项目:https://github.com/Safe3/openresty-manager
文档:https://github.com/Safe3/openresty-manager/blob/main/README_CN.md
基于 OpenResty 的强大 Web 管理界面,提供服务器状态监控、安全防护、免费 SSL 证书、主机管理、应用商店等功能。
安装
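# Download and run the installer from the third-party woniu336/open_shell repository.
# -f makes curl exit non-zero on an HTTP error, so an error page is never saved as om.sh and executed.
# NOTE(review): the script is fetched from a mutable branch (main) and presumably runs with root privileges; read om.sh before executing it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/om.sh && chmod +x om.sh && ./om.sh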
固定版
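# Download and run the fixed-version installer (omm.sh) from the third-party woniu336/open_shell repository.
# -f stops the chain on an HTTP error instead of saving the error page as omm.sh and running it.
# NOTE(review): the URL points at the main branch, so the script content can change between runs; review omm.sh before executing it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/omm.sh && chmod +x omm.sh && ./omm.sh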
访问 https://your-ip:34567 ,用户名: admin ,密码: #Passw0rd (此为默认口令,首次登录后请立即修改;管理端口 34567 建议用防火墙限制来源 IP)
备份脚本
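# Download and run the backup helper (om-b.sh) from the third-party woniu336/open_shell repository.
# -f stops the chain on an HTTP error instead of saving the error page as om-b.sh and running it.
# NOTE(review): review om-b.sh before executing it — it is fetched from a mutable branch and presumably reads the whole /opt/om tree.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/om-b.sh && chmod +x om-b.sh && ./om-b.sh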
启动
# Start the service
/opt/om/oms -s start
# Check the service status
/opt/om/oms -s status
# Stop the service
/opt/om/oms -s stop
# Restart
# NOTE(review): this is the same start command as above; for a running service, run the stop command first — confirm whether oms offers a dedicated restart action.
/opt/om/oms -s start
配置
这部分是DIY,为了满足个性化需求
DNS解析, 在系统设置-OpenResty-DNS解析修改
# Name servers nginx uses for run-time lookups: public resolvers from Cloudflare (1.1.1.1, 1.0.0.1) and Google (8.8.8.8).
# valid=300s caches every answer for 300 s regardless of its TTL; ipv6=off skips AAAA lookups.
# NOTE(review): local=off is presumably OpenResty's switch for not reading the system resolv.conf — confirm against the OpenResty version in use.
# NOTE(review): these queries are plain DNS over the network, so answers can be spoofed on an untrusted path; a resolver on a trusted local network is the safer choice.
resolver 1.1.1.1 8.8.8.8 1.0.0.1 valid=300s ipv6=off local=off;
HSTS 及其他安全响应头
# HSTS: browsers remember for one year (max-age=31536000) to use HTTPS only, for this host and every subdomain.
# NOTE(review): includeSubDomains + preload is hard to undo — enable it only once every subdomain serves valid HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Legacy XSS-filter header.
# NOTE(review): current browsers no longer implement this filter; a Content-Security-Policy is the effective control.
add_header X-XSS-Protection "1; mode=block" always;
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
add_header X-Content-Type-Options nosniff always;
# Send the full URL as referrer on same-origin requests and only the origin on cross-origin ones.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# NOTE(review): add_header lines are inherited from the outer level only when the inner block defines none of its own — check blocks that add their own headers.
将 HTTPS 请求重定向到 HTTP(仅限特殊情况,需同时关闭强制 SSL 和 HSTS)
# Added: send every HTTPS request back to plain HTTP (same host, same path and query string).
# NOTE(review): a browser that already stored this site's HSTS policy keeps upgrading to HTTPS until max-age expires, which would loop with this redirect.
# NOTE(review): after the redirect all traffic, including cookies and credentials, travels unencrypted.
if ($scheme = https) {
return 301 http://$host$request_uri;
}
301重定向(在站点高级配置修改)
# Permanent redirect to a fixed host, keeping the request path and query string (www.xxxx.cc is a placeholder).
# NOTE(review): the target is http://; use https:// when the destination site serves TLS.
return 301 'http://www.xxxx.cc$request_uri';
屏蔽敏感信息头(在系统设置-OpenResty-缓存资源中修改)
# Report the upstream cache result of each response in an X-Cf-Cache header.
add_header X-Cf-Cache $upstream_cache_status always;
# Clear the Server header so the server software is not advertised (more_set_headers comes from the headers-more module).
more_set_headers "Server: ";
负载均衡(加权轮询)
# Two backends weighted 3:1; a backend is skipped for 30 s after 3 failed attempts within 30 s.
# NOTE(review): 3.3.3.3 / 6.6.6.6 look like placeholder addresses; port 80 means proxy-to-backend traffic is unencrypted.
server 3.3.3.3:80 weight=3 max_fails=3 fail_timeout=30s;
server 6.6.6.6:80 weight=1 max_fails=3 fail_timeout=30s;
# Keep up to 320 idle upstream connections per worker process.
keepalive 320;
# Close a kept-alive connection after it has served 1000 requests.
keepalive_requests 1000;
仅允许中国大陆访问
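# Download and run the mainland-China allowlist generator (op-cn-whitelist.sh) from the third-party woniu336/open_shell repository.
# -f stops the chain on an HTTP error instead of saving the error page as op-cn-whitelist.sh and running it.
# NOTE(review): review the script before executing it — it is fetched from a mutable branch and presumably writes the include files under /opt/om/nginx/conf.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/op-cn-whitelist.sh && chmod +x op-cn-whitelist.sh && ./op-cn-whitelist.sh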
然后在站点添加
# IP allowlist: only mainland-China addresses and Bing crawlers may access the site.
# presumably these three files hold the generated allow rules — verify their contents and refresh them regularly, address ranges change
include /opt/om/nginx/conf/bing-bot.conf;
include /opt/om/nginx/conf/china-ipv4.conf;
include /opt/om/nginx/conf/china-ipv6.conf;
# Loopback (IPv4 and IPv6) stays allowed.
allow 127.0.0.1;
allow ::1;
# Rules are checked in order and the first match wins, so everything not allowed above is rejected.
deny all;
# NOTE(review): the rules match the connecting address; behind a CDN or proxy that is the proxy's IP unless Real IP is configured.
# NOTE(review): if certificates are renewed over HTTP-01, the CA's validation requests come from outside this allowlist — verify that the ACME challenge location is not subject to "deny all".
应用限流
在系统设置-OpenResty-Real IP 的配置后面添加
# Rate-limit state, keyed by the client address in binary form.
# Zone "one": 30 MB of shared memory, sustained rate of 50 requests per second per address.
limit_req_zone $binary_remote_addr zone=one:30m rate=50r/s;
# Zone "addr": 20 MB of shared memory for counting concurrent connections per address.
limit_conn_zone $binary_remote_addr zone=addr:20m;
# NOTE(review): behind a CDN or proxy the key is the proxy's address unless Real IP is configured, so all visitors would share one limit.
站点添加 , 在站点的 include acme_challenge.conf;后面添加
# Rate limiting: stop a single IP from sending requests at high frequency.
# Uses zone "one"; up to 100 requests above the configured rate are served immediately (nodelay), anything beyond is rejected.
limit_req zone=one burst=100 nodelay;
# At most 50 concurrent connections per key of zone "addr".
limit_conn addr 50;
# Reject with 429 Too Many Requests instead of the default 503.
limit_req_status 429;
limit_conn_status 429;
HTTP 方法限制
# HTTP method restriction: only GET, HEAD and POST are accepted (strongly recommended); any other method gets 405.
# NOTE(review): sites that expose APIs using PUT/PATCH/DELETE, or that rely on CORS preflight (OPTIONS), need those methods added to the pattern.
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
拦截恶意爬虫
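# Block unwanted crawlers by User-Agent.
# Start from "not blocked" so $block_agent always has a value when it is tested later;
# without this, nginx logs an uninitialized-variable warning for every request whose UA matches nothing.
set $block_agent 0;
# ~* is a case-insensitive substring match: short tokens such as "YaK", "python" or "curl" hit any UA that contains them.
# NOTE(review): the list contains Googlebot and GoogleOther, which removes the site from Google Search — confirm this is intended.
# NOTE(review): the User-Agent is chosen by the client, so this only filters clients that identify themselves honestly; pair it with rate limiting or IP rules.
if ($http_user_agent ~* "YandexBot|DotBot|SemrushBot|AhrefsBot|BLEXBot|YaK|MJ12bot|MauiBot|MegaIndex|GPTBot|meta-externalagent|ClaudeBot|Amazonbot|SearchBot|DataForSeoBot|Barkrowler|GoogleOther|Googlebot|python|curl|scrapy|wget") {
set $block_agent 1;
}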
搜索引擎白名单
# Search-engine allowlist (protects SEO): a UA containing one of these names clears the block flag again.
# NOTE(review): this check runs after the crawler rule and overrides it, and the User-Agent is client-supplied, so the override is only as trustworthy as the header.
# NOTE(review): verifying a crawler's identity needs the engine's published IP ranges or a reverse-DNS check, not the UA string alone.
if ($http_user_agent ~* (baiduspider|bingbot|msnbot|sogou|yisouspider|sosospider|qwantbot|qwantify|bytespider)) {
set $block_agent 0;
}
# Reject flagged requests with 403 Forbidden.
if ($block_agent = 1) {
return 403;
}
测试
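# Smoke tests for the User-Agent and method rules (www.xxxx.cc is a placeholder).
# Run them from an address the IP allowlist accepts, otherwise test 3 is answered with 403 by "deny all".
# Every URL carries an explicit https:// scheme: without it curl falls back to http:// and may only see a redirect.

# 1. Blocked crawler - python-requests UA (expect 403)
curl -I -A "python-requests/2.28.0" https://www.xxxx.cc
# 2. Blocked crawler - ClaudeBot UA (expect 403)
curl -I -A "ClaudeBot" https://www.xxxx.cc
# 3. Baidu spider UA (expect 200 - protected by the allowlist)
curl -I -A "BaiduSpider" https://www.xxxx.cc
# 4. HTTP method restriction - DELETE (expect 405)
# nginx answers TRACE with 405 on its own, so TRACE cannot show whether the rule is active;
# the browser-like UA keeps the "curl" crawler rule from answering 403 instead.
curl -I -A "Mozilla/5.0" -X DELETE https://www.xxxx.cc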
配置参考
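# Reference site configuration combining the snippets above.
include log.conf;
include acme_challenge.conf;
# IP allowlist: only mainland-China addresses and Bing crawlers may access the site.
# Rules are checked in order and the first match wins, so "deny all" rejects everything not allowed before it.
# NOTE(review): if certificates are renewed over HTTP-01, verify that the ACME challenge location is not subject to "deny all".
include /opt/om/nginx/conf/bing-bot.conf;
include /opt/om/nginx/conf/china-ipv4.conf;
include /opt/om/nginx/conf/china-ipv6.conf;
allow 127.0.0.1;
allow ::1;
deny all;
# Rate limiting: stop a single IP from sending requests at high frequency.
# Zones "one" and "addr" must be declared with limit_req_zone / limit_conn_zone at http level.
limit_req zone=one burst=100 nodelay;
limit_conn addr 50;
limit_req_status 429;
limit_conn_status 429;
# HTTP method restriction: only GET, HEAD and POST are accepted; any other method gets 405.
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
# Block unwanted crawlers by User-Agent.
# Start from "not blocked" so $block_agent always has a value when it is tested below;
# without this, nginx logs an uninitialized-variable warning for every request whose UA matches nothing.
set $block_agent 0;
# NOTE(review): the list contains Googlebot and GoogleOther — confirm that dropping out of Google Search is intended.
if ($http_user_agent ~* "YandexBot|DotBot|SemrushBot|AhrefsBot|BLEXBot|YaK|MJ12bot|MauiBot|MegaIndex|GPTBot|meta-externalagent|ClaudeBot|Amazonbot|SearchBot|DataForSeoBot|Barkrowler|GoogleOther|Googlebot|python|curl|scrapy|wget") {
set $block_agent 1;
}
# Search-engine allowlist (protects SEO): clears the block flag again.
# NOTE(review): the User-Agent is client-supplied, so both UA rules only filter clients that identify themselves honestly.
if ($http_user_agent ~* (baiduspider|bingbot|msnbot|sogou|yisouspider|sosospider|qwantbot|qwantify|bytespider)) {
set $block_agent 0;
}
# Reject flagged requests with 403 Forbidden.
if ($block_agent = 1) {
return 403;
}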
升级
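# Upgrade the oms binary in place while keeping the existing configuration under /opt/om.
# The steps run in a subshell with `set -eu`, so a failed step aborts the remaining ones
# without closing an interactive shell. The download and unpack happen before the service
# is stopped, so a failed download never leaves the service down.
(
  set -eu

  # 1. Download the new release into a private temp directory. mktemp avoids fixed names
  #    such as /tmp/om_new that another local user could prepare in advance; -f makes curl
  #    fail on an HTTP error instead of saving the error page as the archive.
  work_dir=$(mktemp -d)
  trap 'rm -rf -- "$work_dir"' EXIT
  if [ "$(uname -m)" = "x86_64" ]; then
    pkg_url=https://download.uusec.com/om.tgz
  else
    pkg_url=https://download.uusec.com/om_arm64.tgz
  fi
  curl -fL "$pkg_url" -o "$work_dir/om_new.tgz"
  # NOTE(review): the archive is not integrity-checked; if the vendor publishes a checksum
  # or signature, verify it here before extracting.

  # 2. Unpack and confirm the expected binary exists before touching the running service.
  tar -zxf "$work_dir/om_new.tgz" -C "$work_dir"
  if [ ! -f "$work_dir/om/oms" ]; then
    echo "om/oms not found in the downloaded archive" >&2
    exit 1
  fi

  # 3. Stop the service.
  /opt/om/oms -s stop

  # 4. Back up the current installation. -a preserves ownership, modes and symlinks; the
  #    time in the name keeps a second run on the same day from copying into the first backup.
  backup_dir=/opt/om_backup_$(date +%Y%m%d%H%M%S)
  cp -a /opt/om "$backup_dir"
  echo "backup written to $backup_dir"

  # 5. Replace the program file only (configuration is kept).
  #    Note: adjust to the actual layout if more than the binary has to be replaced.
  cp -f "$work_dir/om/oms" /opt/om/

  # 6. Start the service again.
  /opt/om/oms -s start

  # 7. The temp directory is removed by the EXIT trap, on success and on failure alike.
)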
卸载
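# Download and run the uninstaller from the third-party woniu336/open_shell repository.
# -f stops the chain on an HTTP error instead of saving the error page as uninstall.sh and running it.
# NOTE(review): review uninstall.sh before executing it — it is fetched from a mutable branch and presumably deletes files as root.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/uninstall.sh && chmod +x uninstall.sh && ./uninstall.sh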