配置示例
本页中提供各种功能的配置示例
senginx.org
配置文件
公布senginx.org的配置文件,供大家参考。
此配置文件中开启了cookie防篡改、机器人缓解和naxsi。
# Process-level settings (main context).

# Account the worker processes run as.
user nobody;

# A single worker process.
worker_processes 1;

# Global error log at "notice" level; /cn and /en set their own error_log.
error_log logs/error.log notice;

# PID file of the master process.
pid logs/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker.
    worker_connections 1024;
}
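# HTTP context: one reverse-proxy virtual host in front of a local backend.
# naxsi, robot mitigation and cookie-tamper protection are enabled only in
# the /cn and /en locations; every other location is proxied or served
# without those checks.
http {
    include       mime.types;
    default_type  application/octet-stream;

    # naxsi core rule set. The CheckRule thresholds in /cn and /en act on the
    # scores these rules assign.
    include /usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;

    # GeoIP databases: used for the log fields below and for the /cn vs /en
    # redirect in "location /".
    geoip_country /usr/local/senginx/GeoIP.dat;
    geoip_city    /usr/local/senginx/GeoLiteCity.dat;

    # Access-log format. $http_referer, $http_user_agent and
    # $http_x_forwarded_for are copied from request headers, so they are
    # client-controlled; only $remote_addr is the actual peer address.
    # Anything that parses these logs should treat the header fields as
    # untrusted text.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"'
                    ' - [$geoip_city, $geoip_city_country_name]';

    sendfile          on;
    tcp_nopush        on;
    keepalive_timeout 65;
    gzip              on;

    # SEnginx session module setting.
    # NOTE(review): presumably the maximum number of tracked sessions;
    # confirm the unit against the SEnginx session documentation.
    session_max_size 1024;

    # Backend application server (Apache on local port 8086 per the page).
    # NOTE(review): confirm the backend binds to 127.0.0.1 only; if it is
    # reachable directly, clients can bypass every check configured here.
    upstream backend {
        server 127.0.0.1:8086;
    }

    server {
        # Plain HTTP only: cookie_poisoning detects modified cookies but
        # cookies and session identifiers still cross the network in clear
        # text.
        listen      80;
        server_name senginx.org;

        access_log logs/access.www.log main;

        # error_page needs at least one status code before the URI; the
        # original line had only the URI, which nginx rejects at startup.
        # NOTE(review): codes taken from the stock nginx.conf that pairs them
        # with /50x.html; confirm against the deployed file.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # SEnginx session tracking for this server.
        session_timeout 600;
        session         on;

        # Target of naxsi's DeniedUrl: blocked requests end up here.
        location /RequestDenied {
            return 403;
        }

        # The next three locations are proxied WITHOUT naxsi, robot
        # mitigation or cookie checks, and without the Host /
        # X-Forwarded-For headers set in /cn and /en. They are prefix
        # matches (e.g. /img also matches /imgfoo), so the backend must
        # serve only static content under these prefixes.
        location /favicon.ico {
            proxy_pass http://backend;
        }

        location /download {
            proxy_pass http://backend;
        }

        location /img {
            proxy_pass http://backend;
        }

        # Chinese site: all protections on.
        location /cn {
            error_log logs/error.cn.log;

            # JavaScript challenge for automated clients; failures are blocked.
            robot_mitigation        on;
            robot_mitigation_mode   js;
            robot_mitigation_action block;

            # NOTE(review): these entries appear to be matched against the
            # User-Agent header, which any client can set. Verify how this
            # SEnginx version validates whitelisted crawlers, otherwise a
            # request that merely claims to be a crawler presumably skips the
            # challenge.
            robot_mitigation_whitelist {
                "Baidu"  "Baiduspider";
                "Google" "Googlebot";
            }

            # Block requests whose cookies were modified by the client.
            cookie_poisoning        on;
            cookie_poisoning_action block;

            # naxsi in enforcing mode. LearningMode is left commented out, so
            # requests reaching a threshold are blocked, not just logged.
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl "/RequestDenied";

            # Site-specific naxsi whitelist. Keep it narrow: each whitelisted
            # rule is a check that no longer runs for the matched zone.
            include wl.conf;

            ## check rules
            # XSS and TRAVERSAL block at score 4, the rest at 8.
            CheckRule "$XSS >= 4" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 8" BLOCK;
            CheckRule "$UPLOAD >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$SQL >= 8" BLOCK;

            # $proxy_add_x_forwarded_for appends the peer address to whatever
            # X-Forwarded-For the client sent, so only the LAST entry is
            # trustworthy to the backend.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # $host instead of $http_host: $http_host is the raw request
            # header, while $host is nginx's normalised host name.
            # NOTE(review): this is the only server block on port 80, so it
            # also answers requests carrying any other Host name and forwards
            # that name; the backend should not build URLs from Host unless a
            # catch-all server rejects unknown names.
            proxy_set_header Host $host;
            proxy_pass http://backend;
        }

        # English site: same protections as /cn, with its own error log and
        # naxsi whitelist, and only the Google crawler whitelisted.
        location /en {
            error_log logs/error.en.log;

            robot_mitigation        on;
            robot_mitigation_mode   js;
            robot_mitigation_action block;

            # NOTE(review): same User-Agent caveat as for /cn.
            robot_mitigation_whitelist {
                "Google" "Googlebot";
            }

            cookie_poisoning        on;
            cookie_poisoning_action block;

            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl "/RequestDenied";
            include wl-en.conf;

            ## check rules
            CheckRule "$XSS >= 4" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 8" BLOCK;
            CheckRule "$UPLOAD >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$SQL >= 8" BLOCK;

            # Backend must trust only the last X-Forwarded-For entry; Host is
            # nginx's normalised value rather than the raw client header.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://backend;
        }

        # Landing page: redirect "/" to /cn or /en by GeoIP country of the
        # source address. This is a convenience redirect, not an access
        # control; /cn and /en stay reachable from anywhere. Paths other than
        # "/" that match no location above are not proxied.
        location / {
            if ($geoip_country_code = CN) {
                rewrite ^/$ /cn redirect;
            }
            if ($geoip_country_code != CN) {
                rewrite ^/$ /en redirect;
            }
        }
    }
}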
配置文件说明
本配置文件是基于senginx 1.5.3版本的,并编译了cookie poisoning模块和GeoIP模块,旧的版本可能会无法使用其中的一些命令。
senginx.org的基础结构是使用apache监听本地的8086端口,然后使用senginx反向代理,并实现了如下功能:
- 根据地理位置(源IP)分发请求到不同的location
- 开启session功能
- 防机器人(把baidu和google的爬虫加入白名单)
- cookie防篡改
- naxsi的全部检查