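Project: https://github.com/Safe3/openresty-manager
Documentation: https://github.com/Safe3/openresty-manager/blob/main/README_CN.md
A powerful web management interface built on OpenResty, with server status monitoring, security protection, free SSL certificates, host management, an app store and more.
Installation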
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/om.sh && chmod +x om.sh && ./om.sh
Pinned version
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/omm.sh && chmod +x omm.sh && ./omm.sh
Open https://your-ip:34567 and log in with username admin and password #Passw0rd
Backup script
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/om-b.sh && chmod +x om-b.sh && ./om-b.sh
Restore
tar --warning=no-timestamp -xzf /root/backup_20251211_225222.tar.gz -C /opt/om && /opt/om/oms -s restart
Start
# Start the service
/opt/om/oms -s start
# Check the service status
/opt/om/oms -s status
# Stop the service
/opt/om/oms -s stop
# Start it again
/opt/om/oms -s start
Configuration
This part is DIY, for customising to your own needs.
DNS resolution: change it under System Settings - OpenResty - DNS Resolution
resolver 1.1.1.1 8.8.8.8 1.0.0.1 valid=300s ipv6=off local=off;
HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Redirect HTTPS requests to HTTP (special case; turn off forced SSL and HSTS)
# Added: redirect HTTPS requests to HTTP
if ($scheme = https) {
return 301 http://$host$request_uri;
}
301 redirect (edit in the site's advanced configuration)
return 301 'http://www.xxxx.cc$request_uri';
Hide sensitive response headers (edit under System Settings - OpenResty - Cache Resources)
add_header X-Cf-Cache $upstream_cache_status always;
more_set_headers "Server: ";
Load balancing (round robin)
server 3.3.3.3:80 weight=3 max_fails=3 fail_timeout=30s;
server 6.6.6.6:80 weight=1 max_fails=3 fail_timeout=30s;
keepalive 320;
keepalive_requests 1000;
Block access to sensitive files and directories
# Sensitive-file protection (place before the main location so it matches first)
location ~ /\. {
deny all;
return 404;
}
location ~* \.(env|git|bak|log|sql|zip)$ {
deny all;
return 403;
}
Block access by bare IP: add an upstream (127.0.0.1:80), add a site for the IP, and configure it as follows
server {
listen 80;
listen 443;
http2 on;
server_name '面板ip';  # placeholder: the panel's IP address
# Close the connection immediately without returning anything
return 444;
}
HAProxy reverse proxy
(Under System Settings - OpenResty - Real IP) append the following
set_real_ip_from 反代ip;  # placeholder: the reverse proxy's IP address
real_ip_header proxy_protocol;
real_ip_recursive on;
Site changes
listen 443 ssl proxy_protocol;
One-step replacement
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/update_proxy_protocol.sh && chmod +x update_proxy_protocol.sh && ./update_proxy_protocol.sh
View site logs
grep "xxx.com" /opt/om/nginx/logs/access.log | tail -n 10
Allow access from mainland China only
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/op-cn-whitelist.sh && chmod +x op-cn-whitelist.sh && ./op-cn-whitelist.sh
Then add to the site
# IP allowlist: only mainland China IPs and Bingbot are allowed
include /opt/om/nginx/conf/bing-bot.conf;
include /opt/om/nginx/conf/china-ipv4.conf;
include /opt/om/nginx/conf/china-ipv6.conf;
allow 127.0.0.1;
allow ::1;
deny all;
Block malicious crawlers
cat > /opt/om/nginx/conf/ai_bot_block.conf << 'EOF'
if ($http_user_agent ~* "ClaudeBot|Claude-User|Claude-SearchBot|OAI-SearchBot|ChatGPT-User|GPTBot|Amazonbot|facebookexternalhit|facebookcatalog|meta-webindexer|meta-externalads|meta-externalagent|meta-externalfetcher") {
return 403;
}
EOF
openresty -t -p /opt/om/nginx && openresty -s reload -p /opt/om/nginx
Add to the site configuration (before the location blocks)
include ai_bot_block.conf;
Test the block (expect 403)
curl -I -A "ClaudeBot" https://www.xxxx.cc
curl -I -A "GPTBot" https://www.xxxx.cc
curl -I -A "ChatGPT-User" https://www.xxxx.cc
Apply rate limiting
(Under System Settings - OpenResty - Real IP) append the following
limit_req_zone $binary_remote_addr zone=one:30m rate=50r/s;
limit_conn_zone $binary_remote_addr zone=addr:20m;
limit_req_status 429;
limit_conn_status 429;
In the site, add the following after the site's include acme_challenge.conf; line
limit_req zone=one burst=100 nodelay;
limit_conn addr 50;
HTTP method restriction
# HTTP method restriction: allow only GET, HEAD and POST (strongly recommended)
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
Test
curl -I -X TRACE https://www.xxxx.cc
Reference configuration
include log.conf;
include acme_challenge.conf;
# IP allowlist: only mainland China IPs and Bingbot are allowed
include /opt/om/nginx/conf/bing-bot.conf;
include /opt/om/nginx/conf/china-ipv4.conf;
include /opt/om/nginx/conf/china-ipv6.conf;
allow 127.0.0.1;
allow ::1;
deny all;
# AI crawler blocking
include ai_bot_block.conf;
# Rate limiting: prevent high-frequency requests from a single IP
limit_req zone=one burst=100 nodelay;
limit_conn addr 50;
limit_req_status 429;
limit_conn_status 429;
# HTTP method restriction: allow only GET, HEAD and POST
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
Log analysis
Analysis script
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/nginx_report.sh && chmod +x nginx_report.sh && ./nginx_report.sh
Usage
./nginx_report.sh # use the default configuration
./nginx_report.sh /opt/om/nginx/logs/xxx.com.log # specify a log file
./nginx_report.sh /opt/om/nginx/logs/access.log 7 # analyse the last 7 days
./nginx_report.sh /opt/om/nginx/logs/access.log 1 > report.txt # save the report
Shortcut
mkdir -p /opt/om/nginx/scripts
mv nginx_report.sh /opt/om/nginx/scripts/
echo "alias log='/opt/om/nginx/scripts/nginx_report.sh'" >> ~/.bashrc
source ~/.bashrc
Type log in the terminal to view the logs
502 analysis script
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/nginx_502_dashboard.sh && chmod +x nginx_502_dashboard.sh && ./nginx_502_dashboard.sh
Shortcut (502)
mkdir -p /opt/om/nginx/scripts
mv nginx_502_dashboard.sh /opt/om/nginx/scripts/
echo "alias 502='/opt/om/nginx/scripts/nginx_502_dashboard.sh'" >> ~/.bashrc
source ~/.bashrc
Count the IPs with the most 502s (the main malicious candidates)
awk '$9==502 {print $1}' /opt/om/nginx/logs/access.log \
| sort | uniq -c | sort -nr | head -10
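👉 Block these IPs first
IPs that hit malicious URLs, for the high-risk paths you listed:
# The extension and login.do patterns sit outside the leading-slash group so they match anywhere in the path
grep -E ' /(wp-login\.php|zabbix|xmldata|dns-query|status\.php|sugar_version\.json|aab9|aaa9|cgi-bin)|\.(jsp|axd)|login\.do' \
/opt/om/nginx/logs/access.log \
| awk '$9==502 {print $1, $7}' \
| sort | uniq -c | sort -nr
These are basically all:
- Vulnerability scanning
- Botnet probing
- DNS over HTTPS abuse
- WordPress / Zabbix scanners
Decide whether to block a range rather than single IPs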
awk '$9==502 {
split($1,ip,".");
print ip[1]"."ip[2]"."ip[3]".0/24"
}' /opt/om/nginx/logs/access.log \
| sort | uniq -c | sort -nr | head -10
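Rule of thumb
- Same /24 ≥ 5 times 👉 blocking the range beats blocking single IPs
Locate anomalous sources by hour + IP (matching the time window you gave)
For example, to see the attacking IPs at 07:00: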
grep '13/Dec/2025:07:' /opt/om/nginx/logs/access.log \
| awk '$9==502 {print $1}' \
| sort | uniq -c | sort -nr
Look at IP + URL together (to confirm whether it is malicious)
awk '$9==502 {print $1, $7}' /opt/om/nginx/logs/access.log \
| sort | uniq -c | sort -nr | head -30
You will clearly see:
IP -> repeatedly scanning /
IP -> wp-login.php
IP -> dns-query
Generate the blocked-IP list directly (for iptables / ipset)
awk '$9==502 {print $1}' /opt/om/nginx/logs/access.log \
| sort | uniq -c | awk '$1>=10 {print $2}' > bad_502_ips.txt
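Rule: 10 or more 502s is treated as malicious outright
One-liner to load it into ipset (if you use it)
while read -r ip; do ipset add blacklist "$ip"; done < bad_502_ips.txt
Then check whether the 502s have dropped (the most direct check)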
tail -n 200 /opt/om/nginx/logs/access.log | grep ' 502 ' | wc -l
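The two thresholds above (10 or more 502s per IP, 5 or more per /24) combined into one list builder, as an added example that is not part of the original page. build_blocklist, its arguments and the allowlist are assumptions; it goes beyond the one-liners by requiring more than one source address before a /24 is blocked and by never emitting a range that contains an allowlisted address.

```bash
# Added example, not from the original page. build_blocklist and its
# arguments are hypothetical names; fields follow the commands above
# ($1 = client IP, $9 = status).
build_blocklist() {
  # $1 = log file, $2 = min 502s per IP, $3 = min 502s per /24,
  # $4 = space-separated IPv4 addresses that must never be blocked
  awk -v ip_min="$2" -v net_min="$3" -v allow="$4" '
    function net24(ip,   o) {
      split(ip, o, ".")
      return o[1] "." o[2] "." o[3] ".0/24"
    }
    BEGIN {
      n = split(allow, a, " ")
      for (i = 1; i <= n; i++) { keep[a[i]] = 1; keepnet[net24(a[i])] = 1 }
    }
    # Count only well-formed IPv4 sources with status 502 that are not allowlisted.
    $9 == 502 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($1 in keep) {
      net = net24($1)
      if (!($1 in hits)) sources[net]++   # distinct addresses seen in this /24
      hits[$1]++
      nethits[net]++
    }
    END {
      # Range rule: enough hits, more than one source, no allowlisted host inside.
      for (net in nethits)
        if (nethits[net] >= net_min && sources[net] > 1 && !(net in keepnet)) {
          ranged[net] = 1
          print net
        }
      # Single-address rule, skipping addresses already covered by a range.
      for (ip in hits)
        if (hits[ip] >= ip_min && !(net24(ip) in ranged)) print ip
    }' "$1" | LC_ALL=C sort
}

# Usage: build_blocklist /opt/om/nginx/logs/access.log 10 5 "127.0.0.1" > bad_502_ips.txt
```

A 502 is produced by the upstream, so ordinary visitors also collect them during a backend outage; review the output before loading it. The /24 entries are stored as single elements in a set of type hash:net.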
Find the last 10 access-log entries for IP 37.27.51.141
grep -F '37.27.51.141' /opt/om/nginx/logs/access.log | tail -n 10
Show time + URL + status code together (easier to read)
grep -F '78.153.140.203' /opt/om/nginx/logs/access.log \
| awk '{print $4, $7, $9}' \
| tail -n 10
Or
grep -F '78.153.140.203' /opt/om/nginx/logs/access.log \
| awk '{print "https://" $3 $7, $9}' \
| tail -n 10
Or
grep -F '78.153.140.203' /opt/om/nginx/logs/access.log \
| tail -n 10
Upgrade
# 1. Stop the service
/opt/om/oms -s stop
# 2. Back up the current version
cp -r /opt/om /opt/om_backup_$(date +%Y%m%d)
# 3. Download the new version
if [ "$(uname -m)" = "x86_64" ]; then
curl -L https://download.uusec.com/om.tgz -o /tmp/om_new.tgz
else
curl -L https://download.uusec.com/om_arm64.tgz -o /tmp/om_new.tgz
fi
# 4. Extract to a temporary directory
mkdir -p /tmp/om_new
tar -zxf /tmp/om_new.tgz -C /tmp/om_new/
# 5. Replace the program files (keep the configuration)
# Note: adjust this to your actual situation; only the binary is replaced
cp -f /tmp/om_new/om/oms /opt/om/
# 6. Restart the service
/opt/om/oms -s start
# 7. Clean up temporary files
rm -rf /tmp/om_new /tmp/om_new.tgz
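The upgrade steps above unpack a downloaded archive and copy a binary from it into /opt/om without checking it first. An added example (not from the original page or the project) that checks a pinned SHA-256 and the archive layout before extraction; the function names and the digest placeholder are assumptions, and the same digest check fits the install scripts fetched with curl earlier.

```bash
# Added example, not from the original page or the project. Function names and
# the pinned digest are hypothetical; record the digest from a copy you reviewed.
verify_sha256() {          # $1 = file, $2 = expected lowercase hex SHA-256
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

archive_is_safe() {        # $1 = .tgz to inspect before extraction
  members=$(tar -tzf "$1") || return 1
  # Reject absolute paths and ".." components in member names.
  if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    return 1
  fi
  # The upgrade step copies om/oms out of the archive, so it must be present.
  printf '%s\n' "$members" | grep -Eqx '(\./)?om/oms'
}

stage_upgrade() {          # $1 = downloaded .tgz, $2 = pinned digest, $3 = staging dir
  verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
  archive_is_safe "$1"    || { echo "unexpected archive layout: $1" >&2; return 1; }
  mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Usage in place of step 4: stage_upgrade /tmp/om_new.tgz "<pinned-sha256>" /tmp/om_new
```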
Uninstall
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/uninstall.sh && chmod +x uninstall.sh && ./uninstall.sh