NGINX 过滤对局域网 IP 的请求

时间:2021-07-29 11:14:06

标签: django nginx mod-security

我通过 NGINX 收到了几个请求,这些请求似乎是针对我的 LAN IP 192.168.0.1 的,如下所示:

nginx.vhost.access.log:

192.227.134.73 - - [29/Jul/2021:10:33:47 +0000] "POST /GponForm/diag_Form?style/       HTTP/1.1" 400 154 "-" "curl/7.3.2"

来自 Django:

Invalid HTTP_HOST header: '192.168.0.1:443'. You may need to add '192.168.0.1' to ALLOWED_HOSTS.

我的 NGINX 配置如下:

upstream django_server {
    server 127.0.0.1:8000;
}

# Catch all requests with an invalid HOST header
server {
    server_name "";
    listen 80;
        return 301 https://backoffice.example.com$request_uri;
    }

server {
    listen 80;
    # Redirect www to https
    server_name www.backoffice.example.com;
    modsecurity on;
    modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    add_header X-Frame-Options "deny" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    return 301 https://backoffice.example.com$request_uri;
}

server {
      listen 443 ssl http2;
      server_name www.backoffice.example.com backoffice.example.com;
      modsecurity on;
      modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
      add_header X-Frame-Options "deny" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
      add_header Referrer-Policy "strict-origin-when-cross-origin"; 

      ssl_certificate    /etc/ssl/nginx-ssl/backofficebundle.crt;
      ssl_certificate_key    /etc/ssl/nginx-ssl/backoffice.key;
      
      access_log /some_directory/nginx/nginx.vhost.access.log;
      error_log /some_directory/nginx/nginx.vhost.error.log;

    location / {
        proxy_pass http://localhost:8000;
        proxy_pass_header Server;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header REMOTE_ADDR $remote_addr;        
}


      location /media/ {
        alias /some_directory/backoffice/media/;
        }

        location /static/ {
        alias /some_directory/backoffice/static/;
    }

}

我的问题:

  1. 有没有办法配置 NGINX 来阻止对所有 LAN IP 的请求?
  2. ModSecurity 可以做得更好吗?

1 个答案:

答案 0 :(得分:0)

<块引用>

有没有办法配置 NGINX 来阻止对所有 LAN IP 的请求?

有,只需在公共 IP 上创建 nginx listen(例如 listen backoffice.example.com:443 ssl http2;)。虽然我不知道你为什么想要这个......

因为如果它是一个内部 IP,它不能被外部访问(根据定义——否则你不会称它为内部)。如果是这种情况,您的网络/防火墙可能会出现更多问题。

关于 nginx 访问日志,我没有发现任何问题。 192.227.134.73 不是私有 IP。

关于 Django 日志,curl -H "Host: 192.168.0.1:443" https://backoffice.example.com 会引起这样的请求。 “Host”头毕竟只是一个头,可以包含任何东西。

相关问题
最新问题