Nginx URL security policy writing guide

As a high-performance web server and reverse proxy server, Nginx is widely favored by website architects. But when using Nginx, we also need to pay attention to security issues, especially when processing URLs.

Due to the flexibility of Nginx, if we do not adopt some URL security strategies, we may be subject to the following attacks:

1. SQL injection
2. XSS attack
3. Illegal file download
4. CSRF attack
5. Illegal request for access, etc.

This article will introduce the guide for writing Nginx URL security policy.

1. Preconditions

Before writing Nginx URL security policy, you need to master the following knowledge points:

1. Regular expression
2. Nginx configuration file syntax
3. Basic knowledge of HTTP protocol

2. Input filtering

Nginx can use http request header detection to prevent malicious HTTP requests. The specific implementation method is to add a configuration similar to the following to the Nginx configuration file:

if ($http_user_agent ~* "some evil expression") {
    return 403;
}

Or use Nginx’s built-in firewall module for input filtering, as follows:

# block ip sends more than 100 requests per 5 seconds
limit_conn_zone $binary_remote_addr zone=one:10m;
limit_req_zone $binary_remote_addr zone=two:10m rate=1r/s;
server {
    location / {
        limit_conn one 10;
        limit_req zone=two burst=5 nodelay;
    }
}

This example does the following:

1. First define two zones, which are memory areas that can store status information. (This also means that if there are many accesses, the cost of this protection may be relatively high)
2. If the same IP address sends more than 100 HTTP requests within 5 seconds, then block.
3. If the same IP address sends more than 5 HTTP requests within 1 second, it will be blocked.

3. Prevent SQL injection

In actual development, it is necessary to avoid SQL injection. In order to prevent SQL injection attacks, we can configure it as follows:

location ~* (.php|.asp|.ashx)/?$ {
    if ($args ~* "select.*from") {
        return 403;
    }
}

This example uses Nginx’s built-in if module to prevent attackers from using select statements to obtain data from the database. If this happens, return 403 Access Forbidden .

4. Prevent XSS attacks

For XSS attacks, we can strengthen the input detection. If a possible XSS attack is detected, the connection can be redirected to a safe URL or an error message can be returned.

if ($args ~* "<script.*>") {
    return 403;
}

This example uses Nginx's built-in if module to detect whether there is content with script tags nested in the URL.

5. Prevent CSRF attacks

When using Nginx, in order to prevent CSRF attacks, you need to prohibit requests from external sites. For example, you can add the following configuration:

location / {
    if ($http_referer !~ "^https?://$host/") {
        return 403;
    }
}

This example uses Nginx's built-in if module to limit it to only receiving requests from the $host site. If there are requests from other sites, Nginx will return 403.

6. Prevent file download vulnerabilities

In order to prevent access to improper files, such as private documents, scripts, configuration files, etc., please use the following strategy:

location ~* .(xls|doc|pdf)$ {
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 401;
    }
}

This example Using Nginx's built-in valid_referers module, when a request is found to come from an unauthorized site, 401 will be returned.

7. Prohibit access to some URLs

In actual projects, some URLs can be used by attackers, such as admin.php, login.php, etc. We can simply ban their access.

location ~ /(admin|login).php {
    deny all;
}

The configuration of this example prohibits access to URLs ending with admin.php and login.php.

8. Complete example

Finally, based on the above configuration, we can get the following complete example:

server {
    listen 80;
    server_name yourdomain.com;

    # 设置过滤规则
    location / {
        # 禁止非法请求
        limit_conn_zone $binary_remote_addr zone=one:10m;
        limit_req_zone $binary_remote_addr zone=two:10m rate=1r/s;
        limit_conn one 10;
        limit_req zone=two burst=5 nodelay;

        # 防止XSS攻击
        if ($args ~* "<script.*>") {
            return 403;
        }

        # 防止SQL注入
        if ($args ~* "select.*from") {
            return 403;
        }

        # 禁止admin和login的访问
        location ~ /(admin|login).php {
            deny all;
        }
    }

    # 防止文件下载漏洞
    location ~* .(xls|doc|pdf)$ {
        valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 401;
        }
    }
}

The above is the guide for writing Nginx URL security policy. I hope it can provide some help for your Nginx configuration and improve the security of the system.

The above is the detailed content of Nginx URL security policy writing guide. For more information, please follow other related articles on the PHP Chinese website!