{"id":6545,"date":"2026-01-12T17:54:24","date_gmt":"2026-01-12T09:54:24","guid":{"rendered":"https:\/\/dingxuan.info\/wp\/?p=6545"},"modified":"2026-01-13T12:10:36","modified_gmt":"2026-01-13T04:10:36","slug":"%e5%90%af%e7%94%a8imperva-cdn%e6%83%85%e5%86%b5%e4%b8%8b%ef%bc%8c%e4%bd%bf%e7%94%a8fail2ban%e5%b1%8f%e8%94%bd%e6%81%b6%e6%84%8f%e8%ae%bf%e9%97%ae","status":"publish","type":"post","link":"https:\/\/dingxuan.info\/wp\/?p=6545","title":{"rendered":"\u542f\u7528Imperva CDN\u60c5\u51b5\u4e0b\uff0c\u4f7f\u7528Fail2Ban\u5c4f\u853d\u6076\u610f\u8bbf\u95ee"},"content":{"rendered":"<p>\u9488\u5bf9 <strong>Debian<\/strong> \u7cfb\u7edf\uff0c\u4ee5\u53ca <strong>Imperva CDN \u73af\u5883<\/strong>\uff0c\u4f7f\u7528<strong>\u201cFail2Ban + Nginx Deny\u201d<\/strong> \u7684\u65b9\u6848\u3002<\/p>\n<h3 class=\"wp-block-heading\">\u83b7\u53d6\u771f\u5b9eIP<\/h3>\n<p>\u4f7f\u7528Imperva\u65f6\uff0cnginx\u65e5\u5fd7\u4e2d\u53ea\u6709CDN\u7684IP\u5730\u5740\uff0c\u6240\u4ee5\u9996\u5148\u8981\u83b7\u53d6\u771f\u5b9eIP\u3002\n\u914d\u7f6e\u6587\u4ef6\u5728\/etc\/nginx\/conf.d\u4e2d\u52a0\u5165\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\n<!--more-->\n<pre><code># Imperva (Incapsula) IP Ranges\nset_real_ip_from 199.83.128.0\/21;\nset_real_ip_from 198.143.32.0\/19;\nset_real_ip_from 149.126.72.0\/21;\nset_real_ip_from 103.28.248.0\/22;\nset_real_ip_from 45.64.64.0\/22;\nset_real_ip_from 185.11.124.0\/22;\nset_real_ip_from 192.230.64.0\/18;\nset_real_ip_from 107.154.0.0\/16;\nset_real_ip_from 45.60.0.0\/16;\nset_real_ip_from 45.223.0.0\/16;\nset_real_ip_from 2a02:26f0::\/32;\n\n# \u544a\u8bc9 Nginx \u771f\u5b9e IP \u85cf\u5728\u54ea\u4e2a Header \u91cc\n# Imperva \u5b98\u65b9\u63a8\u8350 Incap-Client-IP\uff0c\u4f46\u4e5f\u652f\u6301\u6807\u51c6 X-Forwarded-For\n# \u6211\u4eec\u5148\u5c1d\u8bd5\u6807\u51c6\u65b9\u5f0f\uff0c\u5e76\u5f00\u542f\u9012\u5f52\u641c\u7d22\n\n#real_ip_header X-Forwarded-For;\nreal_ip_header Incap-Client-IP;\nreal_ip_recursive on;\n<\/code><\/pre>\n<p>\u5b98\u65b9\u5efa\u8bae\u4f7f\u7528real_ip_header Incap-Client-IP; \u800c\u4e0d\u662fX-Forwared-For\u3002\u56e0\u4e3a\u540e\u8005\u53ef\u80fd\u88ab\u4f2a\u9020\u3002<\/p>\n<h3 class=\"wp-block-heading\">\u7b2c\u4e00\u6b65\uff1a\u5b89\u88c5 Fail2Ban<\/h3>\n<pre><code class=\"language-bash\">sudo apt update\nsudo apt install fail2ban -y\nsudo systemctl status fail2ban\n<\/code><\/pre>\n<hr \/>\n<h3 class=\"wp-block-heading\">\u7b2c\u4e8c\u6b65\uff1a\u914d\u7f6e Nginx \u9ed1\u540d\u5355\u6587\u4ef6<\/h3>\n<p>\u521b\u5efa\u4e00\u4e2a\u6587\u4ef6\u4e13\u95e8\u5b58\u653e\u88ab\u5c01\u7981\u7684 