## nginx 拦截非法字符，nginx禁止url访问特定字符，nginx过滤url访问

参考代码一

#前缀为无限，后面的精准屏蔽字符 123 if ($request_uri ~* "123") { return 403 "I've recorded your ip Wait to check the water meter"; } 

参考代码二

#前缀为index.php，后面的精准屏蔽字符 123 if ($request_uri ~* "/index.php\123") { return 403 "I've recorded your ip Wait to check the water meter"; } 

参考代码三

location / { # 当访问的url中含有/%#时返回404 if ($request_uri ~* "/%#") { return 404; } #当访问url的后面带有？的链接 返回404 if ($request_uri ~* ^/a/m/(.*)\.html\?(.*)$) { return 404; } }

注释：

过滤链接中的？在nginx的配置文件中写入

location / {# 当访问的url中含有/%#时返回404if ($request_uri ~* "/%#") {return 404;}#

当访问url的后面带有？的链接 返回404if ($request_uri ~*^/a/m/(.*)\.html\?(.*)$) {return 404;

nginx 正则表达式

=开头表示精确匹配，如 A 中只匹配根目录结尾的请求，后面不能带任何字符串。

^~ 开头表示uri以某个常规字符串开头，不是正则匹配

~ 开头表示区分大小写的正则匹配;

~* 开头表示不区分大小写的正则匹配

.* .匹配任意字符，*匹配数量0到正无穷；

\. \转义,匹配.

/ 通用匹配, 如果没有其它匹配,任何请求都会匹配到

本站测试代码，小白一键复制（注：需要自行根据网站程序定义）

宝塔为例：/www/server/panel/vhost/nginx/你的网站域名.conf，复制代码点击保存

#前缀为无限，后面的是屏蔽字符 if ($request_uri ~* "../../../../../../") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为无限，后面的是屏蔽字符 if ($request_uri ~* ";") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为无限，后面的是屏蔽字符 if ($request_uri ~* "&") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为无限，后面的是屏蔽字符 if ($request_uri ~* "base64") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\&") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\?") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\;") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\＝") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\=") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\_") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\./") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\:") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\base64") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\%") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\wp-content") { return 403 "I've recorded your ip Wait to check the water meter"; } #前缀为index.php屏蔽，后面的是屏蔽字符 if ($request_uri ~* "/index.php\;amp") { return 403 "I've recorded your ip Wait to check the water meter"; }

## 附带：nginx ql语句过滤、文件注入禁止、溢出攻击过滤、spam字段过滤、user-agents头过滤

sql语句过滤

if ($request_uri ~* "(cost\()|(concat\()") { return 444; } if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 444; } if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 444; } if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 444; }

文件注入禁止

set $block_file_injections 0; if ($query_string ~ “[a-zA-Z0-9_]=http://”) { set $block_file_injections 1; } if ($query_string ~ “[a-zA-Z0-9_]=(\.\.//?)+”) { set $block_file_injections 1; } if ($query_string ~ “[a-zA-Z0-9_]=/([a-z0-9_.]//?)+”) { set $block_file_injections 1; } if ($block_file_injections = 1) { return 444; }

溢出攻击过滤

set $block_common_exploits 0; if ($query_string ~ “(<|%3C).*script.*(>|%3E)”) { set $block_common_exploits 1; } if ($query_string ~ “GLOBALS(=|\[|\%[0-9A-Z]{0,2})”) { set $block_common_exploits 1; } if ($query_string ~ “_REQUEST(=|\[|\%[0-9A-Z]{0,2})”) { set $block_common_exploits 1; } if ($query_string ~ “proc/self/environ”) { set $block_common_exploits 1; } if ($query_string ~ “mosConfig_[a-zA-Z_]{1,21}(=|\%3D)”) { set $block_common_exploits 1; } if ($query_string ~ “base64_(en|de)code\(.*\)”) { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 444; }

spam字段过滤

set $block_spam 0; if ($query_string ~ “\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b”) { set $block_spam 1; } if ($query_string ~ “\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b”) { set $block_spam 1; } if ($query_string ~ “\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b”) { set $block_spam 1; } if ($query_string ~ “\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b”) { set $block_spam 1; } if ($block_spam = 1) { return 444; }

user-agents头过滤

set $block_user_agents 0; if ($http_user_agent ~ “Wget”) { set $block_user_agents 1; } # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ “Indy Library”) { set $block_user_agents 1; } # Common bandwidth hoggers and hacking tools. if ($http_user_agent ~ “libwww-perl”) { set $block_user_agents 1; } if ($http_user_agent ~ “GetRight”) { set $block_user_agents 1; } if ($http_user_agent ~ “GetWeb!”) { set $block_user_agents 1; } if ($http_user_agent ~ “Go!Zilla”) { set $block_user_agents 1; } if ($http_user_agent ~ “Download Demon”) { set $block_user_agents 1; } if ($http_user_agent ~ “Go-Ahead-Got-It”) { set $block_user_agents 1; } if ($http_user_agent ~ “TurnitinBot”) { set $block_user_agents 1; } if ($http_user_agent ~ “GrabNet”) { set $block_user_agents 1; } if ($block_user_agents = 1) { return 444; } }

自动防护

if ($request_uri ~* \.(htm|do)\?(.*)$) { set $req $2; } if ($req ~* "(cost\()|(concat\()") { return 503; } if ($req ~* "union[+|(%20)]") { return 503; } if ($req ~* "and[+|(%20)]") { return 503; } if ($req ~* "select[+|(%20)]") { return 503; }

注：使用上也需要进行相应的调整