<div class="gmail_quote">On 27 May 2011 18:59, pk899 <span dir="ltr"><<a href="mailto:nginx-forum@nginx.us">nginx-forum@nginx.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
thanks. i have reading about nginx a lot on the internet. and it seems<br>
to me that many features of mod_security are available inside nginx.<br>
<br>
i like this post:<br>
<a href="http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/" target="_blank">http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/</a><br>
<br>
my questions.<br>
1. how should i block remote_addr based on IP in a certain external<br>
file?<br></blockquote><div><br></div><div>It's in your link: <span class="Apple-style-span" style="border-collapse: collapse; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 14px; ">include /etc/nginx/block.conf;</span></div>
<div>But it's not really nginx's job to secure your server from attackers. Use iptables or similar for that. </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
2. to block xss or such type of injection attacks -- any best practice<br>
rules?<br></blockquote><div> </div><div>These are application-level problems (HTML, JS, SQL etc.) and are not specific to your server software. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
3. can i block based on "request_uri"? if some hosts are in it<br>
(parameter) then block it.<br></blockquote><div><br></div><div><a href="http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/" target="_blank">http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/</a></div>
<div>Use $request_uri instead of $http_referer</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
4. can i block based on RBL checks? from spamhaus etc.</blockquote><div><br></div><div>Not that I know of, and if you are deploying nginx for speed then this is the last job you want to give it. Block proxies/spammers at the application level where posting actually happens (e.g. in postcommentform.php), not for every HTTP request you receive.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
thanks!</blockquote><div><br></div></div>