IP\uff0c\u5e76\u8ba9 Nginx \u8bfb\u53d6\u5b83\u3002<\/p>\n<ol>\n<li>\n<p><strong>\u521b\u5efa\u9ed1\u540d\u5355\u6587\u4ef6<\/strong>\uff1a<\/p>\n<pre><code class=\"language-bash\">\nsudo touch \/etc\/nginx\/conf.d\/ip_blacklist.conf\n# \u8bbe\u7f6e\u6743\u9650\uff0c\u786e\u4fdd Nginx \u53ef\u8bfb\nsudo chmod 644 \/etc\/nginx\/conf.d\/ip_blacklist.conf\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>\u4fee\u6539 Nginx \u4e3b\u914d\u7f6e\u5f15\u5165\u8be5\u6587\u4ef6<\/strong>\uff1a\n\u7f16\u8f91 <code>\/etc\/nginx\/nginx.conf<\/code>\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo nano \/etc\/nginx\/nginx.conf\n<\/code><\/pre>\n<p>\u5728 <code>http { ... }<\/code> \u4ee3\u7801\u5757\u5185\u90e8\uff0c\u6dfb\u52a0\u4e00\u884c <code>include<\/code> \u6307\u4ee4\uff1a<\/p>\n<pre><code class=\"language-nginx\">http {\n    # ... \u5176\u4ed6\u539f\u6709\u914d\u7f6e ...\n\n    # \u5f15\u5165 Fail2Ban \u81ea\u52a8\u751f\u6210\u7684\u9ed1\u540d\u5355\n    include \/etc\/nginx\/conf.d\/ip_blacklist.conf;\n\n    # ...\n}\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>\u6d4b\u8bd5\u5e76\u91cd\u8f7d Nginx<\/strong>\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo nginx -t\n# \u5982\u679c\u663e\u793a successful\uff0c\u5219\u91cd\u8f7d\nsudo systemctl reload nginx\n<\/code><\/pre>\n<\/li>\n<\/ol>\n<hr \/>\n<h3 class=\"wp-block-heading\">\u7b2c\u4e09\u6b65\uff1a\u914d\u7f6e Fail2Ban \u7684\u201c\u52a8\u4f5c\u201d (Action)<\/h3>\n<p>\u544a\u8bc9 Fail2Ban\uff1a<strong>\u201c\u5c01\u7981 IP \u65f6\uff0c\u4e0d\u8981\u53bb\u52a8\u9632\u706b\u5899\uff0c\u800c\u662f\u628a <code>deny IP;<\/code> \u5199\u5165\u521a\u624d\u90a3\u4e2a\u6587\u4ef6\u91cc\u3002\u201d<\/strong><\/p>\n<ol>\n<li>\n<p>\u521b\u5efa\u81ea\u5b9a\u4e49\u52a8\u4f5c\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo nano \/etc\/fail2ban\/action.d\/nginx-deny.conf\n<\/code><\/pre>\n<\/li>\n<li>\n<p>\u7c98\u8d34\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n<\/li>\n<\/ol>\n<pre><code class=\"language-ini\">   [Definition]\n   # \u5c01\u7981\u65f6\uff1a\u8ffd\u52a0 deny \u89c4\u5219\u5230\u6587\u4ef6\uff0c\u5e76\u91cd\u8f7d Nginx\n   actionban = printf &quot;deny &lt;ip&gt;;\\n&quot; &gt;&gt; \/etc\/nginx\/conf.d\/ip_blacklist.conf &amp;&amp; systemctl reload nginx\n\n   # \u89e3\u5c01\u65f6\uff1a\u4f7f\u7528 sed \u5220\u9664\u5bf9\u5e94\u884c\uff0c\u5e76\u91cd\u8f7d Nginx\n   actionunban = sed -i &quot;\/deny &lt;ip&gt;;\/d&quot; \/etc\/nginx\/conf.d\/ip_blacklist.conf &amp;&amp; systemctl reload nginx\n<\/code><\/pre>\n<p><em>\u6309 <code>Ctrl+O<\/code> \u4fdd\u5b58\uff0c<code>Ctrl+X<\/code> \u9000\u51fa\u3002<\/em><\/p>\n<hr \/>\n<h3 class=\"wp-block-heading\">\u7b2c\u56db\u6b65\uff1a\u914d\u7f6e Fail2Ban \u7684\u201c\u8fc7\u6ee4\u89c4\u5219\u201d (Filter)<\/h3>\n<p>\u9700\u8981\u544a\u8bc9 Fail2Ban \u5982\u4f55\u4ece\u65e5\u5fd7\u91cc\u8bc6\u522b\u90a3\u4e9b\u626b\u63cf WordPress \u540e\u95e8\u7684\u653b\u51fb\u3002<\/p>\n<ol>\n<li>\n<p>\u521b\u5efa\u8fc7\u6ee4\u89c4\u5219\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo nano \/etc\/fail2ban\/filter.d\/nginx-php-scan.conf\n<\/code><\/pre>\n<\/li>\n<li>\n<p>\u7c98\u8d34\u4ee5\u4e0b\u5185\u5bb9\uff08<strong>\u53ef\u80fd\u9700\u8981\u4fee\u6539\uff0c\u5339\u914d\u4f60\u7684\u65e5\u5fd7\u683c\u5f0f<\/strong>\uff09\uff1a<\/p>\n<\/li>\n<\/ol>\n<pre><code class=\"language-ini\">   [Definition]\n   # \u5339\u914d &quot;Primary script unknown&quot; \u9519\u8bef\uff0cNginx \u4f1a\u81ea\u52a8\u628a &lt;HOST&gt; \u66ff\u6362\u4e3a\u771f\u5b9e IP\nfailregex = ^\\s*\\[error\\] \\d+#\\d+: \\*\\d+ FastCGI sent in stderr: &quot;Primary script unknown&quot; while reading response header from upstream, client: \n&lt;host&gt;\n            ^\\s*\\[error\\] \\d+#\\d+: \\*\\d+ access forbidden by rule, client: &lt;\/host&gt;\n&lt;host&gt;\n\n   ignoreregex =\n&lt;\/host&gt;<\/code><\/pre>\n<p><strong>\u6d4b\u8bd5\u89c4\u5219<\/strong><\/p>\n<p>\u5728\u91cd\u542f\u670d\u52a1\u524d\uff0c\u5148\u9a8c\u8bc1\u4e00\u4e0b\u65b0\u89c4\u5219\u662f\u5426\u80fd\u8bc6\u522b\u4f60\u7684\u65e5\u5fd7\u6587\u4ef6\u3002\n\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff08\u5047\u8bbe\u4f60\u7684\u65e5\u5fd7\u8def\u5f84\u662f\u00a0<code>\/var\/log\/nginx\/error.log<\/code>\uff09\uff1a<\/p>\n<p><code>sudo fail2ban-regex \/var\/log\/nginx\/error.log \/etc\/fail2ban\/filter.d\/nginx-php-scan.conf<\/code><\/p>\n<p><strong>\u9884\u671f\u7684\u8f93\u51fa\u7ed3\u679c\uff1a<\/strong><br \/>\n\u4f60\u5e94\u8be5\u80fd\u770b\u5230\u7c7b\u4f3c\u8fd9\u6837\u7684\u7edf\u8ba1\uff1a<\/p>\n<pre><code>Lines: 198 lines, 0 ignored, 20 matched, 178 missed \n[processed] \n|-  matched \n|  \/var\/log\/nginx\/error.log: \n|     78.142.18.40  (Mon Jan 13 06:08:19 2026) \n|     78.142.18.40  (Mon Jan 13 06:08:20 2026) \n|     ...