文章
  • JS插件
  • 整站源码
  • html模板
  • 共享资源
  • 文章
热门搜索: 微信小程序 qq登陆 thinkphp 微信登陆
窝币充值 开通VIP
插件窝 干货文章 Nginx的HTTP协议安全设置

Nginx的HTTP协议安全设置

Nginx header server ssl 171    来源:    2025-04-20

Nginx HTTP协议安全设置指南

作为IT工程师,以下是为Nginx配置HTTP协议安全性的详细建议:

1. 禁用不安全的HTTP方法

location / {
    limit_except GET POST HEAD {
        deny all;
    }
}

2. 启用HTTPS并强制重定向

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    # 其他SSL配置...
}

3. 安全头部设置

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com;";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

4. 禁用服务器信息暴露

server_tokens off;
more_clear_headers Server;

5. 防止MIME类型混淆攻击

types {
    text/html html htm shtml;
    text/css css;
    # 其他MIME类型...
}

6. 限制缓冲区大小防止溢出攻击

client_body_buffer_size 16k;
client_header_buffer_size 1k;
client_max_body_size 1m;
large_client_header_buffers 4 8k;

7. 防止点击劫持

add_header X-Frame-Options "DENY";
# 或
add_header X-Frame-Options "SAMEORIGIN";

8. 禁用内容嗅探

add_header X-Content-Type-Options "nosniff";

9. 安全的Cookie设置

proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=Strict";

10. 限制请求方法

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

11. 防止目录遍历

location ~* \.(php|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
    return 403;
}

location ~ /\. {
    deny all;
    return 403;
}

12. 安全的SSL配置

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

13. 防止HTTP请求走私

http {
    # 确保只接受明确的Host头
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    # 禁用分块传输编码
    chunked_transfer_encoding off;
}

14. 限制连接和请求速率

limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        limit_conn addr 10;
        limit_req zone=one burst=20 nodelay;
    }
}

15. 日志记录和安全监控

log_format security '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/security.log security;

实施这些设置后,建议使用以下工具验证配置: - Qualys SSL Labs (测试SSL/TLS配置) - SecurityHeaders.io (检查HTTP安全头) - OWASP ZAP (全面安全扫描) - Nginx Amplify (监控和安全分析)

记得在修改配置后测试并重新加载Nginx:

nginx -t && nginx -s reload
上一篇:如何保护Nginx服务器免受DDoS攻击
下一篇:在Nginx中配置安全的SSL证书传输

推荐文章

热门文章

关于我们 | 免责声明 | 注册协议 | 客服QQ: 236095280 236095279
Copyright©2018-2025 All Rights Reserved. 琼ICP备16003363号-7