Last Updated: February 25, 2016
· jeremybass

site protection temporary solutions

this is more for my own reminder and place to come back to for reference

Simple rules that have been tested for years to plug most any whole in your site. Not to replace good coding practice, or directly address the root issue, but to act as a simple first line defense as you correct issues. Speed tests as of yet have shown there to be almost no time penalty for the rules.

Again, you still must do your self the favor and check and test for holes in all your projects, but sometimes you can't help but have other peoples code on production.

Rules developed from through discussions by 7 experts there and my self.


# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 
RewriteCond %{QUERY_STRING} .*((%73|%53|s)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%63|%43|c)(%74|%54|t)|(%69|%49|i)(%6E|%4E|n)(%73|%53|s)(%65|%45|e)(%72|%52|r)(%74|%54|t)|(%44|%64|d)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%74|%54|t)(%65|%45|e)|(%44|%64|d)(%72|%52|r)(%4F|%6F|o)(%70|%50|p)|(%55|%75|u)(%70|%50|p)(%44|%64|d)(%41|%61|a)(%74|%54|t)(%65|%45|e)|(%41|%61|a)(%6C|%4C|l)(%74|%54|t)(%65|%45|e)(%72|%52|r)|(%41|%61|a)(%44|%64|d)(%44|%64|d)|(%4A|%6A|j)(%4F|%6F|o)(%69|%49|i)(%6E|%4E|n)|(%63|%43|c)(%72|%52|r)(%65|%45|e)(%41|%61|a)(%74|%54|t)(%65|%45|e)).*((%74|%54|t)(%41|%61|a)(%42|%62|b)(%6C|%4C|l)(%65|%45|e)|(%46|%66|f)(%72|%52|r)(%4F|%6F|o)(%4D|%6D|m)|(%69|%49|i)(%6E|%4E|n)(%74|%54|t)(%4F|%6F|o)|(%73|%53|s)(%65|%45|e)(%74|%54|t)|(%63|%43|c)(%4F|%6F|o)(%6C|%4C|l)(%55|%75|u)(%4D|%6D|m)(%6E|%4E|n)|(%69|%49|i)(%6E|%4E|n)(%44|%64|d)(%58|%78|e)(%72|%52|x)|(%56|%76|v)(%69|%49|i)(%58|%78|e)(%57|%77|w)|(%55|%75|u)(%6E|%4E|n)(%69|%49|i)(%4F|%6F|o)(%6E|%4E|n)|(%44|%64|d)(%41|%61|a)(%74|%54|t)(%41|%61|a)(%42|%62|b)(%41|%61|a)(%73|%53|s)(%65|%45|e)).*((%57|%77|w)(%48|%68|h)(%65|%45|e)(%72|%52|r)(%65|%45|e)|(%4F|%6F|o)(%6E|%4E|n)|(%41|%61|a)(%6C|%4C|l)(%6C|%4C|l)|(.*)).* [NC,OR]
RewriteRule ^.*$ - [F,L] 
# END Filtering


if ($query_string ~ "http\:"){
    return 403;
if ($query_string ~ "\["){
    return 403;
if ($query_string ~ "\]"){
    return 403;
if ($query_string ~* "(\<|%3C).*script.*(\>|%3E)"){
    return 403;
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})"){
    return 403;
if ($query_string ~* ".*((%73|%53|s)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%63|%43|c)(%74|%54|t)|(%69|%49|i)(%6E|%4E|n)(%73|%53|s)(%65|%45|e)(%72|%52|r)(%74|%54|t)|(%44|%64|d)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%74|%54|t)(%65|%45|e)|(%44|%64|d)(%72|%52|r)(%4F|%6F|o)(%70|%50|p)|(%55|%75|u)(%70|%50|p)(%44|%64|d)(%41|%61|a)(%74|%54|t)(%65|%45|e)|(%41|%61|a)(%6C|%4C|l)(%74|%54|t)(%65|%45|e)(%72|%52|r)|(%41|%61|a)(%44|%64|d)(%44|%64|d)|(%4A|%6A|j)(%4F|%6F|o)(%69|%49|i)(%6E|%4E|n)|(%63|%43|c)(%72|%52|r)(%65|%45|e)(%41|%61|a)(%74|%54|t)(%65|%45|e)).*((%74|%54|t)(%41|%61|a)(%42|%62|b)(%6C|%4C|l)(%65|%45|e)|(%46|%66|f)(%72|%52|r)(%4F|%6F|o)(%4D|%6D|m)|(%69|%49|i)(%6E|%4E|n)(%74|%54|t)(%4F|%6F|o)|(%73|%53|s)(%65|%45|e)(%74|%54|t)|(%63|%43|c)(%4F|%6F|o)(%6C|%4C|l)(%55|%75|u)(%4D|%6D|m)(%6E|%4E|n)|(%69|%49|i)(%6E|%4E|n)(%44|%64|d)(%58|%78|e)(%72|%52|x)|(%56|%76|v)(%69|%49|i)(%58|%78|e)(%57|%77|w)|(%55|%75|u)(%6E|%4E|n)(%69|%49|i)(%4F|%6F|o)(%6E|%4E|n)|(%44|%64|d)(%41|%61|a)(%74|%54|t)(%41|%61|a)(%42|%62|b)(%41|%61|a)(%73|%53|s)(%65|%45|e)).*((%57|%77|w)(%48|%68|h)(%65|%45|e)(%72|%52|r)(%65|%45|e)|(%4F|%6F|o)(%6E|%4E|n)|(%41|%61|a)(%6C|%4C|l)(%6C|%4C|l)|(.*)).*"){
    return 403;

4 Responses
Add your response

I'm not really a master in Nginx configuration but I know usage of if is heavily discouraged except where no other solution is available (perhaps this is the case but I already told you I'm no Nginx master :) )

over 1 year ago ·

@glarrain yes you are correct, nginx is poor at using if's but like it says it's in perspective too,

"There are cases where you simply cannot avoid using an if, for example if you need to test a variable which has no equivalent directive. "
with the example :
if ($request_method = POST ) {
return 405;

over 1 year ago ·

It's great to know you had that considered already. Thanks

over 1 year ago ·

@glarrain yes, but the important part is that it is tested and has not shown any issues as of yet. For me, those doc titles are miss-leading and remnants of the old fear of iframes where you would hear "all iframes are evil" which is simple not the case. But like the iframe, nginx if's are pathways to trouble so use wisely. Cheers

over 1 year ago ·