<\/code><\/pre>\n<p>\u5982\u679c\u80fd\u770b\u5230\u00a0<code>matched<\/code>\u00a0\u6570\u91cf\u589e\u52a0\uff0c\u4e14\u8bc6\u522b\u51fa\u4e86\u00a0<code>78.142.18.40<\/code>\uff0c\u8bf4\u660e\u914d\u7f6e\u6b63\u786e\u3002<\/p>\n<hr \/>\n<h3 class=\"wp-block-heading\">\u7b2c\u4e94\u6b65\uff1a\u542f\u7528\u76d1\u63a7 (Jail)<\/h3>\n<p>\u6700\u540e\uff0c\u5c06\u89c4\u5219\u548c\u52a8\u4f5c\u7ec4\u5408\u8d77\u6765\uff0c\u542f\u7528\u76d1\u63a7\u3002<\/p>\n<ol>\n<li>\n<p>\u521b\u5efa\/\u7f16\u8f91\u672c\u5730\u914d\u7f6e\u6587\u4ef6\uff08<strong>\u6c38\u8fdc\u4e0d\u8981\u76f4\u63a5\u4fee\u6539 jail.conf<\/strong>\uff09\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo nano \/etc\/fail2ban\/jail.local\n<\/code><\/pre>\n<\/li>\n<li>\n<p>\u5728\u6587\u4ef6\u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n<\/li>\n<\/ol>\n<pre><code class=\"language-ini\">   [DEFAULT]\n   # \u5ffd\u7565\u4f60\u81ea\u5df1\u7684 IP\uff08\u5982\u679c\u6709\u56fa\u5b9a IP\uff0c\u5efa\u8bae\u586b\u5165\uff0c\u9632\u6b62\u8bef\u5c01\u81ea\u5df1\uff09\n   ignoreip = 127.0.0.1\/8 ::1\n\n   [nginx-php-scan]\n   enabled = true\n   # \u4f7f\u7528\u6211\u4eec\u521a\u624d\u5b9a\u4e49\u7684 filter\n   filter = nginx-php-scan\n   # \u6307\u5b9a Nginx \u9519\u8bef\u65e5\u5fd7\u8def\u5f84\uff08\u8bf7\u786e\u8ba4\u4f60\u7684\u8def\u5f84\u662f\u5426\u6b63\u786e\uff09\n   logpath = \/var\/log\/nginx\/error.log\n   # \u4f7f\u7528\u6211\u4eec\u521a\u624d\u5b9a\u4e49\u7684 action (nginx-deny)\n   banaction = nginx-deny\n   # 600\u79d2(10\u5206\u949f)\u5185\u5931\u8d25 3 \u6b21\u5373\u5c01\u7981\n   maxretry = 3\n   findtime = 600\n   # \u5c01\u7981\u65f6\u95f4\uff1a86400\u79d2 (1\u5929)\n   bantime = 86400\n<\/code><\/pre>\n<hr \/>\n<h3 class=\"wp-block-heading\">\u7b2c\u516d\u6b65\uff1a\u91cd\u542f\u5e76\u9a8c\u8bc1<\/h3>\n<ol>\n<li>\n<p><strong>\u91cd\u542f Fail2Ban<\/strong>\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo systemctl restart fail2ban\n<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>\u9a8c\u8bc1\u72b6\u6001<\/strong>\uff1a\n\u67e5\u770b jail \u662f\u5426\u542f\u52a8\u6210\u529f\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo fail2ban-client status nginx-php-scan\n<\/code><\/pre>\n<p><em>\u4e0b\u9762\u5e94\u8be5\u770b\u5230 <code>Currently failed<\/code> \u548c <code>Currently banned<\/code> \u7684\u7edf\u8ba1\u6570\u636e\u3002<\/em><\/p>\n<\/li>\n<li>\n<p><strong>\u5982\u4f55\u624b\u52a8\u6d4b\u8bd5\uff1f<\/strong>\n\u53ef\u4ee5\u624b\u52a8\u5f80\u65e5\u5fd7\u91cc\u5199\u5165\u4e00\u6761\u6a21\u62df\u653b\u51fb\u8bb0\u5f55\uff08\u5c0f\u5fc3\u4e0d\u8981\u586b\u81ea\u5df1\u7684 IP\uff0c\u586b\u4e00\u4e2a\u5047 IP\uff0c\u6bd4\u5982 <code>1.2.3.4<\/code>\uff09\uff1a<\/p>\n<pre><code class=\"language-bash\"># \u6a21\u62df\u5199\u5165\u65e5\u5fd7\nsudo sh -c 'echo &quot;2026\/01\/12 16:13:04 [error] 123#123: *1 FastCGI sent in stderr: \\&quot;Primary