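# Site-specific ModSecurity rules: GeoIP lookup, monitoring/admin exclusions,
# IP allow-list, path denials, encoded-payload heuristics and per-IP throttling.
#
# NOTE(review): the IP:* variables below only persist if the IP collection has
# been initialised earlier in phase 1. No initcol is visible in this file;
# confirm one exists elsewhere, e.g. (placeholder id):
#   SecAction "id:<unique-id>,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
# NOTE(review): if the server sits behind a proxy or CDN, REMOTE_ADDR is the
# proxy address and the per-IP counters and bans apply to it. Verify.

# GeoIP lookup for the client address (needs SecGeoLookupDb to be configured).
# NOTE(review): "log" writes an entry for every request whose lookup succeeds.
SecRule REMOTE_ADDR "@geoLookup" "id:10001,phase:1,pass,log"

# ---------------------------------------------------------------------------
# Engine exclusions. ctl:ruleEngine=Off stops ALL later rule processing for
# the transaction, including the ban rules 1005/2003 and every phase-2 check.
# REQUEST_URI is the raw request URI, so a bare prefix match can succeed on a
# URI that the web server normalises to a different location. The path is
# therefore decoded and normalised before matching.
# These exclusions apply to any client address; access control for the status
# endpoints has to be enforced in the nginx location blocks themselves.
# ---------------------------------------------------------------------------

# nginx-module-vts (matches location /nginx-vts-status etc. in shellstack_vts.conf)
SecRule REQUEST_URI "@beginsWith /nginx-vts-status" \
    "id:10006,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /vts_status" \
    "id:10002,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"

# nginx stub_status (matches the default URIs in shellstack_status.conf)
SecRule REQUEST_URI "@beginsWith /nginx_stub_status" \
    "id:10007,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /nginx_status" \
    "id:10008,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /stub_status" \
    "id:10009,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"

# PHP-FPM status: PHP 5.6-8.1 (BaoTa directory keys 56; 70-75; 80-81).
# The shellstack tag is the exporter's ${ver//./_} (e.g. 81, 8_1).
SecRule REQUEST_URI "@rx ^/shellstack-fpm-status-(56|5_6|70|71|72|73|74|75|80|81|8_0|8_1)(/|$|\?)" \
    "id:10018,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@rx ^/phpfpm_(56|70|71|72|73|74|75|80|81)_status" \
    "id:10019,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"

# EmpireCMS backend (allow-listing of self-chosen admin paths).
# NOTE(review): these rules remove every WAF check from the CMS backend for any
# client that knows the path. Consider ctl:ruleRemoveById for the specific rules
# that cause false positives, or chaining the exclusion to trusted source
# addresses. The paths are not secrets once this file is readable by others.
SecRule REQUEST_URI "@beginsWith /eadmin/ADfr_jiUL5/" \
    "id:10011,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /e/ADfr_jiUL5/" \
    "id:10012,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /e/e_DliR28KktG1dpud/" \
    "id:10003,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /e/jiayou/" \
    "id:10014,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /eadmin/fengye-123/" \
    "id:10015,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /e/fengye/" \
    "id:10016,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@beginsWith /eadmin/fengye/" \
    "id:10017,phase:1,nolog,pass,t:none,t:urlDecodeUni,t:normalizePath,ctl:ruleEngine=Off"

# Allow-listed client addresses skip the remaining rules (bans included).
SecRule REMOTE_ADDR "@ipMatchFromFile /www/server/whitelist.txt" \
    "id:999,phase:1,allow,msg:'Allow access from whitelist IP'"

# Path denials. Rule 11000 matches on the decoded, normalised path so that
# duplicate slashes or encoded characters do not evade it.
SecRule REQUEST_URI "@rx ^/e/member/" \
    "id:11000,phase:1,deny,status:403,t:none,t:urlDecodeUni,t:normalizePath,msg:'Access to /e/member/ is denied'"
# NOTE(review): the pattern requires a literal double slash, so a request for
# /e/ShopSys/ is NOT denied by this rule. Left unchanged because the message
# also uses "//"; confirm whether ^/e/ShopSys/ was intended.
SecRule REQUEST_URI "@rx ^//e/ShopSys/" \
    "id:11001,phase:1,deny,status:403,msg:'Access to //e/ShopSys/ is denied'"

# Encoded-payload heuristics: deny any argument that consists solely of a long
# Base64-looking or hex-looking string. Expect false positives on legitimate
# tokens, hashes and signatures of 64 characters or more.
SecRule ARGS "@rx ^([A-Za-z0-9+/]{64,}=*)$" \
    "phase:2,deny,id:10004,log,msg:'参数值疑似Base64编码且长度超过64'"
SecRule ARGS "@rx ^[A-Fa-f0-9]{64,}$" \
    "phase:2,deny,id:10005,log,msg:'参数值疑似十六进制编码且长度超过64'"

# ---------------------------------------------------------------------------
# .html request throttling
# ---------------------------------------------------------------------------

# Threshold consumed by rule 1003 (it was previously set here but never read).
SecAction "id:1001,phase:1,nolog,pass,setvar:tx.html_rate_limit=2"

# Count .html requests per client. expirevar is re-armed on every hit, so the
# counter lapses after 2 seconds without a matching request.
SecRule REQUEST_URI "@endsWith .html" \
    "id:1002,phase:2,t:none,pass,nolog,setvar:ip.html_request_counter=+1,expirevar:ip.html_request_counter=2"

# Third strike within an hour: start a 5-minute ban. Placed before rule 1003
# because a deny ends rule processing; in the old order 1003 always fired first
# during a sustained burst and the ban was only reached after the burst slowed.
# The ban uses its own flag (ip.html_block): the shared ip.block_time counter
# made rule 2003 fire for .html bans and report the wrong duration.
SecRule IP:html_exceed_counter "@ge 3" \
    "id:1004,phase:2,log,deny,status:403,msg:'IP temporarily banned for excessive requests to .html files',setvar:ip.html_block=1,expirevar:ip.html_block=300,setvar:ip.html_exceed_counter=0"

# Over the per-client threshold: answer 429 and record a strike.
SecRule IP:html_request_counter "@gt %{tx.html_rate_limit}" \
    "id:1003,phase:2,log,deny,status:429,msg:'Too many requests for .html files from this IP',setvar:ip.html_exceed_counter=+1,expirevar:ip.html_exceed_counter=3600"

# Enforce an active .html ban early, in phase 1.
SecRule IP:html_block "@eq 1" \
    "id:1005,phase:1,log,deny,status:403,msg:'IP is banned for 5 minutes'"

# ---------------------------------------------------------------------------
# Error-response throttling
# ---------------------------------------------------------------------------

# Count error responses per client over a 3-minute idle window.
# "@in" is not an operator listed in the ModSecurity reference manual, so the
# status list is matched with an anchored @rx instead.
SecRule RESPONSE_STATUS "@rx ^(?:400|403|404|405|429|503)$" \
    "id:2001,phase:3,pass,nolog,setvar:ip.error_request_counter=+1,expirevar:ip.error_request_counter=180"

# More than 15 error responses: start a 1-hour ban (separate flag, see 1004).
SecRule IP:error_request_counter "@gt 15" \
    "id:2002,phase:3,log,deny,status:403,msg:'Too many error requests in 3 minutes , IP temporarily banned',setvar:ip.error_block=1,expirevar:ip.error_block=3600,setvar:ip.error_request_counter=0"

# Enforce an active error ban early, in phase 1.
SecRule IP:error_block "@eq 1" \
    "id:2003,phase:1,log,deny,status:403,msg:'IP is banned for 1 hour due to excessive error requests'"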