背景
写了个电影网站(纯粹搞着玩的),准备买个域名然后上线,但是看日志经常被一些恶意IP进行攻击,这里准备接入腾讯云的安全以及加速产品edgeone,记录下当时的步骤。
一、nginx配置重定向以及日志格式
nginx.conf
user nginx;
#user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf; events { worker_connections 1024;
} http { include log_format.conf; include upstream.conf; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; access_log /var/log/nginx/access.json.log json_format; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream;include /etc/nginx/conf.d/*.conf; include /etc/nginx/default.d/*.conf; }
log_format.conf
log_format json_format escape=json '{"@timestamp":"$time_iso8601",''"@version":"1",''"server_addr":"$server_addr",''"remote_addr":"$remote_addr",''"http_host":"$host",''"uri":"$uri",'#'"upstream_response_time":$temprt,''"upstream_addr":"$upstream_addr",''"upstream_status":$upstream_status,''"body_bytes_sent":$body_bytes_sent,''"bytes_sent":$bytes_sent,''"request_method":"$request_method",''"request":"$request",''"request_length":$request_length,''"request_time":$request_time,''"status":"$status",''"http_referer":"$http_referer",''"http_x_forwarded_for":"$http_x_forwarded_for",''"http_user_agent":"$http_user_agent",''"http_x_tc_requestId": "$http_x_tc_requestId",''"body":"$request_body "''}';
default.conf
server {listen 80;server_name vip04.cn www.vip04.cn;return 301 https://www.vip04.cn$request_uri;
}server {listen 443 ssl;server_name vip04.cn;ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt;ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;ssl_protocols TLSv1.2 TLSv1.3;ssl_ciphers HIGH:!aNULL:!MD5;return 301 https://www.vip04.cn$request_uri;
}
server {listen 443 ssl;server_name www.vip04.cn;ssl_certificate /etc/nginx/ssl_certificate/vip04.cn_bundle.crt; ssl_certificate_key /etc/nginx/ssl_certificate/vip04.cn.key;ssl_protocols TLSv1.2 TLSv1.3;ssl_ciphers HIGH:!aNULL:!MD5;location /static {alias /data/flask_demo/12.1/static/;}location / {try_files $uri @yourapplication;}location ~* /test {return 403;}location ~* /admin.console {return 403;}location @yourapplication {include uwsgi_params;uwsgi_pass unix:/tmp/logs/movie.sock;uwsgi_read_timeout 1800;uwsgi_send_timeout 300;}
}
二、修改域名解析指向edgeone提供的域名
1、dnspod修改解析
2、eo控制台查看是否生效
三、配置防护策略
四、验证是否生效
1、开启拦截策略
浏览器访问vip04.cn测试效果
结论
可以看到重定向生效和拦截策略生效(status为567的就是拦截成功)
2、放开拦截策略
浏览器访问vip04.cn测试效果
结论
没有触发拦截,符合预期
