nginx安全设置

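# Block common China-based crawlers (enable or disable per your needs).
# "~*" is a case-insensitive PCRE match; the bare word "spider" in this list
# matches every UA containing it, not only the bots named explicitly.
if ($http_user_agent ~* "qihoobot|Yahoo! Slurp China|Baiduspider|Baiduspider-image|spider|Sogou spider|Sogou web spider|Sogou inst spider|Sogou spider2|Sogou blog|Sogou News Spider|Sogou Orion spider|ChinasoSpider|Sosospider|YoudaoBot|yisouspider|EasouSpider|Tomato Bot|Scooter") { return 403; }
# Block common overseas crawlers (enable or disable per your needs).
# This list also covers Googlebot/Bingbot and the social-network preview
# fetchers, so keep it disabled if the site should appear in search results
# or in link previews.
if ($http_user_agent ~* "Googlebot|Googlebot-Mobile|AdsBot-Google|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|MSNBot|Catall Spider|ArchitextSpider|AcoiRobot|Applebot|Bingbot|Discordbot|Twitterbot|facebookexternalhit|ia_archiver|LinkedInBot|Naverbot|Pinterestbot|seznambot|Slurp|teoma|TelegramBot|Yandex|Yeti|Infoseek|Lycos|Gulliver|Fast|Grabber") { return 403; }
# Block the listed UAs and requests with an empty UA ("^$").
# "~" is case-sensitive, which is why both "Python" and "python" are listed.
if ($http_user_agent ~ "Googlebot/2.1|bingbot/2.0|Baiduspider-render/2.0|WinHttp|WebZIP|FetchURL|node-superagent|Bytespider|FeedDemon|Jullo|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Feedly|Apache-HttpAsyncClient|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|Python|python|lightDeckReports Bot|YYSpider|DigExt|HttpClient|MJ12bot|heritrix|Ezooms|BOT/0.1|YandexBot|FlightDeckReports|Linguee Bot|iaskspider|^$") { return 403; }
# Reject request methods other than GET, HEAD and POST.
# In the original text the "if" directive was fused onto this comment line,
# which commented it out; it is restored on its own line here. Note that it
# also rejects OPTIONS, so CORS preflight requests and PUT/DELETE-based APIs
# behind this server will receive 403.
if ($request_method !~ ^(GET|HEAD|POST)$) { return 403; }
# Block Scrapy and similar tools (case-insensitive; "HttpClient" is also
# matched by the case-sensitive list above).
if ($http_user_agent ~* (Scrapy|HttpClient)) { return 403; }

# Refuse request URIs that contain typical probe/injection markers.
# Earlier variant (kept for reference) that additionally blocked ".gz":
#if ($request_uri ~* "(\.gz)|(\")|(\.tar)|(\.sql)|($_GET)|(eval)|(\?php)|(\.php)|(\.aspx)|(\')|(\.bak)") {return 301;}
# Two corrections to the active rule:
#  - "$_GET" is now "\$_GET". An unescaped "$" is the PCRE end-of-subject
#    anchor, so "$_GET" could never match and that alternative was dead;
#    the escaped form matches the literal string "$_GET" as intended.
#  - "return 301" carried no URL, so nginx emitted a 301 without a Location
#    header (a malformed redirect). The request is now refused with 403,
#    consistent with the rules above.
# "(eval)" and "(\.php)" match anywhere in the URI (e.g. "/evaluation"), so
# check them against the legitimate paths served by this site.
if ($request_uri ~* "(\")|(\.tar)|(\.sql)|(\$_GET)|(eval)|(\?php)|(\.php)|(\.aspx)|(\')|(\.bak)") { return 403; }

# Security response headers.
# "always" makes add_header apply to every response code; without it nginx
# only adds the header to 2xx/3xx responses, so the 403s above would lack
# these headers. add_header is also not inherited into any server/location
# block that declares its own add_header, so repeat them there if needed.
# Finding: X-Content-Type-Options response header missing.
# The original line had a stray ":" in the header name, which nginx sends
# literally ("X-Content-Type-Options:: nosniff"); the colon is removed.
add_header X-Content-Type-Options "nosniff" always;
# Finding: X-XSS-Protection response header missing.
# The two original directives ("X-Xss-Protection: 1" and
# "X-Xss-Protection: mod=block") produced two malformed headers; they are
# folded into the single valid form, and "mod=block" was a typo for
# "mode=block". Current browsers ignore this header (the XSS auditor has
# been removed) and the value recommended today is "0"; keep
# "1; mode=block" only if a scanner requires it.
add_header X-XSS-Protection "1; mode=block" always;
# Finding: OPTIONS method enabled on the server.
# Left disabled: OPTIONS is required for CORS preflight requests.
#if ($request_method ~* OPTIONS) {
#return 403;
#}
# Finding: Strict-Transport-Security response header missing.
# Only meaningful in the HTTPS server block (browsers ignore it over HTTP).
# "preload" declares eligibility for browser HSTS preload lists and is hard
# to revert once submitted; drop it unless you intend to submit the domain.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
# Finding: Referrer-Policy response header missing.
add_header Referrer-Policy "origin" always;
# Finding: X-Permitted-Cross-Domain-Policies response header missing.
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
# Finding: X-Download-Options response header missing.
add_header X-Download-Options "noopen" always;
# Finding: Content-Security-Policy response header missing.
# Left disabled: a CSP has to be written for the site's own script/style
# sources. Note the first sample below lacks the ";" separators between
# directives and would not parse as intended.
# add_header Content-Security-Policy "default-src 'self' script-src 'self' frame-ancestors 'self'";
#add_header Content-Security-Policy "script-src * 'unsafe-inline' 'unsafe-eval'";
# Clickjacking: X-Frame-Options not configured.
# add_header X-Frame-Options SAMEORIGIN;
# Authentication bypass via HTTP verb tampering.
# Duplicate of the request-method check near the top; kept disabled.
#if ($request_method !~ ^(GET|HEAD|POST)$ ) {
#return 403;
#}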

 
