
nginx 403 forbidden , google 了 3 天还没搞定,请教同学们

  •   kmdd33 · 2018-09-05 11:13:17 +08:00 · 2037 次点击

    环境:centos7+openresty+csf 防火墙+php7

    issue: http 和 https 均能显示正常,但是,大约 5 秒钟内刷新任何一个网页超过 5 次后,就会出现 403 forbidden,大约 10 秒钟后,刷新该页面,该网页重新可以访问。

    贴出自己的 error.log 和 nginx.conf:

    2018/09/05 02:46:56 [notice] 22581#22581: 3260 "^(.)" matches "/robots.txt", client: 162.158.107.13, server: 19.162.19.38, request: "GET /robots.txt HTTP/1.1", host: "www.mydomain.com"

    2018/09/05 02:46:56 [notice] 22581#22581: *3260 rewritten redirect: "https://www.mydomain.com/robots.txt", client: 162.158.107.13, server: 19.162.19.38, request: "GET /robots.txt HTTP/1.1", host: "www.mydomain.com"

    2018/09/05 02:46:57 [notice] 22581#22581: 3262 "^(.)" matches "/", client: 108.162.245.124, server: 19.162.19.38, request: "GET /?/category-22__is_recommend-1 HTTP/1.1", host: "www.mydomains.com"

    2018/09/05 02:46:57 [notice] 22581#22581: *3262 rewritten redirect: "https://www.mydomain.com/?/category-22__is_recommend-1", client: 108.162.245.124, server: 39.12.21.38, request: "GET /?/category-22__is_recommend-1 HTTP/1.1", host: "www.mydomain.com"

    2018/09/05 02:50:03 [error] 22581#22581: *3265 open() "/usr/local/openresty/nginx/html/crond/run/1535740897" width="1" height="1" />" failed (2: No such file or directory), client: 119.162.19.388, server: www.mydomain.com, request: "GET /crond/run/1535740897%22%20width%3D%221%22%20height%3D%221%22%20/%3E HTTP/1.1", host: "mydomain.com"

    2018/09/05 02:51:28 [error] 22581#22581: *3272 open() "/usr/local/openresty/nginx/html/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 173.245.48.63, server: www.mydomain.com, request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "www.mydomain.com"

    2018/09/05 02:51:29 [error] 22581#22581: *3273 open() "/usr/local/openresty/nginx/html/apple-touch-icon.png" failed (2: No such file or directory), client: 162.158.58.159, server: www.mydomain.com, request: "GET /apple-touch-icon.png HTTP/1.1", host: "www.mydomain.com"

    2018/09/05 02:53:11 [error] 22581#22581: *3295 open() "/usr/local/openresty/nginx/html/favicon.ico" failed (2: No such file or directory), client: 172.69.33.113, server: www.mydomain.com, request: "GET /favicon.ico HTTP/1.1", host: "www.mydomain.com", referrer: "https://www.mydomain.com/?/"

    nginx.conf 文件:

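    # Main-context settings for the OpenResty/nginx master and worker processes.

    # Workers run as an unprivileged account instead of root, so a bug in
    # request handling (nginx itself or the Lua WAF code loaded in the http
    # block) does not execute with root privileges. The master process still
    # starts as root to bind ports 80/443 and read the TLS key.
    # NOTE(review): if the WAF writes its own log files, that directory must be
    # writable by this account - verify before switching.
    user nobody;

    worker_processes 1;

    #error_log logs/error.log;

    # debug level is enabled for troubleshooting the 403 responses. It is very
    # verbose, can record request details, and only produces debug output on
    # builds configured with --with-debug; drop back to the default level once
    # the problem is found.
    error_log logs/error.log debug;

    #error_log logs/error.log info;

    pid logs/nginx.pid;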

    # Connection-processing settings.
    events {
        # upper bound on simultaneous connections per worker process
        worker_connections 1024;
    }

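    # HTTP context: shared defaults, the Lua WAF hooks, a plain-HTTP listener
    # that only redirects to HTTPS, and the HTTPS virtual host serving PHP.
    http {
        include       mime.types;
        default_type  application/octet-stream;

        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';

        #access_log  logs/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        client_max_body_size 8m;       # largest request body a client may send
        client_body_buffer_size 2m;    # buffer used for reading the client request body

        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;

        gzip  on;

        # WAF: Lua code loaded at startup (init.lua) and run in the access phase
        # of every request in every server below (access.lua).
        # NOTE(review): the client addresses in the error.log excerpt posted with
        # this config fall in address ranges Cloudflare publishes for its edge.
        # If the site sits behind that proxy, any per-IP counter in access.lua
        # counts the proxy address, not the visitor: a handful of visitors can
        # trip the limit for everyone, and loosening the limit loosens it for
        # everyone. Restoring the real client address before the WAF runs
        # (ngx_http_realip_module: set_real_ip_from restricted to the proxy's
        # published ranges, plus real_ip_header) keeps the limit per visitor -
        # confirm the module is compiled into this build.
        lua_shared_dict limit 50m;
        lua_shared_dict guard_dict 100m;
        lua_shared_dict dict_captcha 70m;
        lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
        init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
        access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

        # Plain-HTTP listener. It is the only port-80 server, so it answers for
        # every Host header, and its sole job is to send the request to HTTPS.
        server {
            listen       80;
            listen       [::]:80 ipv6only=on default_server;
            server_name  39.2.19.38;

            # Redirect to the one name the certificate covers rather than to
            # $host: $host is taken from the client-supplied Host header and
            # would be reflected into the Location header unchanged.
            return 301 https://www.mydomain.com$request_uri;

            # The "location /", "location = /50x.html" and "location ~ \.php$"
            # blocks that followed the server-level redirect were never reached
            # (every request is redirected first), so they are omitted here.
        }


        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen       8000;
        #    listen       somename:8080;
        #    server_name  somename  alias  another.alias;

        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}


        # HTTPS server
        #
        server {
            listen       443 ssl http2;
            server_name  www.mydomain.com;

            charset  utf-8;
            default_type  text/plain;

            # "ssl on;" is omitted: the ssl parameter on the listen directive
            # already enables TLS, and the standalone directive is deprecated.
            ssl_certificate       1_www.mydomain.com_bundle.crt;
            ssl_certificate_key   2_www.mydomain.com.key;

            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;

            # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 only. Add
            # TLSv1.3 once the OpenSSL this build links against supports it.
            ssl_protocols TLSv1.2;

            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers  on;

            location / {
                root   html;
                index  index.html index.htm index.php;
            }

            # phpMyAdmin scripts, served from /usr/share/phpMyAdmin. The script
            # path is captured directly by the anchored location regex, so no
            # "if" block is needed and only URIs that start with /phpmyadmin/
            # are mapped into that directory.
            # NOTE(review): this exposes a database administration UI on the
            # public virtual host; restrict it (allow/deny by source address or
            # auth_basic) unless that exposure is intended.
            location ~ ^/phpmyadmin/(?<pma_script>.+\.php)$ {
                include fastcgi_params;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /usr/share/phpMyAdmin/$pma_script;
            }

            location ~ \.php$ {
                # Hand the request to PHP only when the script file exists under
                # the document root; otherwise a URI such as
                # /some/file.jpg/x.php could make PHP run a non-PHP file when
                # cgi.fix_pathinfo is enabled.
                try_files $uri =404;

                # address of the FastCGI (PHP-FPM) backend
                fastcgi_pass   127.0.0.1:9000;
                # default index file (already set by "index" above; can be removed)
                fastcgi_index  index.php;
                # filesystem path of the requested script
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                # standard FastCGI parameters
                include        fastcgi_params;
            }
        }
    }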

    kmdd33
        1
    kmdd33  
    OP
       2018-09-05 11:56:01 +08:00
    @kmdd33 是不是 csf 和 waf 防火墙配置有误?
    kmdd33
        2
    kmdd33  
    OP
       2018-09-05 20:28:19 +08:00
    由于自己安装了 waf+csf 防火墙,需要更改 config.lua 这个文件,
    找到位置:/usr/local/openresty/nginx/conf/waf/config.lua
    里面的 config_cc_rate = "1200/60" 是正确的配置方法(格式为"次数/时间窗口"),也可以设置成 20/1,意思是单个 ip 在一个时间窗口内访问某一个页面最多允许 20 次(原来这里自己设置的是 2/1 ),
    然后:systemctl restart openresty

    自己解决掉了,贴出方法。