作为IT工程师，我将为您详细介绍如何为Nginx配置全面的URL安全策略，以保护您的Web应用免受常见攻击。
# Hide the nginx version in the Server header and on built-in error pages.
# The bare "Server: nginx" header is still sent; removing it entirely needs a
# third-party module, so do not treat this as hiding the server type.
server_tokens off;
# Method allow-list. This is a server-level "if": only rewrite-phase directives
# (return/rewrite/set) are safe inside it. It also rejects OPTIONS (CORS
# preflight) and PUT/PATCH/DELETE, so it breaks REST APIs — adjust per vhost.
# An "Allow" header cannot be attached here (add_header is not permitted in a
# server-level if); limit_except in a location is the alternative if needed.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
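# Refuse direct requests for server-side script/executable sources. Such files
# should not live under the document root at all; this location is a backstop,
# not the primary control. If this site actually serves PHP/CGI, remove it or
# scope it to directories that must never execute (e.g. uploads).
# "(/|$)" also catches PATH_INFO-style URIs such as /x.php/anything, which the
# original "$"-anchored pattern let through.
location ~* \.(php|pl|py|jsp|asp|sh|cgi)(/|$) {
    # "return" runs in the rewrite phase, before the access phase, so a trailing
    # "deny all" (as in the original) was unreachable; one directive suffices.
    return 403;
}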
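location / {
    # Heuristic request filtering. These patterns are a coarse last line of
    # defence only: blacklist regexes are incomplete and produce false
    # positives. Parameterised queries and output encoding belong in the
    # application; a real WAF module (e.g. ModSecurity) belongs in nginx.
    # $query_string/$args/$request_uri hold the raw request text — they are not
    # percent-decoded or normalised before matching, so only literal forms are
    # seen here. "if" with a bare "return" is the one form of "if" inside a
    # location that is safe to use.
    #
    # Crude SQL-injection signature.
    if ($query_string ~* "union.*select.*\(") {
        return 403;
    }
    # Crude reflected-XSS signature. "~*" is case-insensitive, so the original
    # separate "<SCRIPT>" alternative was redundant and has been dropped.
    if ($args ~* "<script|javascript:|alert\(") {
        return 403;
    }
    # Path traversal indicators. The original also rejected "~" and "//", which
    # are not traversal markers and broke legitimate URIs (/~user/, doubled
    # slashes that nginx's default merge_slashes already collapses in $uri).
    # nginx itself resolves ".." when building $uri; this check only covers the
    # raw request line for logging/blocking purposes.
    if ($request_uri ~* "\.\./|\.\.\\") {
        return 403;
    }
}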
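# Request-size limits (http context). Requests whose request line exceeds
# large_client_header_buffers get 414; oversized headers get 400.
http {
    # Default value: 4 buffers of 8k.
    large_client_header_buffers 4 8k;
    # Default value: 1k (the common case; larger headers spill into the
    # large buffers above).
    client_header_buffer_size 1k;
    # nginx default is 8k on 32-bit and 16k on 64-bit platforms; pinned here.
    client_body_buffer_size 8k;
    # Cap upload size (1m is the nginx default, made explicit). Oversized
    # bodies are answered with 413; raise it per location where the
    # application genuinely needs larger bodies.
    client_max_body_size 1m;
}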
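# Keep /.well-known/ reachable (ACME challenges, RFC 8615 resources). "^~" is a
# prefix match that takes precedence over the regex location below.
location ^~ /.well-known/ {
    allow all;
}
# Deny every other dotfile and dot-directory. The original pattern only listed
# .ht*, .git and .svn and so still exposed e.g. .env, .hg or .DS_Store. "~" is
# case-sensitive, which matches the on-disk names on case-sensitive systems.
location ~ /\. {
    deny all;
}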
# Block direct access to application directories that hold configuration,
# database files or logs. Case-insensitive, anchored at the site root.
# Regex locations are tried in declaration order and the first match wins, so
# keep this before any broader regex location. Ideally these directories are
# stored outside the document root so this rule is never needed.
location ~* ^/(config|database|logs)/ {
deny all;
}
# Source-address allow-list for the admin area (prefix location). Two caveats:
#  - allow/deny compare against the TCP peer ($remote_addr). Behind a reverse
#    proxy, load balancer or CDN that is the proxy's address, so the list is
#    only meaningful if the real_ip module is configured from a trusted proxy.
#  - Any regex location in the same server that matches a /admin/ URI takes
#    precedence over this prefix location (unless it were declared with "^~").
# Network-based access control alone is weak for an admin interface; consider
# layering authentication (auth_basic, client certificates) on top.
location /admin/ {
allow 192.168.1.0/24;
allow 10.0.0.1;
deny all;
}
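# Security response headers.
#  - "always" makes nginx emit them on error responses too; without it they
#    are only added to 2xx/3xx responses, so 403/404 pages carried no CSP/HSTS.
#  - add_header is NOT inherited into any location that declares its own
#    add_header; repeat the whole set (e.g. via include) in such locations.
#  - 'unsafe-inline' and 'unsafe-eval' in script-src remove most of CSP's
#    protection against injected scripts; move to nonces or hashes once the
#    application allows it. https://trusted.cdn.com is a placeholder host.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://trusted.cdn.com; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';" always;
# DENY agrees with frame-ancestors 'none' above; the original SAMEORIGIN
# contradicted it (CSP wins where supported, so the stated policy was
# misleading for legacy clients).
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options nosniff always;
# The legacy XSS auditor has been removed from modern browsers and was itself a
# source of problems in older ones; "0" disables it explicitly, which is the
# current OWASP recommendation (the original enabled it with mode=block).
add_header X-XSS-Protection "0" always;
# Full referrer only for same-origin navigation; origin only cross-origin.
# The original no-referrer-when-downgrade leaked full URLs to third parties.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS: emit only from the HTTPS server block (browsers ignore it over HTTP).
# "preload" commits the domain to the browser preload list, which is very hard
# to undo — keep it only if you intend to submit the domain there.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;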
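# Rate limiting keyed on the peer address. The zone goes in the http context;
# 10m of shared memory holds on the order of 160k address states (nginx docs:
# ~16k 64-byte states per megabyte). Behind a proxy/CDN the peer is the proxy,
# so all clients would share one bucket unless real_ip is configured.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server {
    location / {
        # Up to 20 requests above the steady 10 r/s are served immediately;
        # beyond that nginx rejects rather than queueing (nodelay).
        limit_req zone=one burst=20 nodelay;
        # 429 is the status defined for throttling; the default 503 is
        # indistinguishable from an upstream outage in monitoring and alerting.
        limit_req_status 429;
    }
}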
# Access-log format for security monitoring (http context). Fields: peer
# address, auth user, local time, request line, status, bytes sent, referer,
# user agent, total request time, upstream response time ("-" when no upstream
# was involved) and X-Forwarded-For.
# NOTE: $http_x_forwarded_for is whatever the client or an upstream proxy
# sent — it is unauthenticated input and must not be treated as the client's
# real address; $remote_addr is the address nginx actually talked to.
log_format security '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'$http_x_forwarded_for';
# Write with the format above; rotate and protect this file like any other
# log that contains client-supplied strings.
access_log /var/log/nginx/security.log security;
以上配置可根据您的具体应用需求进行调整。建议在实施前充分测试，确保不会影响正常业务功能。