Place each part in the nginx context it is valid in: the `map` block belongs in `http { }`, while the `location` block and the `if ($block) { return 444; }` check go inside `server { }` (not in `http { }`, where `if` is not allowed).
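# Request tripwire: $block becomes 1 when the *raw* query string matches one of the
# patterns below, 0 otherwise. It is consumed by `if ($block) { return 444; }` in
# server{}.
#
# Caveats before relying on this:
#   * $query_string is NOT URL-decoded or normalised. Only the literal encodings
#     spelled out below are caught; a double-encoded payload (e.g. %252e%252e%252f)
#     or anything carried in the path, headers, cookies or request body is never
#     inspected. This is a cheap filter, not a WAF.
#   * Several entries are deliberately broad (any "(", ")", "<", ">", "'" or "%22"
#     in a query) and WILL reject legitimate traffic. Measure false positives on
#     real access logs before enabling the 444.
#   * `~*` = case-insensitive, `~` = case-sensitive. Regex entries are tried in the
#     order written; the first match wins, so the broad rules near the end make
#     several earlier, narrower ones redundant.
#   * Fix applied here: the apostrophe alternatives used a typographic quote (U+2019),
#     which never matches a plain ASCII ' in a query; replaced with ASCII '.
map $query_string $block {
    default 0;

    # Path traversal immediately after a parameter name (param=../ or param=/x/)
    "~*[a-zA-Z0-9_]=(\.\.//?)+" 1;
    "~*[a-zA-Z0-9_]=/([a-z0-9_.]//?)+" 1;

    # GUID-style "?=PHP…" value (looks like the PHP easter-egg / info-disclosure query)
    "~*\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" 1;

    # "../" in its common single-encoded spellings (%2e = '.', %2f = '/')
    "~*(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)" 1;

    # ftp: URLs in a query (remote-include style payloads)
    "~*ftp\:" 1;

    # "=|w|" — inherited signature, purpose unclear; left as-is
    "~*\=\|w\|" 1;

    # "/self/" anywhere in the query — presumably /proc/self/ reads via traversal
    "~*^(.*)/self/(.*)$" 1;

    # cPath=http://… — remote-file-include via a URL-valued parameter
    "~*^(.*)cPath=http://(.*)$" 1;

    # HTML tag injection: <script>, <embed>, <object>, <iframe>, raw or %3C/%3E-encoded.
    # The second form of each pair tolerates junk between "<" and the tag name.
    # NOTE: the "(|)|<|>" rule further down already rejects any "<" or ">", so these
    # mostly serve as documentation of intent.
    "~*(\<|%3C).*script.*(\>|%3E)" 1;
    "~*(<|%3C)([^s]*s)+cript.*(>|%3E)" 1;
    "~*(\<|%3C).*embed.*(\>|%3E)" 1;
    "~*(<|%3C)([^e]*e)+mbed.*(>|%3E)" 1;
    "~*(\<|%3C).*object.*(\>|%3E)" 1;
    "~*(<|%3C)([^o]*o)+bject.*(>|%3E)" 1;
    "~*(\<|%3C).*iframe.*(\>|%3E)" 1;
    "~*(<|%3C)([^i]*i)+frame.*(>|%3E)" 1;

    # PHP base64_encode()/base64_decode() calls in the query (eval-style payloads)
    "~*base64_encode.*\(.*\)" 1;
    "~*base64_(en|de)code[^(]*\([^)]*\)" 1;

    # Attempts to address PHP superglobals. Case-sensitive on purpose: the PHP names
    # are case-sensitive, so lowercase "globals[" is not an attack on $GLOBALS.
    "~GLOBALS(=|\[|\%[0-9A-Z]{0,2})" 1;
    "~_REQUEST(=|\[|\%[0-9A-Z]{0,2})" 1;

    # BROAD: any parenthesis or angle bracket, raw or encoded. High false-positive risk.
    "~*^.*(\(|\)|<|>|%3c|%3e).*" 1;

    # BROAD: raw control/odd bytes. A raw space (\x20) normally cannot reach
    # $query_string because nginx ends the request-URI at the first space, so that
    # alternative is effectively dead; encoded forms (%00, %0A…) are handled below.
    "~*^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).*" 1;

    # SQL file-access keywords. Case-sensitive (~), unlike the SQLi rules below, so
    # "outfile"/"load_file" in lowercase slip through; made so deliberately? —
    # switching to ~* would also block the very common "?x=null". Review.
    "~(NULL|OUTFILE|LOAD_FILE)" 1;

    # Dot-segment traversal into well-known system paths
    "~*(\.{1,}/)+(motd|etc|bin)" 1;

    # Loopback references in a query (SSRF-style probes). Blocks legitimate
    # "?host=localhost"-type parameters too.
    "~*(localhost|loopback|127\.0\.0\.1)" 1;

    # BROAD: any quote/angle bracket/CRLF/NUL, raw or encoded. Subsumes most of the
    # SQLi rule below. Apostrophe fixed from U+2019 to ASCII.
    "~*(<|>|'|%0A|%0D|%27|%3C|%3E|%00|%22)" 1;

    # SQL string building / UNION-based injection (tolerates comments between words)
    "~*concat[^\(]*\(" 1;
    "~*union([^s]*s)+elect" 1;
    "~*union([^a]*a)+ll([^s]*s)+elect" 1;

    # php-cgi command-line switch injection: "?-d allow_url_include=On", "?-s", …
    "~*\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file)" 1;

    # Generic SQLi: a delimiter/quote followed by a SQL keyword. Apostrophe fixed
    # from U+2019 to ASCII.
    "~*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|md5|benchmark|encode)" 1;

    # MSSQL dynamic SQL
    "~*(sp_executesql)" 1;
}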
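# Deny dotfiles and dot-directories (.git, .env, .htaccess, .svn, …) anywhere in the
# URI while keeping /.well-known/ reachable for ACME HTTP-01 and similar discovery.
#
# Place this BEFORE any other regex location (e.g. `location ~ \.php$`): nginx takes
# the first matching regex location, so a later position would let /.git/x.php fall
# through to the PHP handler instead of being denied.
#
# The negative lookahead now requires the trailing slash: the original
# `(?!well-known)` also let any name merely *starting* with ".well-known"
# (e.g. /.well-known-backup) bypass the deny. A bare "/.well-known" (no slash) is
# now denied too; ACME only ever requests /.well-known/acme-challenge/<token>.
location ~ /\.(?!well-known/).* {
    deny all;
    # NOTE(review): turning access_log off here also hides .git/.env/.svn scanning
    # from your logs. Keep it on (or log to a separate file) if you want that
    # reconnaissance signal for detection.
    access_log off;
    log_not_found off;
}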
# $block is set by `map $query_string $block` in http{}; a non-zero value means the
# raw query string matched one of that map's patterns (traversal, HTML tag
# injection, SQLi keywords, php-cgi switch injection, …) — not only SQL injection.
# Goes in server{}. `return` is one of the few directives that is safe inside
# nginx `if`; do not add other directives to this block.
# 444 is nginx-specific: close the connection without sending any response, so the
# probe gets no status code or body to fingerprint. The hit is still written to the
# access log with status 444, which is useful for spotting scanners.
if ($block) {
# Matched a filter pattern - drop the connection without a reply
return 444;
}