我在一些网站上遇到了非常非常奇怪的事情。我重启了许多网站托管的服务器(出于维护原因),重启后,一些网站只有一个?在他们的 URL 末尾。在网站 URL 末尾我得到了index.php?而不是之前仅有的 index.php。
通常 URL 是https://www.example.com/index.php但现在突然https://www.example.com/index.php?
供参考,在重启之前一切都很好。没有任何变化(在 nginx 或管理工具文件生成器上……没有任何变化)
你知道原因吗?你认为管理工具 nginx 文件生成器可能是根本原因吗?
我不明白为什么以及如何发生这种情况,因为在服务器重启之前一切都正常。
我正在使用 debian 9.5、nginx 1.15.5、PHP 7.2.11、MySQL 5.7.24
以下是有关我的 Nginx conf 文件的更多信息。
主文件nginx.conf位于此处:/etc/nginx/
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
load_module modules/ngx_http_modsecurity_module.so;
events {
worker_connections 1024;
}
http {
# Basic Settings
disable_symlinks off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
server_tokens off;
sendfile on;
tcp_nopush on;
#tcp_nodelay on;
server_names_hash_max_size 1024;
server_names_hash_bucket_size 64;
types_hash_max_size 2048;
# (default is 8k or 16k) The directive specifies the client request body buffer size.
# If the request body is more than the buffer, then the entire request body or some part is written in a temporary file.
client_body_buffer_size 16K;
# Directive sets the headerbuffer size for the request header from client. For the overwhelming
# majority of requests a buffer size of 1K is sufficient. Increase this if you have a custom header
# or a large cookie sent from the client (e.g., wap client).
client_header_buffer_size 1k;
# Directive assigns the maximum accepted body size of client request, indicated by the line Content-Length
# in the header of request. If size is greater the given one, then the client gets the error
# "Request Entity Too Large" (413). Increase this when you are getting file uploads via the POST method.
client_max_body_size 32m;
# Directive assigns the maximum number and size of buffers for large headers to read from client request.
# By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K,
# if at the end of working request connection converts to state keep-alive, then these buffers are freed.
# 2x1k will accept 2kB data URI. This will also help combat bad bots and DoS attacks.
large_client_header_buffers 4 8k;
# The first parameter assigns the timeout for keep-alive connections with the client.
# The server will close connections after this time. The optional second parameter assigns
# the time value in the header Keep-Alive: timeout=time of the response. This header can
# convince some browsers to close the connection, so that the server does not have to. Without
# this parameter, nginx does not send a Keep-Alive header (though this is not what makes a connection "keep-alive").
keepalive_timeout 300 300;
# Directive sets the read timeout for the request body from client.
# The timeout is set only if a body is not get in one readstep. If after
# this time the client send nothing, nginx returns error "Request time out"
# (408). The default is 60.
client_body_timeout 600;
# Directive assigns timeout with reading of the title of the request of client.
# The timeout is set only if a header is not get in one readstep. If after this
# time the client send nothing, nginx returns error "Request time out" (408).
client_header_timeout 600;
# Directive assigns response timeout to client. Timeout is established not on entire
## transfer of answer, but only between two operations of reading, if after this time
# client will take nothing, then nginx is shutting down the connection.
send_timeout 600;
# Solve upstream sent too big header while reading response header from upstream
# http://wiki.nginx.org/HttpProxyModule
# This directive set the buffer size, into which will be read the first part of the response, obtained from the proxied server.
# Default: 4k|8k
#proxy_buffer_size 128k;
# This directive sets the number and the size of buffers, into which will be
read the answer, obtained from the proxied server.
# By default, the size of one buffer is equal to the size of page. Depending
on platform this is either 4K or 8K.
