HTTP请求嗅探是一种常见的安全威胁,攻击者可能通过拦截或监听HTTP请求获取敏感信息。在Nginx反向代理环境中,可以通过以下方法增强防御:
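# Plain-HTTP listener: every request is redirected to HTTPS so that no
# application traffic is ever exchanged in the clear.
server {
listen 80;
server_name example.com;
# Redirect to the configured server name instead of the client-supplied
# $host: a forged Host header then cannot steer the redirect to another
# origin. If this is the only (or first) :80 server it also receives
# requests for any other Host value, so that matters here.
return 301 https://$server_name$request_uri;
}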
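# TLS listener for the site.
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# Only allow modern TLS versions; legacy protocol versions are exactly
# what a passive sniffer or a downgrade attempt would rely on.
ssl_protocols TLSv1.2 TLSv1.3;
# Enable HSTS; "always" also emits the header on error responses
# (4xx/5xx), which add_header otherwise skips.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# other configuration...
}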
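# Response hardening headers. Caveat: add_header directives are not
# inherited into a nested block that defines its own add_header, so a
# location with any add_header of its own must repeat this whole set.
# "always" makes each header appear on error responses as well.
add_header X-Frame-Options "SAMEORIGIN" always;
# The browser XSS auditor is deprecated and its blocking mode has been
# used to leak information; the recommended value today is "0" (off),
# with Content-Security-Policy doing the real work.
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely
# cancel the policy's XSS protection; tighten once inline scripts are
# moved out or carry nonces/hashes.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;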
# Restrict HTTP methods: anything other than GET/HEAD/POST gets 405.
# Note this also rejects OPTIONS, so CORS preflight requests will fail
# if the application relies on them.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
# Upstream connection settings. Speaking HTTP/1.1 to the backend with an
# empty Connection header is what nginx requires for upstream keepalive.
# NOTE(review): the original labels this as request-smuggling prevention;
# smuggling resistance depends mostly on nginx and the backend parsing
# Content-Length/Transfer-Encoding consistently — confirm with the backend.
proxy_http_version 1.1;
proxy_set_header Connection "";
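# Reject requests whose Host header is not one of ours; 444 closes the
# connection without sending a response. The dots are escaped so that a
# host such as "exampleXcom" no longer matches; the match stays
# case-insensitive because hostnames are. A separate default_server
# that returns 444 is the more robust way to achieve the same thing.
if ($host !~* ^(example\.com|www\.example\.com)$ ) {
return 444;
}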
# Never serve dynamic/sensitive content from the proxy cache: requests
# for these extensions bypass the cache and their responses are not stored.
# proxy_pass is not inherited from the enclosing block, so this location
# needs its own proxy_pass (and these two directives only have an effect
# when proxy_cache is configured).
location ~* \.(php|asp|aspx|jsp|do|action)$ {
proxy_no_cache 1;
proxy_cache_bypass 1;
}
# Hide server information. server_tokens off only drops the version from
# the Server header and error pages; removing the header entirely needs
# more_clear_headers, which comes from the third-party headers-more module
# and must be compiled or loaded for these lines to parse.
server_tokens off;
more_clear_headers Server;
more_clear_headers X-Powered-By;
# Cap the request body at 10 MB; larger uploads are answered with 413.
client_max_body_size 10m;
# Rate limiting keyed on the client address: 10 MB of shared state
# (roughly 160k addresses per the nginx docs) at 10 requests/s.
# limit_req_zone is only valid in the http context, so it must be moved
# there if this snippet is pasted into a server block.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
location / {
# Up to 20 excess requests are queued and delayed; beyond that nginx
# rejects with 503 unless limit_req_status says otherwise.
limit_req zone=one burst=20;
# other configuration...
}
# Mitigate slow-request (slowloris-style) attacks: a client that stalls
# for more than 10 s between body or header chunks is dropped with 408.
client_body_timeout 10s;
client_header_timeout 10s;
# WAF via ModSecurity. These directives require the ModSecurity-nginx
# connector module; the rules file referenced here is not shown on this page.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# Alternatively use NAXSI. Two things to fix before deploying:
#  - this "location /" duplicates the one in the rate-limiting section
#    above; nginx refuses to start with duplicate locations in one
#    server, so the two bodies must be merged.
#  - DeniedUrl must point at a location that exists (NAXSI internally
#    redirects blocked requests there), and the NAXSI core rules need an
#    include in the http context — the comment below mentions the base
#    ruleset but no include is shown.
location / {
# Enable NAXSI rule processing in this location
SecRulesEnabled;
# Base ruleset reference (see note above)
DeniedUrl "/RequestDenied";
# Block once the per-category score reaches the threshold
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
# other configuration...
}
# Detailed access logging for security review. log_format is only valid
# in the http context. Caveats: $request includes the query string, so
# secrets passed in URLs end up in this file; $http_x_forwarded_for is a
# client-supplied header and is only trustworthy when set by a proxy you
# control in front of nginx.
log_format security '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'$http_x_forwarded_for';
access_log /var/log/nginx/security.log security;
通过以上措施的综合应用,可以显著降低HTTP请求被嗅探的风险,提高Nginx反向代理环境的安全性。