敏感文件

weiliang-ms · weiliang-ms · commit c1ed0fe6620d · 2021-10-16T12:32:32.000+08:00
diff --git a/book/04安全加固/03保护敏感资源.md b/book/04安全加固/03保护敏感资源.md
@@ -14,13 +14,47 @@
 
 ```nginx configuration
 server {
-    listen 8080;
+    listen 8088;
     include /etc/nginx/conf/conf.d/deny.location;
     location / {
-        root /usr/share/nginx/ddd;
+            return 200;
     }
-    ...
-    other config
-    ...
 }
+
+```
+
+`deny.location`内容如下：
+
+```nginx configuration
+location ~* ^.*(\.(?:git|svn|hg|bak|bckp|save|old|orig|original|test|conf|cfg|dist|in[ci]|log|sql|mdb|sw[op]|htaccess|php#|php~|php_bak|aspx?|tpl|sh|bash|bin|exe|dll|jsp|out|cache|))$ {
+
+  # Use also rate limiting:
+  # in server context: limit_req_zone $binary_remote_addr zone=per_ip_5r_s:5m rate=5r/s;
+  limit_req zone=per_ip_5r_s;
+
+  deny all;
+  access_log /var/log/nginx/restricted-files-access.log main;
+  access_log /var/log/nginx/restricted-files-error.log main;
+
+}
+```
+
+测试用例:
+
+```shell
+[root@localhost conf.d]# curl 127.0.0.1:8088/.git -I
+HTTP/1.1 403 Forbidden
+Date: Sat, 16 Oct 2021 04:31:03 GMT
+Content-Type: text/html; charset=utf-8
+Content-Length: 146
+Connection: keep-alive
+Server: Unknown
+
+[root@localhost conf.d]# curl 127.0.0.1:8088/.sh -I
+HTTP/1.1 403 Forbidden
+Date: Sat, 16 Oct 2021 04:31:38 GMT
+Content-Type: text/html; charset=utf-8
+Content-Length: 146
+Connection: keep-alive
+Server: Unknown
 ```
diff --git a/rpmbuild/SOURCES/nginx.conf b/rpmbuild/SOURCES/nginx.conf
@@ -22,6 +22,9 @@ http {
     large_client_header_buffers 4 512k;
 	default_type  application/octet-stream;
 
+    # limit
+    limit_req_zone $binary_remote_addr zone=per_ip_5r_s:5m rate=5r/s;
+
 	index index.php index.htm index.html;
 
 	#web security