#proxy_buffers 4 256k;
#proxy_busy_buffers_size 256k;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
fastcgi_buffers 8 128k;
fastcgi_buffer_size 256k;
fastcgi_read_timeout 600;
fastcgi_ignore_client_abort on;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/xhtml application/json
application/x-javascript text/xml application/xml application/xml+rss
text/javascript application/x-font-ttf application/javascript font/eot
font/opentype image/svg+xml image/x-icon;
#gzip_disable "MSIE [1-6]\.";
gzip_disable "MSIE [1-6].(?!.*SV1)";
include /etc/nginx/conf.d/*.conf;
}
文件00-默认.conf位于此处:/etc/nginx/conf.d/
server {
server_name _;
listen 80 default_server;
listen 443 ssl default_server;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
return 404;
}
文件例子.conf对于位于此处的服务器上托管的每个网站:/etc/nginx/conf.d/
server {
listen 80;
listen [::]:80;
server_name www.example.fr example.fr;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.example.fr example.fr;
root /home/example/www/;
index index.html index.htm index.php;
access_log /var/log/nginx/example.access_log;
error_log /var/log/nginx/example.error_log info;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
include /etc/nginx/conf/security.conf;
location ^~ /administrator {
auth_basic "Authentification Requise";
auth_basic_user_file /home/example/www/administrator/.htpasswd;
}
include /etc/nginx/conf/joomla.conf;
ssl_certificate /etc/letsencrypt/live/example.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.fr/chain.pem;
include /etc/nginx/conf/ssl.conf;
}
文件安全配置文件此处的全局安全设置:/etc/nginx/conf/
### Prevent access to this file
location = /nginx.conf {
log_not_found off;
access_log off;
return 404;
break;
}
######################################################################
## Protect against common file injection attacks
######################################################################
set $file_injection 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $file_injection 1;
}
if ($file_injection = 1) {
return 403;
break;
}
######################################################################
## Disable PHP Easter Eggs
######################################################################
if ($query_string ~ "\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}") {
return 403;
break;
}
######################################################################
## Block access to configuration.php-dist and htaccess.txt
######################################################################
location = /configuration.php-dist {
log_not_found off;
access_log off;
return 404;
break;
}
location = /htaccess.txt {
log_not_found off;
access_log off;
return 404;
break;
}
location = /web.config {
log_not_found off;
access_log off;
return 404;
break;
}
location = /configuration.php {
log_not_found off;
access_log off;
return 404;
break;
}
location = /CONTRIBUTING.md {
log_not_found off;
access_log off;
return 404;
break;
}
location = /joomla.xml {
log_not_found off;
access_log off;
return 404;
break;
}
location = /LICENSE.txt {
log_not_found off;
access_log off;
return 404;
break;
}
location = /phpunit.xml {
log_not_found off;
access_log off;
return 404;
break;
}
location = /README.txt {
log_not_found off;
access_log off;
return 404;
break;
}
location = /web.config.txt {
log_not_found off;
access_log off;
return 404;
break;
}
## Protect against clickjacking
add_header X-Frame-Options SAMEORIGIN;
######################################################################
## Directory indices and no automatic directory listings
## Forces index.php to be read before the index.htm(l) files
## Also disables showing files in a directory automatically
######################################################################
index index.php index.html index.htm;
######################################################################
### Redirect non-www to www
#######################################################################
if ($host = 'alex-alu.fr' ) {
rewrite ^/(.*)$ $scheme://www.example.fr/$1 permanent;
}
######################################################################
## Disable following symlinks
######################################################################
disable_symlinks if_not_owner;
######################################################################
## Automatic compression of static resources
## Compress text, html, javascript, css, xml and other static resources
## May kill access to your site for old versions of Internet Explorer
######################################################################
# The following is the actual automatic compression setup
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied expired no-cache no-store private auth;
gzip_min_length 1000;
gzip_http_version 1.1;
gzip_types text/plain text/css application/xhtml+xml
application/xml+rss application/rss+xml application/x-javascript
application/javascript text/javascript application/json text/xml
application/xml image/svg+xml;
gzip_buffers 16 8k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
## HSTS Header - See
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security max-age=31536000;
## Referrer-policy
add_header Referrer-Policy "unsafe-url";
## Disable HTTP methods TRACE and TRACK (protect against XST)
if ($request_method ~ ^(TRACE|TRACK)$ ) {
