An introduction to the configuration of Nginx to prevent SQL injection attacks

Source: Internet
Author: User
Tags: sql injection

The best way to prevent SQL injection is to filter and escape all data that is submitted to the backend.

For simple cases, such as requests that contain a single quote ('), a semicolon (;) and similar characters, the request can simply be rewritten to a 404 page.

One prerequisite when using rewrite: the regular expression of a rewrite rule only matches the request URI, that is, the part of the URL before the ?. The part after the ? is the request parameters (the query string).

The request parameters after the question mark are exposed in nginx as $query_string. rewrite cannot match them, so they must be tested with an if directive.

For example, to match a request whose parameters contain a single quote and send it to the error page:

    /plus/list.php?tid=19&mid=1124'

    rewrite "^.*([;'<>]).*" /error.html break;

A rewrite written like this will not match, because the rewrite regular expression is applied only to the request URI, which here is the /plus/list.php part.

Instead, use $query_string to check whether the query string contains special characters, and return 404 if it does:

    if ($query_string ~* ".*[;'<>].*") {
        return 404;
    }
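To make the URI versus query-string distinction concrete, here is an added Python script (not part of the original article) that emulates how nginx splits a request line into $uri and $query_string and applies the two rules above to the half each one actually sees. The split via urllib.parse.urlsplit and Python's re engine standing in for nginx's PCRE are assumptions of this emulation; nothing here runs nginx.

```python
import re
from urllib.parse import urlsplit, unquote

# The rewrite pattern from the article. nginx applies it to the request URI
# only, i.e. the part before "?" (percent-decoded as $uri), never to the query.
REWRITE_RE = re.compile(r"^.*([;'<>]).*")

# The $query_string test from the article; ~* in nginx is case-insensitive.
QUERY_RE = re.compile(r".*[;'<>].*", re.IGNORECASE)


def split_request(request_target):
    """Emulate nginx's view of a request line as ($uri, $query_string).

    $uri is the percent-decoded path; $query_string is the raw text after
    "?", which nginx does not decode. (Emulation, assumed to mirror nginx.)
    """
    parts = urlsplit(request_target)
    return unquote(parts.path), parts.query


def rewrite_would_match(request_target):
    """True if the article's rewrite rule would fire for this request."""
    uri, _ = split_request(request_target)
    return REWRITE_RE.search(uri) is not None


def query_check_would_block(request_target):
    """True if the article's if ($query_string ~* ...) rule would return 404."""
    _, query_string = split_request(request_target)
    return QUERY_RE.search(query_string) is not None


if __name__ == "__main__":
    # Constructed request targets; the first one is the article's own example.
    for target in ["/plus/list.php?tid=19&mid=1124'",
                   "/plus/list.php?tid=19&mid=1124",
                   "/plus/li'st.php?tid=19"]:
        print(f"{target:35} rewrite={rewrite_would_match(target)!s:5} "
              f"query_if={query_check_would_block(target)}")
```

Running the script shows the rewrite rule never fires on the article's example because the quote sits in the query string, while the if test on $query_string does. Because $query_string is raw, a rule that should also cover percent-encoded characters must list the encoded forms explicitly, which is why the fuller configuration later in the article includes alternatives such as %3C and %3E.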

Here is a complete configuration file example:

    server {
        ## Block SQL injections
        set $block_sql_injections 0;
        if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; }
        if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; }
        if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; }
        if ($block_sql_injections = 1) { return 444; }

        ## Block file injections
        set $block_file_injections 0;
        if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; }
        if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; }
        if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; }
        if ($block_file_injections = 1) { return 444; }

        ## Block common exploits (overflow and script injection attempts)
        set $block_common_exploits 0;
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
        if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; }
        if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; }
        if ($block_common_exploits = 1) { return 444; }

        ## Block spam keywords
        set $block_spam 0;
        if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; }
        if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { set $block_spam 1; }
        if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { set $block_spam 1; }
        if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { set $block_spam 1; }
        if ($block_spam = 1) { return 444; }

        ## Block user agents
        set $block_user_agents 0;

        # Don't disable wget if you need it to run cron jobs!
        #if ($http_user_agent ~ "Wget") { set $block_user_agents 1; }

        # Disable Akeeba Remote Control 2.5 and earlier
        if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; }

        # Common bandwidth hoggers and hacking tools.
        if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; }
        if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; }
        if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; }
        if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; }
        if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; }
        if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; }
        if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; }
        if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; }
        if ($http_user_agent ~ "WebBench") { set $block_user_agents 1; }
        if ($http_user_agent ~ "ApacheBench") { set $block_user_agents 1; }
        if ($http_user_agent ~ ^$) { set $block_user_agents 1; }
        if ($http_user_agent ~ "Python-urllib") { set $block_user_agents 1; }
        if ($block_user_agents = 1) { return 444; }
    }
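Before deploying a blocklist like the one above it is worth replaying it against real request lines from the access log to see what it would have dropped. The following Python harness is an added example, not part of the article: it carries the article's $query_string rules (the SQL injection, file injection and common-exploit groups; the spam and user-agent rules are left out) and evaluates them in the same order the server block does. Python's re standing in for nginx's PCRE and the constructed sample request targets are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# The $query_string rules from the article's server block, keyed by the
# $block_* flag each group sets. nginx's ~ operator is a case-sensitive PCRE
# search; Python's re behaves the same for these patterns (assumed equivalent).
QUERY_RULES = {
    "block_sql_injections": [
        r"union.*select.*\(",
        r"union.*all.*select.*",
        r"concat.*\(",
    ],
    "block_file_injections": [
        r"[a-zA-Z0-9_]=http://",
        r"[a-zA-Z0-9_]=(\.\.//?)+",
        r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    ],
    "block_common_exploits": [
        r"(<|%3C).*script.*(>|%3E)",
        r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",
        r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",
        r"proc/self/environ",
        r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",
        r"base64_(en|de)code\(.*\)",
    ],
}

COMPILED = {flag: [re.compile(p) for p in pats]
            for flag, pats in QUERY_RULES.items()}


def evaluate(request_target):
    """Decide a request the way the article's server block would.

    Returns (status, flag, pattern): status 444 means nginx closes the
    connection without a response, None means no rule fired. Only the raw,
    undecoded text after "?" is examined, exactly like $query_string.
    """
    query_string = urlsplit(request_target).query
    for flag, patterns in COMPILED.items():
        for pattern in patterns:
            if pattern.search(query_string):
                return 444, flag, pattern.pattern
    return None, None, None


def summarize(targets):
    """Count hits per flag plus an 'allowed' bucket, for reviewing the rule
    set against a list of request targets (e.g. taken from an access log)."""
    counts = {"allowed": 0}
    for target in targets:
        status, flag, _ = evaluate(target)
        key = flag if status else "allowed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed request targets (not from the article): three legitimate ones,
# then one per rule group, each written to trip one of the article's patterns.
SAMPLES = [
    "/plus/list.php?tid=19&mid=1124",
    "/search.php?q=select+a+union",           # keywords without "(" are allowed
    "/docs.php?page=unions-and-selections",
    "/index.php?id=1%20union%20select(1)",
    "/index.php?page=http://example.com/x",
    "/index.php?file=proc/self/environ",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target:45} -> {evaluate(target)}")
    print(summarize(SAMPLES))
```

Run it directly to see which flag each sample trips. Two things to check when adopting the block: the patterns use the case-sensitive ~ operator, so switching them to ~* makes them also match mixed-case keywords, and return 444 closes the connection without sending a response, which still appears in the access log with status 444, so review that log for false positives on legitimate query strings. None of this replaces filtering and escaping in the application itself, which the article rightly puts first.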
