做的项目需要二级等保测试,各种奇葩的安全要求,基本都是在nginx实现的。特此记录下。
# Main context. The worker user is left at the build default; uncomment
# `user` to drop worker privileges to a dedicated account.
#user nobody;
pid /var/log/nginx/nginx.pid;
# Single worker process, as in the original configuration.
worker_processes 1;
# Connection-handling context: per-worker connection cap.
events { worker_connections 1024; }
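http {
    include mime.types;
    default_type application/octet-stream;
    # 2 GiB request-body cap, carried over from the original; lower it if the
    # application only accepts small uploads.
    client_max_body_size 2048M;
    sendfile on;
    keepalive_timeout 65;
    # Do not reveal the nginx version in the Server header or error pages.
    server_tokens off;

    server {
        listen 80;
        # Addresses below are redacted placeholders (the ** must be replaced by the
        # real octets; as written they are not valid regex in the `if` patterns).
        server_name 192.168.**.**;

        # Allow only GET and POST. The pattern is anchored and case-sensitive so it
        # matches the whole method token; the original `GET|POST` was an unanchored
        # substring match. HEAD and OPTIONS are rejected as well, as before.
        if ($request_method !~ ^(GET|POST)$) {
            return 403;
        }

        # Reject any request whose Host header is not exactly this address.
        # Dots are escaped so they match a literal '.', not any character.
        # (A catch-all `default_server` that returns 444 is the more conventional
        # way to achieve this and also covers requests that carry no Host.)
        if ($http_host !~* ^192\.168\.**\.**$) {
            return 400;
        }

        # Reject a literal "../" in the request line. $request_uri is the raw,
        # undecoded URI, so only the plain form is caught; nginx itself
        # normalises dot-segments in $uri before location matching, so this is
        # defence in depth rather than the primary path-traversal control.
        if ($request_uri ~ '\.\.\/') {
            return 400;
        }

        # Referer allow-list: absent ("none"), stripped ("blocked"), or this host.
        valid_referers none blocked 192.168.**.**;
        if ($invalid_referer) {
            return 400;
        }

        # Origin allow-list: either no Origin header (empty string) or exactly
        # http://192.168.**.** . The original pattern was unanchored, so any
        # Origin merely containing that prefix would have passed; the two-step
        # $origin_flag construction is replaced by one optional, anchored group.
        if ($http_origin !~ ^(http://192\.168\.**\.**)?$) {
            return 400;
        }

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            # Single-page-app fallback: unknown paths are served index.html.
            try_files $uri $uri/ /index.html;
        }

        location /static {
            root /usr/share/nginx/html;
            index index.html index.htm;
            # Refuse direct browser access (no Referer) to .js/.png under /static.
            # $uri is matched instead of $request_uri so that a query string
            # (e.g. ?v=1 cache-busting) does not defeat the "$"-anchored extension
            # check. Referer is client-supplied, so treat this as a nuisance
            # filter, not an access control.
            set $flag 0;
            if ($uri ~ \.(js|png)$) {
                set $flag "${flag}1";
            }
            if ($http_referer = '') {
                set $flag "${flag}1";
            }
            if ($flag = "011") {
                return 403;
            }
        }

        # Reverse-proxied application routes. Only X-Real-IP is forwarded, as in
        # the original; the upstream should trust that header only because nginx
        # is its sole entry point. Longest-prefix matching means /abc/bbb, /abc/ccc
        # and /abc/ddd take precedence over the generic /abc route.
        location /abc {
            proxy_pass http://192.168.**.**:8888/;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location /sgcc/aaa {
            # TODO(review): port 88888 is outside the TCP port range (max 65535)
            # and nginx will refuse to start with it; confirm the intended port.
            proxy_pass http://192.168.**.**:88888/aaa;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location /abc/bbb {
            proxy_pass http://192.168.**.**:8888/bbb;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location /abc/ccc {
            proxy_pass http://192.168.**.**:8888/ccc;
            proxy_set_header X-Real-IP $remote_addr;
            # Hand upstream error responses to nginx's error_page handling.
            proxy_intercept_errors on;
            # An error_page directive at this level replaces (does not merge with)
            # the server-level list, so 502/503/504 are listed again here; the
            # original mapped only 500 and would have shown default pages for
            # the others in this location.
            error_page 500 502 503 504 /50x.html;
        }
        location /abc/ddd {
            proxy_pass http://192.168.**.**:8888/ddd;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Shared error page. nginx-generated 502/503/504 use it on every route;
        # an upstream-generated 500 is relayed unchanged except in /abc/ccc, which
        # is the only location with proxy_intercept_errors enabled.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # Relative to the nginx prefix directory, unlike the other roots,
            # which use /usr/share/nginx/html — NOTE(review): confirm this is intended.
            root html;
        }
    }
}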