Website security has long been a common topic, because browsers stay on old versions, site members and the site software itself are not updated, and technology moves quickly.
Shopping and banking sites have always faced these problems. The problem is now being amplified, and small and personal sites will run into it as well, so for us as developers, learning the methods in advance and preventing these problems is the only road to website security.
Broadly speaking, website security involves two parts:
1. Problems on the client side: the browser and the software it runs on.
2. The site's own code and the configuration of its hosting environment.
To solve these problems you need a starting point. Most people have no professional web-development skills or knowledge: they only know what they want to do when they switch on the computer, or what they want to get or learn from a site, regardless of whether the machine is infected or vulnerable, and regardless of whether the browser is 360, IE 6/7/8, Chrome, Safari or some reskinned browser nobody can name.
So, setting the client software aside, fixing website security at the root is the top priority. That is the job of technical staff; do not use shallow skills or an outdated program version as an excuse not to do it. When facing these problems, first think in terms of how the software has evolved, both the outdated configuration currently in place and the newest methods that have appeared; think it through, make good use of search engines, and solve the problem for good.
Below are some website defence rules for Windows IIS 8.5.
// Cross-origin (CORS) rules
```xml
<!-- BEGIN Crossdomain -->
<!-- Outbound rule: echo the requesting Origin back in Access-Control-Allow-Origin only when it matches the allowlist.
     Both patterns are anchored with ^ and $ so that a host that merely contains an allowed name is rejected.
     With logicalGrouping="MatchAll" the Origin must satisfy both conditions; if the two lists are meant as
     alternatives, merge them into one pattern. -->
<!--
<rule name="AddCrossDomain">
  <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
    <add input="{HTTP_ORIGIN}" pattern="^http(s)?://((.+\.)?domain1\.com|(.+\.)?domain2\.com|(.+\.)?domain3\.com)$" />
    <add input="{HTTP_ORIGIN}" pattern="^http(s)?://(.+\.)?(domainname1|domainname2|domainname3)\.(?:com|net|org)$" />
  </conditions>
  <action type="Rewrite" value="{C:0}" />
</rule>
-->
<!-- END Crossdomain -->
```
// SSL (HTTPS) redirect rules
```xml
<!-- BEGIN http_to_https_redirect -->
<!-- These rules must be placed before "WP_Super_Cache_HTTP" and "wordpress rule 4", otherwise the HTTP to HTTPS
     redirect never happens, because "/wp-content/cache/supercache/{SERVER_NAME}/{R:1}/index.html" overrides the index page. -->
<!--
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
-->
<!--
<rule name="example.com http to https" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="^(www\.)?example\.com$" />
    <add input="{HTTPS}" pattern="off" />
    <add input="{URL}" pattern="(.*)" />
  </conditions>
  <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
-->
<!-- {C:1} is the scheme of the current request, captured from CACHE_URL. Capturing from SERVER_PROTOCOL
     (whose value is "HTTP/1.1") would produce a redirect target starting with "HTTP/1.1://". -->
<!--
<rule name="Redirect to www subdomain">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" negate="true" />
    <add input="{CACHE_URL}" pattern="^(.+)://" />
  </conditions>
  <action type="Redirect" url="{C:1}://www.{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
-->
<!-- Serve foobar.example.com from the /foobar/ directory. Condition patterns cannot expand {C:n} back-references,
     so the directory name is repeated literally in the PATH_INFO check. -->
<!--
<rule name="Own website for sub domain">
  <match url="(.*)" />
  <conditions trackAllCaptures="true">
    <add input="{HTTP_HOST}" pattern="^(foobar)\.example\.com$" />
    <add input="{PATH_INFO}" pattern="^/foobar/" negate="true" />
    <add input="{HTTP_HOST}" pattern="^www" negate="true" />
  </conditions>
  <action type="Rewrite" url="/{C:1}/{R:1}" />
</rule>
-->
<!-- END http_to_https_redirect -->
```
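The cross-origin allowlist rule and the HTTP-to-HTTPS / www redirect rules above are all expressed as URL Rewrite conditions with back-references, and the only way to be sure they fire as intended is to run sample requests through them. The following Python script is an added example, not part of the original post or of IIS: it is a deliberately simplified model of how URL Rewrite evaluates a rule (match regex, conditions with negate and MatchAll/MatchAny, and {R:n}/{C:n} substitution, with {C:n} taken from the last matching condition), and it runs the page's rules over constructed server-variable sets. The hosts, paths and origins are constructed samples; `PLAIN_REQUEST`, `SECURE_REQUEST`, `cors_header` and `unanchored_pattern_matches` are names chosen here. It also shows why the origin pattern must be anchored: the page's original, unanchored first pattern accepts any origin that merely contains an allowed domain.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Condition:
    input: str            # IIS-style template such as "{HTTP_HOST}"
    pattern: str          # regular expression applied to the expanded input
    negate: bool = False  # negate="true" in web.config


@dataclass
class Rule:
    name: str
    match: str                   # <match url="..."> regex, applied to the URL path
    conditions: list
    action: str                  # action url/value template with {R:n} and {C:n}
    logical: str = "MatchAll"    # logicalGrouping: MatchAll or MatchAny


_TOKEN = re.compile(r"\{([A-Za-z0-9_:]+)\}")


def expand(template: str, variables: dict, r=None, c=None) -> str:
    """Substitute {VAR}, {R:n} and {C:n} tokens the way a rewrite action does."""
    def sub(m):
        key = m.group(1)
        if key.startswith("R:"):
            return (r.group(int(key[2:])) or "") if r else ""
        if key.startswith("C:"):
            return (c.group(int(key[2:])) or "") if c else ""
        return variables.get(key, "")
    return _TOKEN.sub(sub, template)


def evaluate(rule: Rule, variables: dict) -> Optional[str]:
    """Return the expanded action if the rule fires for these server variables, else None."""
    r = re.search(rule.match, variables.get("URL", ""), re.IGNORECASE)
    if r is None:
        return None
    outcomes, last_capture = [], None
    for cond in rule.conditions:
        m = re.search(cond.pattern, expand(cond.input, variables), re.IGNORECASE)
        outcomes.append((m is not None) != cond.negate)
        if m is not None and not cond.negate:
            last_capture = m   # simplified model: {C:n} refers to the last matching condition
    fired = all(outcomes) if rule.logical == "MatchAll" else any(outcomes)
    return expand(rule.action, variables, r, last_capture) if fired else None


# The page's rules, transcribed into the model above.
HTTP_TO_HTTPS = Rule("HTTP to HTTPS redirect", "(.*)",
                     [Condition("{HTTPS}", "^OFF$")],
                     "https://{HTTP_HOST}/{R:1}")

WWW_REDIRECT = Rule("Redirect to www subdomain", ".*",
                    [Condition("{HTTP_HOST}", r"^(www\.)(.*)$", negate=True),
                     Condition("{CACHE_URL}", r"^(.+)://")],   # {C:1} = scheme of the request
                    "{C:1}://www.{HTTP_HOST}/{R:0}")

# Anchored allowlist: the Origin must be exactly an allowed host (or a subdomain of one).
ORIGIN_ALLOWLIST = Rule("AddCrossDomain", ".*",
                        [Condition("{HTTP_ORIGIN}",
                                   r"^http(s)?://((.+\.)?domain1\.com|(.+\.)?domain2\.com|(.+\.)?domain3\.com)$")],
                        "{C:0}")
# The page's original first pattern, without ^ and $, for comparison.
UNANCHORED_PATTERN = r"(http(s)?://((.+\.)?domain1\.com|(.+\.)?domain2\.com|(.+\.)?domain3\.com))"


def cors_header(origin: str) -> Optional[str]:
    """Value the AddCrossDomain rule would write into Access-Control-Allow-Origin, or None."""
    return evaluate(ORIGIN_ALLOWLIST, {"HTTP_ORIGIN": origin})


def unanchored_pattern_matches(origin: str) -> bool:
    """True when the unanchored pattern would accept this Origin."""
    return re.search(UNANCHORED_PATTERN, origin, re.IGNORECASE) is not None


# Constructed sample requests (server variables as URL Rewrite would see them).
PLAIN_REQUEST = {"URL": "wp-login.php", "HTTPS": "off", "HTTP_HOST": "example.com",
                 "CACHE_URL": "http://example.com/wp-login.php"}
SECURE_REQUEST = {"URL": "index.html", "HTTPS": "on", "HTTP_HOST": "www.example.com",
                  "CACHE_URL": "https://www.example.com/index.html"}

if __name__ == "__main__":
    for rule in (HTTP_TO_HTTPS, WWW_REDIRECT):
        print(rule.name, "->", evaluate(rule, PLAIN_REQUEST), "|", evaluate(rule, SECURE_REQUEST))
    for origin in ("https://api.domain1.com", "https://domain1.com.example.net"):
        print(origin, "allowlisted:", cors_header(origin),
              "| unanchored pattern accepts:", unanchored_pattern_matches(origin))
```

The model is intentionally minimal (it ignores rule ordering, stopProcessing and IIS's exact back-reference tracking), but it is enough to catch the two mistakes the rules are prone to: a scheme capture that yields "HTTP/1.1" instead of "http", and an Origin allowlist that a lookalike host slips through.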
// Reverse-proxy mirror rules
```xml
<!--
step1: Tick the "Enable proxy" checkbox in the Application Request Routing feature view in IIS Manager.
step2: Add the following rule to the web site that will proxy HTTP requests: url="http://internalserver.com/{R:1}"
step3: If you use this proxy, delete everything between "BEGIN wordpress" ... "END wordpress",
       because the two sets of rules overlap and rewrite the same requests.
-->
<!-- BEGIN proxy -->
<!--
<rule name="proxy">
  <match url="^(.*)" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="^webkv\.com$" />
  </conditions>
  <action type="Rewrite" url="https://example.com/{R:1}" />
</rule>
-->
<!-- END proxy -->
```
// Rules to remove the server/OS version header and add HSTS (requires HTTPS)
```xml
<rewrite>
  <outboundRules>
    <!-- Remove the Server response header (hides the IIS product and version banner) -->
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
    <!-- BEGIN hsts_iis -->
    <!-- Add Strict-Transport-Security on HTTPS responses only; browsers ignore HSTS received over plain HTTP -->
    <!--
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
    -->
    <!-- END hsts_iis -->
  </outboundRules>
</rewrite>
```
// 404 page configuration
```xml
<!-- BEGIN httpErrors -->
<httpErrors errorMode="DetailedLocalOnly">
  <remove statusCode="404" subStatusCode="-1" />
  <error statusCode="404" prefixLanguageFilePath="" path="HttpErrors\404.shtm" responseMode="File" />
</httpErrors>
<!-- END httpErrors -->
```
// Site compression, response-header removal, and filtering against mirroring and cross-origin injection
```xml
<!-- urlCompression can cause problems under certain circumstances -->
<urlCompression doStaticCompression="true" doDynamicCompression="true" dynamicCompressionBeforeCache="true" />
<!-- Remove and add some response headers -->
<!-- BEGIN httpProtocol_Frame_Allow -->
<httpProtocol>
  <customHeaders>
    <!-- Remove response headers -->
    <remove name="X-Powered-By" />
    <remove name="Vary" />
    <remove name="ETag" />
    <!-- Prevent pages from being framed by other origins (clickjacking); this does not stop reverse-proxy mirroring -->
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <!-- Cross-origin access: which origins, methods and request headers are allowed.
         A static * lets every origin read responses; the AddCrossDomain outbound rule replaces it only for
         allowlisted origins, so * remains the answer for everyone else. Remove it unless the content is public. -->
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <!-- May help against some types of drive-by downloads (stops MIME sniffing) -->
    <add name="X-Content-Type-Options" value="nosniff" />
    <!-- May help against some types of cross-site scripting attacks in older browsers -->
    <add name="X-XSS-Protection" value="1; mode=block" />
    <!-- Content security policy -->
    <!-- <add name="Content-Security-Policy" value="default-src 'self' webkv.com;" /> -->
    <!-- Ask IE for its newest rendering engine; chrome=1 refers to the discontinued Google Chrome Frame -->
    <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
    <!-- Set a Cache-Control header with max-age=691200 (8 days) -->
    <add name="Cache-Control" value="max-age=691200" />
    <add name="Referrer-Policy" value="origin-when-cross-origin" />
    <!-- Set value="vibrate * or 'self' or 'none'; -->
    <!-- <add name="Feature-Policy" value="vibrate 'self';usermedia *;sync-xhr 'self' wordpress.org;" /> -->
    <!-- A same-origin default policy applies to every load: JS files, images, CSS and Ajax requests.
         It blocks every external domain, so enable it only once you know which external URLs must be allowed. -->
    <!-- <add name="Content-Security-Policy" value="default-src 'self';style-src *;script-src *;usermedia *;" /> -->
  </customHeaders>
</httpProtocol>
<!-- END httpProtocol_Frame_Allow -->
```
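After deploying the outbound rules (Server header removal, HSTS) and the customHeaders block above, the sensible next step is to check a real response against the intended policy rather than trusting the config file. The Python audit below is an added example, not code from the original post: `audit_headers` takes a response header set and returns a list of findings, covering the software-disclosing headers the configuration strips, the X-Frame-Options and X-Content-Type-Options values it adds, the one-year HSTS max-age the hsts_iis rule writes, and the wildcard Access-Control-Allow-Origin that the static header leaves in place for non-allowlisted origins. Both header sets are constructed samples, and the function and constant names are chosen here.

```python
from typing import Dict, List, Optional

# Headers that reveal server software and should be absent after the outbound rule and <remove> entries.
LEAKY_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
# Headers the configuration adds, with the values that count as acceptable (compared case-insensitively).
REQUIRED_HEADERS = {
    "X-Frame-Options": ("sameorigin", "deny"),
    "X-Content-Type-Options": ("nosniff",),
}
MIN_HSTS_MAX_AGE = 31536000   # one year, the value the hsts_iis rule writes


def hsts_max_age(value: str) -> Optional[int]:
    """Parse the max-age directive out of a Strict-Transport-Security header value."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def audit_headers(headers: Dict[str, str], https: bool) -> List[str]:
    """Return findings for one captured response; an empty list means the policy holds."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name in LEAKY_HEADERS:
        if h.get(name.lower(), "").strip():
            findings.append(f"{name} header discloses software: {h[name.lower()]}")
    for name, accepted in REQUIRED_HEADERS.items():
        value = h.get(name.lower())
        if value is None:
            findings.append(f"{name} header missing")
        elif value.strip().lower() not in accepted:
            findings.append(f"{name} has unexpected value: {value}")
    if https:   # HSTS only matters (and is only honoured) on HTTPS responses
        hsts = h.get("strict-transport-security")
        age = hsts_max_age(hsts) if hsts else None
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security missing or max-age below one year")
    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is * (any origin may read responses)")
    return findings


# Constructed sample: headers as an unconfigured IIS site might send them.
BEFORE_HARDENING = {
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
}
# Constructed sample: headers after the rules above, with the Origin echoed for an allowlisted site.
AFTER_HARDENING = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
    "Access-Control-Allow-Origin": "https://www.domain1.com",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        findings = audit_headers(sample, https=True)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To run it against a live site, feed the function the header dictionary returned by any HTTP client and pass `https=True` when the request went over TLS; the checks deliberately look only at the response, so the script needs no access to the server.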
// Header compression, caching, static-type handling and expiry configuration
```xml
<system.webServer>
  <!-- We need to set a mimeType for JavaScript here, so configure some other types too.
       Notice minFileSizeForComp: the minimum number of kilobytes a file must contain before on-demand compression is used.
       httpCompression is not delegated to site web.config files by default; unlock the section in
       applicationHost.config (or configure it there), otherwise IIS rejects this block. -->
  <!-- BEGIN httpCompression -->
  <httpCompression minFileSizeForComp="0">
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" staticCompressionLevel="7" />
    <dynamicTypes>
      <clear />
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="image/svg+xml" enabled="true" />
      <add mimeType="application/font-woff" enabled="true" />
      <add mimeType="application/x-font-ttf" enabled="true" />
      <add mimeType="application/octet-stream" enabled="true" />
      <!-- IIS uses the first matching entry, so the wildcard goes last; placed earlier it disables every type below it -->
      <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <staticTypes>
      <clear />
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="application/atom+xml" enabled="true" />
      <add mimeType="application/xaml+xml" enabled="true" />
      <add mimeType="image/svg+xml" enabled="true" />
      <add mimeType="application/font-woff" enabled="true" />
      <add mimeType="application/x-font-ttf" enabled="true" />
      <add mimeType="application/octet-stream" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </staticTypes>
  </httpCompression>
  <!-- END httpCompression -->
  <!-- Browser cache (client cache) and mimeMappings for IIS -->
  <!-- BEGIN Browser cache and mimeMappings -->
  <staticContent>
    <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
    <!-- <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" /> -->
    <remove fileExtension=".htm" />
    <mimeMap fileExtension=".htm" mimeType="text/html;charset=UTF-8" />
    <remove fileExtension=".html" />
    <mimeMap fileExtension=".html" mimeType="text/html;charset=UTF-8" />
    <remove fileExtension=".shtm" />
    <mimeMap fileExtension=".shtm" mimeType="text/html;charset=UTF-8" />
    <remove fileExtension=".shtml" />
    <mimeMap fileExtension=".shtml" mimeType="text/html;charset=UTF-8" />
    <remove fileExtension=".css" />
    <mimeMap fileExtension=".css" mimeType="text/css" />
    <remove fileExtension=".woff" />
    <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
    <remove fileExtension=".js" />
    <mimeMap fileExtension=".js" mimeType="application/x-javascript;charset=UTF-8" />
    <remove fileExtension=".svg" />
    <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
    <!-- BEGIN gzip: remove application/x-gzip, or possibly change it to text/html -->
    <remove fileExtension=".gz" />
    <mimeMap fileExtension=".gz" mimeType="application/x-gzip; charset=UTF-8" />
    <!-- END gzip: remove application/x-gzip, or possibly change it to text/html -->
  </staticContent>
  <!-- Once caching is on, the listed types (htm, html, shtm, shtml, css, woff, js, svg, gz) return 200 the first time
       a page is opened and 304 when it is refreshed with F5. If a refresh does not give 304, the browser did not read
       its local copy, which shows there is no cache or the client browser has disabled it. Some pages regenerate
       temporary merged files, such as the JS and CSS under /wp-content/cache/autoptimize/css/
       (e.g. autoptimize_6c9ad88b45e32ed5bdbe0ef0a7a8a429.css); those stay at 200 because they have just been
       regenerated and are new, different files. -->
  <caching enabled="true" enableKernelCache="true">
    <profiles>
      <!-- In web.config, IIS uses the Output Caching module and the caching directive to control caching.
           For this sample, .html files are cached for a maximum of 30 days; .php files are never cached.
           IIS timeSpan values are written d.hh:mm:ss, as in clientCache above. -->
      <add extension=".php" policy="DisableCache" kernelCachePolicy="DisableCache" />
      <add extension=".htm" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".shtm" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".shtml" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".css" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".woff" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".js" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".svg" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
      <add extension=".gz" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="30.00:00:00" />
    </profiles>
  </caching>
  <!-- END Browser cache and mimeMappings -->
</system.webServer>
```
// Encoding, connection limits, error reporting and location configuration
```xml
<!-- Stop child applications under virtual directories from inheriting this configuration from the root web.config. -->
<!-- BEGIN allowOverride true for wp super cache -->
<location path="." allowOverride="true" inheritInChildApplications="false">
  <!-- Adjust maxconnection in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config as well. -->
  <system.net>
    <connectionManagement>
      <add address="*" maxconnection="24" />
      <!-- Specific IP. -->
      <add address="150.23.135.201" maxconnection="12" />
    </connectionManagement>
  </system.net>
  <system.web>
    <httpRuntime minFreeThreads="176" minLocalRequestFreeThreads="152" />
    <!-- BEGIN customErrors -->
    <customErrors mode="Off" />
    <!-- END customErrors -->
    <!-- BEGIN requestEncoding -->
    <globalization requestEncoding="UTF-8" responseEncoding="UTF-8" fileEncoding="UTF-8" />
    <!-- END requestEncoding -->
  </system.web>
</location>
<!-- END allowOverride true for wp super cache -->
```
This series may be close to its end. I originally wanted to write it more comprehensively, with screenshots and video tutorials, but that takes too much time, setup and hands-on work. This is not the last tutorial, though; there will be more. In fact, over the past few years I have written tutorials and done a good deal of configuration and practical work around environment setup and website security. I have never been the type who talks without doing; I believe hands-on mastery is what is worth learning and researching, and you should get to know this area the way I did, for example by installing Windows Server 2003 a thousand times or 2012 R2 a hundred times, haha. Of course that is just something I did myself, the kind of thing other people would treat as a joke.