在 nginx/1.17.8 下响应 502 Bad Gateway 的排查分析(不再启用 ModSecurity)

1、响应 200 的 Nginx 配置文件内容如下。

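# Virtual host on port 82: static files from the webroot, PHP through a local
# FastCGI listener, ModSecurity enabled on the two prefix locations below.
server {
    listen 82;
    charset utf-8;

    root /mcloud/creditshop_back/app/webroot;
    index  index.php;

    # Front controller: anything that is not an existing file or directory is
    # rewritten to /index.php?url=<path> and re-matched (ends up in the
    # "\.php$" location).
    location / {
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec_includes_lite.conf;
        if (!-e $request_filename) {
            rewrite ^/(.+)$ /index.php?url=$1 last;
            break;
        }
    }

    # Static H5 files served from a directory outside the webroot.
    # NOTE(review): the prefix has no trailing slash, so it also matches URIs
    # such as /creditfoo; "location /creditf/" with "alias .../files/" is the
    # tighter form - confirm nothing depends on the current matching.
    location /creditf {
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec_includes_lite.conf;
        alias /webtv/wangjie/creditshop_back/h5jifen/files;
        index index.html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    # NOTE(review): ModSecurity is switched on only inside the two prefix
    # locations above; neither this location nor the server level enables it,
    # so requests handled here (any URI ending in .php) do not appear to be
    # covered. If the PHP application is what the WAF should protect, enable
    # it at server level - confirm against the intended policy.
    # NOTE(review): every URI ending in .php is forwarded without checking
    # that the script exists under the webroot; consider
    # "try_files $uri =404;" here, or confirm cgi.fix_pathinfo is 0 in php.ini.
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /mcloud/creditshop_back/app/webroot$fastcgi_script_name;
        include        fastcgi_params;
    }
    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }

    # /status and /ping are handed to the FastCGI listener with the URI itself
    # as SCRIPT_FILENAME (presumably php-fpm's status and ping pages), and are
    # restricted by source address.
    location ~ ^/(status|ping)$ {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        access_log off;
        allow 127.0.0.1;
        allow 10.42.0.0/16;
        # The original listed 10.244.0.0/8, 192.168.0.0/8 and 172.17.0.0/8.
        # nginx drops the low address bits of such entries (it logs a warning
        # at config load), so they actually admitted all of 10.0.0.0/8,
        # 192.0.0.0/8 and 172.0.0.0/8 - the last two include public address
        # space. Narrowed to /16 to match the 10.42.0.0/16 entry above;
        # confirm against the real pod/node CIDRs.
        allow 10.244.0.0/16;
        allow 192.168.0.0/16;
        allow 172.17.0.0/16;
        deny all;
    }
}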

2、查看 Nginx 版本:nginx version: nginx/1.10.3。如图1

图1

nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --add-module=/data/openresty-1.11.2.3/bundle/ngx_devel_kit-0.3.0 --add-module=/data/openresty-1.11.2.3/bundle/iconv-nginx-module-0.14 --add-module=/data/openresty-1.11.2.3/bundle/echo-nginx-module-0.60 --add-module=/data/openresty-1.11.2.3/bundle/xss-nginx-module-0.05 --add-module=/data/openresty-1.11.2.3/bundle/ngx_coolkit-0.2rc3 --add-module=/data/openresty-1.11.2.3/bundle/set-misc-nginx-module-0.31 --add-module=/data/openresty-1.11.2.3/bundle/form-input-nginx-module-0.12 --add-module=/data/openresty-1.11.2.3/bundle/encrypted-session-nginx-module-0.06 --add-module=/data/openresty-1.11.2.3/bundle/srcache-nginx-module-0.31 --add-module=/data/openresty-1.11.2.3/bundle/ngx_lua-0.10.8 --add-module=/data/openresty-1.11.2.3/bundle/ngx_lua_upstream-0.06 --add-module=/data/openresty-1.11.2.3/bundle/headers-more-nginx-module-0.32 --add-module=/data/openresty-1.11.2.3/bundle/array-var-nginx-module-0.05 --add-module=/data/openresty-1.11.2.3/bundle/memc-nginx-module-0.18 --add-module=/data/openresty-1.11.2.3/bundle/redis2-nginx-module-0.14 --add-module=/data/openresty-1.11.2.3/bundle/redis-nginx-module-0.3.7 --add-module=/data/openresty-1.11.2.3/bundle/rds-json-nginx-module-0.14 --add-module=/data/openresty-1.11.2.3/bundle/rds-csv-nginx-module-0.07 --add-module=/data/ModSecurity-nginx-master --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module 
--with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --with-pcre

3、升级至 Nginx 版本:nginx/1.17.8 后,在 nginx/1.17.8 下响应 502 Bad Gateway。如图2。注意:下面 nginx -V 输出中的版本标识为 mcloud web server/v1.1,看起来是构建时自定义了版本字符串,因此输出中不会直接显示 1.17.8。

图2

[root@back-7d88c84cdd-xpc6x /]# nginx -V
nginx version: mcloud web server/v1.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --add-module=/data/openresty-1.13.6.2/bundle/ngx_devel_kit-0.3.0 --add-module=/data/openresty-1.13.6.2/bundle/echo-nginx-module-0.61 --add-module=/data/openresty-1.13.6.2/bundle/xss-nginx-module-0.06 --add-module=/data/openresty-1.13.6.2/bundle/ngx_coolkit-0.2rc3 --add-module=/data/openresty-1.13.6.2/bundle/set-misc-nginx-module-0.32 --add-module=/data/openresty-1.13.6.2/bundle/form-input-nginx-module-0.12 --add-module=/data/openresty-1.13.6.2/bundle/encrypted-session-nginx-module-0.08 --add-module=/data/openresty-1.13.6.2/bundle/srcache-nginx-module-0.31 --add-module=/data/openresty-1.13.6.2/bundle/ngx_lua-0.10.13 --add-module=/data/openresty-1.13.6.2/bundle/ngx_lua_upstream-0.07 --add-module=/data/openresty-1.13.6.2/bundle/array-var-nginx-module-0.05 --add-module=/data/openresty-1.13.6.2/bundle/memc-nginx-module-0.19 --add-module=/data/openresty-1.13.6.2/bundle/redis2-nginx-module-0.15 --add-module=/data/openresty-1.13.6.2/bundle/rds-json-nginx-module-0.15 --add-module=/data/openresty-1.13.6.2/bundle/rds-csv-nginx-module-0.09 --add-module=/data/ModSecurity-nginx-master --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module 
--with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --with-pcre

4、编辑 Nginx 配置文件,注释掉 modsecurity 相关指令(不再启用 ModSecurity)后,响应 200。配置内容如下。如图3。需要注意,这只是规避手段:本文并未定位 502 的根因,且关闭后这两个 location 的请求不再经过 WAF 规则检查。

图3

# Virtual host on port 82 with the ModSecurity directives commented out: the
# workaround this page uses to get a 200 response from the upgraded build.
# NOTE(review): the page does not identify why the upgraded build returned 502
# with those directives enabled. Both nginx -V outputs on this page show the
# connector compiled in from /data/ModSecurity-nginx-master, i.e. an unpinned
# checkout. Before re-enabling, check /var/log/nginx/error.log (the
# --error-log-path in that output) for worker exits or modsecurity errors, and
# rebuild the connector and libmodsecurity against this nginx version.
server {
    listen 82;
    charset utf-8;
    
    root /mcloud/creditshop_back/app/webroot;
    index index.php;

    # Front controller: anything that is not an existing file or directory is
    # rewritten to /index.php?url=<path> and re-matched.
    location / {
        # WAF disabled here as a workaround; requests to this location are no
        # longer inspected by the rules in modsec_includes_lite.conf.
        # modsecurity on;
        # modsecurity_rules_file /etc/nginx/modsec_includes_lite.conf;
        if (!-e $request_filename) {
            rewrite ^/(.+)$ /index.php?url=$1 last;
            break;
        }
    }

    # Static H5 files served from a directory outside the webroot.
    location /creditf {
        # WAF disabled here as well (same workaround as in "location /").
        # modsecurity on;
        # modsecurity_rules_file /etc/nginx/modsec_includes_lite.conf;
        alias /webtv/wangjie/creditshop_back/h5jifen/files;
        index index.html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    # NOTE(review): every URI ending in .php is forwarded without checking that
    # the script exists under the webroot; consider "try_files $uri =404;"
    # here, or confirm cgi.fix_pathinfo is 0 in php.ini.
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /mcloud/creditshop_back/app/webroot$fastcgi_script_name;
        include        fastcgi_params;
    }
    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}
永夜