我是 6G 防火墙(以前的 5G)htaccess 规则的忠实粉丝。我想知道把它转换成 NGINX 规则是否可行、是否有益?源文章可以在这里找到:https://perishablepress.com/6g/。如果可以改写,你能提供等效的 NGINX 规则集吗?我认为这对很多开发者都会有帮助。
这是原始的 .htaccess 规则:
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
# Answer 403 ([F]) when the query string matches any condition below.
# [NC] = case-insensitive match, [OR] = the conditions are alternatives.
RewriteEngine On
# PHP eval() and a literal loopback address in the query.
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
# Oversized alphanumeric run.
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
# Script-injection markers: javascript: URLs and base64_encode( calls.
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
# Attempts to address PHP superglobals from the query.
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
# Raw or percent-encoded <script ...> tags.
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
# Traversal sequences and shell/markup metacharacters.
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
# Local-file disclosure targets.
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
# Known-vulnerable thumbnail scripts.
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
# SQL keywords following a quote character (last condition, so no [OR]).
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
# Forbid (403) requests that use any of these methods; [NC] makes the
# comparison case-insensitive and ^ anchors it to the start of the method.
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
# Forbid (403) requests whose Referer header is an oversized alphanumeric
# run or names a known referrer-spam source; [NC] = case-insensitive.
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
# Each RedirectMatch answers 403 when its regex matches the request path
# (mod_alias tests the path, not the query string); (?i) = case-insensitive.
# Oversized alphanumeric run.
RedirectMatch 403 (?i)([a-z0-9]{2000})
# Embedded scheme prefixes (remote-include style URLs) and base64_encode( calls.
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
# NOTE(review): the "&?" alternative can match the empty string, so this
# pattern appears to match any path that simply ends in "/" -- confirm
# against a directory URL before deploying.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
# Shell/markup metacharacters and whitespace anywhere in the path.
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
# Direct requests for source, VCS metadata, backups, dumps and logs by extension.
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
# Sensitive or known-vulnerable PHP entry points (config, phpinfo, timthumb, ...).
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
# Set the bad_bot environment variable when the User-Agent matches
# (SetEnvIfNoCase = case-insensitive regex match).
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Deny tagged clients, but only for the methods named in <limit>
# (GET in <Limit> also covers HEAD; methods not listed, e.g. OPTIONS, are unaffected).
# Order/Allow/Deny are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them.
<limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</limit>
</IfModule>
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
# Default allow; add one "Deny from" line per address or CIDR range to block.
# Order/Allow/Deny are Apache 2.2 directives (mod_access_compat on 2.4).
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# (123.456.789 is only a placeholder -- octets must be 0-255, e.g. 203.0.113.7 or 203.0.113.0/24)
# Deny from 123.456.789
</Limit>
提前感谢您对此的任何帮助或想法,也向撰写这份 htaccess 的 Perishable Press 致敬。谢谢!
答案 0 :(得分:2)
## Add here all user agents that are to be blocked.
map $http_user_agent $bad_bot {
    # 0 = allowed (default), 1 = blocked; the server block tests $bad_bot.
    default 0;

    # An implausibly long alphanumeric run in the User-Agent header.
    "~*([a-z0-9]{2000})" 1;

    # Known scanners, scrapers and harvesters (case-insensitive substring match;
    # the unescaped "." in archive.org matches any character).
    # htmlparser and libwww are additions over the Apache 6G list.
    "~*(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|htmlparser|libwww|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune)" 1;
}
## Add here all referrers that are to be blocked.
map $http_referer $bad_referer {
    # 0 = allowed (default), 1 = blocked; the server block tests $bad_referer.
    default 0;

    # Oversized alphanumeric run in the Referer header.
    "~*([a-z0-9]{2000})" 1;

    # Referrer-spam sources (the unescaped "." in semalt.com matches any character).
    "~*(semalt.com|todaperfeita)" 1;
}
# query strings that should be blocked
map $query_string $bad_querystring {
    # 0 = allowed (default), 1 = blocked; the server block tests $bad_querystring.
    # $query_string is the raw (undecoded) query, matching Apache's %{QUERY_STRING}.
    default 0;

    # PHP eval() and a literal loopback address in the query.
    "~*(eval\()" 1;
    "~*(127\.0\.0\.1)" 1;

    # Oversized alphanumeric run.
    "~*([a-z0-9]{2000})" 1;

    # Script-injection markers: javascript: URLs and base64_encode( calls.
    "~*(javascript:)(.*)(;)" 1;
    "~*(base64_encode)(.*)(\()" 1;

    # Attempts to address PHP superglobals from the query.
    "~*(GLOBALS|REQUEST)(=|\[|%)" 1;

    # Raw or percent-encoded <script ...> tags.
    "~*(<|%3C)(.*)script(.*)(>|%3)" 1;

    # Traversal sequences and shell/markup metacharacters.
    # NOTE(review): nginx's (and Apache's) config parser appears to reduce "\\"
    # to a single "\", so the first alternative compiles to an escaped "|"
    # rather than a literal backslash; write "\\\\" if a backslash is intended.
    "~*(\\|\.\.\.|\.\./|~|`|<|>|\|)" 1;

    # Local-file disclosure targets.
    "~*(boot\.ini|etc/passwd|self/environ)" 1;

    # Known-vulnerable thumbnail scripts.
    "~*(thumbs?(_editor|open)?|tim(thumb)?)\.php" 1;

    # SQL keywords following a quote character; concat is an addition over the Apache original.
    "~*(\'|\")(.*)(drop|insert|md5|select|union|concat)" 1;
}
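# Request-path patterns (Apache's RedirectMatch 403 rules). RedirectMatch tests
# the decoded request path and never sees the query string, so the closest
# nginx source is $uri (decoded path, query string stripped) rather than
# $request_uri (raw request target including the query string). On the raw
# $request_uri the "%", ";", "," and ":" pattern below rejects every request
# whose query string carries a percent-encoded or list-style value. The query
# string itself is covered separately by $bad_querystring.
map $uri $bad_request {
    # 0 = allowed (default), 1 = blocked; the server block tests $bad_request.
    default 0;

    # Oversized alphanumeric run.
    "~*([a-z0-9]{2000})" 1;

    # Embedded scheme prefixes (remote-include style URLs) and base64_encode( calls.
    "~*(https?|ftp|php):/" 1;
    "~*(base64_encode)(.*)(\()" 1;
    "~*(=\\\'|=\\%27|/\\\'/?)\." 1;

    # NOTE(review): the "&?" alternative can match the empty string, so this
    # pattern appears to match any path that simply ends in "/" -- confirm
    # against a directory URL before relying on it.
    "~*/(\$(\&)?|\*|\"|\.|,|&|&?)/?$" 1;

    # Quoted like the other keys for consistency; regexes containing "{" or "}"
    # are safest in quotes.
    # NOTE(review): the config parser appears to reduce "\\" to "\" here and in
    # the next pattern, so the backslash alternatives compile to escaped
    # quote/pipe characters rather than a literal backslash.
    "~*(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" 1;

    # Shell/markup metacharacters and whitespace anywhere in the path.
    "~*(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)" 1;

    "~*/(=|\$&|_mm|cgi-|etc/passwd|muieblack)" 1;
    "~*(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" 1;

    # Direct requests for source, VCS metadata, backups, dumps and logs by extension.
    "~*\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$" 1;

    # Sensitive or known-vulnerable PHP entry points (config, phpinfo, timthumb, ...).
    "~*/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" 1;
}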
map $request_method $not_allowed_method {
    # 0 = allowed (default), 1 = refused with 405 by the server block.
    default 0;

    # Methods the Apache 6G rules forbid; ~* keeps the match case-insensitive
    # and ^ anchors it to the start of the method name.
    "~*^(connect|debug|delete|move|put|trace|track)" 1;
}
然后在 server 块中添加以下内容:
server {
...
# Each map above yields 0 or 1 and is evaluated on first use within a request.
# 444 is nginx-specific: close the connection without sending any response.
# "return" inside a server-level "if" is one of the documented safe uses of "if".
if ($bad_bot) { return 444; }
if ($bad_referer) { return 444; }
if ($bad_querystring) { return 444; }
if ($bad_request) { return 444; }
# Disallowed methods get a proper 405 so well-behaved clients see the reason.
if ($not_allowed_method) { return 405; }
## Filesystem root of the site and index.
root /home/$DOMAIN/public;
index index.php;
...
}