$request_uri
This variable is the original request URI as received from the client, including the arguments. It cannot be modified. Look at $uri for the post-rewrite/altered URI. It does not include the host name. Example: "/foo/bar.php?arg=baz"
$uri
This variable is the current request URI, without any arguments (see $args for those). It reflects any modifications made so far by internal redirects or the index module. Note that this may differ from $request_uri, which is what the browser originally sent before any such modifications. It does not include the protocol or host name. Example: "/foo/bar.html"
$document_uri
The same as $uri.
The following are some simple rules collected from various sources:

if ($query_string ~* ".*('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|or|count|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|confirm|innerhtml|innertext|class).*") {
    return 500;
}
# Note: this list matches substrings, so ordinary values such as "sort" (contains "or")
# or "android" (contains "and") are blocked as well; tune it against real traffic before enabling it.

if ($uri ~* ".*(viewsource\.jsp)$") { return 404; }
if ($uri ~* ".*(/~).*") { return 404; }

Fix the WebSocket parsing vulnerability

if ($query_string ~* ".*[;'<>].*") { return 444; }
# The pattern of the next rule was lost from the page. As printed, the empty regex
# matches every request, so do not copy this line as it stands.
if ($request_uri ~ "") { return 444; }
Prohibit unauthorized IP addresses from executing PHP in a directory. If pathinfo is not enabled, add the following before the location ~ [^/]\.php(/|$) block:

location ~ /(xxx)/.*\.(php|php5)?$ {
    allow <allowed IP addresses>;
    deny all;
}

When pathinfo is enabled, add the following before the location ~ [^/]\.php(/|$) block:

location ^~ /xxx/ {
    # default_type text/plain;
    # expires 30d;
    allow <allowed IP addresses>;
    deny all;
}
Internal:

if ($uri ~* "(.*)(insert|select|delete|update|count|master|truncate|declare|exec|\*|%|\')(.*)$") { return 403; }

External:

# "cost(" is reproduced as printed on the page; the SQL function usually filtered
# alongside concat() is cast().
if ($request_uri ~* "(cost\()|(concat\()") { return 403; }
# (\+|%20) matches a literal "+" or an encoded space. The widely copied form "[+|(%20)]"
# is a character class (any one of + | ( % 2 0 )) and also fires on e.g. "(union)" or "2union0".
if ($request_uri ~* "(\+|%20)union(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)and(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)select(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)or(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)delete(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)update(\+|%20)") { return 403; }
if ($request_uri ~* "(\+|%20)insert(\+|%20)") { return 403; }
Overflow filtering

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; }
# In the next two rules the {0,2} quantifier is restored; the printed page had the
# status code in its place.
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
if ($query_string ~ "proc/self/environ") { return 403; }
# The {1,21} quantifier is likewise restored.
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; }
if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; }
Prohibit file injection

if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; }
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; }
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; }
Some rules on request headers:

# 444 is nginx's non-standard code: the connection is closed without sending a response.
# With the case-sensitive ~ operator, "wget" does not match the real "Wget/1.x" user agent;
# use ~* if case-insensitive matching is intended.
if ($http_user_agent ~ "Apachedog|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl") { return 444; }
if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; }
if ($http_user_agent ~ "GetWeb!") { return 444; }
if ($http_user_agent ~ "Go!Zilla") { return 444; }
if ($http_user_agent ~ "Download Demon") { return 444; }
if ($http_user_agent ~ "Indy Library") { return 444; }
if ($http_user_agent ~ "libwww-perl") { return 444; }
if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; }
if ($http_user_agent ~* "17ce.com") { return 444; }
if ($http_user_agent ~* "WebBench") { return 444; }
if ($http_referer ~* "17ce.com") { return 444; }
if ($http_referer ~* "WebBench") { return 444; }
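To see how the broad $query_string keyword rule and the $request_uri "union" rule above actually behave, here is an added example (not from the original page) that runs them over constructed requests in Python, whose re module stands in for nginx's PCRE; the request strings are made up for the demonstration.

```python
import re

# nginx "if ($var ~* regex)" is a case-insensitive PCRE search; re.search with
# re.I is the closest Python equivalent. Patterns are copied from the rules above.
BROAD_KEYWORDS = re.compile(
    r".*('|--|union|insert|drop|truncate|update|from|grant|exec|where|select"
    r"|and|or|count|chr|mid|like|iframe|script|alert|webscan|dbappsecurity"
    r"|style|confirm|innerhtml|innertext|class).*", re.I)

# The widely copied delimiter "[+|(%20)]" is a character class: it matches any
# one of + | ( % 2 0 ), not the sequence "%20". "(\+|%20)" is the intended form.
CHARCLASS_UNION = re.compile(r"[+|(%20)]union[+|(%20)]", re.I)
FIXED_UNION = re.compile(r"(\+|%20)union(\+|%20)", re.I)


def query_string(request_uri):
    """Return the part after '?' (what nginx exposes as $query_string)."""
    return request_uri.split("?", 1)[1] if "?" in request_uri else ""


def broad_rule(request_uri):
    """Status the keyword $query_string rule would return, or None if it passes."""
    return 500 if BROAD_KEYWORDS.search(query_string(request_uri)) else None


def union_rule(request_uri, fixed=False):
    """Status of the 'union' $request_uri rule, char-class or corrected form."""
    pat = FIXED_UNION if fixed else CHARCLASS_UNION
    return 403 if pat.search(request_uri) else None


if __name__ == "__main__":
    # Constructed sample requests: one injection probe and two benign ones.
    probe = "/a.php?id=1%20union%20select%201"
    benign_sort = "/list.php?sort=android"   # "sort" contains "or", "android" "and"
    parens = "/a.php?q=(union)"              # parentheses fall into the char class
    for uri in (probe, benign_sort, parens):
        print(uri, broad_rule(uri), union_rule(uri), union_rule(uri, fixed=True))
```

The benign "sort=android" request is blocked by the keyword list, and "(union)" trips the character-class form but not the corrected one.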
The methods listed above are common ones. They need to be adjusted for each live application. Below are the protections used on my own production site.

I. Automatic protection
# Initialise $req so the later checks do not warn about an uninitialised variable.
set $req "";
# \? is the literal "?" separating the path from the query; see note 4 below.
if ($request_uri ~* "\.(htm|do)\?(.*)$") {
    set $req $2;
}
if ($req ~* "(cost\()|(concat\()") {
    return 503;
}
# (\+|%20): a literal "+" or an encoded space after the keyword (see note 2).
if ($req ~* "union(\+|%20)") {
    return 503;
}
if ($req ~* "and(\+|%20)") {
    return 503;
}
if ($req ~* "select(\+|%20)") {
    return 503;
}
1. Here $request_uri is used instead of the $query_string variable, because splitting it with the rewrite on $request_uri is more accurate.
2. %20 is a space. The leading space match is dropped here, so that a request such as www.111cn.net/aaa.do?select * from test is also matched.
3. The .htm above is pseudo-static; in fact, like .do, it is a dynamic file. To keep it distinguishable from static files, htm rather than html is used here.
4. Note the ? in the regular expression above; it matters. With it, www.111cn.net/aaa.htm select * from test is not filtered, while www.111cn.net/aaa.htm?select * from test is. If you want to filter the former as well, just remove the ?.
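The split-then-check logic of section I, with the behaviour described in notes 2 and 4, as an added Python example (not code from the original page); Python's re stands in for nginx's PCRE and the sample requests are constructed.

```python
import re

# Mirror of the section-I rule set: everything after ".htm?" or ".do?" becomes
# $req, and the keyword rules run on $req only. ~* is emulated with re.I.
SPLIT_WITH_QMARK = re.compile(r"\.(htm|do)\?(.*)$", re.I)  # as written (note 4)
SPLIT_NO_QMARK = re.compile(r"\.(htm|do)(.*)$", re.I)      # with the "?" removed

# Trailing delimiter only (note 2): a keyword at the very start of $req matches.
REQ_RULES = [
    re.compile(r"(cost\()|(concat\()", re.I),
    re.compile(r"union(\+|%20)", re.I),
    re.compile(r"and(\+|%20)", re.I),
    re.compile(r"select(\+|%20)", re.I),
]


def extract_req(request_uri, require_qmark=True):
    """Return $req, or None when the request does not hit the split rule."""
    splitter = SPLIT_WITH_QMARK if require_qmark else SPLIT_NO_QMARK
    m = splitter.search(request_uri)
    return m.group(2) if m else None


def protect(request_uri, require_qmark=True):
    """Return 503 if a keyword rule fires on $req, else None (request allowed)."""
    req = extract_req(request_uri, require_qmark)
    if req is None:
        return None
    return 503 if any(r.search(req) for r in REQ_RULES) else None


if __name__ == "__main__":
    # Constructed requests matching the examples in notes 2 and 4 (a space sent
    # by a client arrives in $request_uri as %20).
    cases = [
        "/aaa.do?select%20*%20from%20test",     # note 2: keyword first, still caught
        "/aaa.htm?select%20*%20from%20test",    # note 4: filtered
        "/aaa.htm%20select%20*%20from%20test",  # note 4: not filtered as written
        "/aaa.htm?page=2",                      # ordinary request passes
    ]
    for uri in cases:
        print(uri, protect(uri), protect(uri, require_qmark=False))
```

The third case only returns 503 once the "?" is removed from the split pattern, which is exactly the trade-off note 4 describes.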
II. Log retrieval and manual analysis
To find which URLs may have been probed for an injection vulnerability, you can use the following script and send the result by mail.
#!/bin/bash
cd /tmp
/bin/rm -rf nginxanalay.tar.gz
cd /logs/nginx
# Keep lines carrying an injection signal, drop known crawlers, and print everything
# up to the protocol token (address, time and request line) for the report.
egrep '(sqlmap|select|"order by")' * | egrep -v '(Googlebot|Baiduspider|Sosospider|stepselect)' | awk -F 'HTTP/1.1"' '{print $1}' > /tmp/nginxanalay.log
cd /tmp
tar czvf nginxanalay.tar.gz nginxanalay.log
/usr/bin/sendEmail -f nagios@111cn.net -t <recipient1> <recipient2> -s mail.111cn.net -u 'site SQL analay' \
  -m 'this is nginxlog analay. see the attachment: these pages may be injectable.' \
  -xu <username> -xp <password> -a /tmp/nginxanalay.tar.gz
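The script above greps whole log lines, so a crawler user agent or a referer containing "select" also produces a hit. As an added example (not part of the original page), the same search done field by field in Python; it assumes nginx's default combined log format, and the log lines are constructed, not real traffic.

```python
import re

# Combined log format (assumed): $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                  r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Same signals the script greps for, but tested against the request line only,
# so a crawler or referer containing "select" cannot produce a hit by itself.
PROBE = re.compile(r'(sqlmap|select|order(%20|\+| )by)', re.I)
CRAWLER = re.compile(r'(Googlebot|Baiduspider|Sosospider|stepselect)', re.I)


def suspicious_requests(lines):
    """Return (ip, request) pairs whose request line carries an injection signal."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # malformed line or a different log format
        if CRAWLER.search(m["agent"]):
            continue                      # mirrors the egrep -v exclusion
        if PROBE.search(m["request"]) or "sqlmap" in m["agent"].lower():
            hits.append((m["ip"], m["request"]))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /a.php?id=1%20union%20select%201 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /select-model.html HTTP/1.1" 200 100 "-" "Baiduspider/2.0"',
    '192.0.2.10 - - [10/Oct/2023:13:58:40 +0000] "GET /news.php?page=1 HTTP/1.1" 200 700 "http://x/select" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, request in suspicious_requests(SAMPLE_LOG):
        print(ip, request)
```

Only the first line is reported: the crawler line is excluded as in the script, and the fourth line, which the whole-line grep would flag because of its referer, is not.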