使用nginx防止机器攻击策略

可以在 nginx 中用 if 对 $request 变量（完整的请求行：方法、URI 和协议版本）进行匹配控制，例如：if ($request ~ "GET /sms/sendVerifyCode.do?")



# Main (global) context of nginx.conf.

# Worker processes run under the unprivileged "nginx" account.
user nginx;
# A single worker process handles all connections.
worker_processes 1;

# File that receives the master process ID.
pid /var/run/nginx.pid;

# Server-wide error log; no level is given, so the default severity applies.
error_log /var/logs/nginx/error.log;

events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections 1024;
}

http {
    # --- Content types ---
    include mime.types;
    # Fallback type for files whose extension is not listed in mime.types.
    default_type application/octet-stream;

    # --- Request handling ---
    # Largest request body accepted before nginx answers 413.
    client_max_body_size 10m;
    keepalive_timeout 65;
    sendfile on;
    tcp_nopush on;
    gzip on;

    # --- Information exposure ---
    # Leave the nginx version out of the Server header and built-in error pages.
    server_tokens off;
    # Only affects responses obtained through fastcgi_pass.
    # NOTE(review): the server blocks shown with this file use proxy_pass, for
    # which the counterpart directive is proxy_intercept_errors - confirm intent.
    fastcgi_intercept_errors on;

    # --- Logging ---
    # $remote_addr is the TCP peer and is the authoritative address when
    # analysing abuse. $http_x_forwarded_for and $http_referer are copied
    # verbatim from request headers and are therefore client-controlled.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/logs/nginx/access.log main;

    # Per-site files; kept after log_format so they can reference "main".
    include conf.d/*.conf;
}




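# Virtual-host definitions for www.myapp.com.
# upstream/server/limit_req_zone are http-context directives, so this part is
# presumably a file matched by `include conf.d/*.conf;` - confirm the location.

# Backend pool. ip_hash keeps each client address on the same backend.
upstream myapp {
    ip_hash;
    server 172.18.111.32:8080;
    server 172.18.111.31:8080;
}

# Shared-memory zone that throttles the SMS verification-code endpoint per
# client address. The zone name, size and rate are constructed example values:
# tune them to real traffic. If nginx runs behind another proxy or CDN,
# $binary_remote_addr is that proxy's address, and the real client address must
# be restored first (ngx_http_realip_module) or all users share one bucket.
limit_req_zone $binary_remote_addr zone=sms_code:10m rate=6r/m;

server {
    listen       80;
    # Written as a single name: "www.myapp .com" (with a space) is parsed as two
    # names, "www.myapp" and the wildcard-style ".com".
    server_name  www.myapp.com;
    # HTTP-to-HTTPS redirect, left disabled by the author. While it stays off,
    # every location below, including the SMS endpoint, is served in clear text.
#    rewrite ^(.*)$ https://$host$1 permanent;

    location / {
        client_max_body_size 10m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend must not trust the left-most entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myapp;
    }

    # Static files served straight from disk.
    # NOTE(review): the root looks like an upload directory - confirm that only
    # image types can be stored there, since files are served with the type
    # derived from their extension.
    location ^~ /images/ {
        root /var/upload/app_cust_platform/;
        index photo_not_found.png;
        access_log /var/logs/nginx/imghost.log main;
    }

    # Regex location: it is evaluated before "location /" for any URI that
    # contains this pattern. No root or proxy_pass is set inside the block.
    location ~ /.well-known {
        allow all;
    }

    location ^~ /apiDocs/ {
        root /var/upload/myapp_platform/images/;
        error_page 404 /404.html;
    }

    location = /404.html {
        root /usr/local/nginx/html;
        # NOTE(review): access-format lines go into the error log file here,
        # which mixes two formats in one file - confirm this is intended.
        access_log /var/logs/nginx/error.log main;
    }

    # SMS verification-code endpoint.
    # Locations are matched against the URI path without the query string, so
    # the pattern is anchored, the dot is escaped, and the trailing "/..." part
    # is optional: a plain /sms/sendSmsCode.do?phone=... request now lands here.
    location ~ ^/sms/sendSmsCode\.do(/.*)?$ {
        # A request without a Referer header gives an empty $http_referer; the
        # "-" seen in the access log is only how the log prints an empty value.
        # The header is client-supplied, so this filters naive scripts only;
        # the rate limit below is the actual control.
        if ($http_referer = "") { return 200; }

        # Per-address throttle; excess requests are answered with 429.
        limit_req zone=sms_code burst=2 nodelay;
        limit_req_status 429;

        # Same headers as "location /" so the backend sees the client address
        # and can apply its own per-number / per-address limits.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myapp;
    }
}

server {
    # "listen ... ssl" replaces the deprecated standalone "ssl on;" directive.
    listen 443 ssl;
    server_name www.myapp.com;

    # NOTE(review): the certificate directory is named api.myapp.com while
    # server_name is www.myapp.com - confirm the certificate covers this host.
    ssl_certificate /etc/letsencrypt/live/api.myapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.myapp.com/privkey.pem;

    # TLSv1 and TLSv1.1 are deprecated and the 3DES suites are weak (64-bit
    # block size), so both were dropped. Append TLSv1.3 where the nginx/OpenSSL
    # build supports it. The RSA+AES entries give no forward secrecy and are
    # kept only for older clients.
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to the client-sent X-Forwarded-For; the backend must not
        # trust the left-most entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myapp;
    }

    location ^~ /images/ {
        root /myapp/upload/myapp_platform/;
        index photo_not_found.png;
        access_log /var/logs/nginx/imghost.log main;
    }

    location ~ /.well-known {
        allow all;
    }

    location ^~ /apiDocs/ {
        root /var/upload/myapp_cust_platform/images/;
        error_page 404 /404.html;
    }

    location = /404.html {
        root /usr/local/nginx/html;
        access_log /var/logs/nginx/error.log main;
    }

    # Same SMS endpoint protection as on port 80; without it the control could
    # be sidestepped simply by sending the request over HTTPS.
    location ~ ^/sms/sendSmsCode\.do(/.*)?$ {
        # Empty $http_referer means the header was absent; it is client-supplied
        # and easy to set, so the rate limit is the actual control.
        if ($http_referer = "") { return 200; }

        limit_req zone=sms_code burst=2 nodelay;
        limit_req_status 429;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myapp;
    }
}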


转载自blog.csdn.net/qq_36807862/article/details/81325392