作为高性能的Web服务器和反向代理,Nginx在性能与安全之间需要精细的平衡。以下是一些关键实践:
worker_processes auto; # 自动设置工作进程数
worker_connections 1024; # 每个工作进程的最大连接数
keepalive_timeout 65; # 保持连接的超时时间
sendfile on; # 启用高效文件传输模式
tcp_nopush on; # 仅在sendfile开启时有效,优化数据包发送
gzip on; # 启用Gzip压缩
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
upstream backend {
least_conn; # 最少连接负载均衡
server backend1.example.com;
server backend2.example.com;
keepalive 32; # 保持连接池大小
}
server_tokens off; # 隐藏Nginx版本信息
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location /admin {
allow 192.168.1.0/24;
deny all;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 100; # 每个IP最多100个连接
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req zone=one burst=20 nodelay;
client_max_body_size 10m; # 限制上传文件大小
client_body_buffer_size 128k;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main buffer=32k flush=5m;
error_log /var/log/nginx/error.log warn;
nginx -t测试配置通过以上措施,可以在不显著影响性能的前提下,大幅提升Nginx的安全性。实际配置应根据具体业务需求进行调整和优化。