PHP 启用 Nginx 拒绝规则时的文件下载
PHP File downloads if Nginx deny rule enabled
我有一个 Nginx 服务器 运行 一年多了,没有任何问题,它可以为上面的 Wordpress 站点提供 HTML 和 PHP 文件。最近 wp-login.php 发生了一些暴力攻击,所以我决定使用 Nginx 的拒绝所有规则来限制 IP 对这些区域的访问。
我已经实施了下面的规则,不在列表中的 IP 按预期获得了 403,但允许的 IP 提供了下载的 wp-login.php 文件而不是网站页面。
这是域规则:
server {
listen 10.99.0.20:8080;
server_name www.example.com;
root /home/www.example.com/public_html;
index index.html index.htm index.php;
include conf.d/whitelisted.conf;
include conf.d/wp/restrictions.conf;
include conf.d/wp/wordpress.conf;
}
whitelisted.conf 包含大量列入白名单的 IP,我不会 post 该列表但它结束了:
...
allow 1.2.3.4;
# DROP THE WORLD #
deny all;
我添加新拒绝规则(最后)的 restrictions.conf 是:
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
deny all;
}
# location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4
deny all;
}
wordpress.conf 文件是:
# WordPress single site rules.
# Designed to be included in any server {} block.
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\. (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
# Block PHP files in uploads directory.
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Block PHP files in content directory.
location ~* /wp-content/.*\.php$ {
deny all;
}
# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php$ {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
deny all;
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 18000;
}
...最后 fastcgi_params 是:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
感谢有人为我指明正确的方向。非常感谢。
在您的配置中,PHP 个文件由以下块处理:
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 18000;
}
通过添加 location ~ ^/(wp-admin|wp-login\.php) { ... },您会将这些 URI 转移为静态文件进行处理。
一个解决方案是将所有必需的 FastCGI 语句复制到新位置,以便 nginx 将 URI 作为 PHP 文件处理,例如:
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4
deny all;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
我有一个 Nginx 服务器 运行 一年多了,没有任何问题,它可以为上面的 Wordpress 站点提供 HTML 和 PHP 文件。最近 wp-login.php 发生了一些暴力攻击,所以我决定使用 Nginx 的拒绝所有规则来限制 IP 对这些区域的访问。
我已经实施了下面的规则,不在列表中的 IP 按预期获得了 403,但允许的 IP 提供了下载的 wp-login.php 文件而不是网站页面。
这是域规则:
server {
listen 10.99.0.20:8080;
server_name www.example.com;
root /home/www.example.com/public_html;
index index.html index.htm index.php;
include conf.d/whitelisted.conf;
include conf.d/wp/restrictions.conf;
include conf.d/wp/wordpress.conf;
}
whitelisted.conf 包含大量列入白名单的 IP,我不会 post 该列表但它结束了:
...
allow 1.2.3.4;
# DROP THE WORLD #
deny all;
我添加新拒绝规则(最后)的 restrictions.conf 是:
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
deny all;
}
# location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4
deny all;
}
wordpress.conf 文件是:
# WordPress single site rules.
# Designed to be included in any server {} block.
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\. (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
# Block PHP files in uploads directory.
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Block PHP files in content directory.
location ~* /wp-content/.*\.php$ {
deny all;
}
# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php$ {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
deny all;
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 18000;
}
...最后 fastcgi_params 是:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
感谢有人为我指明正确的方向。非常感谢。
在您的配置中,PHP 个文件由以下块处理:
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 18000;
}
通过添加 location ~ ^/(wp-admin|wp-login\.php) { ... },您会将这些 URI 转移为静态文件进行处理。
一个解决方案是将所有必需的 FastCGI 语句复制到新位置,以便 nginx 将 URI 作为 PHP 文件处理,例如:
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4
deny all;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}