NGINX 拒绝 Flask 应用的除 websocket 之外的所有内容

tag-icon tag-icon nginx websocket flask socket.io
NGINX 拒绝 Flask 应用的除 websocket 之外的所有内容

我有一个在 nginx 下运行 Flask 应用程序的 Ubuntu 服务器,这是我的配置:

upstream flaskapp {
  server 127.0.0.1:5000 fail_timeout=0;
}

server {
  listen 80;
  server_name _;
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
} 

server {
  listen 443;

  ssl on;
  ssl_certificate      /etc/letsencrypt/live/server/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/server/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_prefer_server_ciphers on;
  
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
}

可能有很多冗余代码,因为我从多个来源编译了它,但它按预期工作。
我还观察到来自各种类型的僵尸网络的大量传入请求检查我的路由,如下所示:

43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:20] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1" 404 356 0.000558
(1805) accepted ('127.0.0.1', 34590)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:22] "GET /sqladmin/index.php HTTP/1.1" 404 356 0.000541
(1805) accepted ('127.0.0.1', 34592)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:22] "GET /sql/index.php HTTP/1.1" 404 356 0.000506
(1805) accepted ('127.0.0.1', 34594)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /SQL/index.php HTTP/1.1" 404 356 0.000543
(1805) accepted ('127.0.0.1', 34596)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /websql/index.php HTTP/1.1" 404 356 0.000570
(1805) accepted ('127.0.0.1', 34598)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /MySQLAdmin/index.php HTTP/1.1" 404 356 0.000566
(1805) accepted ('127.0.0.1', 34600)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:24] "GET /manager/html HTTP/1.1" 404 356 0.000642
(1805) accepted ('127.0.0.1', 34602)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:24] "POST /axis2/axis2-admin/login HTTP/1.1" 404 356 0.000606
(1805) accepted ('127.0.0.1', 34610)
128.14.134.134,127.0.0.1 - - [20/Jul/2020 14:43:12] "GET / HTTP/1.1" 404 356 0.000507

这是我自己的请求,它被正确处理了:

53.129.29.157,127.0.0.1 - - [20/Jul/2020 20:49:33] "GET /socket.io/?client=KbDHcPsvwELKRJCCFKleAA6HLy&EIO=3&transport=polling&t=NDj_I0I HTTP/1.1" 200 437 0.001434
(1805) accepted ('127.0.0.1', 35076)

我想拒绝所有传入的 POST 和 GET 请求,除了/socket.io/带有client/transport参数的请求(当然还要在 22 上通过 SSH 连接到该机器)。
这是我的尝试,但没有成功(可能我需要一些嵌套的位置构造):

location = /socket.io/ {
  limit_except GET {
    deny all;
  }
}

我怎样才能拒绝除带有参数的指定位置的 GET 请求之外的所有请求?

相关内容