
Nginx搭建服务器的高安全性配置和防火墙策略


Nginx高安全性配置与防火墙策略指南

1. Nginx基础安全配置

1.1 版本信息隐藏

# Strip the version number from the Server header and from nginx's own
# error pages. The header still reads "nginx" (removing it entirely needs
# the headers-more module or a custom build), so this only denies version
# scanners a free hit; it is not a substitute for patching.
server_tokens off;

1.2 禁用不必要的HTTP方法

# Answer 405 to every method except GET/HEAD/POST. Place this in the server
# (or a location) block. OPTIONS (CORS preflight) and PUT/DELETE/PATCH for
# REST backends are blocked too -- extend the list where such a backend lives.
# A 405 ought to carry an Allow header, but add_header is not permitted in
# an "if" at server level; if that matters, use
# "limit_except GET HEAD POST { deny all; }" inside the location instead
# (note: that variant answers 403, not 405).
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

1.3 安全头部配置

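# Security response headers.
# "always" attaches them to error responses (4xx/5xx) as well; without it
# nginx only adds them to 2xx/3xx responses, so an error page from the
# application would ship unprotected.
# NOTE: add_header is not inherited by any server/location that declares an
# add_header of its own -- such a block has to repeat this whole list.
add_header X-Frame-Options "SAMEORIGIN" always;
# The legacy XSS auditor is gone from current browsers and, in the old ones
# that had it, "1; mode=block" was itself abusable for information leaks;
# "0" turns it off explicitly instead of re-enabling it.
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
# Same-origin everything: inline <script>/<style> and CDN assets are blocked.
# Roll it out as Content-Security-Policy-Report-Only first and watch the
# violation reports before enforcing.
add_header Content-Security-Policy "default-src 'self'" always;
# "strict-origin-when-cross-origin" is the tighter modern default if the
# full URL does not need to reach third-party sites.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# HSTS: set it only in the HTTPS server block. includeSubDomains pins every
# subdomain to HTTPS for a year, so confirm they all serve TLS before adding.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;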

1.4 SSL/TLS安全配置

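# TLS hardening. TLS 1.0/1.1 are disabled. The cipher list below governs
# TLS 1.2 only -- TLS 1.3 suites are fixed by the OpenSSL build and are not
# selected through ssl_ciphers.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# Offer X25519 first (what current TLS 1.3 clients put in their key_share)
# and keep P-384 as a fallback. Pinning secp384r1 alone forces a
# HelloRetryRequest round trip on every X25519-first client and gains
# nothing in strength.
ssl_ecdh_curve X25519:secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# Tickets stay off: nginx's ticket key is static unless
# ssl_session_ticket_key is rotated out-of-band, and a static key undoes
# forward secrecy for every session it protected.
ssl_session_tickets off;
# OCSP stapling. ssl_stapling_verify only works when the issuer chain is
# given via ssl_trusted_certificate and a "resolver" is set for the OCSP
# responder; otherwise nginx logs a warning at startup and staples nothing
# (the directive does not fail loudly). Fill in both for your deployment:
# ssl_trusted_certificate /path/to/intermediate-and-root-chain.pem;
# resolver <your-DNS-resolver-IP> valid=300s;
ssl_stapling on;
ssl_stapling_verify on;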

2. 访问控制

2.1 IP访问限制

# Admin area limited to the office LAN and one jump host. Rules are
# evaluated top-down, first match wins, so "deny all" must stay last.
# Caveats:
#  - Behind a load balancer / CDN, $remote_addr is the proxy's address:
#    configure set_real_ip_from / real_ip_header first, or the allow list
#    is matched against the proxy and every visitor looks the same.
#  - This is a prefix location. A regex location declared elsewhere (e.g.
#    "location ~ \.php$") takes precedence for matching URIs, so
#    /admin/index.php would be served by that block *without* these rules.
#    Use "location ^~ /admin" or repeat the allow/deny inside the regex
#    location to close that gap.
location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.1;
    deny all;
}

2.2 速率限制

# Per-client request rate limit. limit_req_zone belongs in the http block.
# The key is the raw client address, so behind a proxy all users share one
# bucket unless real_ip is configured. 10m of shared memory holds roughly
# 160k addresses; when the zone is full nginx answers 503.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        # burst=20 tolerates a short spike of 20 extra requests and nodelay
        # serves them at once instead of queueing. Excess requests get 503
        # unless limit_req_status (e.g. 429) says otherwise; rejections are
        # logged at "error" level and are a useful fail2ban signal.
        limit_req zone=one burst=20 nodelay;
    }
}

2.3 文件访问限制

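# Hidden files and directories anywhere in the path: .env, .git/, .svn/,
# .htaccess/.htpasswd, editor swap files. An extension-only rule would not
# catch /.git/config or /.git/HEAD, which leak source and history.
# /.well-known/ is exempted so ACME HTTP-01 challenges keep working.
# Regex locations are tried in file order, first match wins, and they beat
# prefix locations -- keep these two above any "~ \.php$" handler.
location ~ /\.(?!well-known) {
    deny all;
}

# Config, credential, dump and backup files by extension. "deny all" answers
# 403, which still confirms the file exists; use "return 404;" instead if
# that leak matters. Probes are intentionally left in the access log.
location ~* \.(env|log|htaccess|htpasswd|ini|conf|sh|sql|bak|old|orig|swp|pem|key)$ {
    deny all;
}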

3. 防火墙策略

3.1 UFW防火墙配置 (Ubuntu)

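#!/usr/bin/env bash
# Host firewall for a web server using UFW (Ubuntu). Inbound is default-deny;
# only SSH (rate-limited) and HTTP/HTTPS are opened.
# Keep a second SSH session open until the rules are confirmed working.
set -euo pipefail

sudo apt install -y ufw

# Default policies: drop everything inbound, allow all outbound.
# IPv6 is covered as well, provided IPV6=yes in /etc/default/ufw (the default).
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH *before* enabling, or the session you are on is cut off.
# "limit" instead of "allow": the port is open, but a source that opens more
# than 6 new connections in 30 seconds is temporarily blocked, which blunts
# password brute-forcing. If sshd listens elsewhere, use "limit <port>/tcp".
sudo ufw limit ssh

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# "enable" prompts for confirmation when it detects an SSH session; check the
# pending rule list first and only then confirm.
sudo ufw show added
sudo ufw enable
sudo ufw status verbose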

3.2 iptables防火墙配置(与 3.1 二选一:本节的 iptables -F 会清空 UFW 生成的规则链,两者不要同时使用)

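#!/usr/bin/env bash
# Baseline host firewall with iptables: default-deny inbound, allow loopback,
# established flows, SSH, HTTP/HTTPS and ping -- applied to BOTH IPv4 and
# IPv6. Filtering only iptables leaves every IPv6 port wide open.
# Must run as root; keep a spare SSH session open while applying.
set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-22}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install the rule set on one address family.
# Arguments: $1 - "iptables" or "ip6tables"
#######################################
apply_rules() {
  local ipt=$1

  # Reset the policy to ACCEPT *before* flushing: setting DROP on an empty
  # chain (as the original order did) drops the packets of the very SSH
  # session this script is run from until the ESTABLISHED rule exists.
  "$ipt" -P INPUT ACCEPT
  "$ipt" -F
  "$ipt" -X

  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A OUTPUT -o lo -j ACCEPT

  "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Packets that belong to no known connection (malformed, out-of-window).
  "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

  "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  "$ipt" -A INPUT -p tcp --dport 80 -j ACCEPT
  "$ipt" -A INPUT -p tcp --dport 443 -j ACCEPT

  if [[ "$ipt" == ip6tables ]]; then
    # ICMPv6 carries neighbour discovery and PMTU; dropping it breaks IPv6
    # entirely, so allow the protocol rather than just echo-request.
    "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
  else
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  fi

  # Default-deny last, only once every accept rule above is in place.
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
}

main() {
  [[ "$EUID" -eq 0 ]] || die "run as root"

  apply_rules iptables
  if command -v ip6tables >/dev/null; then
    apply_rules ip6tables
  else
    printf 'warning: ip6tables not found; IPv6 inbound traffic is NOT filtered\n' >&2
  fi

  # Persist: an iptables-save dump is not reloaded at boot by itself.
  # Debian/Ubuntu: apt install iptables-persistent, which restores these two
  # files from /etc/iptables/ on boot (or run "netfilter-persistent save").
  # RHEL-family systems use "service iptables save" / nftables instead.
  mkdir -p /etc/iptables
  iptables-save > /etc/iptables/rules.v4
  if command -v ip6tables-save >/dev/null; then
    ip6tables-save > /etc/iptables/rules.v6
  fi
}

main "$@"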

3.3 Fail2Ban配置

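#!/usr/bin/env bash
# Fail2Ban for the Nginx host: bans sources that repeatedly fail HTTP auth,
# trip the nginx rate limit, or scan for well-known bad paths, plus the
# standard sshd jail.
set -euo pipefail

sudo apt install -y fail2ban

# Write a minimal jail.local instead of copying jail.conf over it: jail.conf
# is replaced on package upgrade, and a full copy freezes every default
# (including [DEFAULT]) at today's values so upstream fixes never apply.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
# Never ban your own management network; adjust before enabling.
# ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enabled = true

# Repeated 401s from auth_basic locations (nginx logs them to error.log).
[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log

# Sources rejected by the limit_req zone ("limiting requests" in error.log).
[nginx-limit-req]
enabled = true
port    = http,https
logpath = /var/log/nginx/error.log

# Probes for phpMyAdmin, wp-login and similar paths that do not exist here.
[nginx-botsearch]
enabled = true
port    = http,https
logpath = /var/log/nginx/access.log

# The Apache bad-bots filter matches nginx's default "combined" format; it
# will not match a custom log_format with extra trailing fields, so verify
# with "fail2ban-regex <logfile> apache-badbots" before relying on it.
[nginx-badbots]
enabled = true
filter  = apache-badbots
port    = http,https
logpath = /var/log/nginx/access.log
EOF

# Every filter referenced above ships with fail2ban. The "nginx-noscript"
# filter seen in older tutorials does not; enabling a jail whose filter file
# is missing makes the whole service fail to start.
sudo fail2ban-client -t
sudo systemctl restart fail2ban
sudo fail2ban-client status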

4. 日志与监控

4.1 Nginx日志配置

# Access log format for security review. Beyond the "combined" fields:
#   $request_time / $upstream_response_time -- surfaces slow-loris style
#     requests and backend stalls;
#   $http_x_forwarded_for -- the proxy chain when nginx sits behind a proxy.
#     It is a request header the client controls: treat it as untrusted
#     input, never use it for allow/deny decisions, and expect spoofed
#     values in the log.
# Variables are escaped by default (quotes and control characters become
# \xNN), which blunts log injection of fake lines; add escape=json if the
# log is parsed as JSON downstream.
log_format security '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   '$request_time $upstream_response_time '
                   '$http_x_forwarded_for';

access_log /var/log/nginx/security.log security;

4.2 日志轮转

在 /etc/logrotate.d/nginx 中添加(Debian/Ubuntu 的 nginx 包已自带该文件,直接在其中按需调整即可):

# Rotate every nginx log daily, keeping 30 compressed generations.
/var/log/nginx/*.log {
    daily
    missingok
    rotate 30
    compress
    # Yesterday's file stays uncompressed for one cycle so nginx (and
    # fail2ban, which tails these files) can finish with it first.
    delaycompress
    notifempty
    # New files owned by the worker user, readable by the adm group.
    # NOTE(review): a compromised worker can then truncate or rewrite its
    # own logs. If tamper resistance matters, consider root:adm -- the
    # master process presumably opens the logs while still root and hands
    # the descriptors to the workers, so root ownership should work; confirm
    # on your distribution before changing the packaged default.
    create 0640 www-data adm
    sharedscripts
    postrotate
        # Tell the master to reopen its log files; without this nginx keeps
        # writing into the renamed (rotated) file.
        /usr/sbin/nginx -s reopen
    endscript
}

5. 其他安全建议

  1. 定期更新:保持Nginx和操作系统最新,并订阅发行版与 Nginx 的安全公告
  2. 最小权限原则:nginx 的 master 进程以 root 启动(需要绑定 80/443 并读取证书私钥),worker 进程由 `user www-data;` 指令降权运行;确认 worker 不是 root,且站点目录对 worker 只读、证书私钥对 worker 不可读
  3. 禁用目录列表:`autoindex off;`(这是默认值,但若上层配置中曾打开,需要在对应 location 中显式关闭)
  4. 限制缓冲区大小:按业务实际需求设置,而不是一律 1k。`client_max_body_size 1k;` 会拒绝所有超过 1KB 的 POST/上传(返回 413),`client_header_buffer_size 1k; large_client_header_buffers 2 1k;` 会让带较大 Cookie 的正常请求返回 400/494。较保守且不破坏常规业务的取值是 `client_body_buffer_size 16k; client_header_buffer_size 1k; client_max_body_size 1m; large_client_header_buffers 4 8k;`,再按应用调整
  5. 使用ModSecurity:安装 WAF 模块(如 ModSecurity v3 + OWASP Core Rule Set)增强防护,先以检测模式(DetectionOnly)运行观察误报,再切换为拦截

通过以上配置,您可以显著提高Nginx服务器的安全性。请根据您的具体需求调整这些配置,并在生产环境部署前进行全面测试:先用 `nginx -t` 校验配置语法,再 `nginx -s reload`,并用 `curl -I` 和 TLS 扫描工具核对响应头与证书链是否符合预期。