script unknown\\&quot; while reading response header from upstream, client: 1.2.3.4, server: test&quot; &gt;&gt; \/var\/log\/nginx\/error.log'\n<\/code><\/pre>\n<p>\u91cd\u590d\u6267\u884c\u8be5\u547d\u4ee4 3 \u6b21\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u68c0\u67e5\u662f\u5426\u751f\u6548<\/strong>\uff1a<\/p>\n<ul>\n<li>\u68c0\u67e5 Fail2Ban \u72b6\u6001\uff1a<pre><code class=\"language-bash\">sudo fail2ban-client status nginx-php-scan\n<\/code><\/pre>\n\u5e94\u8be5\u770b\u5230 <code>Banned IP list: 1.2.3.4<\/code>\u3002<\/li>\n<li>\u68c0\u67e5 Nginx \u9ed1\u540d\u5355\u6587\u4ef6\uff1a<pre><code class=\"language-bash\">cat \/etc\/nginx\/conf.d\/ip_blacklist.conf\n<\/code><\/pre>\n\u5e94\u8be5\u80fd\u770b\u5230 <code>deny 1.2.3.4;<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>\u624b\u52a8\u89e3\u5c01\uff08\u6d4b\u8bd5\u7528\uff09<\/strong>\uff1a<\/p>\n<pre><code class=\"language-bash\">sudo fail2ban-client set nginx-php-scan unbanip 1.2.3.4\n<\/code><\/pre>\n<\/li>\n<\/ol>\n<h3 class=\"wp-block-heading\">\u5173\u952e\u63d0\u793a<\/h3>\n<p>\u4f7f\u7528Imperva\u6216\u5176\u4ed6\u7684CDN\u670d\u52a1\uff0c<strong>\u4e00\u5b9a\u786e\u8ba4 Nginx \u7684 <code>set_real_ip_from<\/code> \u548c <code>real_ip_header<\/code> \u914d\u7f6e\u5df2\u7ecf\u751f\u6548<\/strong>\u3002\u5982\u679c Nginx \u65e5\u5fd7\u91cc\u8bb0\u5f55\u7684\u8fd8\u662f CDN \u7684 IP\uff0cFail2Ban \u5c31\u4f1a\u8bef\u5c01 CDN \u8282\u70b9\uff0c\u5bfc\u81f4\u6240\u6709\u7528\u6237\u65e0\u6cd5\u8bbf\u95ee\uff01<\/p>","protected":false},"excerpt":{"rendered":"<p>\u9488\u5bf9 Debian \u7cfb\u7edf\uff0c\u4ee5\u53ca Imperva CDN \u73af\u5883\uff0c\u4f7f\u7528\u201cFail2Ban + Nginx Deny &hellip; <a href=\"https:\/\/dingxuan.info\/wp\/?p=6545\" class=\"more-link\">\u7ee7\u7eed\u9605\u8bfb<span class=\"screen-reader-text\">\u542f\u7528Imperva CDN\u60c5\u51b5\u4e0b\uff0c\u4f7f\u7528Fail2Ban\u5c4f\u853d\u6076\u610f\u8bbf\u95ee<\/span><\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[117],"tags":[],"class_list":["post-6545","post","type-post","status-publish","format-standard","hentry","category-network"],"_links":{"self":[{"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6545"}],"version-history":[{"count":4,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6545\/revisions"}],"predecessor-version":[{"id":6549,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=\/wp\/v2\/posts\/6545\/revisions\/6549"}],"wp:attachment":[{"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dingxuan.info\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}