Introduction to configurations related to preventing SQL injection attacks in Nginx

Introduction to configurations related to preventing SQL injection attacks in Nginx

The best way to prevent SQL injection is to filter and escape all data submitted to the background.

For simple cases, such as single quotation marks ('), semicolons (;), <,>, and other characters, you can use rewrite to directly subscribe to the 404 page. There is a premise to use rewrite. Generally, rewrite is used for regular matching and can only match the URI of the webpage, that is, the url? First part ,? Later parts are request parameters. The request parameters following the question mark are displayed in the $ query_string table in nginx. They cannot be matched in rewrite. if is used to determine the request parameters. For example, match the 'with single quotes in the parameter and then redirect to the error page,/plus/list. php? Tid = 19 & mid = 1124 'rewrite ^. * ([; '<>]). */error.html break; writing such a rewrite directly will certainly not match correctly, because the rewrite parameter will only match the requested uri, that is,/plus/list. php section. You need to use $ query_string to determine with if. if the query string contains special characters, 404 is returned. If ($ query_string ~ *". * [; '<>]. * ") {Return 404;} to share a configuration file instance: server {## Block SQL injectionsset $ block_ SQL _injections 0; if ($ query_string ~ "Union. * select. * (") {set $ block_ SQL _injections 1;} if ($ query_string ~ "Union. * all. * select. *") {set $ block_ SQL _injections 1;} if ($ query_string ~ "Concat. * (") {set $ block_ SQL _injections 1;} if ($ block_ SQL _injections = 1) {return 444 ;## disable file injection set $ block_file_injections 0; if ($ query_string ~ "[A-zA-Z0-9 _] = http: //") {set $ block_file_injections 1;} if ($ query_string ~ "[A-zA-Z0-9 _] = (..//?) + ") {Set $ block_file_injections 1;} if ($ query_string ~ "[A-zA-Z0-9 _] =/([a-z0-9 _.] //?) + ") {Set $ block_file_injections 1;} if ($ block_file_injections = 1) {return 444 ;## block overflow attack set $ block_common_exploits 0; if ($ query_string ~ "(<| % 3C). * script. * (> | % 3E)") {set $ block_common_exploits 1;} if ($ query_string ~ "GLOBALS (= | [| % [0-9A-Z] {0, 2})") {set $ block_common_exploits 1;} if ($ query_string ~ "_ REQUEST (= | [| % [0-9A-Z] {0, 2})") {set $ block_common_exploits 1;} if ($ query_string ~ "Proc/self/environ") {set $ block_common_exploits 1;} if ($ query_string ~ "MosConfig _ [a-zA-Z _] {} (= | % 3D)") {set $ block_common_exploits 1;} if ($ query_string ~ "Base64_( en | de) code (. *) ") {set $ block_common_exploits 1;} if ($ block_common_exploits = 1) {return 444 ;## disable the spam field set $ block_spam 0; if ($ query_string ~ "B (ultram | unicauca | valium | viagra | vicodin | xanax | ypxaieo) B") {set $ block_spam 1;} if ($ query_string ~ "B (erections | hoodia | huronriveracres | impotence | levitra | libido) B") {set $ block_spam 1;} if ($ query_string ~ "B (ambien | bluespill | cialis | cocaine | ejaculation | erectile) B") {set $ block_spam 1;} if ($ query_string ~ "B (lipitor | phentermin | pro [sz] ac | sandyauer | tramadol | troyhamby) B") {set $ block_spam 1;} if ($ block_spam = 1) {return 444 ;}## disable user-agentsset $ block_user_agents 0; # Don't disable wget if you need it to run cron jobs! # If ($ http_user_agent ~ "Wget") {# set $ block_user_agents 1 ;#}# Disable Akeeba Remote Control 2.5 and earlierif ($ http_user_agent ~ "Indy Library") {set $ block_user_agents 1 ;}# Common bandwidth hoggers and hacking tools. if ($ http_user_agent ~ "Libwww-perl") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GetRight") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GetWeb !") {Set $ block_user_agents 1;} if ($ http_user_agent ~ "Go! Zilla ") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Download Demon") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Go-Ahead-Got-It") {set $ block_user_agents 1;} if ($ http_user_agent ~ "TurnitinBot") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GrabNet") {set $ block_user_agents 1;

 

} If ($ http_user_agent ~ "Webinterfaces") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Apachetasks") {set $ block_user_agents 1;} if ($ http_user_agent ~ ^ $) {Set $ block_user_agents 1;} if ($ http_user_agent ~ "Python-urllib") {set $ block_user_agents 1;} if ($ block_user_agents = 1) {return 444 ;}}