nginx 防止注入

我们用得最多的无非就是使用php,asp,asp.net这种代码来实现sql防注入***
防御原理：
1. 通过以上配置过滤基本的url中的注入关键字；
2. 当然，数据库中的用户密码得加密存放 ；
3. php程序进行二次过滤，过滤GET和POST变量中的关键字；
4. 生产环境关闭PHP和MySQL的错误信息。

最近网站受到的***比较多，用下面的方法减轻了很多，记录下来以后备用。

#禁止sql注入 if ($query_string ~* ".*[\;\'\<\>].*" ){     return 404; } if ($request_uri ~* "(cost\()|(concat\()") {     return 404; } if ($request_uri ~* "[+|(%20)]union[+|(%20)]") {     return 404; } if ($request_uri ~* "[+|(%20)]and[+|(%20)]") {     return 404; } if ($request_uri ~* "[+|(%20)]select[+|(%20)]") {     return 404; } if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {     return 404; } if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {     return 404; } if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {     return 404; } if ($query_string ~ "proc/self/environ") {     return 404; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {     return 404; } if ($query_string ~ "base64_(en|de)code(.*)") {     return 404; } if ($query_string ~ "select") {     return 404; }   #禁止文件注入 ## Block file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {     set $block_file_injections 1; } if ($block_file_injections = 1) {     return 444; }   ## 禁掉溢出*** set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {     set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {     set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") {     set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {     set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code(.*)") {     set $block_common_exploits 1; } if ($block_common_exploits = 1) {     return 444; }   ## 禁spam字段 set $block_spam 0; if ($query_string ~ "b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)b") { set $block_spam 1; } if ($query_string ~ "b(erections|hoodia|huronriveracres|impotence|levitra|libido)b") { set $block_spam 1; } if ($query_string ~ "b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)b") { set $block_spam 1; } if ($query_string ~ "b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)b") { set $block_spam 1; } if ($block_spam = 1) {     return 444; }   ## 禁掉user-agents set $block_user_agents 0; # Don’t disable wget if you need it to run cron jobs! #if ($http_user_agent ~ "Wget") { # set $block_user_agents 1; #} # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; } # Common bandwidth hoggers and hacking tools. if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; } if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; } if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; } if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; } if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; } if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; } if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; } if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; } if ($http_user_agent ~ "WebBench") {     set $block_user_agents 1; } if ($http_user_agent ~ "ApacheBench") {     set $block_user_agents 1; } if ($http_user_agent ~ ^$) {     set $block_user_agents 1; } if ($http_user_agent ~ "Python-urllib") {     set $block_user_agents 1; } if ($block_user_agents = 1) { return 444; }

把以上代码保存为block.conf，放在nginx的conf根目录，在需要防护的网站上用include引入就可以了。

include block.conf