有漏洞的nginx服务器
我目前有一个nginx设置,配置如下:有漏洞的nginx服务器,nginx,Nginx,我目前有一个nginx设置,配置如下: worker_processes 10; error_log logs/error.log; pid logs/nginx.pid; events { worker_connections 4000; } http { include mime.types; default_type application/octet-stream; access_log off;
worker_processes 10;
error_log logs/error.log;
pid logs/nginx.pid;
events {
worker_connections 4000;
}
http {
include mime.types;
default_type application/octet-stream;
access_log off;
sendfile on;
tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 30;
keepalive_requests 100000;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
# http server
server {
proxy_pass_header Server;
listen 80; # IPv4
server_name localhost;
## Parameterization using hostname of access and log filenames.
access_log logs/localhost_access.log;
error_log logs/localhost_error.log;
## Root and index files.
root html;
index index.php index.html index.htm;
## If no favicon exists return a 204 (no content error).
location = /favicon.ico {
try_files $uri =204;
log_not_found off;
access_log off;
}
## Don't log robots.txt requests.
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
## Try the requested URI as files before handling it to PHP.
location / {
## Regular PHP processing.
location ~ \.php$ {
root html;
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
## Static files
location ~* \.(?:css|gif|htc|ico|js|jpe?g|png|swf)$ {
expires max;
log_not_found off;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay on;
## Set the OS file cache.
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
}
## Keep a tab on the 'big' static files.
location ~* ^.+\.(?:ogg|pdf|pptx?)$ {
expires 30d;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
}
} # / location
} # end http server
# https server
server {
listen 443 spdy ssl;
server_name localhost;
ssl_certificate my.crt;
ssl_certificate_key my.key;
## Parameterization using hostname of access and log filenames.
access_log logs/localhost_access.log;
error_log logs/localhost_error.log;
## Root and index files.
root html;
index index.php index.html index.htm;
## If no favicon exists return a 204 (no content error).
location = /favicon.ico {
try_files $uri =204;
log_not_found off;
access_log off;
}
## Don't log robots.txt requests.
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
## Try the requested URI as files before handling it to PHP.
location / {
## Regular PHP processing.
location ~ \.php$ {
root html;
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
## Static files are served directly.
location ~* \.(?:css|gif|htc|ico|js|jpe?g|png|swf)$ {
expires max;
log_not_found off;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=1000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
## Keep a tab on the 'big' static files.
location ~* ^.+\.(?:ogg|pdf|pptx?)$ {
expires 30d;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
}
} # / location
} # end https server
}
web服务器似乎落后了。允许.htaccess定期下载,有时服务器端会发生错误(或者我怀疑是这样),web服务器将开始提供我没有请求的页面或以前请求的页面(即使我明确要求index.php,也会提供其他一些不相关的页面)。总体而言,这是一个非常令人担忧的行为
有人能提供一些线索吗?为了防止下载.ht*文件(例如.htaccess/.htpasswd),您必须将此行添加到配置中
location ~ /\.ht { access_log off; log_not_found off; deny all; }
请更准确地定义发生的错误,如果没有已定义的错误消息,则无法向您提供建议。“web服务器将开始提供我未请求的页面”-这是什么意思?还有什么版本的nginx?您的操作系统是否已完全更新/修补?我正在Windows Server 2012上运行nginx 1.5.2(我知道)。