Nginx 安全配置
安全配置是Nginx部署中非常重要的一环,本章将介绍如何配置Nginx以增强安全性。
SSL/TLS配置
基本SSL配置
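server {
    # "listen ... http2" still works but has been deprecated since nginx 1.25.1
    # in favour of a separate "http2 on;" directive; use whichever your version supports.
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /path/to/certificate.crt;
    # The private key must be readable only by the user nginx starts as.
    ssl_certificate_key /path/to/private.key;

    # Only TLS 1.2 and 1.3; SSLv3 / TLS 1.0 / TLS 1.1 have known weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites only (AES-GCM and ChaCha20-Poly1305). The CBC-mode
    # ECDHE-RSA-AES128-SHA256 / ECDHE-RSA-AES256-SHA384 suites of the original
    # list were dropped; ECDSA variants were added for ECDSA certificates.
    # ssl_ciphers governs TLS 1.2 only - TLS 1.3 suites are fixed by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With an AEAD-only list the client may choose; "off" follows the Mozilla
    # "intermediate" profile.
    ssl_prefer_server_ciphers off;

    # Server-side session cache shared by all workers.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key nginx keeps for its whole
    # lifetime, which weakens forward secrecy; disable them unless you rotate
    # ticket keys.
    ssl_session_tickets off;
}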
HTTP严格传输安全(HSTS)
# HSTS: browsers remember to reach example.com (and its subdomains) only over
# HTTPS for one year (31536000 s). Set this only on the HTTPS server block;
# "always" also sends it on error responses.
# Note: a location that defines its own add_header stops inheriting this one,
# so repeat it in such locations. Do not add "preload" until every subdomain
# serves HTTPS - the browser preload list is hard to leave again.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
隐藏服务器信息
隐藏Nginx版本
# Removes the version number from the Server header and from built-in error
# pages. The header still reads "nginx"; removing it entirely needs a
# third-party module such as headers-more (more_clear_headers).
server_tokens off;
自定义错误页面
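# Serve one generic page for client and server errors so that the stock
# error pages (which name the server) are never shown. The file is called
# 40x.html even though the 5xx codes map to it as well.
error_page 400 401 402 403 404 500 501 502 503 504 /40x.html;
location = /40x.html {
    root /path/to/error/pages;
    # Reachable only through error_page; a direct request for /40x.html
    # gets a 404 instead of exposing the page by name.
    internal;
}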
防止DDoS攻击
限制连接数
# Limit concurrent connections per client IP. The 10 MB shared-memory zone is
# keyed by $binary_remote_addr and must be declared in the http {} context.
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
server {
    location / {
        # At most 10 open connections per client IP; excess ones are refused
        # with 503 (adjust with limit_conn_status). Clients behind a shared
        # NAT/proxy count as one key, so size this for your traffic. If nginx
        # itself sits behind a proxy, $binary_remote_addr is the proxy's
        # address unless ngx_http_realip_module is configured.
        limit_conn conn_limit_per_ip 10;
        proxy_pass http://backend;
    }
}
限制请求频率
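# Request-rate zones keyed by client IP; both must live in the http {} context.
# 10r/s for ordinary traffic, and a separate 1r/s zone for the login page so
# that password-guessing gets its own, much smaller budget.
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
server {
    location / {
        # burst=20 lets up to 20 requests above the rate through; nodelay
        # serves them immediately and rejects anything beyond with 503
        # (adjust with limit_req_status).
        limit_req zone=general burst=20 nodelay;
        proxy_pass http://backend;
    }
    # Stricter limit for the login page. The original reused zone=general,
    # which only shrank the burst while still sharing the 10r/s budget of
    # normal pages; a dedicated zone actually lowers the rate.
    location /login {
        limit_req zone=login burst=5 nodelay;
        proxy_pass http://backend;
    }
}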
防止恶意请求
阻止特定User-Agent
# Reject requests whose User-Agent contains one of the listed words
# (case-insensitive match). The User-Agent header is chosen by the client, so
# this only filters tools that announce themselves; it is not a security
# boundary. "bot" also matches Googlebot/Bingbot, which conflicts with the
# Referer rule further down that welcomes traffic from Google and Bing -
# narrow the pattern if search-engine indexing is wanted. Prefer a "map" in
# the http {} context over "if" inside a location block.
if ($http_user_agent ~* (bot|crawler|spider|robot|crawling) ) {
    return 403;
}
阻止特定IP
# allow/deny rules are evaluated top to bottom and the first match wins:
# the single host is refused, the rest of its /24 is admitted, everyone
# else is refused (403). Rules act on $remote_addr, so behind a proxy or
# load balancer configure ngx_http_realip_module first or every client
# appears with the proxy's address.
deny 192.168.1.100;
allow 192.168.1.0/24;
deny all;
请求过滤
限制请求方法
# Allow only GET, HEAD and POST; 444 closes the connection without sending a
# response. Note this also refuses OPTIONS, so CORS preflight requests and
# any API relying on PUT/DELETE/PATCH will break - extend the list as
# needed. Inside a location block the "limit_except" directive is the
# idiomatic alternative (it answers 403 rather than closing the connection).
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
过滤恶意URL
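# Block access to VCS metadata and dotfiles such as .env. The original
# pattern ended in "$", so it matched only when the dotfile name was the last
# path segment and let requests such as /.git/config or /.svn/entries
# through; "(/|$)" also covers everything below such a directory.
# 404 rather than 403 avoids confirming that the path exists.
location ~* /\.(git|svn|hg|htaccess|env)(/|$) {
    return 404;
}
# Coarse keyword filter. Location matching sees only the decoded request
# path, never the query string, so this does not inspect request parameters,
# while it does block legitimate paths such as /dropdown, /executive or
# /selection. Treat it as a stop-gap and use a real WAF for content
# inspection.
location ~* (eval|exec|expression|javascript|vbscript|base64|concat|union|select|drop) {
    return 404;
}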
安全头设置
常见安全头
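# Content Security Policy. 'unsafe-inline' and 'unsafe-eval' were removed
# from script-src: with them present any injected inline script still runs,
# so the policy gave no XSS protection at all. If inline scripts are
# unavoidable, allow them with a per-response nonce ('nonce-...') or a hash
# instead. Roll a new policy out with Content-Security-Policy-Report-Only
# first to find what it breaks.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
# Clickjacking: only same-origin pages may embed this site in a frame
# (frame-ancestors 'self' inside the CSP is the modern equivalent).
add_header X-Frame-Options "SAMEORIGIN" always;
# Stop browsers from sniffing a content type different from Content-Type.
add_header X-Content-Type-Options "nosniff" always;
# The legacy browser XSS auditor has been removed from current browsers and
# had known side-channel problems in old ones; "0" disables it explicitly.
# CSP above is the replacement.
add_header X-XSS-Protection "0" always;
# Send only the origin on cross-origin requests, nothing on HTTPS->HTTP downgrades.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Reminder: add_header is inherited only by locations that define none of
# their own; a location with its own add_header must repeat all of these.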
文件上传安全
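# Cap the request body (uploads) at 10 MB; larger requests get 413.
client_max_body_size 10M;
# Never execute anything stored under /uploads. "^~" makes this prefix win
# over server-level regex locations - without it a "location ~ \.php$"
# handler elsewhere in the server would be chosen for /uploads/x.php and the
# deny below would never run.
location ^~ /uploads {
    # Refuse script-like names outright (matched against the decoded path,
    # case-insensitive). Extend with whatever your stack executes.
    location ~* \.(php|phtml|php[0-9]|pl|py|jsp|asp|aspx|sh|cgi)$ {
        deny all;
    }
    # Consider serving everything else with a fixed non-executable type
    # ("types { }" plus "default_type application/octet-stream;").
}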
访问控制
基于IP的访问控制
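# Restrict the admin area to trusted addresses; rules are evaluated in order
# and the first match wins. "^~" stops a server-level regex location (a PHP
# or proxy handler, for instance) from taking precedence for /admin/... and
# bypassing these rules; any handler the admin area needs must therefore be
# nested here or carry the same allow/deny list. Behind a proxy or load
# balancer $remote_addr is the proxy's address - configure set_real_ip_from /
# real_ip_header (ngx_http_realip_module) first.
location ^~ /admin {
    allow 192.168.1.100;
    allow 10.0.0.0/8;
    deny all;
}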
基于Referer的访问控制
# Hotlink protection. Accepts requests with no Referer ("none"), a Referer
# stripped by a proxy/firewall ("blocked"), one of this server's names, or a
# Referer host matching the regexes (tested without the scheme and
# unanchored, so any host containing ".google." or ".bing." qualifies).
valid_referers none blocked server_names ~\.google\. ~\.bing\.;
# The Referer header is supplied by the client and is trivially omitted -
# and "none" is accepted above - so this deters casual hotlinking only and is
# not an access control; use IP rules or authentication for that.
if ($invalid_referer) {
    return 403;
}
日志安全
自定义日志格式
# Combined-style access log. $http_x_forwarded_for is whatever the client or
# an upstream proxy sent, so treat it as untrusted input when analysing logs.
# With the default escaping (log_format escape=default) nginx writes '"',
# '\' and control characters as \xXX, which keeps injected values on one line.
log_format security_log '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for"';
# Logs contain client IPs and full request lines (query strings may carry
# tokens); keep the log directory readable only by root and the nginx user.
access_log /var/log/nginx/security.log security_log;
完整的安全配置示例
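# Redirect plain HTTP to HTTPS. HSTS below only takes effect once a browser
# has received the header over a TLS connection, so the redirect is what gets
# first-time visitors there.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... http2" is deprecated since nginx 1.25.1 ("http2 on;").
    listen 443 ssl http2;
    server_name example.com;

    # TLS
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Governs TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. A location that defines its own add_header does not
    # inherit these, so repeat them there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # No 'unsafe-inline' in script-src: with it, injected inline scripts
    # still run. Allow legitimate inline scripts via nonces or hashes.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy browser filter, disabled explicitly; CSP replaces it.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Hide the nginx version (the product name "nginx" still shows).
    server_tokens off;

    # Connection and request limits. Both zones must be declared in the
    # http {} context, e.g.
    #   limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    #   limit_req_zone  $binary_remote_addr zone=general:10m rate=10r/s;
    limit_conn conn_limit_per_ip 20;
    limit_req zone=general burst=20 nodelay;

    # Main content
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent;
        # the backend must trust only the right-most (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}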