使用Lua保护Nginx远离CC攻击

Published: Tags: LINUX NGINX

简单,以下方法不需要额外安装模块:

location ~ \.php$ {
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		rewrite .* "$scheme://$host$uri" redirect;
		#rewrite .* "$scheme://localhost:$remote_port" redirect;
	}
	
	... ...
}

进阶,返回JS跳转代码过滤模拟访问:

location ~ \.php$ {
	default_type text/html;
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		return 200 "<script>location.reload()</script>\n";
	}
	
	... ...
}

PERL,返回JS设置COOKIE并自动刷新:

http {
	perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); md5_base64("SALT",shift->variable("remote_addr"))}';
	... ...
	server {
		... ...
		location ~ \.php$ {
			default_type text/html;
			if ($cookie_reCAPTCHA != $reCAPTCHA){ #访问非text/html会异常,换用add_header设置Cookie避免js无法执行
				return 200 '<script>\ndocument.cookie="reCAPTCHA=$reCAPTCHA";\nlocation.reload();\n</script>\n';
			}
			... ...
		}
	}
}

综合以上方法,笔者当前使用的配置:

http {
    perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); my $r = shift;
    md5_base64("salt:RANDOM".$r->variable("remote_addr").$r->variable("http_user_agent"))}';
    ... ...
    server {
        ... ...
        location / {
            default_type text/html;
            if ($cookie_reCAPTCHA != $reCAPTCHA){
                add_header Set-Cookie "reCAPTCHA=$reCAPTCHA; PATH=/";
                return 200 '<script>location.reload()</script>';
            }
            proxy_pass http://www.baidu.com;
        }
    }
}

LUA,大同小异,需要安装扩展模块:apt-get install nginx-extras

location ~ \.php$ {
	rewrite_by_lua '
		local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
		if (ngx.var.cookie_reCAPTCHA ~= md5token) then
			ngx.header["Set-Cookie"] = "reCAPTCHA=" .. md5token
			return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
		end
	';
	
	... ...
}

参考: https://jiji262.github.io/wooyun_articles/drops/通过nginx配置文件抵御攻击.html