Nginx 常用配置、SSL、安全加固

本文介绍了Nginx的常用配置技巧,包括代理、负载均衡、缓存设置等,并详细讲解了如何为Nginx部署SSL证书以实现HTTPS,同时提供了Nginx服务器的安全加固建议,确保网络服务的安全稳定。
http {
    include       mime.types;
    default_type  application/octet-stream;

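	# Per-day access logs -- begin
	# Derive $logdate (YYYY-MM-DD) from $time_iso8601. If the pattern does not
	# match, the literal 'date-not-found' is used as the file-name suffix.
	map $time_iso8601 $logdate {
		'~^(?<ymd>\d{4}-\d{2}-\d{2})' $ymd;
		default    'date-not-found';
	}

	# One JSON object per request.
	# escape=json makes nginx escape quotes, backslashes and control characters
	# in variable values. Without it, request-controlled fields (User-Agent,
	# Referer, URI, X-Forwarded-For) can close their string early and forge
	# fields or whole log entries. Unset variables are then logged as "" and
	# no longer as "-".
	# "ip" is the raw X-Forwarded-For header and is client-supplied; "client"
	# ($remote_addr) is the peer address nginx actually saw.
	# $http_cookie is no longer logged: it wrote every session cookie to disk in
	# clear text. If one non-sensitive cookie is needed for analysis, log only
	# that cookie with $cookie_NAME.
	log_format main escape=json
	                '{"@timestamp":"$time_iso8601",'
	                '"@source":"$server_addr",'
	                '"hostname":"$hostname",'
	                '"remote_user":"$remote_user",'
	                '"ip":"$http_x_forwarded_for",'
	                '"client":"$remote_addr",'
	                '"request_method":"$request_method",'
	                '"scheme":"$scheme",'
	                '"domain":"$server_name",'
	                '"referer":"$http_referer",'
	                '"request":"$request_uri",'
	                '"requesturl":"$request",'
	                '"args":"$args",'
	                '"size":$body_bytes_sent,'
	                '"status": $status,'
	                '"responsetime":$request_time,'
	                '"upstreamtime":"$upstream_response_time",'
	                '"upstreamaddr":"$upstream_addr",'
	                '"http_user_agent":"$http_user_agent",'
	                '"https":"$https"'
	                '}';

	# A variable in the path means the worker processes create and open the
	# file themselves, so their user needs write permission on logs/. Writes
	# are unbuffered and the file is reopened for every entry unless
	# open_log_file_cache is configured.
	access_log logs/access-$logdate.log main;
	# Per-day access logs -- end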

    ...
    
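    server {
        listen 443 ssl;
        server_name  www.mynet.com;

        # TLS certificate chain and private key. The key file should be
        # readable only by the account that starts nginx.
        ssl_certificate      /home/web/nginx-1.19.10/conf/cert/www.mynet.com.cn_bundle.crt;
        ssl_certificate_key  /home/web/nginx-1.19.10/conf/cert/www.mynet.com.key;
        ssl_session_timeout  5m;

        # TLS 1.2 and 1.3 only (1.3 takes effect only when nginx is built
        # against OpenSSL 1.1.1 or newer).
        ssl_protocols TLSv1.2 TLSv1.3;
        # Alternative cipher strings left by the original author:
        #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
        #ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;
        # !aNULL excludes every unauthenticated suite. The previous !ADH only
        # excluded anonymous DH, so other anonymous suites (e.g. anonymous
        # ECDH) could remain in HIGH depending on the OpenSSL build.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Security response headers.
        # "always" attaches the header to error responses (4xx/5xx) as well;
        # without it nginx adds headers only to 2xx/3xx responses.
        # A location that declares any add_header of its own does NOT inherit
        # these and must repeat them.
        #
        # frame-ancestors accepts only origins, 'self' or 'none'. The
        # 'unsafe-inline' / 'unsafe-eval' keywords belong to script/style
        # directives and are invalid here, and blob: / data: appear to have no
        # useful effect as framing ancestors, so they were removed.
        # This policy restricts who may frame the site; it does not restrict
        # scripts.
        add_header Content-Security-Policy "frame-ancestors 'self' 127.0.0.1:58890 127.0.0.1:58891 localhost:58890 localhost:58891 gw.alipayobjects.com;" always;
        # Browsers that understand frame-ancestors ignore this header; older
        # ones enforce SAMEORIGIN, so the extra origins above cannot frame the
        # site there.
        add_header X-Frame-Options SAMEORIGIN always;
        # The header name must not contain a trailing colon: nginx emits the
        # name verbatim, and "X-Content-Type-Options::" is not recognised.
        add_header X-Content-Type-Options nosniff always;
        # Fixed name (no colon) and value ("mode=block", not "mod=block").
        # Legacy header: current browsers have removed the XSS auditor.
        add_header X-XSS-Protection "1; mode=block" always;
        # Two-year HSTS. includeSubdomains + preload commits every subdomain
        # to HTTPS and is slow to undo; confirm all subdomains serve valid TLS.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        add_header 'Referrer-Policy' 'origin' always;

        # CORS: credentialed cross-origin requests from this one origin only
        add_header Access-Control-Allow-Origin https://www.mynet.com always;
        add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS always;
        add_header Access-Control-Allow-Credentials true always;

        # Cache settings
        # NOTE(review): ignoring Cache-Control and Set-Cookie lets proxy_cache
        # store responses the upstream marked private/no-store or that set a
        # session cookie, which can then be served to other users. The cache
        # directives are not shown here; confirm this applies only to
        # locations serving static, user-independent content.
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;

        # Replace upstream error responses with the error_page handlers below
        proxy_intercept_errors on;
        # Hide the nginx version in the Server header and on error pages
        server_tokens off;
        # gzip config
        # NOTE(review): compressing HTTPS responses that contain both a secret
        # (CSRF token, session data) and attacker-influenced input exposes
        # them to compression side channels (BREACH); consider disabling gzip
        # for such dynamic responses.
        gzip on;
        gzip_min_length 1k;
        gzip_comp_level 9;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";

        ...

        # Serve the same generic page for 403 and 404 so that probing paths
        # does not reveal which ones exist but are forbidden.
        error_page 403 404 /40x.html;
        location = /40x.html {
            root   html;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # Reject requests whose Host is not the expected name (guards against
        # Host-header abuse). A separate default_server block that refuses
        # everything else is the more conventional way to achieve this.
        if ($host != 'www.mynet.com') {
            return 403;
        }

        ...


    }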

    ...
}
