行了一年多,没有出现任何问题,它为上面的 Wordpress 站点提供 HTML 和 PHP 文件就好了。最近对 wp-login.php 进行了一些暴力攻击,所以我决定使用 Nginx 的拒绝所有规则来限制 IP 对这些区域的访问。

我已经实现了下面的规则,列表中的 IP 没有按预期获得 403,但允许的 IP 提供下载的 wp-login.php 文件而不是站点页面。

这是域规则:

server { 
   listen      10.99.0.20:8080;
   server_name  www.example.com;
   root /home/www.example.com/public_html;
   index index.html index.htm index.php;
   include conf.d/whitelisted.conf;
   include conf.d/wp/restrictions.conf;
   include conf.d/wp/wordpress.conf;
 }

whitelisted.conf 包含大量列入白名单的 IP,我不会发布列表,但它会结束: 
   ...
   allow 1.2.3.4;

   # DROP THE WORLD #
   deny all;

我添加了新的拒绝规则(最后)的约束.conf 是: 
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
        log_not_found off;
        access_log off;
}

location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
        deny all;
}

# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
  deny all;
}

 # location ~ ^/(wp-admin|wp-login\.php) {
                allow 1.2.3.4
                deny all;
 }

wordpress.conf 文件是: 
 # WordPress single site rules.
# Designed to be included in any server {} block.

# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
  try_files $uri $uri/ /index.php?$args;
}

# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.   (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
   access_log off; log_not_found off; expires max;
}

# Block PHP files in uploads directory.
location ~* /(?:uploads|files)/.*\.php$ {
  deny all;
}

# Block PHP files in content directory.
location ~* /wp-content/.*\.php$ {
  deny all;
}

# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php$ {
  deny all;
}

# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
  deny all;
}

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  if (!-f $document_root$fastcgi_script_name) {
    return 404;
  }
  # This is a robust solution for path info security issue and works     with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

  include fastcgi_params;
  fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
  fastcgi_index index.php;
  include /etc/nginx/fastcgi_params;
  fastcgi_buffer_size 128k;
  fastcgi_buffers 256 16k;
  fastcgi_busy_buffers_size 256k;
  fastcgi_temp_file_write_size 256k;
  fastcgi_read_timeout 18000;  
}

...最后 fastcgi_params 是: 
fastcgi_param   QUERY_STRING        $query_string;
fastcgi_param   REQUEST_METHOD      $request_method;
fastcgi_param   CONTENT_TYPE        $content_type;
fastcgi_param   CONTENT_LENGTH      $content_length;

fastcgi_param   SCRIPT_NAME     $fastcgi_script_name;
fastcgi_param   REQUEST_URI     $request_uri;
fastcgi_param   DOCUMENT_URI        $document_uri;
fastcgi_param   DOCUMENT_ROOT       $document_root;
fastcgi_param   SERVER_PROTOCOL     $server_protocol;
fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
fastcgi_param   PATH_INFO       $fastcgi_script_name;

fastcgi_param   GATEWAY_INTERFACE   CGI/1.1;
fastcgi_param   SERVER_SOFTWARE     nginx/$nginx_version;

fastcgi_param   REMOTE_ADDR     $remote_addr;
fastcgi_param   REMOTE_PORT     $remote_port;
fastcgi_param   SERVER_ADDR     $server_addr;
fastcgi_param   SERVER_PORT     $server_port;
fastcgi_param   SERVER_NAME     $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param   REDIRECT_STATUS     200;

感谢有人指出我正确的方向。非常感谢。

最佳答案

在您的配置中,PHP 文件由以下块处理:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_read_timeout 18000;  
}

通过添加 location ~ ^/(wp-admin|wp-login\.php) { ... }您正在将这些 URI 转移为静态文件进行处理。

一种解决方案是将所有必需的 FastCGI 语句复制到新位置,以便 nginx将 URI 作为 PHP 文件处理,例如: 
location ~ ^/(wp-admin|wp-login\.php) {
    allow 1.2.3.4
    deny all;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
}

关于nginx - 如果启用 Nginx 拒绝规则,则 PHP 文件下载,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42559736/

26 4 0
文章推荐: google-cloud-platform - 在 Google Cloud Platform 中启用双因素身份验证
文章推荐: Yeoman 'yo webapp' 运行,但目录中没有创建文件
文章推荐: asp.net-web-api - ASP.NET WEB API 2 OWIN 身份验证不受支持 grant_Type
文章推荐: python - celery : understanding the big picture
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com