保护敏感资源
隐藏的目录和文件永远不应该被web访问-有时关键数据会在应用程序部署期间发布。
如果你使用的是版本控制系统,发布程序时应该明确地禁止对关键隐藏目录/文件的访问(通过向攻击者提供更少的信息),比如.git或.svn,
以防止暴露应用程序的源代码。
使用方式
server块添加include /etc/nginx/conf/conf.d/deny.location;配置
```nginx configuration server { listen 8088; include /etc/nginx/conf/conf.d/deny.location; location / { return 200; } }
`deny.location`内容如下:
```nginx configuration
location ~* ^.*(\.(?:git|svn|hg|bak|bckp|save|old|orig|original|test|conf|cfg|dist|in[ci]|log|sql|mdb|sw[op]|htaccess|php#|php~|php_bak|aspx?|tpl|sh|bash|bin|exe|dll|jsp|out|cache|))$ {
# Use also rate limiting:
# in server context: limit_req_zone $binary_remote_addr zone=per_ip_5r_s:5m rate=5r/s;
limit_req zone=per_ip_5r_s;
deny all;
access_log /var/log/nginx/restricted-files-access.log main;
access_log /var/log/nginx/restricted-files-error.log main;
}
测试用例:
[root@localhost conf.d]# curl 127.0.0.1:8088/.git -I
HTTP/1.1 403 Forbidden
Date: Sat, 16 Oct 2021 04:31:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive
Server: Unknown
[root@localhost conf.d]# curl 127.0.0.1:8088/.sh -I
HTTP/1.1 403 Forbidden
Date: Sat, 16 Oct 2021 04:31:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive
Server: Unknown