return 405;
}
## Reduce MIME type security risks
add_header X-Content-Type-Options "nosniff";
## Reflected XSS prevention
add_header X-XSS-Protection "1; mode=block";
## Prevent content transformation
add_header Cache-Control "no-transform";
# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
connection_pool_size 8192;
client_header_buffer_size 4k;
large_client_header_buffers 8 8k;
request_pool_size 8k;
# -- Performance, see http://wiki.nginx.org/HttpCoreModule
sendfile on;
sendfile_max_chunk 1m;
postpone_output 0;
tcp_nopush on;
tcp_nodelay on;
# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
output_buffers 8 32k;
# -- Filehandle Cache, useful when serving a large number of static files
(Joomla! sites do that)
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
charset utf-8;
source_charset utf-8;
# -- Security options, see http://wiki.nginx.org/HttpCoreModule
server_name_in_redirect off;
server_tokens off;
ignore_invalid_headers on;
# -- Maximum client body size set to 1 Gigabyte
client_max_body_size 1G;
set $common_exploit 0;
if ($query_string ~ "proc/self/environ") {
set $common_exploit 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $common_exploit 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $common_exploit 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $common_exploit 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($common_exploit = 1) {
return 403;
}
## Enable SEF URLs
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~* /index.php$ {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
break;
}
######################################################################
## Advanced server protection rules exceptions
######################################################################
location = /administrator/components/com_akeeba/restore.php {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
break;
}
location = /administrator/components/com_admintools/restore.php {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
break;
}
location = /administrator/components/com_joomlaupdate/restore.php {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
break;
}
location = /robots.txt {
break;
}
location ~* ^/cache/.*\.php$
{
break;
}
location ~* ^/cache/.*$
{
break;
}
location ~* ^/cache\/nextend/.*\.php$
{
break;
}
location ~* ^/cache\/nextend/.*$
{
break;
}
location ~* ^/cache\/t3_assets/.*\.php$
{
break;
}
location ~* ^/cache\/t3_assets/.*$
{
break;
}
location ~* ^/cache\/t3_pages/.*\.php$
{
break;
}
location ~* ^/cache\/t3_pages/.*$
{
break;
}
location ~* ^/images/.*\.php$
{
break;
}
location ~* ^/images/.*$
{
break;
}
location ~* ^/t3\-assets/.*\.php$
{
break;
}
location ~* ^/t3\-assets/.*$
{
break;
}
location ~* ^/t3\-assets\/css/.*\.php$
{
break;
}
location ~* ^/t3\-assets\/css/.*$
{
break;
}
location ~* ^/t3\-assets\/js/.*\.php$
{
break;
}
location ~* ^/t3\-assets\/js/.*$
{
break;
}
######################################################################
## Advanced server protection
######################################################################
# Allow media files in select back-end directories
location ~*
^/administrator/(components|modules|templates|images|plugins)/.*. (jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|htm|ttf|woff|woff2|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|WOFF2|EOT)$ {
break;
}
# Allow access to the back-end index.php file
location = /administrator/index.php {
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
break;
}
location ~* ^/administrator$ {
return 301 /administrator/index.php?$args;
}
location ~* ^/administrator/$ {
return 301 /administrator/index.php?$args;
}
# Disable access to everything else.
location ~* /administrator.*$ {
# If it is a file, directory or symlink and I haven't deliberately
# enabled access to it, forbid any access to it!
if (-e $request_filename) {
return 403;
}
# In any other case, just treat as a SEF URL
try_files $uri $uri/ /administrator/index.php?$args;
}
# Allow media files in select front-end directories
location ~* ^/(components|modules|templates|images|plugins|media|libraries|media/jui/fonts)/.*. (jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|ico|htm|ttf|woff|woff2|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|WOFF2|EOT)$ {
break;
}
## Disallow front-end access for certain Joomla! system directories (unless
access to their files is allowed above)
location ~* ^/includes/js/ {
return 403;
}
location ~* ^/(cache|includes|language|logs|log|tmp)/ {
return 403;
}
# Allow access to /
location ~* ^/$ {
return 301 /index.php?$args;
}
# Disable access to everything else.
location ~* ^/.*$ {
# If it is a file, directory or symlink and I haven't deliberately
# enabled access to it, forbid any access to it!
if (-e $request_filename) {
return 403;
}
# In any other case, just treat as a SEF URL
try_files $uri $uri/ /index.php?$args;
}
谢谢 L。
答案1
这里没有足够的信息来确定原因,但它是无害的。
在 URL 中,?字符 表示资源位置的结束,后面的任何内容都是?应传递给该位置的资源的参数。例如,在 URL 中https://www.google.com/search?q=testing,资源是https://www.google.com/search( 之前的所有内容?),并且它将被赋予一个q以值命名的参数testing(q=testing之后?)。 因此index.php和index.php?是等效的 - 它们都意味着访问index.php并且不给它任何参数。
至于可能的原因,我猜测它可能是重写规则或页面模板附加了一个,?以防以后将参数添加到 URL,这样代码就不需要跟踪它是否已被添加。