V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
kmdd33
V2EX  ›  程序员

网站只要刷新几次后 出现 403 forbidden,过一段时间后又访问正常,如何解决?请教运维伙伴们

  •  
  •   kmdd33 · 2018-06-24 19:51:16 +08:00 · 2969 次点击
    这是一个创建于 2346 天前的主题,其中的信息可能已经有所发展或是发生改变。

    请问伙伴们,自己的 csf 防火墙是不是出现了什么配置错误?

    目前已经关闭了 selinux 和 firewalld,自己的 csf 配置如下: https://segmentfault.com/q/1010000015367181 (文字超出限制,发到上面这个链接了)

    7 条回复    2018-06-25 23:26:49 +08:00
    kmdd33
        1
    kmdd33  
    OP
       2018-06-24 19:53:26 +08:00
    网站是正常显示的状态,配置是:centos7+openresty +csf firewall+php7+mysql
    csf 防火墙里面的配置文件,固定 ip 访问次数我设置的很高啊,waf 里面设置的 120/60,
    juzipeek
        2
    juzipeek  
       2018-06-25 10:11:21 +08:00
    感觉是 nginx 配置有问题,可以贴下 nginx 配置文件
    orangutan92
        3
    orangutan92  
       2018-06-25 10:52:30 +08:00
    感觉是 WAF 的问题,我的是连续刷新十次就不能访问了
    wqsfree
        4
    wqsfree  
       2018-06-25 11:28:41 +08:00
    1.防火墙问题?
    2.内存不够,连接的用户过多?
    3.web 服务的配置文件设置不合理?
    kmdd33
        5
    kmdd33  
    OP
       2018-06-25 23:10:12 +08:00
    @juzipeek nginx.conf 的配置:




    #user nobody;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;


    events {
    worker_connections 1024;
    }


    http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    client_max_body_size 8m; #允许客户端请求的最大单文件字节数
    client_body_buffer_size 2m; #缓冲区代理缓冲用户端请求的最大字节

    gzip on;
    #WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    server {
    listen 127.0.0.1;
    server_name mywebsitedomain.com;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    location / {
    root html;
    index index.php index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    root html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    # proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    # deny all;
    #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    # listen 8000;
    # listen somename:8080;
    # server_name somename alias another.alias;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}


    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;

    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;

    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}

    }
    kmdd33
        6
    kmdd33  
    OP
       2018-06-25 23:11:05 +08:00
    @orangutan92 请问你是如何解决的呢?
    kmdd33
        7
    kmdd33  
    OP
       2018-06-25 23:26:49 +08:00
    @orangutan92

    waf configure.lua 的配置文件如下:



    --WAF config file,enable = "on",disable = "off"

    --waf status
    config_waf_enable = "on"
    --log dir
    config_log_dir = "/tmp"
    --rule setting
    config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
    --enable/disable white url
    config_white_url_check = "on"
    --enable/disable white ip
    config_white_ip_check = "on"
    --enable/disable block ip
    config_black_ip_check = "on"
    --enable/disable url filtering
    config_url_check = "on"
    --enalbe/disable url args filtering
    config_url_args_check = "on"
    --enable/disable user agent filtering
    config_user_agent_check = "on"
    --enable/disable cookie deny filtering
    config_cookie_check = "on"
    --enable/disable cc filtering
    config_cc_check = "on"
    --cc rate the xxx of xxx seconds
    config_cc_rate = "1200/60"
    --enable/disable post filtering
    config_post_check = "on"
    --config waf output redirect/html
    config_waf_output = "html"
    --if config_waf_output ,setting url
    config_waf_redirect_url = "https://www.unixhot.com"
    config_output_html=[[
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="Content-Language" content="zh-cn" />
    <title>网站防火墙</title>
    </head>
    <body>
    <h1 align="center"> 欢迎白帽子进行授权安全测试,安全漏洞请联系 QQ:1111111。
    </body>
    </html>
    ]]
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1175 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 27ms · UTC 18:36 · PVG 02:36 · LAX 10:36 · JFK 13:36
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.