【问题标题】:NGINX filter requests to lan IPNGINX 过滤对局域网 IP 的请求
【发布时间】:2021-07-29 11:14:06
【问题描述】:

我通过 NGINX 收到了几个请求,这些请求似乎针对我的 LAN IP 192.168.0.1,如下所示:

nginx.vhost.access.log:

192.227.134.73 - - [29/Jul/2021:10:33:47 +0000] "POST /GponForm/diag_Form?style/       HTTP/1.1" 400 154 "-" "curl/7.3.2"

来自 Django:

Invalid HTTP_HOST header: '192.168.0.1:443'. You may need to add '192.168.0.1' to ALLOWED_HOSTS.

我的NGINX配置如下:

upstream django_server {
    server 127.0.0.1:8000;
}

# Catch all requests with an invalid HOST header
server {
    server_name "";
    listen 80;
        return 301 https://backoffice.example.com$request_uri;
    }

server {
    listen 80;
    # Redirect www to https
    server_name www.backoffice.example.com;
    modsecurity on;
    modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    add_header X-Frame-Options "deny" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    return 301 https://backoffice.example.com$request_uri;
}

server {
      listen 443 ssl http2;
      server_name www.backoffice.example.com backoffice.example.com;
      modsecurity on;
      modsecurity_rules_file /some_directory/nginx/modsec/modsec_includes.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
      add_header X-Frame-Options "deny" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Content-Security-Policy "script-src 'self' https://example.com https://backoffice.example.com https://fonts.gstatic.com https://code.jquery.com";
      add_header Referrer-Policy "strict-origin-when-cross-origin"; 

      ssl_certificate    /etc/ssl/nginx-ssl/backofficebundle.crt;
      ssl_certificate_key    /etc/ssl/nginx-ssl/backoffice.key;
      
      access_log /some_directory/nginx/nginx.vhost.access.log;
      error_log /some_directory/nginx/nginx.vhost.error.log;

    location / {
        proxy_pass http://localhost:8000;
        proxy_pass_header Server;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header REMOTE_ADDR $remote_addr;        
}


      location /media/ {
        alias /some_directory/backoffice/media/;
        }

        location /static/ {
        alias /some_directory/backoffice/static/;
    }

}

我的问题:

  1. 是否有任何方法可以配置 NGINX 以阻止对所有 LAN IP 的请求?
  2. ModSecurity 能否做得更好?

【问题讨论】:

    标签: django nginx mod-security


    【解决方案1】:

    有没有办法配置 NGINX 来阻止对所有 LAN IP 的请求?

    有,只在公共 IP 上创建 nginx listen(例如 listen backoffice.example.com:443 ssl http2;)。虽然我不知道你为什么想要这个……

    因为如果它是一个内部 IP,它不能被外部访问(根据定义——否则你不会称它为内部的)。如果是这种情况,您的网络/防火墙可能会出现问题。

    关于 nginx 访问日志,我没有发现任何问题。 192.227.134.73 不是私有 IP。

    关于 Django 日志,curl -H "Host: 192.168.0.1:443" https://backoffice.example.com 会引起这样的请求。 “主机”标头毕竟只是一个标头,可以包含任何内容。

    【讨论】:

    • 嗨,斯劳斯,感谢您的回复。您能否扩展您的答案以解释为什么阻止 wan 流量访问内部 IP 是不可取的?你有什么建议?再次感谢。
    • 我更新了我的答案。恕我直言,在没有有效“主机”标头的情况下阻止请求是有意义的。如果您对此感兴趣,请告诉我。
    猜你喜欢
    • 2015-10-18
    • 1970-01-01
    • 2020-05-19
    • 2015-11-12
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2021-06-05
    • 2018-03-14
    相关资源
    最近更新 更多