Nginx及相关服务安全性能优化指南

一、Nginx基础安全配置

1. 隐藏Nginx版本信息

server_tokens off;

2. 限制HTTP方法

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

3. 禁用不必要的HTTP头

more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';

4. 防止点击劫持

add_header X-Frame-Options "SAMEORIGIN";

5. 启用XSS保护

add_header X-XSS-Protection "1; mode=block";

二、SSL/TLS安全配置

1. 禁用不安全的协议和加密套件

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

2. 启用HSTS

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

3. OCSP Stapling配置

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

三、访问控制与限流

1. 限制IP访问

location /admin {
    allow 192.168.1.0/24;
    deny all;
}

2. 请求速率限制

limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    limit_req zone=one burst=20 nodelay;
}

3. 连接数限制

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    limit_conn addr 10;
}

四、性能优化配置

1. 启用Gzip压缩

gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 1000;
gzip_proxied any;
gzip_comp_level 6;

2. 启用缓存

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m use_temp_path=off;

server {
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
    }
}

3. 文件描述符优化

worker_rlimit_nofile 65535;
events {
    worker_connections 8192;
    multi_accept on;
    use epoll;
}

五、日志与监控

1. 自定义访问日志格式

log_format security '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   '$request_time $upstream_response_time';

access_log /var/log/nginx/access.log security;

2. 错误日志级别调整

error_log /var/log/nginx/error.log warn;

3. 实时监控配置

location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}

六、WAF集成

1. ModSecurity配置

load_module modules/ngx_http_modsecurity_module.so;

http {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

2. NAXSI配置

load_module modules/ngx_http_naxsi_module.so;

http {
    include /etc/nginx/naxsi_core.rules;

    location / {
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
    }

    location /RequestDenied {
        internal;
        return 403;
    }
}

七、系统层面优化

1. 内核参数优化

# /etc/sysctl.conf
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30

2. 文件描述符限制

# /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
nginx soft nofile 65535
nginx hard nofile 65535

八、定期维护建议

1. 定期更新：保持Nginx和相关模块的最新版本
2. 日志分析：使用工具如GoAccess、ELK分析访问日志
3. 安全扫描：定期使用Nessus、OpenVAS进行漏洞扫描
4. 配置审计：使用nginx -t测试配置，定期审查配置文件
5. 备份策略：定期备份Nginx配置和SSL证书

通过实施以上优化措施，可以显著提升Nginx服务的安全性和性能，同时保持服务的稳定性和可靠性。