Nginx HTTP代理安全性能优化指南

作为一款高性能的HTTP代理服务器，Nginx在安全性和性能方面的配置至关重要。以下是一套全面的优化方案：

1. 基础安全加固

1.1 隐藏服务器信息

server_tokens off;
more_clear_headers Server;
more_clear_headers X-Powered-By;

1.2 禁用不必要的方法

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

1.3 限制HTTP协议版本

if ($server_protocol !~* "HTTP/1.1|HTTP/2.0") {
    return 444;
}

2. 访问控制

2.1 IP访问限制

location /admin/ {
    allow 192.168.1.0/24;
    allow 10.0.0.1;
    deny all;
}

2.2 速率限制

limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

server {
    location / {
        limit_req zone=req_limit burst=20 nodelay;
    }
}

3. 头部安全配置

3.1 安全相关HTTP头

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

4. SSL/TLS优化

4.1 强加密套件配置

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

5. 代理性能优化

5.1 缓冲区优化

proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 24k;
proxy_max_temp_file_size 0;

5.2 连接优化

proxy_http_version 1.1;
proxy_set_header Connection "";
keepalive_timeout 75s;
keepalive_requests 100;

5.3 缓存优化

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m use_temp_path=off;

server {
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    }
}

6. 高级安全防护

6.1 防止信息泄露

location ~* \.(bak|conf|sh|sql|ini)$ {
    deny all;
    return 404;
}

6.2 防DDoS配置

limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

server {
    limit_conn conn_limit 20;
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;
}

7. 日志与监控

7.1 详细日志记录

log_format security '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   '$request_time $upstream_response_time '
                   '$upstream_cache_status';

access_log /var/log/nginx/security.log security;

实施建议

1. 逐步实施这些配置变更，每次修改后测试功能
2. 使用nginx -t测试配置语法
3. 定期审计Nginx配置和安全头
4. 监控性能指标和错误日志
5. 保持Nginx版本更新以获取最新安全补丁

通过以上配置，您的Nginx HTTP代理将在安全性和性能方面得到显著提升，同时保持对现代Web应用的兼容性。