Nginx (engine x)
Nginx is a high-performance HTTP and reverse proxy server, and a large share of websites now use it as their web server. Although Nginx is very powerful, it does not block malicious access by default. I (xiaoz) have collected some common Nginx blocking rules here in the hope that they help you.

Before starting, I assume you are familiar with the common Nginx commands (stop, restart and so on) and with reading the nginx error log, so that you are not at a loss when something goes wrong. Unless otherwise noted, the directives below go inside the server block. Always back up the nginx configuration before modifying it, and reload nginx after the change, otherwise it will not take effect.

Prevent files from being downloaded

For example, if you export the website database into the site root directory as a backup, it is very likely to be downloaded, exposing the data. The following rule prevents some common file types from being downloaded; add or remove extensions according to your situation.
location ~ \.(zip|rar|sql|bak|gz|7z)$ { return 444; }
Block unusual spiders (crawlers)

If you analyze your website logs regularly, you will notice some strange User-Agents visiting the site very frequently. Being indexed by these UAs brings the site nothing; they only add load on the server, so they can be blocked outright.
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
    return 444;
}
Prevent a directory from executing scripts


For example, website upload directory , Usually, static files are stored , If the program verification is not rigorous, the Trojan program is uploaded , Causing the website to be hacked . Please change the following rules to your own directory according to your own situation , Script suffixes that need to be banned can also be added by yourself .
#uploads|templets|data These directories are forbidden PHP location ~*
^/(uploads|templets|data)/.*.(php|php5)$ { return 444; }
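The two location rules above (blocking downloads of backup files, and blocking scripts under the upload directories) are both PCRE matches on the request URI, so they can be checked offline before touching the server. The following Python re-implementation is an added example, not code from the original post: it replays both patterns against constructed sample paths and shows two details worth knowing. First, the download rule uses `~`, which is case-sensitive in nginx, so `site.SQL` slips through unless you switch to `~*`. Second, the dot before `(php|php5)` must be escaped; many copies of this snippet write `.*.(php|php5)$`, where the unescaped `.` matches any character and wrongly blocks a name that merely ends in `php`. The `$` anchor also means a path-info style URI such as `/uploads/avatar.php/x.jpg` is not matched, so this rule complements, rather than replaces, a correctly configured PHP handler.

```python
import re

# Added example (not from the original post): Python re-implementation of the
# post's two location rules so they can be checked against sample URIs offline.
# nginx location regexes are PCRE; "~" is case-sensitive, "~*" case-insensitive.

# Rule 1 as written in the post: location ~ \.(zip|rar|sql|bak|gz|7z)$
DOWNLOAD_RE = re.compile(r"\.(zip|rar|sql|bak|gz|7z)$")

# Rule 2 with the dot escaped: location ~* ^/(uploads|templets|data)/.*\.(php|php5)$
SCRIPT_RE = re.compile(r"^/(uploads|templets|data)/.*\.(php|php5)$", re.IGNORECASE)

# The unescaped variant seen in many copies of this snippet; "." matches any
# character, so it also fires on names that merely end in "php".
SCRIPT_RE_UNESCAPED = re.compile(r"^/(uploads|templets|data)/.*.(php|php5)$", re.IGNORECASE)


def decide(uri, download_re=DOWNLOAD_RE, script_re=SCRIPT_RE):
    """Return 444 if either blocking rule matches the request URI, else None.

    Only the path part is tested, as nginx does with $uri (the query string
    is not part of $uri).
    """
    path = uri.split("?", 1)[0]
    if download_re.search(path) or script_re.search(path):
        return 444
    return None


def check_samples():
    """Constructed request paths and what the rules do with them."""
    return {
        "/backup/site.sql": decide("/backup/site.sql"),              # blocked
        "/backup/site.SQL": decide("/backup/site.SQL"),              # not blocked: "~" is case-sensitive
        "/uploads/avatar.php": decide("/uploads/avatar.php"),        # blocked
        "/uploads/avatar.PHP": decide("/uploads/avatar.PHP"),        # blocked: "~*" is case-insensitive
        "/uploads/avatar.jpg": decide("/uploads/avatar.jpg"),        # allowed
        "/uploads/avatar.php/x.jpg": decide("/uploads/avatar.php/x.jpg"),  # not blocked: "$" anchors at the end
    }


def unescaped_false_positive():
    """Why the dot must be escaped: "/data/notes-php" has no ".php" suffix."""
    return (
        decide("/data/notes-php", script_re=SCRIPT_RE_UNESCAPED),  # 444 (wrongly blocked)
        decide("/data/notes-php"),                                  # None (correct)
    )


if __name__ == "__main__":
    for path, verdict in check_samples().items():
        print(f"{path:30} -> {verdict}")
    print("unescaped vs escaped:", unescaped_false_positive())
```

If uppercase backup names are a concern, change the download rule to `location ~* ...` (the equivalent of `re.IGNORECASE` here); the rest of the pattern stays the same.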
Block an IP or IP range

If the site is being flooded with spam or hit by a CC attack (an HTTP flood), you can pick out the offending IPs from the website logs and block the IP or its whole range.
# block the single IP 192.168.5.23
deny 192.168.5.23;
# block the whole 192.168.5.* range
deny 192.168.5.0/24;
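Both the crawler section and this one start from the same step: reading the access log to find who is hammering the site. The script below is an added example, not code from the original post. It parses lines in nginx's default "combined" log format (constructed sample lines, with documentation-range addresses), counts requests per client IP and per User-Agent, flags the agents that the post's `$http_user_agent` rule would match, and renders `deny` directives for IPs above a hit threshold. The threshold and the sample data are my assumptions; tune the threshold to your own traffic.

```python
import re
from collections import Counter

# Added example (not from the original post): tally an nginx "combined" access
# log by client IP and User-Agent to find candidates for the UA and deny rules.

# Default "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Same alternatives as the post's  if ($http_user_agent ~* (...))  rule.
BAD_UA = re.compile(
    r"(SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)",
    re.IGNORECASE,
)

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0800] "GET /post/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0800] "GET /post/2 HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
192.0.2.50 - - [10/Oct/2023:13:55:39 +0800] "POST /comment HTTP/1.1" 200 1500 "-" "python-requests/2.31"
192.0.2.50 - - [10/Oct/2023:13:55:39 +0800] "POST /comment HTTP/1.1" 200 1500 "-" "python-requests/2.31"
192.0.2.50 - - [10/Oct/2023:13:55:40 +0800] "POST /comment HTTP/1.1" 200 1500 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0800] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
"""


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_agents(rows):
    """User-Agents the post's UA rule would block, with their hit counts."""
    return Counter(r["ua"] for r in rows if BAD_UA.search(r["ua"]))


def top_ips(rows, min_hits=3):
    """Client IPs with at least min_hits requests, busiest first."""
    counts = Counter(r["ip"] for r in rows)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def deny_lines(flagged):
    """Render nginx deny directives for the flagged (ip, count) pairs."""
    return [f"deny {ip};" for ip, _ in flagged]


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("agents matched by the UA rule:", dict(suspicious_agents(rows)))
    flagged = top_ips(rows, min_hits=3)
    print("IPs over threshold:", flagged)
    print("\n".join(deny_lines(flagged)))
```

Review the output by hand before pasting anything into the configuration: a high hit count alone can also be a CDN edge or a shared NAT address, and nginx evaluates `allow`/`deny` directives in order with the first match winning, so put any `allow` exceptions before the `deny` lines.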
Other notes

Again: always back up the nginx configuration before modifying it, and reload nginx after the change, otherwise it will not take effect.

Most of the rules above return the 444 status code rather than 403, because 444 has a special meaning in nginx: the server closes the connection immediately and sends nothing back to the client, which is more abrupt than returning 403. Corrections and additions are welcome.

Reprinted from: Common Nginx blocking rules to make your website more secure <https://www.xiaoz.me/archives/11095>