diff --git a/docker-compose-deploy.yml b/docker-compose-deploy.yml
index bea7f91..e78fca1 100644
--- a/docker-compose-deploy.yml
+++ b/docker-compose-deploy.yml
@@ -127,6 +127,7 @@ services:
 volumes:
 - ./nginx/nginx.conf:/etc/nginx/nginx.conf
 - ./nginx/conf.d:/etc/nginx/conf.d
+ - ./nginx/configs:/etc/nginx/configs
 ports:
 - "80:80"
 restart: always
diff --git a/nginx/configs/bot-block.conf b/nginx/configs/bot-block.conf
new file mode 100644
index 0000000..66cf1ad
--- /dev/null
+++ b/nginx/configs/bot-block.conf
@@ -0,0 +1,11 @@
+#Bot
+map $http_user_agent $limit_bots {
+ default 0;
+ ~*(MJ12bot|ltx71|Adsbot/3.1/WordPress|BLEXBot|UCBrowser|Mb2345Browser) 1;
+ ~*(MicroMessenger|LieBaoFast|Headless|netEstate|PetalBot) 1;
+ ~*(bingbot|FeedDemon|GrapeshotCrawler|DuckDuckBot|MegaIndex) 1;
+ ~*(VelenPublicWebCrawler|SimplePie|YandexBot|SCMGUARD|DotBot) 1;
+ ~*(AhrefsBot|SemrushBot) 1;
+ ~*(wget|curl) 1;
+ ~*(Custom-AsyncHttpClient) 1;
+}
\ No newline at end of file
diff --git a/nginx/configs/ip-block-list.conf b/nginx/configs/ip-block-list.conf
new file mode 100644
index 0000000..d2e42ed
--- /dev/null
+++ b/nginx/configs/ip-block-list.conf
@@ -0,0 +1,5 @@
+geo $bad_ip {
+ 43.128.149.53 1;
+ 172.31.11.235 1;
+ default 0;
+}
\ No newline at end of file
diff --git a/nginx/configs/nginx-blue.conf b/nginx/configs/nginx-blue.conf
index 319dd42..f059dc6 100644
--- a/nginx/configs/nginx-blue.conf
+++ b/nginx/configs/nginx-blue.conf
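Review bot: The new `./nginx/configs` bind mount on the added line is read-write, so anything that gains write access inside the nginx container can rewrite the very block lists and server configs it is enforcing; the two existing mounts above it have the same weakness. Mount the configuration read-only: `- ./nginx/configs:/etc/nginx/configs:ro` (and the same `:ro` suffix on the two existing config mounts). The `services:` map and this service's definition begin and end outside the hunk.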
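Review bot: `~*(wget|curl) 1;` will also drop any curl-based health check, smoke test or deploy hook that reaches port 80 with a default User-Agent, and nothing in this file exempts an internal caller; if such checks exist (they are not visible here) give them a distinctive User-Agent or drop that line. User-Agent is entirely client-controlled, so every entry in this map is a nuisance filter rather than an access control, and the header comment should say so, e.g. `# Nuisance filter only: the User-Agent is attacker-controlled and trivially spoofed; never rely on it for access control`. Note also that `bingbot` and `DuckDuckBot` are mainstream search crawlers, so blocking them is an SEO decision rather than a security one and deserves a comment of its own.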
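Review bot: `172.31.11.235 1;` is an RFC 1918 address (the default AWS VPC range), so this entry most likely targets an internal host rather than an Internet scanner; `geo` matches on `$remote_addr`, so if that host is anything that forwards traffic to this nginx the rule would silently drop every request it relays. Each entry should carry a comment with the reason and the date it was added, e.g. `172.31.11.235 1;  # <reason/date> - confirm this is not a proxy or load balancer`. If the real client address only arrives in `X-Forwarded-For`, configure `set_real_ip_from`/`real_ip_header` for the trusted proxy range before this `geo` block so the list applies to the actual client instead of the proxy.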
@@ -8,15 +8,31 @@ http {
 server fastapi-blue:8000;
 }
- # DOS 공격 방어를 위한 설정
 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
 limit_conn_zone $binary_remote_addr zone=addr:10m;
+ # 별도 경로로 빼둔 설정파일들
+ include /etc/nginx/configs/ip-block-list.conf; #ip block
+ include /etc/nginx/configs/word-block.conf; #Hack word
+ include /etc/nginx/configs/bot-block.conf; #Bot block
+
 server {
 listen 80;
 listen [::]:80;
+ #Ban black ip
+ if ($bad_ip) { return 444; }
+
+ #특정 url 패턴을 거부
+ if ($bad_word = 1) { return 444; }
+
+ #특정 user-agent를 거부
+ if ($limit_bots = 1) { return 444; }
+
+ #공백 User-agent를 거부
+ if ($http_user_agent = "") { return 444; }
+
 # 백엔드 프록시 설정
 location / {
 proxy_pass http://backend;
diff --git a/nginx/configs/nginx-green.conf b/nginx/configs/nginx-green.conf
index 6248ef3..05ceb6b 100644
--- a/nginx/configs/nginx-green.conf
+++ b/nginx/configs/nginx-green.conf
@@ -8,15 +8,32 @@ http {
 server fastapi-green:8000;
 }
- # DOS 공격 방어를 위한 설정
 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
 limit_conn_zone $binary_remote_addr zone=addr:10m;
+ # 별도 경로로 빼둔 설정파일들
+ include /etc/nginx/configs/ip-block-list.conf; #ip block
+ include /etc/nginx/configs/word-block.conf; #Hack word
+ include /etc/nginx/configs/bot-block.conf; #Bot block
+
+
 server {
 listen 80;
 listen [::]:80;
+ #Ban black ip
+ if ($bad_ip) { return 444; }
+
+ #특정 url 패턴을 거부
+ if ($bad_word = 1) { return 444; }
+
+ #특정 user-agent를 거부
+ if ($limit_bots = 1) { return 444; }
+
+ #공백 User-agent를 거부
+ if ($http_user_agent = "") { return 444; }
+
 # 백엔드 프록시 설정
 location / {
 proxy_pass http://backend;
diff --git a/nginx/configs/word-block.conf b/nginx/configs/word-block.conf
new file mode 100644
index 0000000..6ad7c07
--- /dev/null
+++ b/nginx/configs/word-block.conf
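Review bot: All four new `if (...) { return 444; }` checks answer with the same status, so whatever access log is configured (outside this hunk) cannot show which rule dropped a request or whether a real user was caught, and the lists cannot be tuned safely without that. Since `$bad_ip`, `$bad_word` and `$limit_bots` are already variables, add them to a `log_format` in the `http` context next to the `include`s, e.g. `log_format blocked '$remote_addr "$request" ip=$bad_ip word=$bad_word bot=$limit_bots "$http_user_agent"';` and select it with `access_log /var/log/nginx/access.log blocked;`, so every 444 is attributable. Using `if` with a bare `return` at `server` level is the one form nginx documents as safe, so the construct itself is fine. The enclosing `http {` and `server {` blocks begin and end outside this hunk.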
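Review bot: The block of `if (...) { return 444; }` checks added inside `server {}` here is a verbatim copy of the one added to nginx-blue.conf (as are the three `include`s above it), so the blue and green configs will drift independently the first time a rule is tuned in one of them. This commit already creates `/etc/nginx/configs/` for shared snippets, so put the four checks and their comments into one file there and replace them with `include /etc/nginx/configs/block-rules.conf;` inside `server {}`; nginx allows `include` in `server` context, so nothing else changes. The three `include`s in the `http` context can be collapsed into one shared snippet the same way. The enclosing `http {` and `server {` blocks begin and end outside this hunk.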
@@ -0,0 +1,20 @@
+#Request Bad Word
+map $request_uri $bad_word {
+ default 0;
+ ~*(wp-includes|wlwmanifest|xmlrpc|wordpress|administrator|wp-admin|wp-login|owa|a2billing) 1;
+ ~*(fgt_lang|flu|stalker_portal|streaming|system_api|exporttool|ecp|vendor|LogService|invoke|phpinfo) 1;
+ ~*(Autodiscover|console|eval-stdin|staging|magento|demo|rss|root|mifs|git|graphql|sidekiq|c99|GponForm) 1;
+ ~*(header-rollup-554|fckeditor|ajax|misc|plugins|execute-solution|wp-content|php|telescope) 1;
+ ~*(idx_config|DS_Store|nginx|wp-json|ads|humans|exec|level|monitoring|configprops|balancer|actuator) 1;
+ ~*(meta-data|web_shell_cmd|latest|remote|_asterisk|bash|Bind|binding|appxz|bankCheck|GetAllGameCategory) 1;
+ ~*(exchangerateuserconfig|exchange_article|kline_week|anquan|dns-query|nsepa_setup|java_script|gemini-iptv) 1;
+ ~*(j_spring_security_check|wps|cgi|asmx|HNAP1|sdk|evox) 1;
+ ~*(_ignition|alvzpxkr|ALFA_DATA|wp-plain) 1;
+ ~*(ldap|jndi|dns|securityscan|rmi|ldaps|iiop|corba|nds|nis) 1; # log4j
+ ~*(.aws|.git|wp-config|wp-config-sample|wp-config.php|wp-config-sample.php|wp-config.bak|wp-config-sample.bak) 1;
+ ~*(.env|.env.example|.env.local|.env.development|.env.test|.env.production|.env.local.php|.env.local.php.bak) 1;
+ ~*(.env.bak|.env.local.bak|.env.development.bak|.env.test.bak|.env.production.bak|.env.local.php.bak) 1;
+ ~*(phpinfo|phpinfo.php|info.php|test.php|test|php|phpmyadmin|pma|myadmin|t.php|i.php) 1;
+ ~*(dev|test|staging|app_dev|admin|www|home|app|main|backup|old|new|tmp|temp|temp1|temp2|temp3) 1;
+ ~*(vendor|phpunit|lib|V2|ws|cms|tests|blog) 1;
+}
\ No newline at end of file
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 69fdfeb..f60dd0f 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
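Review bot: These patterns are unanchored, case-insensitive substring matches against the raw `$request_uri` (path plus query string), so they will drop ordinary application traffic: `nis` matches `/finish`, `rmi` matches `/permissions`, `ads` matches `/uploads`, `ws` matches `/news`, `V2` matches `/api/v2/`, `old`/`new`/`app`/`test`/`main`/`home` match almost any word containing them, and the unescaped dot in `.git`/`.env` makes them match `digit` and `/environment`. At the same time `$request_uri` is not percent-decoded, so `/wp-%61dmin` passes this map while `/news` does not, which inverts the intent. Anchor each alternation to a path segment, escape literal dots, and match on the normalised `$uri` (keep a second map on `$args` if query-string probes such as `jndi:` still need catching); the sketch below shows the shape for the first entries. Bare words such as `ads`, `app`, `dev`, `flu`, `main`, `new`, `old`, `test` and `www` should be dropped altogether unless they are real paths on this backend.

```nginx
# Match on the decoded, normalised path: anchored to a segment, dots escaped, one probe family per line.
map $uri $bad_word {
    default 0;
    "~*(^|/)(wp-admin|wp-login|wp-includes|wp-content|wp-json|xmlrpc|wlwmanifest)(/|\.|$)" 1;
    "~*(^|/)\.(env|git|aws|DS_Store)(\.|/|$)" 1;
    "~*(^|/)(phpinfo|phpmyadmin|pma|myadmin|eval-stdin)(/|\.|$)" 1;
    # … remaining entries rewritten the same way …
}
```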
@@ -5,20 +5,36 @@ http {
 upstream backend {
 # upstream으로 설정 및 서버 문제시 다른 서버로 이동
- server fastapi-green:8000 max_fails=1 fail_timeout=3s;
- server fastapi-blue:8000 max_fails=1 fail_timeout=3s;
+ server fastapi-green:8000;
 }
- # DOS 공격 방어를 위한 설정
 limit_req_zone $binary_remote_addr zone=limit_per_ip:10m rate=10r/s;
 limit_conn_zone $binary_remote_addr zone=addr:10m;
+ # 별도 경로로 빼둔 설정파일들
+ include /etc/nginx/configs/ip-block-list.conf; #ip block
+ include /etc/nginx/configs/word-block.conf; #Hack word
+ include /etc/nginx/configs/bot-block.conf; #Bot block
+
+
 server {
 listen 80;
 listen [::]:80;
+ #Ban black ip
+ if ($bad_ip) { return 444; }
+
+ #특정 url 패턴을 거부
+ if ($bad_word = 1) { return 444; }
+
+ #특정 user-agent를 거부
+ if ($limit_bots = 1) { return 444; }
+
+ #공백 User-agent를 거부
+ if ($http_user_agent = "") { return 444; }
+
 # 백엔드 프록시 설정
 location / {
 proxy_pass http://backend;
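Review bot: `upstream backend` now holds only `server fastapi-green:8000;`, yet the context comment directly above it still says traffic moves to the other server when one fails, and with a single server nginx ignores `max_fails`/`fail_timeout` anyway, so no failover remains in this file and the comment now misleads. Either rewrite the comment to say this is the green-only baseline and that switching is done by swapping in nginx-blue.conf/nginx-green.conf (if that is the intent — the switching mechanism is not visible here), or keep the second server as a standby: `server fastapi-blue:8000 backup;`. The enclosing `http {` block and the `server {` block both begin and end outside this hunk.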