G6 Firewall 可以转换为在 NGINX 上使用吗?
Can G6 Firewall be converted to be used on NGINX?
我是 G6 防火墙(以前的 G5)htaccess 规则的忠实粉丝。我想知道将其转换为与 NGINX 一起使用是否可能,以及是否有益?可以在此处找到源文章:https://perishablepress.com/6g/。如果可以重写它,你会提供 NGINX 等效规则集吗?我认为这对很多开发人员都有帮助。
这是原始的 .htaccess 规则:
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\'|=\%27|/\\'/?)\.
RedirectMatch 403 (?i)/($(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
<limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</limit>
</IfModule>
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>
提前感谢您对此的帮助或想法,并感谢 Perishable Press 编写此 htaccess。谢谢!
## Add here all user agents that are to be blocked.
map $http_user_agent $bad_bot {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|htmlparser|libwww|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) 1;
}
## Add here all referrers that are to blocked.
map $http_referer $bad_referer {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(semalt.com|todaperfeita) 1;
}
# query strings that should be blocked
map $query_string $bad_querystring {
default 0;
~*(eval\() 1;
~*(127\.0\.0\.1) 1;
"~*([a-z0-9]{2000})" 1;
"~*(javascript:)(.*)(;)" 1;
~*(base64_encode)(.*)(\() 1;
~*(GLOBALS|REQUEST)(=|\[|%) 1;
~*(<|%3C)(.*)script(.*)(>|%3) 1;
~*(\|\.\.\.|\.\./|~|`|<|>|\|) 1;
~*(boot\.ini|etc/passwd|self/environ) 1;
~*(thumbs?(_editor|open)?|tim(thumb)?)\.php 1;
~*(\'|\")(.*)(drop|insert|md5|select|union|concat) 1;
}
map $request_uri $bad_request {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(https?|ftp|php):/ 1;
~*(base64_encode)(.*)(\() 1;
~*(=\\'|=\%27|/\\'/?)\. 1;
"~*/($(\&)?|\*|\"|\.|,|&|&?)/?$" 1;
~*(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\") 1;
"~*(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)" 1;
~*/(=|$&|_mm|cgi-|etc/passwd|muieblack) 1;
"~*(&pws=0|_vti_|\(null\)|\{$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" 1;
~*\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$ 1;
~*/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php 1;
}
map $request_method $not_allowed_method {
default 0;
~*^(connect|debug|delete|move|put|trace|track) 1;
}
然后在服务器指令中添加这个
server {
...
if ($bad_bot) { return 444; }
if ($bad_referer) { return 444; }
if ($bad_querystring) { return 444; }
if ($bad_request) { return 444; }
if ($not_allowed_method) { return 405; }
## Filesystem root of the site and index.
root /home/$DOMAIN/public;
index index.php;
...
}
我是 G6 防火墙(以前的 G5)htaccess 规则的忠实粉丝。我想知道将其转换为与 NGINX 一起使用是否可能,以及是否有益?可以在此处找到源文章:https://perishablepress.com/6g/。如果可以重写它,你会提供 NGINX 等效规则集吗?我认为这对很多开发人员都有帮助。
这是原始的 .htaccess 规则:
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\'|=\%27|/\\'/?)\.
RedirectMatch 403 (?i)/($(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
<limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</limit>
</IfModule>
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>
提前感谢您对此的帮助或想法,并感谢 Perishable Press 编写此 htaccess。谢谢!
## Add here all user agents that are to be blocked.
map $http_user_agent $bad_bot {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|htmlparser|libwww|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) 1;
}
## Add here all referrers that are to blocked.
map $http_referer $bad_referer {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(semalt.com|todaperfeita) 1;
}
# query strings that should be blocked
map $query_string $bad_querystring {
default 0;
~*(eval\() 1;
~*(127\.0\.0\.1) 1;
"~*([a-z0-9]{2000})" 1;
"~*(javascript:)(.*)(;)" 1;
~*(base64_encode)(.*)(\() 1;
~*(GLOBALS|REQUEST)(=|\[|%) 1;
~*(<|%3C)(.*)script(.*)(>|%3) 1;
~*(\|\.\.\.|\.\./|~|`|<|>|\|) 1;
~*(boot\.ini|etc/passwd|self/environ) 1;
~*(thumbs?(_editor|open)?|tim(thumb)?)\.php 1;
~*(\'|\")(.*)(drop|insert|md5|select|union|concat) 1;
}
map $request_uri $bad_request {
default 0;
"~*([a-z0-9]{2000})" 1;
~*(https?|ftp|php):/ 1;
~*(base64_encode)(.*)(\() 1;
~*(=\\'|=\%27|/\\'/?)\. 1;
"~*/($(\&)?|\*|\"|\.|,|&|&?)/?$" 1;
~*(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\") 1;
"~*(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)" 1;
~*/(=|$&|_mm|cgi-|etc/passwd|muieblack) 1;
"~*(&pws=0|_vti_|\(null\)|\{$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" 1;
~*\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$ 1;
~*/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php 1;
}
map $request_method $not_allowed_method {
default 0;
~*^(connect|debug|delete|move|put|trace|track) 1;
}
然后在服务器指令中添加这个
server {
...
if ($bad_bot) { return 444; }
if ($bad_referer) { return 444; }
if ($bad_querystring) { return 444; }
if ($bad_request) { return 444; }
if ($not_allowed_method) { return 405; }
## Filesystem root of the site and index.
root /home/$DOMAIN/public;
index index.php;
...
}