Nginx安全策略设计指南

作为IT工程师，设计Nginx的安全策略需要考虑多个层面。以下是一套全面的Nginx安全配置方案：

1. 基础安全配置

1.1 隐藏Nginx版本信息

server_tokens off;

1.2 禁用不必要的HTTP方法

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

1.3 限制请求大小

client_max_body_size 1m;
client_body_buffer_size 1k;
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;

2. SSL/TLS配置

2.1 强制HTTPS

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

2.2 安全SSL配置

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

3. 访问控制

3.1 IP限制

location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.1;
    deny all;
}

3.2 速率限制

limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        limit_req zone=one burst=5 nodelay;
    }
}

4. 内容安全策略(CSP)

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; img-src 'self' data: https://*.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none';";

5. 其他安全头

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Permissions-Policy "geolocation=(), microphone=()";

6. 文件访问限制

location ~* \.(env|log|htaccess)$ {
    deny all;
}

location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

7. 日志与监控

log_format security '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/security.log security;

8. 防止信息泄露

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

9. 反向代理安全

proxy_hide_header X-Powered-By;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

10. 定期维护建议

1. 保持Nginx版本更新
2. 定期审查访问日志
3. 使用自动化工具扫描配置漏洞
4. 定期更新SSL证书
5. 监控异常流量模式

以上配置需要根据实际业务需求进行调整，建议在实施前进行充分测试。安全是一个持续的过程，需要定期审查和更新策略。