[Pitfalls and solution] Apache Shiro historical high-risk deserialization vulnerability alert (shiro-550, shiro-721)
For this Huawei alert, [Apache Shiro historical high-risk deserialization vulnerability alert (shiro-550, shiro-721)], the solutions you find online come in two flavours: ① change the code to replace Shiro's default key (I tested this across dozens of versions and couldn't get it changed ^o^ hahaha, soul-crushing... at one point I thought it had worked, but it turned out the brute-force tool didn't accept a target address starting with an IP, so it was a false alarm, haha); ② intercept the cookie and strip rememberMe, which is impossible to explain to "non-technical people"... let it go...
So, a different approach: handle it in nginx by restricting the request method. Tested it myself, it works, perfect, hahaha~~
    location = /[your path] {
        # This is the key part: anything that is not a POST gets a 403
        # ("!~*" is a case-insensitive regex non-match; "limit_except POST { deny all; }" is the idiomatic equivalent)
        if ($request_method !~* POST) {
            return 403;
        }

        add_header Access-Control-Allow-Origin $cors_orixxx always;
        # Note: the original line here was 'add_header Set-Cookie "HttpOnly" always;', which only emits a new
        # cookie literally named "HttpOnly" and does not flag the upstream's cookies. To actually add the
        # HttpOnly flag to cookies set by the backend, use proxy_cookie_flags (nginx >= 1.19.3):
        proxy_cookie_flags ~ httponly;
        add_header Access-Control-Allow-Methods 'POST' always;
        add_header Access-Control-Allow-Credentials 'true' always;
        add_header Access-Control-Allow-Headers 'Accept, Authorization,Keep-Alive,User-Agent,Cache-Control,Content-Type,jwtToken' always;

        # Pitfall here: the backend is reached by IP, not through the gateway, so no /xxxx prefix is needed
        proxy_pass http://ip:port/[your path];

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Port $remote_port;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect default;
    }
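One caveat before copying this: the method restriction stops the GET-based scanners that trigger the alert, but Shiro reads the rememberMe cookie from any request that reaches it, so a POST carrying the same cookie is still decrypted with the default key and deserialized (shiro-550), or usable for the padding-oracle attack (shiro-721). Option ② above, dropping the cookie at the edge, closes that gap until the key is replaced and Shiro is upgraded. What follows is an added example, not code from this post or from the Shiro project: a Python WSGI middleware that applies both controls, returning 403 for non-POST requests on the protected path and removing every `rememberMe` cookie before the request reaches the application. The path `/app`, the cookie name `rememberMe` (Shiro's default remember-me cookie name), the echo application and the sample requests are assumptions constructed for the demo.

```python
"""Edge guard for a Shiro-backed app: method allow-list plus rememberMe cookie stripping.

Added example (not from the original post). PROTECTED_PATH and the echo app are
assumptions for the demo; "rememberMe" is Shiro's default remember-me cookie name.
"""

PROTECTED_PATH = "/app"          # assumed path; the post writes it as /[your path]
ALLOWED_METHODS = {"POST"}       # mirrors the nginx rule: anything else gets 403
COOKIE_NAME = "rememberMe"       # Shiro default; change if CookieRememberMeManager was renamed


def strip_cookie(cookie_header, name=COOKIE_NAME):
    """Return (new_header, removed): the Cookie header with every `name` cookie dropped."""
    if not cookie_header:
        return cookie_header, False
    kept, removed = [], False
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        key = part.split("=", 1)[0].strip()
        if key == name:
            removed = True          # drop it regardless of value: Shiro would decrypt and deserialize it
            continue
        kept.append(part)
    return "; ".join(kept), removed


def shiro_guard(app, protected_path=PROTECTED_PATH, allowed=ALLOWED_METHODS):
    """WSGI middleware: 403 on disallowed methods for the protected path, and strip
    the rememberMe cookie on every path (the cookie is honoured wherever Shiro runs)."""
    def middleware(environ, start_response):
        if (environ.get("PATH_INFO", "") == protected_path
                and environ.get("REQUEST_METHOD") not in allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        cleaned, removed = strip_cookie(environ.get("HTTP_COOKIE", ""))
        if removed:
            environ = dict(environ)          # don't mutate the caller's environ
            if cleaned:
                environ["HTTP_COOKIE"] = cleaned
            else:
                environ.pop("HTTP_COOKIE", None)
            environ["shiro_guard.stripped"] = True   # hook for logging the attempt
        return app(environ, start_response)
    return middleware


def _echo_app(environ, start_response):
    """Stand-in for the Shiro application: echoes back the Cookie header it received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_COOKIE", "").encode()]


def make_environ(method, path, cookie=None):
    """Build a minimal WSGI environ for a constructed request."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if cookie is not None:
        env["HTTP_COOKIE"] = cookie
    return env


def run(environ):
    """Send one request through the guarded app; return (status, body_as_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(shiro_guard(_echo_app)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed requests; the rememberMe value is an arbitrary string, not a payload.
    print(run(make_environ("GET", PROTECTED_PATH, "JSESSIONID=abc; rememberMe=AAAA")))   # 403
    print(run(make_environ("POST", PROTECTED_PATH, "JSESSIONID=abc; rememberMe=AAAA")))  # 200, cookie gone
```

The second call shows the point of the caveat: the POST passes the method check, but the application only ever sees `JSESSIONID=abc`, so there is nothing for Shiro to decrypt. Doing the same in nginx needs a `map` over `$http_cookie` feeding `proxy_set_header Cookie`, which is fiddlier than the method check but achieves the same effect.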
Lowest-cost approach, and it works!
Haha!