limit_except VS $request_method !~ ^(GET|HEAD|POST)$

tag-icon tag-icon nginx php-fpm
limit_except VS $request_method !~ ^(GET|HEAD|POST)$

我已经读了很多关于nginx最近在网上找到了 2 种方法。第一种方法似乎适用于服务器上下文级别,第二种方法推荐用于位置上下文级别。

问题。limit_except在服务器上下文级别使用是否合适?

方法 #1($request_method) 嵌入变量

# server context
#
# Disable unwanted HTTP methods
# Most of the time, you need just GET, HEAD & POST HTTP request in your web application.
# Allowing TRACE or DELETE is risky as it can allow Cross-Site Tracking attack and potentially
# allow an attacker to steal the cookie information.
# So we return a 405 Not Allowed if someone is trying to use TRACE, DELETE, PUT, OPTIONS.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {

  return 405;

}

方法 #2limit_except) 方法

# Limits allowed HTTP methods inside a location.
. . .

location /restricted-write {

    # location context

    limit_except GET HEAD {

        # limit_except context

        allow 192.168.1.1/24;
        deny all;
    }
}

答案1

不可以,您不能limit_exceptserver上下文级别使用。location根据ngx_http_core_module 文档

句法: limit_except method ... { ... }

默认:

语境: location

limit_except方法#1是类似功能的解决方法/替代方案,但需要注意的是,您的示例将给出 HTTP 状态 405 响应,而不是响应的403 状态。

答案2

方法 2 可以简化为

limit_except GET {
}

HEAD将允许按照http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except

相关内容