Current post: Working around the FortiWeb policy count limit

2022-12-21 18:13:50 Source: 51CTO blog



1. Background

Our FortiWeb appliance caps the number of security (server) policies it can hold: at most 256 policies can be created. For our scheme of one policy per second-level domain name that is nowhere near enough (per-model limits are listed in the datasheet: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiWeb.pdf).

The company's business systems are already bound to more than 500 second-level domain names. To keep every one of them behind the WAF, we have to get around the policy count limit.

2. Architecture diagram

Traffic path shown in the diagram: client -> FortiWeb (first-level proxy: TLS termination and the WAF policy) -> second-level nginx reverse proxy, which picks the backend by server_name -> backend business system (for example 192.168.5.101:8090 for the wiki). One FortiWeb policy therefore fronts many domain names, and the nginx tier does the per-domain fan-out that the 256-policy limit would otherwise prevent.

3. Feasibility

3.1 Check the access log of the backend for each business system

Access: https://wiki.XXXX.com.cn

Access: https://dg.XXX.com.cn

4. Security

4.1 Verifying the blocking function

Access: https://dg.XXX.com.cn

SQL injection test string: ?id=2" and 1=2 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1

A useful cross-check: the probe request should appear in the FortiWeb attack log but not in the second-level nginx access log from 6.1, which proves the block happened before the request reached the backend.

4.2 Block result

5. Conclusion

The results above show that the whole request path works end to end through both proxy tiers, and that the business systems are effectively protected by FortiWeb.

6. Reference configuration

6.1 Second-level proxy log configuration

Add the "http_x_forwarded_for" variable to the log format so that the log records the real external client address. After two proxy tiers the default proxy log only records the address of the previous hop (here the WAF appliance), because $remote_addr on the second-level proxy is always the FortiWeb. Two caveats: $http_x_forwarded_for is whatever the WAF forwarded, and a client can send its own X-Forwarded-For header, so only the hop appended by the WAF should be trusted; if the application itself needs the real address, nginx's realip module (set_real_ip_from for the WAF address, real_ip_header X-Forwarded-For, real_ip_recursive on) rewrites $remote_addr only for connections that come from that trusted address. The format below is JSON, so it also needs escape=json; without it a double quote in a User-Agent or Referer breaks the line (and lets a client inject log content).

# escape=json keeps quotes and control characters in request headers from breaking the JSON line
log_format main escape=json '{"@timestamp":"$time_iso8601",'
                            '"host":"$server_addr",'
                            '"clientip":"$remote_addr",'
                            '"size":$body_bytes_sent,'
                            '"responsetime":$request_time,'
                            '"upstreamtime":"$upstream_response_time",'
                            '"upstreamhost":"$upstream_addr",'
                            '"http_host":"$host",'
                            '"uri":"$uri",'
                            '"domain":"$host",'
                            '"xff":"$http_x_forwarded_for",'
                            '"referer":"$http_referer",'
                            '"tcp_xff":"$proxy_protocol_addr",'
                            '"http_user_agent":"$http_user_agent",'
                            '"status":"$status"}';
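The following is an added example, not code from the original post: it reads lines in the shape of the log_format above and recovers the real client address the way the caveat in 6.1 describes, trusting only the hop appended by the WAF. It assumes the second-level nginx only receives connections from the FortiWeb, whose address is taken here to be 192.168.5.10 (not stated on the page); the sample log lines are constructed for the example and use RFC 5737 / RFC 1918 addresses.

```python
"""Added example (not from the original post): pick the real client address out of the
JSON access log written by the log_format in 6.1.

Assumptions (not on the page): the FortiWeb's address is 192.168.5.10 and it is the only
peer allowed to talk to the second-level nginx; the sample lines below are constructed.
"""
import ipaddress
import json
from collections import Counter

# Addresses whose X-Forwarded-For additions are trusted. Only the WAF belongs here.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.5.10/32")]  # assumed FortiWeb address

# Constructed sample lines in the shape of log_format "main" from section 6.1.
# nginx logs an empty variable as "-", which is what xff/tcp_xff show when unset.
SAMPLE_LOG = """\
{"@timestamp":"2022-12-21T18:13:50+08:00","host":"192.168.5.20","clientip":"192.168.5.10","size":512,"responsetime":0.012,"upstreamtime":"0.010","upstreamhost":"192.168.5.101:8090","http_host":"wiki.XXX.com.cn","uri":"/","domain":"wiki.XXX.com.cn","xff":"203.0.113.7","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.85.0","status":"200"}
{"@timestamp":"2022-12-21T18:14:02+08:00","host":"192.168.5.20","clientip":"192.168.5.10","size":2048,"responsetime":0.031,"upstreamtime":"0.029","upstreamhost":"192.168.5.102:8080","http_host":"dg.XXX.com.cn","uri":"/login","domain":"dg.XXX.com.cn","xff":"198.51.100.99, 203.0.113.7","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0","status":"200"}
{"@timestamp":"2022-12-21T18:14:10+08:00","host":"192.168.5.20","clientip":"10.0.0.8","size":120,"responsetime":0.001,"upstreamtime":"0.001","upstreamhost":"192.168.5.101:8090","http_host":"wiki.XXX.com.cn","uri":"/","domain":"wiki.XXX.com.cn","xff":"203.0.113.7","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.85.0","status":"200"}
{"@timestamp":"2022-12-21T18:14:15+08:00","host":"192.168.5.20","clientip":"192.168.5.10","size":120,"responsetime":0.002,"upstreamtime":"0.002","upstreamhost":"192.168.5.101:8090","http_host":"wiki.XXX.com.cn","uri":"/healthz","domain":"wiki.XXX.com.cn","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"probe/1.0","status":"200"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(entry: dict) -> str:
    """Return the real client address for one log entry.

    clientip is $remote_addr, the peer nginx actually talked to. If that peer is not the
    WAF, the request bypassed the WAF and its X-Forwarded-For is attacker-controlled, so
    the header is ignored. Otherwise walk the xff chain from the right (the hop the WAF
    appended) leftward, skipping trusted proxies; the first untrusted address is the
    client. Anything further left was supplied by the client and may be forged.
    """
    remote = ipaddress.ip_address(entry["clientip"])
    if not _trusted(remote):
        return str(remote)
    hops = [h.strip() for h in entry.get("xff", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # "-" or a malformed hop: do not guess, fall back to the peer address
        if not _trusted(addr):
            return str(addr)
    return str(remote)


def requests_per_client(entries: list[dict]) -> Counter:
    """Count requests per real client, which is what the page wants the log to show."""
    return Counter(real_client_ip(e) for e in entries)


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["domain"], e["uri"], "client =", real_client_ip(e), "xff =", e["xff"])
    print(requests_per_client(parse_log(SAMPLE_LOG)))
```

The second sample line shows why the walk runs right to left: the client sent a forged X-Forwarded-For of 198.51.100.99 and the WAF appended the real 203.0.113.7, so the rightmost untrusted hop is the answer. The third line did not arrive via the WAF at all, so its xff is discarded and the peer address is reported.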

6.2 Second-level proxy base configuration

Since TLS is terminated at the first-level proxy (the FortiWeb), the second-level proxy needs no certificate configuration. The WAF-to-nginx hop is therefore plain HTTP on port 80: keep that listener on the internal segment between the two tiers and never expose it directly, otherwise the WAF can be bypassed entirely. (The upstream name and the proxy_pass target must match; the placeholder case is unified below, and the server block's closing brace, missing in the original listing, is restored.)

upstream wiki443.XXX.com.cn {
    server 192.168.5.101:8090;
    keepalive 6000;
}

server {
    listen 80;
    server_name wiki.XXX.com.cn;
    access_log /usr/local/nginx/logs/wiki.access.log main;
    root html;
    index index.html index.htm;

    location / {
        root html;
        index index.html index.htm;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # appends the WAF's address to the chain the WAF already forwarded
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://wiki443.XXX.com.cn;
        proxy_connect_timeout 6000s;
        proxy_send_timeout 6000s;
        proxy_read_timeout 6000s;
        proxy_buffer_size 64k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        # HTTP/1.1 with an empty Connection header is required for upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    error_page 404 /50x.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

標(biāo)簽: 業(yè)務(wù)系統(tǒng) 代理服務(wù)器 服務(wù)器的

上一篇:【天天快播報(bào)】四大排序
下一篇:Argocd/Argocd Rolloouts/Argocd-cli/kubectl argo rollouts插件部署