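# Server block hardening: rejects requests whose Host, method, path or
# headers fall outside what this deployment expects, then hands *.php to
# PHP-FPM. Each header check below is only as strong as the header it reads:
# Host, X-From and Referer are all supplied by the client, so they limit
# accidental or casual access rather than act as authentication.
server {
    # Host header allow-list. The original pattern
    # "^159.75.104.235|127.0.0.1$" anchored only one alternative and left the
    # dots unescaped, so any Host that merely *started* with the first
    # address was accepted; anchor the whole group, escape the dots and
    # allow an optional port. $http_host is the documented (lower-case)
    # spelling of the header variable.
    if ($http_host !~* "^(159\.75\.104\.235|127\.0\.0\.1)(:\d+)?$") {
        return 403;
    }

    # Allow only GET, HEAD and POST. 405 (Method Not Allowed) describes this
    # condition; the original 500 reported a server error and would be
    # counted as one by monitoring.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Requests under /api/ must carry a custom X-From header.
    # NOTE(review): regex locations are tried in order and only the first
    # match is used, so /api/x.php is handled by this block (which has no
    # fastcgi_pass) and never reaches the "\.php" location below -- confirm
    # that is intended. Any client can set X-From, so this is a filter, not
    # authentication.
    location ~ ^/api/ {
        if ($http_x_from = '') {
            return 401;
        }
    }

    # Never serve files with these suffixes (lock, config and metadata files).
    location ~* \.(lock|json|env|htaccess|license|md)$ {
        deny all;
    }

    # Never serve anything under /vendor/ or /config/.
    location ~* /(vendor|config)/ {
        deny all;
    }

    # Do not execute PHP under /data/. The nested pattern is deliberately
    # unanchored at the end, as in the original, so x.php.bak and similar
    # are refused as well.
    location ~ (/data/) {
        location ~* ^.+\.(php) {
            deny all;
        }
    }

    location ~ \.php(.*)$ {
        # Referer allow-list for PHP endpoints. Anchored at the start of the
        # value (nginx matches after the scheme) with escaped dots; a missing
        # Referer is still rejected, as in the original. Referer is
        # client-controlled, so treat this as hotlink protection only, and
        # note that browsers with a strict Referrer-Policy omit it.
        valid_referers "~^(127\.0\.0\.1|159\.75\.104\.235)(:\d+)?(/|$)";
        if ($invalid_referer) {
            return 401;
        }

        # Refuse requests carrying the query parameter referer=1. The
        # original routed this through a $flag variable; a direct return is
        # equivalent. NOTE(review): the meaning of ?referer=1 is not visible
        # here -- check with the application before relying on it.
        if ($arg_referer = 1) {
            return 403;
        }

        # Refuse any path containing /open/. $uri is the normalised, decoded
        # path (the same form location matching used); $request_uri is the
        # raw request line including the query string.
        if ($uri ~* /(open)/) {
            return 401;
        }

        # NOTE(review): with "\.php(.*)$" a URI such as /x.php/anything is
        # also passed to PHP-FPM; unless PATH_INFO routing is required,
        # adding "try_files $uri =404;" here ensures only an existing script
        # is executed. The fastcgi_* parameters were elided in the source
        # ("# ......"), so this cannot be verified from here.
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # ......
    }
}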