Shulou(Shulou.com)06/01 Report--

It is believed that many inexperienced people are at a loss about how to achieve tamper-proof web cache in nginx. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Brief introduction

Use website tamper-proof to set caching for specified sensitive pages. Even if the content of the page on the origin server is maliciously tampered with after caching, WAF will return the pre-cached page content to the visitor to ensure that the user sees the correct page.

Enable the web page tamper-proof, sensitive information anti-disclosure switch to use this feature.

Enter the exact path to be protected to protect the text, html, images and other contents under the path.

Cache the user-configured url page to openresty. Get the page from the nginx cache each time the user request is processed.

The configured url page sets the cache configuration in nginx.conf--- > http--- > server--- > local,local, which varies from 10 to 30 days according to your business characteristics.

If the protected page is updated, manually trigger the update cache to the latest page.

That is, the page corresponding to the set url is always synchronized with the page corresponding to the real server in the cache, even if the page of the real server is tampered with.

The page requested by the user comes from the openresty cache.

After a large number of tests, it is found that the priority of the factors that play a role in cache expiration and cleanup is from high to low:

Inactive configuration items, Expires of source server settings, Max-Age and proxy_cache_valid configuration items of source server settings

Implementation of web page caching

Configure cached cache within http {}

Proxy_buffering on

Proxy_buffer_size 16k

# set the Web cache name to cache_one, the memory cache size to 500m, and automatically clear the cached data without being accessed for more than one day; for the accessed cached data, the hard disk cache space is 30g

Proxy_cache_path / home/waf/openresty/proxy_cache_path levels=1:2 keys_zone=cache_one:500m inactive=365d max_size=30g

When the cache page set by the user is modified, manually operate on the console, clear the cache and re-cache the latest resources from the origin server.

Location ~ / purge (/. *) {

Allow 127.0.0.1

Allow 10.10.10.10

Deny all

Proxy_cache_purge cache_one $host$1 $is_args$args

}

Location *\. (jpg | jpeg | png) ${

# use Web cache cache_one, which has been named in the cache configuration of nginx.conf.

Proxy_cache cache_one

# set the key value of Web cache. Nginx stores the cache according to Key value md5 hash. Here, according to "domain name, URI"

# parameters "combined into Key

Proxy_cache_key $host$uri$is_args$args

Proxy_cache_valid 200 304 365d

Proxy_cache_revalidate on

Proxy_cache_lock on

Proxy_ignore_headers Set-Cookie Cache-Control

Proxy_set_header Range $http_range

Proxy_set_header If-Range $http_if_range

Proxy_no_cache $http_range $http_if_range; # range requests are not cached

Add_header X-Cache $upstream_cache_status

Proxy_pass http://rp_10_11_12_10_80cert_cn;

Session_sticky_hide_cookie upstream=rp_10_12_52_89_80cert_placuna_cn

}

Location / test/index.php {

# use Web cache cache_one, which has been named in the cache configuration of nginx.conf.

Proxy_cache cache_one

# set the key value of Web cache. Nginx stores the cache according to Key value md5 hash. Here, according to "domain name, URI"

# parameters "combined into Key

Proxy_cache_key $host$uri$is_args$args

Proxy_cache_valid 200 304 365d

Proxy_cache_revalidate on

Proxy_cache_lock on

Proxy_ignore_headers Set-Cookie Cache-Control

Proxy_set_header Range $http_range

Proxy_set_header If-Range $http_if_range

Proxy_no_cache $http_range $http_if_range; # range requests are not cached

Add_header X-Cache $upstream_cache_status

Proxy_pass http://rp_10_11_12_10_80cert_cn;

Session_sticky_hide_cookie upstream= http://rp_10_11_12_10_80cert_cn;

After reading the above, have you mastered how to realize the tamper-proof method of web cache in nginx? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.