http {
# Extension -> Content-Type table. Anything whose extension is not listed is
# served as application/octet-stream (offered as a download, never rendered).
include mime.types;
default_type application/octet-stream;
# Per-day log files: pull YYYY-MM-DD out of $time_iso8601 for the access_log
# path below. A map variable is only evaluated when it is actually referenced.
map $time_iso8601 $logdate {
    '~^(\d{4}-\d{2}-\d{2})' $1;
    default                 'date-not-found';
}
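# JSON access-log line.
#
# escape=json (nginx >= 1.11.8; this build is 1.19.10) escapes quotes,
# backslashes and control characters in every interpolated variable. Without it
# an attacker-controlled header (User-Agent, Referer, X-Forwarded-For, Cookie)
# can break the JSON or inject a forged record into whatever consumes the logs.
#
# "ip" ($http_x_forwarded_for) is client-supplied and spoofable unless a trusted
# front proxy overwrites it; "client" ($remote_addr) is the peer nginx actually
# talked to. Treat "ip" as a hint, not as evidence.
log_format main escape=json '{"@timestamp":"$time_iso8601",'
    '"@source":"$server_addr",'
    '"hostname":"$hostname",'
    '"remote_user":"$remote_user",'
    '"ip":"$http_x_forwarded_for",'
    '"client":"$remote_addr",'
    '"request_method":"$request_method",'
    '"scheme":"$scheme",'
    '"domain":"$server_name",'
    '"referer":"$http_referer",'
    '"request":"$request_uri",'
    '"requesturl":"$request",'
    '"args":"$args",'
    '"size":$body_bytes_sent,'
    '"status": $status,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamaddr":"$upstream_addr",'
    '"http_user_agent":"$http_user_agent",'
    # Removed: this copied every session cookie in plaintext into the access log
    # (and into any log shipper / SIEM downstream). Re-add only a scrubbed or
    # allow-listed cookie value if one is genuinely needed for debugging.
    #'"http_cookie":"$http_cookie",'
    '"https":"$https"'
    '}';
# A variable in the log path makes nginx open and close the file on every
# request unless a descriptor cache is configured; the logs/ directory must be
# writable by the worker user since the file is created at request time.
open_log_file_cache max=10 inactive=60s valid=1m min_uses=2;
access_log logs/access-$logdate.log main;
# end of per-day logging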
...
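server {
    listen 443 ssl;
    server_name www.mynet.com;

    # ---- TLS -------------------------------------------------------------
    # The master process reads the private key before dropping privileges;
    # keep the .key root-owned with mode 0600 so worker processes (or any
    # file-read bug in the app) cannot expose it.
    ssl_certificate     /home/web/nginx-1.19.10/conf/cert/www.mynet.com.cn_bundle.crt;
    ssl_certificate_key /home/web/nginx-1.19.10/conf/cert/www.mynet.com.key;
    ssl_session_timeout 5m;
    # TLSv1.3 is only negotiated when nginx is linked against OpenSSL 1.1.1+;
    # the token is otherwise ignored, so listing it is safe.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous "HIGH:!ADH:!MD5" still
    # allowed static-RSA and CBC suites (no forward secrecy), and "!ADH" does
    # not exclude anonymous ECDH (AECDH-*) — "!aNULL" is the exclusion that
    # covers both. TLS 1.3 suites are not controlled by this list.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # ---- Security headers -----------------------------------------------
    # add_header is inherited by a location ONLY if that location declares no
    # add_header of its own: a location that adds even one header silently
    # loses all of these. Repeat them (or include a shared snippet) there.
    #
    # frame-ancestors accepts only host/scheme sources, 'self' and 'none';
    # 'unsafe-inline' and 'unsafe-eval' were meaningless in it and browsers
    # ignore them, so they are dropped (no behavior change). Host entries
    # without a scheme match the page scheme (https) — TODO confirm the local
    # :58890/:58891 tools are reached over https, and whether blob:/data:
    # ancestors are really required.
    add_header Content-Security-Policy "frame-ancestors 'self' 127.0.0.1:58890 127.0.0.1:58891 localhost:58890 localhost:58891 gw.alipayobjects.com blob: data:;";
    # Legacy fallback: browsers that understand frame-ancestors ignore
    # X-Frame-Options when CSP is present, so the two lists need not agree.
    add_header X-Frame-Options SAMEORIGIN;
    # BUG FIX: the original wrote "X-Content-Type-Options:" — nginx uses the
    # first argument verbatim as the header name, so the wire header was
    # "X-Content-Type-Options:: nosniff", which browsers discard. Same for
    # X-XSS-Protection, whose value also misspelled "mode" as "mod".
    add_header X-Content-Type-Options nosniff;
    # Only legacy browsers still honour this; modern guidance (OWASP) is to
    # send "0" and rely on a real script-src CSP instead.
    add_header X-XSS-Protection "1; mode=block";
    # preload + includeSubdomains commits every subdomain to HTTPS for two
    # years once submitted; verify no HTTP-only subdomain exists first.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # "origin" still sends the origin on an https->http downgrade; consider
    # strict-origin-when-cross-origin if that leak matters.
    add_header 'Referrer-Policy' 'origin';

    # ---- CORS ------------------------------------------------------------
    # A fixed origin is the correct shape when credentials are allowed
    # (reflecting $http_origin here would be a vulnerability). "always" also
    # emits these on 4xx/5xx responses.
    add_header Access-Control-Allow-Origin https://www.mynet.com always;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS always;
    add_header Access-Control-Allow-Credentials true always;

    # ---- Proxy cache -----------------------------------------------------
    # SECURITY: ignoring Cache-Control/Expires means an upstream "private" or
    # "no-store" is overridden, so proxy_cache must only be enabled on
    # locations that serve public content. "Set-Cookie" was removed from this
    # list: with it ignored, a response that set a session cookie became
    # cacheable and could be served to a different user.
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
    # Serve nginx's own error pages for upstream 4xx/5xx.
    proxy_intercept_errors on;
    # Hide the nginx version in Server: and on error pages.
    server_tokens off;

    # ---- gzip ------------------------------------------------------------
    # NOTE: compressing dynamic HTTPS pages that contain a secret next to
    # attacker-influenced input is the BREACH precondition; restrict gzip to
    # static assets if such pages exist. Already-compressed image types were
    # dropped from gzip_types — they gain nothing and only cost CPU
    # (comp_level 9 is also the most expensive setting).
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 9;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    ...
    # Map 403 and 404 to one identical page so a probe cannot distinguish
    # "exists but forbidden" from "absent" (directory enumeration).
    error_page 403 404 /40x.html;
    location = /40x.html {
        root html;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    # Reject requests whose Host header does not match this vhost.
    # "if ... return" is one of the safe uses of if. On 1.19.4+ a cleaner
    # alternative is a separate default_server with "ssl_reject_handshake on;"
    # so an unknown SNI never even receives this certificate.
    if ($host != 'www.mynet.com') {
        return 403;
    }
    ...
}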
...
}
Nginx 常用配置、SSL、安全加固
于 2024-03-21 12:07:50 首次发布
本文介绍了Nginx的常用配置技巧,包括代理、负载均衡、缓存设置等,并详细讲解了如何为Nginx部署SSL证书以实现HTTPS,同时提供了Nginx服务器的安全加固建议,确保网络服务的安全稳定。