网站只要刷新几次后 出现 403 forbidden,过一段时间后又访问正常,如何解决?请教运维伙伴们

2018-06-24 19:51:16 +08:00
 kmdd33

请问伙伴们,自己的 csf 防火墙是不是出现了什么配置错误?

目前已经关闭了 selinux 和 firewalld,自己的 csf 配置如下: https://segmentfault.com/q/1010000015367181 (文字超出限制,发到上面这个链接了)

2995 次点击
所在节点    程序员
7 条回复
kmdd33
2018-06-24 19:53:26 +08:00
网站是正常显示的状态,配置是:centos7+openresty +csf firewall+php7+mysql
csf 防火墙里面的配置文件,固定 ip 访问次数我设置的很高啊,waf 里面设置的 120/60,
juzipeek
2018-06-25 10:11:21 +08:00
感觉是 nginx 配置有问题,可以贴下 nginx 配置文件
orangutan92
2018-06-25 10:52:30 +08:00
感觉是 WAF 的问题,我的是连续刷新十次就不能访问了
wqsfree
2018-06-25 11:28:41 +08:00
1.防火墙问题?
2.内存不够,连接的用户过多?
3.web 服务的配置文件设置不合理?
kmdd33
2018-06-25 23:10:12 +08:00
@juzipeek nginx.conf 的配置:




#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
worker_connections 1024;
}


http {
include mime.types;
default_type application/octet-stream;

#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

client_max_body_size 8m; #允许客户端请求的最大单文件字节数
client_body_buffer_size 2m; #缓冲区代理缓冲用户端请求的最大字节

gzip on;
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

server {
listen 127.0.0.1;
server_name mywebsitedomain.com;

#charset koi8-r;

#access_log logs/host.access.log main;

location / {
root html;
index index.php index.html index.htm;
}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;

# location / {
# root html;
# index index.html index.htm;
# }
#}


# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;

# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;

# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}

}
kmdd33
2018-06-25 23:11:05 +08:00
@orangutan92 请问你是如何解决的呢?
kmdd33
2018-06-25 23:26:49 +08:00
@orangutan92

waf configure.lua 的配置文件如下:



--WAF config file,enable = "on",disable = "off"

--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/tmp"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enalbe/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "1200/60"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output ,setting url
config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>网站防火墙</title>
</head>
<body>
<h1 align="center"> 欢迎白帽子进行授权安全测试,安全漏洞请联系 QQ:1111111。
</body>
</html>
]]

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/465470

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX