@jeremy_mizell wrote:
For those using NGINX, I made a best-guess conversion from Apache mod_rewrite to the NGINX DSL. Sorry I didn't preserve all credits in the comments; I was primarily focused on making it work in my config.
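location / {
    # NOTE: $query_string is the raw, un-decoded query string, which is why
    # the rules below list both literal and percent-encoded forms
    # (%27, %3C, %3E, ...) of the characters they look for.

    # block sql injection
    if ($query_string ~* "(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)") {
        return 403;
    }
    # parent-directory traversal in the query string
    if ($query_string ~ "\.\./\.\.") {
        return 403;
    }
    if ($query_string ~* "(localhost|loopback|127\.0\.0\.1)") {
        return 403;
    }
    # NOTE: this rule rejects ANY query string containing a quote, an angle
    # bracket, CR/LF or NUL (literal or encoded), so legitimate values that
    # contain an apostrophe are also refused.
    if ($query_string ~* "(<|>|'|%0A|%0D|%27|%3C|%3E|%00)") {
        return 403;
    }
    # If the request query string contains /proc/self/environ
    if ($query_string ~ "proc/self/environ") {
        return 403;
    }
    # Block out any script trying to base64_encode or base64_decode data within the URL
    if ($query_string ~ "base64_(en|de)code[^(]*\([^)]*\)") {
        return 403;
    }
    # Block out any script that includes a <script> tag in URL
    if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)") {
        return 403;
    }
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    # The "[" must be escaped: left bare it opens a character class, so the
    # pattern no longer matched a literal "GLOBALS[" as the mod_rewrite
    # original (\[) did.
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        return 403;
    }
    # Block out any script trying to modify a _REQUEST variable via URL
    # (same "\[" escaping fix as above).
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        return 403;
    }

    # file injection protection.
    # nginx "if" has no AND, so the two conditions (GET request AND a
    # parameter that looks like a path traversal / remote include) are
    # recorded in flags and combined below.
    set $fileinjectionmethod 0;
    set $fileinjection 0;
    if ($request_method = GET) {
        set $fileinjectionmethod 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $fileinjection 1;
    }
    if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $fileinjection 1;
    }
    set $injection "${fileinjectionmethod}${fileinjection}";
    # "11" == both flags set
    if ($injection = 11) {
        return 403;
    }

    # easter egg protection (PHP "?=PHP<uuid>" logo/credits handlers)
    if ($query_string ~* "\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}") {
        return 403;
    }

    ## SQLi first line of defense
    if ($query_string ~* "concat[^\(]*\(") {
        return 403;
    }
    if ($query_string ~* "union([^s]*s)+elect") {
        return 403;
    }
    if ($query_string ~* "union([^a]*a)+ll([^s]*s)+elect") {
        return 403;
    }

    # Only GET and POST are accepted; every other method (including HEAD
    # and OPTIONS) gets 403. One anchored regex replaces the former
    # $allow flag dance, and the comment no longer claims PUT is allowed.
    if ($request_method !~ ^(GET|POST)$ ) {
        return 403;
    }

    # sub-domain prevention: send any other host name to the canonical one.
    # $host is lowercased and has the port stripped, so a Host header such
    # as "Piwik.viasat.com:443" is recognised and does not redirect-loop.
    # $request_uri already begins with "/" and carries the query string, so
    # no separator is inserted (the former "/$1" produced a "//" path).
    if ($host != "piwik.viasat.com") {
        return 302 https://piwik.viasat.com$request_uri;
    }
}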