背景
写了个电影网站(纯粹搞着玩的),准备买个域名然后上线,但是看日志经常被一些恶意IP进行攻击,这里准备接入腾讯云的安全以及加速产品edgeone,记录下当时的步骤。
一、nginx配置重定向以及日志格式
nginx.conf
user nginx;
#user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
include log_format.conf;
include upstream.conf;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/access.json.log json_format;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/default.d/*.conf;
}
log_format.conf
log_format json_format escape=json '{"@timestamp":"$time_iso8601",'
'"@version":"1",'
'"server_addr":"$server_addr",'
'"remote_addr":"$remote_addr",'
'"http_host":"$host",'
'"uri":"$uri",'
#'"upstream_response_time":$temprt,'
'"upstream_addr":"$upstream_addr",'
'"upstream_status":$upstream_status,'
'"body_bytes_sent":$body_bytes_sent,'
'"bytes_sent":$bytes_sent,'
'"request_method":"$request_method",'
'"request":"$request",'
'"request_length":$request_length,'
'"request_time":$request_time,'
'"status":"$status",'
'"http_referer":"$http_referer",'
'"http_x_forwarded_for":"$http_x_forwarded_for",'
'"http_user_agent":"$http_user_agent",'
'"http_x_tc_requestId": "$http_x_tc_requestId",'
'"body":"$request_body "'
'}';
default.conf
server {
listen 80;
server_name vip04.cn www.vip04.cn;
return 301 https://www.vip04.cn$request_uri;
}
server {
listen 443 ssl;
server_name vip04.cn;
ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt;
ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
return 301 https://www.vip04.cn$request_uri;
}
server {
listen 443 ssl;
server_name www.vip04.cn;
ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt;
ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location /static {
alias /data/flask_demo/12.1/static/;
}
location / {
try_files $uri @yourapplication;
}
location ~* /test {
return 403;
}
location ~* /admin.console {
return 403;
}
location @yourapplication {
include uwsgi_params;
uwsgi_pass unix:/tmp/logs/movie.sock;
uwsgi_read_timeout 1800;
uwsgi_send_timeout 300;
}
}
二、修改域名解析指向edgeone提供的域名
1、dnspod修改解析
2、eo控制台查看是否生效
三、配置防护策略
四、验证是否生效
1、开启拦截策略
浏览器访问vip04.cn测试效果
结论
可以看到重定向生效和拦截策略生效(status为567的就是拦截成功)
2、放开拦截策略
浏览器访问vip04.cn测试效果
结论
没有触发拦截,符合预期