背景

写了个电影网站(纯粹搞着玩的),准备买个域名然后上线,但是看日志经常被一些恶意IP进行攻击,这里准备接入腾讯云的安全以及加速产品edgeone,记录下当时的步骤。

一、nginx配置重定向以及日志格式

nginx.conf

user nginx;                                                                                 
#user root;                                                                                 
worker_processes auto;                                                                      
error_log /var/log/nginx/error.log;                                                         
pid /run/nginx.pid;                                                                         
                                                                                            
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.                            
include /usr/share/nginx/modules/*.conf;                                                    
                                                                                            
events {                                                                                    
    worker_connections 1024;                                                                
}                                                                                           
                                                                                            
http {                                                                                      
    include log_format.conf;                                                                
    include upstream.conf;                                                                  
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '               
                      '$status $body_bytes_sent "$http_referer" '                           
                      '"$http_user_agent" "$http_x_forwarded_for"';                         
                                                                                            
    access_log  /var/log/nginx/access.log  main;                                            
    access_log  /var/log/nginx/access.json.log  json_format;                                
                                                                                            
    sendfile            on;                                                                 
    tcp_nopush          on;                                                                 
    tcp_nodelay         on;                                                                 
    keepalive_timeout   65;                                                                 
    types_hash_max_size 2048;                                                               
                                                                                            
    include             /etc/nginx/mime.types;                                              
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;                                                       
        include /etc/nginx/default.d/*.conf;                                                
    }

log_format.conf

log_format json_format  escape=json '{"@timestamp":"$time_iso8601",'
                '"@version":"1",'
                '"server_addr":"$server_addr",'
                '"remote_addr":"$remote_addr",'
                '"http_host":"$host",'
                '"uri":"$uri",'
                #'"upstream_response_time":$temprt,'
                '"upstream_addr":"$upstream_addr",'
                '"upstream_status":$upstream_status,'
                '"body_bytes_sent":$body_bytes_sent,'
                '"bytes_sent":$bytes_sent,'
                '"request_method":"$request_method",'
                '"request":"$request",'
                '"request_length":$request_length,'
                '"request_time":$request_time,'
                '"status":"$status",'
                '"http_referer":"$http_referer",'
                '"http_x_forwarded_for":"$http_x_forwarded_for",'
                '"http_user_agent":"$http_user_agent",'
                '"http_x_tc_requestId": "$http_x_tc_requestId",'
                '"body":"$request_body "'
                '}';

default.conf

server {
    listen 80;
    server_name vip04.cn www.vip04.cn;
    return 301 https://www.vip04.cn$request_uri;
}

server {
    listen 443 ssl;
    server_name vip04.cn;
    ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    return 301 https://www.vip04.cn$request_uri;
}
server {
        listen 443 ssl;
        server_name  www.vip04.cn;
        ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt; 
        ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location /static {
                alias  /data/flask_demo/12.1/static/;
        }

        location / {
                try_files $uri @yourapplication;
        }
        location ~* /test {
                return 403;
        }
        location ~* /admin.console {
                return 403;
        }
    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/logs/movie.sock;
        uwsgi_read_timeout 1800;
        uwsgi_send_timeout 300;
    }
}

二、修改域名解析指向edgeone提供的域名

1、dnspod修改解析小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP

2、eo控制台查看是否生效

小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP

三、配置防护策略

小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP

四、验证是否生效

1、开启拦截策略

浏览器访问vip04.cn测试效果
小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP
小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP
小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP

结论
可以看到重定向生效和拦截策略生效(status为567的就是拦截成功)

2、放开拦截策略

浏览器访问vip04.cn测试效果
小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP
小电影网站上线之nginx配置不带www域名301重定向到www域名+接入腾讯云安全防护edgeone-LMLPHP
结论
没有触发拦截,符合预期

01-28 08:01