Nginx (engine x) is a high-performance HTTP and reverse proxy server, and a large share of websites currently use Nginx as their web server. Nginx is very powerful, but by default it does not block malicious access. Here xiaoz shares some commonly used Nginx blocking rules, in the hope that they will help you.

Before you start, you should be familiar with the commonly used Nginx commands (such as stop and restart) and with troubleshooting from the nginx error log, so that you can avoid problems. Unless otherwise specified, the following directives are added to the server block. Be sure to make a backup before modifying the nginx configuration, and reload nginx once after the modification, otherwise the changes will not take effect.

Prevent files from being downloaded

For example, suppose the website database is exported to the site root directory as a backup. It is likely to be downloaded by others, creating a risk of data loss. The following rule prevents some common file types from being downloaded; add or remove extensions according to your actual situation.
location ~ \.(zip|rar|sql|bak|gz|7z)$ { return 444; }

Block common spiders (crawlers)

If you analyze the website logs regularly, you will find that some strange user agents (UAs) visit the website very frequently. These UAs bring nothing of value to the website and only increase the load on the server, so they can be blocked directly.
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
    return 444;
}

Disable script execution in a directory

For example, a website's upload directory usually stores only static files. If a web shell is uploaded because the application's validation is not strict, the website can be compromised. Change the directories in the following rule to your own according to your situation; you can also add further script suffixes that need to be blocked.
# Forbid PHP execution in the uploads, templets and data directories
location ~* ^/(uploads|templets|data)/.*\.(php|php5)$ { return 444; }

Block specific IPs or IP ranges

If the website is maliciously flooded with spam or hit by a CC attack, the characteristic IPs can be identified from the website logs, and that IP or IP range can then be blocked.
# Block the single IP 192.168.5.23
deny 192.168.5.23;
# Block the whole 192.168.5.* range
deny 192.168.5.0/24;
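
One way to get from an access log to candidate deny lines, as an added example that is not part of the original post. It assumes the default nginx "combined" log format; the thresholds, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# nginx "combined" log format: the client IP is the first field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+')

def suggest_deny_rules(log_lines, ip_threshold=5, subnet_threshold=3):
    """Return nginx deny directives for noisy IPv4 clients (thresholds are assumed values)."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue  # first field was not an IP address
        if ip.version == 4:
            hits[ip] += 1
    # An IP is flagged once it reaches ip_threshold requests in the sample.
    flagged = [ip for ip, n in hits.items() if n >= ip_threshold]
    by_subnet = {}
    for ip in flagged:
        by_subnet.setdefault(ip_network(f"{ip}/24", strict=False), []).append(ip)
    rules = []
    for net in sorted(by_subnet):
        ips = by_subnet[net]
        if len(ips) >= subnet_threshold:
            rules.append(f"deny {net};")  # many flagged hosts: deny the whole /24
        else:
            rules.extend(f"deny {ip};" for ip in sorted(ips))
    return rules

def make_line(ip, path="/"):
    # Constructed sample line in combined format, not real traffic.
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            '200 512 "-" "Mozilla/5.0"')

SAMPLE = (
    [make_line("203.0.113.7")] * 6                                # one noisy host
    + [make_line(f"198.51.100.{i}") for i in (10, 11, 12)] * 5    # noisy /24
    + [make_line("192.0.2.44")] * 2                               # normal visitor
    + ["garbage line"]
)

if __name__ == "__main__":
    print("\n".join(suggest_deny_rules(SAMPLE)))
```

Review the suggested lines before adding them to the server block: a single address can be a shared NAT gateway or a crawler you want to keep, and a /24 deny also blocks every unflagged host in that range.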

Other notes

To emphasize once more: be sure to make a backup before modifying the nginx configuration, and reload nginx once after the modification, otherwise the changes will not take effect.

Most of the rules above return the 444 status code instead of 403, because 444 has a special meaning in nginx. With 444, the server closes the connection directly and returns no further message to the client, which is more drastic than returning 403. Please add to or correct anything that is lacking.

Reprinted from: Nginx common blocking rules, make your site more secure <https://www.xiaoz.me/archives/11095>