• nginx产品环境安全配置-主配置文件


    以下为产品环境中兼顾安全与效率的 nginx 主配置文件,不包含 fastcgi 相关配置

    cat /etc/nginx/nginx.conf
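    user                   nginx;
    worker_processes       auto;
    error_log              /var/log/nginx/error.log;
    pid                    /run/nginx.pid;
    include                /usr/share/nginx/modules/*.conf;
    events {
        use                epoll;
        multi_accept       on;
        worker_connections 2048;
    }
    http {
       # Basic security settings.
       # NOTE: add_header set here is inherited by a server/location block only
       # when that block has no add_header of its own. A vhost under conf.d/ that
       # adds any header of its own must repeat these three, or they are dropped.
        ## 1. Do not reveal the nginx version in the Server header or error pages
        server_tokens       off;
        ## 2. Only allow same-origin frame/iframe/object embedding (clickjacking)
        add_header          X-Frame-Options SAMEORIGIN;
        ## 3. Disable MIME sniffing so a response is not reinterpreted as script
        add_header          X-Content-Type-Options nosniff;
        ## 4. Legacy browser XSS auditor, kept for old clients only. Current
        ##    browsers ignore or have removed it, so the effective control is a
        ##    Content-Security-Policy header set in the vhost configuration.
        add_header          X-XSS-Protection "1; mode=block";
       # Included configuration files and media types
        include             /etc/nginx/conf.d/*.conf;
        include             mime.types;
        default_type        application/octet-stream;
       # sendfile and TCP connection settings
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
       # gzip compression. No gzip_types is set, so only text/html is compressed.
       # Compressing responses that mix secrets with client-controlled input over
       # TLS exposes them to compression side channels (BREACH); disable gzip for
       # such dynamic responses in the vhost configuration.
        gzip                on;
        gzip_min_length     5k;
        gzip_buffers        4 16k;
        gzip_comp_level     2;
        gzip_vary           on;
       # Request and buffer sizes. The header buffers are generous and are
       # allocated per connection, so together with limit_conn below they bound
       # the memory a single client can tie up with oversized headers.
        client_max_body_size        100m;
        client_body_buffer_size     8K;
        client_header_buffer_size   64k;
        large_client_header_buffers 4 128k;
       # Connection and request rate limits (DoS mitigation)
        ## 1. At most 50 concurrent connections per client IP
        limit_conn_zone $binary_remote_addr zone=TCLZone:20m ;
        limit_conn_log_level notice;
        limit_conn  TCLZone  50;
        ## 2. At most 10 requests/s per client IP. With nodelay a burst of up to
        ##    5 extra requests is served immediately rather than queued; anything
        ##    beyond the burst is rejected (503 by default).
        limit_req_zone $binary_remote_addr  zone=CLZone:20m rate=10r/s;
        limit_req_log_level notice;
        limit_req zone=CLZone burst=5 nodelay;
       # Log formats and paths: production uses the JSON format, other
       # environments the default format.
        log_format  main    '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';
        ## escape=json (nginx >= 1.11.8) is required for a JSON log line:
        ## $request, $http_user_agent, $http_referer and $http_x_forwarded_for are
        ## client-controlled, and the default escaping writes a quote as \x22,
        ## which strict JSON parsers reject, letting a crafted header break or
        ## inject into the log pipeline. With escape=json a missing variable is
        ## logged as an empty string instead of "-".
        log_format main_json escape=json '{"@timestamp":"$time_local",'
                             '"N_client_ip": "$remote_addr",'
                             '"N_request": "$request",'
                             '"N_request_time": "$request_time",'
                             '"N_status": "$status",'
                             '"N_bytes": "$body_bytes_sent",'
                             '"N_user_agent": "$http_user_agent",'
                             '"N_x_forwarded": "$http_x_forwarded_for",'
                             '"N_referer": "$http_referer"'
                             '}';
        access_log  /var/log/nginx/access.log  main_json;
       # Catch-all server: reject requests for the bare IP or an unknown Host.
       # default_server is required because conf.d/*.conf is included above:
       # without it the first vhost from conf.d silently becomes the default for
       # port 80 and this block never matches. "_" is the conventional
       # never-matching server_name. (return 444 would instead close the
       # connection without a response; 501 is kept as the author chose.)
        server {
            listen 80 default_server;
            server_name _;
            return 501;
        }
    }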
    
    
  • 原文地址:https://www.cnblogs.com/noah-luo/p/11598003.html