Sharing nginx security rules


A few commonly used nginx security rules; add the ones you need. Every `if` below contains only a `return`, which is one of the uses the nginx documentation lists as safe inside `if`; run `nginx -t` after adding any of them.

# Redirect requests whose URI contains one of these sensitive words to a 10 GB download
# The double quote and the dollar sign must be escaped, otherwise nginx refuses the config (the unescaped " ends the string, and an unescaped $ is a regex end anchor, so $_GET would never match).
# "admin", "config" and "function" also match legitimate URLs such as /wp-admin/, so test before enabling. Returning 444 instead of bouncing traffic to a third-party host is the safer choice.
if ($request_uri ~* "(\.gz)|(\")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|(\$_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {return 301 http://lg-dene.fdcservers.net/10GBtest.zip;}


# Block downloads of files with these extensions (444 closes the connection without sending a response)
location ~ \.(zip|rar|sql|bak|gz|7z)$
{return 444;}


# Redirect any request whose URI contains test= to the Ministry of Public Security site
if ($request_uri ~* test=) {return 301 https://www.mps.gov.cn;}


# Block nuisance crawlers (the match is case-insensitive, so "python" also catches Python-urllib and python-requests)
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {return 444;}



# Deny script execution in specific directories
# uploads|templets|data: PHP must not execute from these directories. The dot before the extension is escaped (the original `.` matched any character).
# nginx uses the first matching regex location, so this must appear before the generic \.php$ handler.
location ~* ^/(uploads|templets|data)/.*\.(php|php5)$ {return 444;}
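Added example (not code from the original post) showing why the order of the two deny rules and the PHP handler matters: nginx evaluates `location ~` blocks in the order written and takes the first match, so the deny rules must come before the generic `\.php$` handler. The server name, document root and php-fpm socket path are assumptions; the extension list is widened to cover `.phtml` and `.php7`.

```nginx
server {
    listen 80;
    server_name example.com;        # assumed
    root /opt/hostloc/www;          # assumed document root

    # 1) Deny scripts under upload/template/data directories. Placed first so
    #    it wins over the generic PHP handler below.
    location ~* ^/(uploads|templets|data)/.*\.(php[0-9]?|phtml)$ {
        return 444;
    }

    # 2) Deny archive/backup/dump downloads anywhere in the tree.
    location ~* \.(zip|rar|sql|bak|gz|7z|tar|tgz)$ {
        return 444;
    }

    # 3) Generic PHP handler: last, so it never matches the paths denied above.
    location ~ \.php$ {
        # Refuse to execute files that do not exist on disk; this also stops
        # /uploads/shell.jpg/x.php style PATH_INFO tricks from reaching php-fpm.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Verify the ordering with `nginx -t` and then `curl -i http://example.com/uploads/x.php`: a closed connection (curl reports an empty reply) means the deny rule matched; a PHP response means the handler was listed first.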

# Block crawlers with a 404
# This list also contains Googlebot, Baiduspider and the other major search engines, plus the empty User-Agent (^$); trim it unless you really want the site de-indexed.
if ($http_user_agent ~* "qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$") {return 404;}

# Return 403 when the Host header is not the specified domain (replace XX.XX.XX with your hostname)
# This has to be repeated in every server block; a catch-all default_server that returns 444 is the more robust way to achieve the same thing.
if ($host != 'XX.XX.XX'){return 403;}
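Added example (not from the original post) of the catch-all approach: requests whose Host header or TLS SNI name matches no `server_name` land in the default server and are dropped, so the real site never sees them and no per-server `if` is needed. It assumes nginx 1.19.4 or newer for `ssl_reject_handshake`, which lets the catch-all listen on 443 without a dummy certificate; the hostname and certificate paths are assumptions.

```nginx
# Catch-all: must be the only default_server for each listen address.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;                 # placeholder name that never matches a real host

    # Abort the TLS handshake for unknown SNI names instead of serving a certificate.
    ssl_reject_handshake on;       # nginx >= 1.19.4 (assumed)

    return 444;                    # close the connection, send nothing
}

# Real site: only requests carrying exactly this Host/SNI name reach it.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;                        # assumed
    ssl_certificate     /etc/nginx/ssl/example.crt;     # assumed
    ssl_certificate_key /etc/nginx/ssl/example.key;     # assumed
    root /opt/hostloc/www;
}
```

Test it with `curl -i -H 'Host: evil.example' http://<server-ip>/` (expect an empty reply) and `curl -i --resolve www.example.com:443:<server-ip> https://www.example.com/` (expect the site). Requests made directly to the IP address also hit the catch-all, which is usually what you want.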

# Allow only specific IPs and additionally require a username/password (place these inside a server or location block)
 root /opt/hostloc/www;
 allow  xx.xx.xx.xx;
 allow  2xx.xx.x.xx;
 deny  all;
 auth_basic "test";
 auth_basic_user_file htpasswd;
# A relative htpasswd path resolves against the nginx conf prefix (e.g. /etc/nginx/htpasswd).
# With the default "satisfy all" both checks must pass: a request from an allowed IP still needs a valid password.
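Added example (not the original post's code) of the same rule as a complete admin location, with `satisfy all` written out and the password file created with bcrypt hashes rather than the weak crypt() default. The IP ranges, hostname and file paths are assumptions.

```nginx
# Create the password file once, on the server (assumed path):
#   htpasswd -B -c /etc/nginx/htpasswd admin
server {
    listen 443 ssl;
    server_name example.com;                            # assumed
    ssl_certificate     /etc/nginx/ssl/example.crt;     # assumed
    ssl_certificate_key /etc/nginx/ssl/example.key;     # assumed
    root /opt/hostloc/www;

    location /admin/ {
        satisfy all;                 # access module AND auth module must both pass
        allow 203.0.113.10;          # assumed office address
        allow 198.51.100.0/24;       # assumed VPN range
        deny  all;

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # absolute path avoids conf-prefix surprises
    }
}
```

Two caveats. Basic auth sends the password base64-encoded, so serve this location over TLS only. And if nginx sits behind a load balancer, CDN or reverse proxy, `allow`/`deny` see the proxy's address, not the client's; configure `set_real_ip_from` for the proxy's address and `real_ip_header X-Forwarded-For` (ngx_http_realip_module) before trusting the allow list, and never trust `X-Forwarded-For` from arbitrary sources.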

# Deny access to several directories
# deny all already ends the request with 403 in the access phase; the original also had a "break" here, which is a rewrite-phase directive and does nothing in this position, so it is dropped.
 location ~ ^/(cron|templates)/
 {
 deny all;
 }

# Hide the nginx version number
Add to the http block:
http {
...
server_tokens off;
...
}

# Block non-browser clients, i.e. requests with an empty User-Agent
# 412 (Precondition Failed) is an odd choice; 403 or 444 is more conventional, and many legitimate monitoring tools also send no User-Agent.
if ($http_user_agent ~ ^$) {return 412;}
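Added example (not from the original post) that folds the three User-Agent rules on this page, the nuisance-crawler list, the 404 crawler list and the empty-User-Agent check, into a single `map`, so the agent string is inspected once per request and the block list lives in one place. `map` must sit in the `http` block; the hostname is assumed, and the patterns are a trimmed version of the post's own lists, deliberately leaving out the major search engines.

```nginx
# http block: classify the User-Agent once. Keys are checked in order; "" matches
# an empty header, "~*" keys are case-insensitive regexes, default covers the rest.
map $http_user_agent $block_ua {
    default 0;
    ""      1;                                         # empty User-Agent (the post's "non-browser" rule)
    "~*(SemrushBot|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)" 1;   # SEO scrapers
    "~*(Python-urllib|Scrapy|HttpClient|ApacheBench|ZmEu|Censys|Indy Library)" 1;  # scanners and libraries
}

server {
    listen 80;
    server_name example.com;   # assumed
    root /opt/hostloc/www;

    # $block_ua is "0" or "1"; nginx treats "0" and "" as false, so this is a
    # plain boolean test. "return" is one of the documented safe uses of "if".
    if ($block_ua) {
        return 444;
    }
}
```

Check it with `curl -i -A 'Mozilla/5.0 AhrefsBot/7.0' http://example.com/` (empty reply) versus `curl -i -A 'Mozilla/5.0' http://example.com/` (normal response). Because the map keys are matched in order, put the cheap exact-string keys first and keep the regex alternatives short; every regex key runs on every request until one matches.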
