Need Help Converting htaccess to Nginx

#1

Hi,

How can I convert below rule from htaccess to nginx?

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond $1 !^(css|js|images|inc|lang)
RewriteRule ^anasayfa$  index.php [L]
RewriteRule ^girisyap$  giris.php [L]
RewriteRule ^kayitol$  kayit.php [L]
RewriteRule ^cikis$  cikis.php [L]
RewriteRule ^bankalar$  bankalar.php [L]
RewriteRule ^instagram-ucretsiz-takipci$  ucretsiz-takipci.php [L]

RewriteRule ^hizmetler/(.*)/(.*)$ hizmet.php?h=$1&hizmet=$2 [QSA]
RewriteRule ^paketler/(.*)/(.*)$ paket.php?p=$1&paket=$2 [QSA]
RewriteRule ^satinal/(.*)/(.*)$ buy.php?p=$1&paket=$2 [QSA]

Thank you!

#2

These rules are fairly simple to convert,

Just follow this general rule:

location /example {
return https://example.com/example.php;
}

You can carry the arguments using $args.

Let me know if there is something specific that you can’t get on.

#3

Thank you, finally I fixed it :)

However I’m under attack now: https://community.cloudflare.com/t/im-under-attack-now-need-help-immidiately/77001

Although Vultr DDoS protection is activated, Vultr, UFW or Cloudflare don’t help.

#4

I’d need some details regarding what kind of attack it is?

I may be able to help in mitigation.

#5

Thank you brother.

Here are some logs:

     57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36"
    124.120.122.30 - - [19/Apr/2019:14:44:28 +0300] "GET /=?fqkkc HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    2409:4052:2089:eee1::2567:58a1 - - [19/Apr/2019:14:44:28 +0300] "GET /?hbjkw HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; SM-J701F Build/M1AJQ) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.8.0.1120 Mobile Safari/537.36"
    125.27.109.35 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=qgxnx HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1"
    124.120.122.30 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=bguqo HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    14.207.32.171 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ferqq HTTP/1.1" 200 950 "-" "Mozilla/5.0 (Linux; Android 8.1.0; SM-J730GM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.99.59.35 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ljicl HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    2001:44c8:4381:c25b:1:2:b77c:248a - - [19/Apr/2019:14:44:27 +0300] "GET /=?plcrj HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-J700F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36"
    2001:44c8:42c4:ec1:8b9:1d3f:4470:6f41 - - [19/Apr/2019:14:44:27 +0300] "GET /=?rcizw HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1"
    27.55.83.160 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=elkiy HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 8.1.0; CPH1823) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36"
    171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=dsjoc HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.97.76.54 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=nbszp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux; Android 7.1.1; CPH1723) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    171.99.59.35 - - [19/Apr/2019:14:44:27 +0300] "GET /=?xnkmd HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/73.0.3683.68 Mobile/15E148 Safari/605.1"
    1.46.226.202 - - [19/Apr/2019:14:44:27 +0300] "GET /=?psxul HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-J600G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36"
    49.229.217.224 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=ovmdh HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
    115.84.117.62 - - [19/Apr/2019:14:44:27 +0300] "GET /=?myoac HTTP/1.1" 404 191 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Mobile Safari/537.36"
    125.27.109.35 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=ysrcb HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/71.1.241847734 Mobile/15E148 Safari/605.1" 

They have got thousands of IPs. Also, they’re changing their own IP address too much.

  • Authenticated Origin Pulls is enabled.
  • I blocked all requests except those from Cloudflare in both my system firewall (UFW) and Vultr’s own firewall.
  • The orange cloud is activated on Cloudflare for all of my DNS records.
  • My origin IP is completely hidden. Someone can’t find the origin IP in the DNS history at all.
  • Also Vultr DDoS protection for my origin IP ($10/mo) is fully activated.

I can’t understand how they can attack after those.

#6

Their locations are China, India, Bangladesh, Thailand, etc.

#7

Maybe they managed to get the system IP before you enabled all of those security measures. Can you confirm if they’re accessing something specific or if they are just regular requests?

I’d really suggest to re-check your firewalls.

#8

Yes bro, I checked the firewall rules in both UFW and Vultr’s own firewall.

The same IPs as Cloudflare’s are allowed: cloudflare.com/ips

Maybe they are attacking on Cloudflare.

#9

Tried contacting cloudflare?

#10

    (http.request.uri.query contains "s=" and not cf.client.bot) or (http.request.uri.query contains "=?")

Fixed via Cloudflare rule. They are blocked now :)
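
Added example (not part of the original posts): a Python check that evaluates both clauses of the rule above against access-log lines in the format posted in #5, so the rule's coverage can be measured before relying on it. It assumes `http.request.uri.query` is the text after the `?` delimiter, as Cloudflare documents the field; the sample lines are constructed, and `parse`, `classify`, `summarize` and the labels are hypothetical names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the access-log format posted in #5.
# IPs are documentation ranges; the "pages=2" request is a made-up legitimate hit.
SAMPLE_LOG = '''\
203.0.113.10 - - [19/Apr/2019:14:44:28 +0300] "GET /=?fqkkc HTTP/1.1" 404 134 "-" "Mozilla/5.0 (iPhone)"
2001:db8::1 - - [19/Apr/2019:14:44:28 +0300] "GET /?hbjkw HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Linux)"
198.51.100.7 - - [19/Apr/2019:14:44:28 +0300] "GET /?s=qgxnx HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone)"
198.51.100.7 - - [19/Apr/2019:14:44:27 +0300] "GET /?s=bguqo HTTP/1.1" 502 166 "-" "Mozilla/5.0 (iPhone)"
192.0.2.44 - - [19/Apr/2019:14:44:27 +0300] "GET /bankalar?pages=2 HTTP/1.1" 200 950 "-" "Mozilla/5.0 (Linux)"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Split one combined-format log line into client IP, URI, path, query, status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, uri, status = m.groups()
    parts = urlsplit(uri)
    return {"ip": ip, "uri": uri, "path": parts.path,
            "query": parts.query, "status": int(status)}

def classify(req, known_bot=False):
    """Say which clause of the rule a request satisfies.
    known_bot stands in for cf.client.bot, which cannot be derived from the log."""
    query = req["query"]
    if "s=" in query and not known_bot:
        return "query_s"        # clause 1; substring match, so "pages=2" hits too
    if "=?" in query:
        return "query_eq_q"     # clause 2 as written: "=?" inside the query string
    if "=?" in req["uri"]:
        return "uri_only"       # "=?" straddles path "/=" and the "?" delimiter
    return "unmatched"

def summarize(log_text):
    """Return {label: (request count, distinct client IPs)} for a log excerpt."""
    hits, ips = Counter(), {}
    for line in log_text.splitlines():
        req = parse(line)
        if req is None:
            continue
        label = classify(req)
        hits[label] += 1
        ips.setdefault(label, set()).add(req["ip"])
    return {label: (count, len(ips[label])) for label, count in hits.items()}

if __name__ == "__main__":
    for label, (count, distinct) in summarize(SAMPLE_LOG).items():
        print(f"{label:12} requests={count} distinct_ips={distinct}")
```

On this sample, the `/=?xxxxx` and `/?xxxxx` requests satisfy neither clause when the match is made against the query string alone, and the `pages=2` request is caught by the `s=` substring match.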

#11

220M requests within 24 hours. Cloudflare blocks those attacks. And every IP is unique and they are attacking from everywhere in the world. Is it a Layer 7 attack?

#12

Definitely, and I hope you’ve changed Cloudflare to “I’m under attack”.

In the meanwhile please send me a screenshot of your DNS tab for review.

#13

But still, I think this is a temporary solution…

as instead of using a query string… they can send requests to some random URLs…

#14

You can try threat score also:

(cf.threat_score gt 10)

#15

@itsbhanusharma There are only two DNS records: A and CNAME records. All of these are orange for hiding the origin IP.

@iamHappy The attack has been continuing for 2 days. 300 million requests within 24 hours. Cloudflare is excellent. I will add the threat score rule too. Thanks!

#16

Hiding the origin IP is definitely not helping you, so you’ve got to be smarter than that.

If possible, spin up a 2nd server, migrate your website to that, and change your DNS to move to the new server.

That way, if they had somehow acquired the original IP, they would fail to get this one.

I also strongly suggest enabling full DNSSEC and setting the minimum TLS level to 1.2 before proceeding to ensure that they aren’t using any escalation type attack.

#17

Should I always set the TLS level to 1.2? Or set it to 1.2 only while I’m under attack?

TLS 1.0 and 1.1 won’t work soon: https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/

Thank you.

#18

I am managing at least 50 websites of my own and my clients’; all of them are on TLS 1.2 or higher…

My mailserver is strict to TLS 1.3 and that is very helpful in escaping traditional DDoS attacks, since most of these try to degrade the TLS connection to use a vulnerability in older versions to execute other types of attacks, which can be anything from privilege escalation to MITM attacks.

#19

Do you think MITM attacks can happen if we choose Flexible SSL in Cloudflare…?

#20

There’s a strong chance of that happening if your IP address has been leaked.
