Configuration for preventing SQL injection attacks in Nginx

  • 2020-05-10 23:27:15
  • OfStack

The best way to prevent SQL injection is to filter and escape all submitted data on the server side, after the request arrives.

Simple cases, such as parameters that contain a single quote ', a semicolon ;, a < or a >, can be handled by using rewrite to send the request straight to the 404 page.

The premise for using rewrite is that the regular expression in a rewrite directive is matched only against the request URI, i.e. the part of the URL before the ?; the part after the ? is the request parameters.

The request parameters after the question mark, exposed in nginx as the $query_string variable, cannot be matched by rewrite, so they have to be checked with an if block.

For example, suppose you want to match a single quote ' in the parameters and send the request to the error page, for a request like this:


/plus/list.php?tid=19&mid=1124'

rewrite ^.*([;'<>]).* /error.html break;

A rewrite written like this will never match, because the rewrite regex is only applied to the request URI, which here is the /plus/list.php part.

Instead, check $query_string in an if block and return 404 when the query string contains one of the special characters:


if ($query_string ~* ".*[;'<>].*") {
    return 404;
}

Here is a complete example of a configuration file:


server {
    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 444;
    }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 444;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 444;
    }

    ## Block spam keywords in the query string
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 444;
    }

    ## Block unwanted user agents
    set $block_user_agents 0;
    # Don't block wget if you need it to run cron jobs!
    #if ($http_user_agent ~ "Wget") {
    #    set $block_user_agents 1;
    #}
    # Block Akeeba Remote Control 2.5 and earlier
    if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
    }
    # Common bandwidth hoggers and hacking tools
    if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "WebBench") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "ApacheBench") {
        set $block_user_agents 1;
    }
    # Empty User-Agent header
    if ($http_user_agent ~ "^$") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Python-urllib") {
        set $block_user_agents 1;
    }
    if ($block_user_agents = 1) {
        return 444;
    }
}
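The two points the article makes, that a rewrite regex never sees the query string while an if on $query_string does, and that the server block above blocks by rule group in order, are easy to misjudge without trying them against concrete requests. The following Python model is an added example, not code from the article or from nginx: it applies the article's regexes (with their backslashes restored) to constructed sample requests and reports which rule group would fire. The user-agent list is a representative subset of the article's, the 200 status stands for "no rule matched, request goes to the application", and all sample URLs are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the article: a small model of how nginx applies the
# article's directives. A `rewrite` regex is matched against $uri only, while
# `if ($query_string ~ ...)` is matched against the raw, still percent-encoded
# query string. nginx's `~` is case-sensitive, so re.IGNORECASE is used only
# where the article wrote `~*`.

REWRITE_RE = re.compile(r"^.*([;'<>]).*")          # rewrite ^.*([;'<>]).* /error.html break;
IF_RE = re.compile(r".*[;'<>].*", re.IGNORECASE)   # if ($query_string ~* ".*[;'<>].*")


def split_request(url):
    """Return (uri, query_string) as nginx exposes them in $uri and $query_string.

    urlsplit() does not percent-decode, which matches nginx: $query_string is
    the query exactly as the client sent it.
    """
    parts = urlsplit(url)
    return parts.path, parts.query


def rewrite_would_match(url):
    """The article's rewrite only ever sees the URI, never the query string."""
    uri, _ = split_request(url)
    return REWRITE_RE.search(uri) is not None


def if_would_match(url):
    """The article's if-block sees the query string, so a quote there is caught."""
    _, query_string = split_request(url)
    return IF_RE.search(query_string) is not None


def _compile(patterns):
    return [re.compile(p) for p in patterns]


# Rule groups from the article's server block, in the order nginx evaluates them.
# Each group sets a flag and returns 444 before the next group is reached.
QUERY_RULES = [
    ("sql_injection", _compile([r"union.*select.*\(", r"union.*all.*select.*", r"concat.*\("])),
    ("file_injection", _compile([r"[a-zA-Z0-9_]=http://", r"[a-zA-Z0-9_]=(\.\.//?)+",
                                 r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+"])),
    ("common_exploit", _compile([r"(<|%3C).*script.*(>|%3E)", r"GLOBALS(=|\[|%[0-9A-Z]{0,2})",
                                 r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", r"proc/self/environ",
                                 r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", r"base64_(en|de)code\(.*\)"])),
    ("spam", _compile([r"\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b"])),
]

# Representative subset of the article's user-agent rules; "^$" is the empty-UA rule.
UA_RULES = _compile([r"Indy Library", r"libwww-perl", r"Python-urllib", r"^$"])


def evaluate(url, user_agent="Mozilla/5.0 (constructed sample UA)"):
    """Return (status, reason): (444, group) for the first group that fires, or
    (200, None) when nothing matched and the request would reach the application."""
    _, query_string = split_request(url)
    for name, patterns in QUERY_RULES:
        if any(p.search(query_string) for p in patterns):
            return 444, name
    if any(p.search(user_agent) for p in UA_RULES):
        return 444, "user_agent"
    return 200, None


if __name__ == "__main__":
    # Constructed sample requests; none are taken from a real log.
    sample = "/plus/list.php?tid=19&mid=1124'"
    print("rewrite sees the quote:", rewrite_would_match(sample))   # False
    print("if sees the quote:     ", if_would_match(sample))        # True
    for url, ua in [
        ("/index.php?id=1%20union%20all%20select%201", None),
        ("/index.php?page=../../etc/passwd", None),
        ("/index.php?q=%3Cscript%3Etest%3C/script%3E", None),
        ("/index.php?id=1", ""),
        ("/index.php?id=1%20UNION%20ALL%20SELECT%201", None),
    ]:
        print(url, "->", evaluate(url) if ua is None else evaluate(url, ua))
```

The last two sample requests illustrate the caveats worth keeping in mind with this kind of filter: an empty User-Agent is blocked by the "^$" rule, and because the article's server block uses `~` rather than `~*`, the SQL keyword patterns are case-sensitive and an upper-case variant passes through (switch to `~*` if that is not what you want). $query_string is also the raw, percent-encoded form, so a rule only catches what is literally present in the request; the server-side filtering and escaping the article opens with remains the real control, and the nginx rules are a front-line check in addition to it.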

