基础安全
先说一些基本安全设置,由开始发展到现在,其实nginx的安全做得比以前已经好不少,不过有些还是要强调一下。
Nginx默认是不允许列出整个目录的,不过,我们为了安全,最好还是确认这个真的关闭了,不然代码被拉走了就悲剧了。
http {
autoindex off;
}
nginx默认是会在返回的数据包中显示版本号,原本这个并不是大问题,但是被别有用心的人专门攻击这个版本的话,那就不好了,所以,我们还是隐藏好一点。
http {
server_tokens off;
}
IP安全
白名单高度安全配置(适用于授权IP较少的情况,其余全部deny封锁),可配置在http、server、location中
location / { allow 192.168.1.1; deny all; }
黑名单配置(适用于授权IP较多的情况,allow其余),可配置在http、server、location中
location / { deny 192.168.1.1; allow all; }
连接安全
设置https连接的模块
1. ssl on | off;
是否开启ssl连接
2. ssl_certificate file;
当前虚拟主机使用PEM格式的证书文件;
3. ssl_certificate_key file;
当前虚拟主机上与其证书匹配的私钥文件;
4. ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
支持ssl协议版本,默认为后三个;
5. ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
builtin[:size]:使用OpenSSL内建的缓存,此缓存为每worker进程私有;
[shared:name:size]:在各worker之间使用一个共享的缓存;
6. ssl_session_timeout time;
客户端一侧的连接可以复用ssl session cache中缓存 的ssl参数的有效时长;
先自建一个CA,创建证书和私钥文件
在CA证书服务器生成自签证书 [root@C711 ~]# cd /etc/pki/CA/ [root@C711 CA]# ls certs crl newcerts private [root@C711 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ...........+++ ......+++ e is 65537 (0x10001) [root@C711 CA]# ll private 总用量 4 -rw------- 1 root root 1675 7月 9 23:02 cakey.pem [root@C711 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pm [root@C711 CA]# touch index.txt [root@C711 CA]# echo 01 > serial 在nginx服务器上: [root@C712 ~]# mkdir /etc/nginx/ssl #创建ssl目录 [root@C712 ~]# cd /etc/nginx/ssl [root@C712 ssl]# (umask 077; openssl genrsa -out nginx.key 2048) #创建秘钥 [root@C712 ssl]# ll #查询 总用量 4 -rw------- 1 root root 1679 7月 9 23:19 nginx.key [root@C712 ssl]# openssl req -new -key nginx.key -out nginx.csr #创建私钥 [root@C712 ssl]# ll #查询 总用量 8 -rw-r--r-- 1 root root 989 7月 9 23:22 nginx.csr -rw------- 1 root root 1679 7月 9 23:19 nginx.key [root@C712 ssl]# scp nginx.csr 192.168.1.11:/tmp/#传输到CA服务器上 在CA服务器上认证 [root@C711 CA]# openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365 [root@C711 CA]#scp certs/nginx.crt 192.168.1.12:/etc/nginx/ssl #传送回nginx服务器 回到nginx服务器上 [root@C712 ~]# cd /etc/nginx [root@C712 nginx]# cp conf.d/vhost1.conf conf.d/vhost1_ssl.conf [root@C712 nginx]# vim conf.d/vhost1_ssl.conf server{ listen 443 ssl; #修改监听端口 server_name www.ilinux.io; root /data/nginx/vhost1; access_log /var/log/nginx/vhost1_ssl_access.log main; ssl on; #开启ssl ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_protocols sslv3 tlsv1 tlsv1.1 tlsv1.2;#支持哪些协议 ssl_session_cache shared:sslcache:20m;#指明缓存大小,1M能够缓存4000个会话 location ~* ^/(admin|login){ auth_basic "admin area or login url"; auth_basic_user_file /etc/nginx/.ngxpasswd; } } [root@C712 ~]# nginx -s reload
HTTPS SSL
server { listen 6003; server_name localhost; client_max_body_size 2000m; ssl on; ssl_certificate /usr/local/nginx/conf/cert/server.crt; ssl_certificate_key /usr/local/nginx/conf/cert/server.key; ssl_client_certificate /usr/local/nginx/conf/cert/ca.crt; ssl_verify_client on; ssl_session_cache shared:SSL8:1m; ssl_session_timeout 2h; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://11.8.130.167; proxy_redirect default; } location /xmpptalk { proxy_pass http://11.8.130.168:8080/xmpptalk; proxy_redirect default; } }
如果是建立类似xmpp之类的双向ssl,可以参考客户端配置:
https://www.cnblogs.com/starcrm/p/9705276.html
TCP SSL
相关的nginx服务器反向代理设置为tcp结点,对xmpp的5222端口进行ssl反向代理。
tcp { timeout 1d; proxy_read_timeout 10d; proxy_send_timeout 10d; proxy_connect_timeout 30; upstream nytalk_im { server 11.8.130.166:5222; check interval=3000 rise=2 fall=5 timeout=1000; } server { listen 6001; so_keepalive on; proxy_pass nytalk_im; tcp_nodelay on; #ssl on; ssl_certificate /usr/local/nginx/conf/cert/server.crt; ssl_certificate_key /usr/local/nginx/conf/cert/server.key; ssl_client_certificate /usr/local/nginx/conf/cert/ca.crt; ssl_verify_client on; ssl_session_cache shared:SSL2:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; } upstream nytalk_file { server 11.8.130.167:80; check interval=3000 rise=2 fall=5 timeout=1000; } server { listen 6002; so_keepalive on; proxy_pass nytalk_file; ssl on; ssl_certificate /usr/local/nginx/conf/cert/server.crt; ssl_certificate_key /usr/local/nginx/conf/cert/server.key; ssl_client_certificate /usr/local/nginx/conf/cert/ca.crt; ssl_verify_client on; ssl_session_cache shared:SSL2:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; } upstream nytalk_ssl { server 11.8.130.166:5223; check interval=3000 rise=2 fall=5 timeout=1000; }