作为IT工程师,我将为您提供全面的Nginx服务器安全配置建议,帮助您加固Web服务器安全性。
server_tokens off;
location / {
limit_except GET POST {
deny all;
}
}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
location /admin {
allow 192.168.1.0/24;
allow 10.0.0.1;
deny all;
}
location ~* \.(env|log|htaccess)$ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
client_max_body_size 10M;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
log_format security '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/security.log security;
error_log /var/log/nginx/error.log warn;
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server {
location / {
limit_req zone=one burst=20 nodelay;
}
}
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
limit_conn addr 10;
}
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
location / {
# OWASP CRS规则
ModSecurityEnabled on;
ModSecurityConfig /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
}
通过实施这些安全配置,您可以显著提高Nginx服务器的安全性,减少潜在的攻击面。根据您的具体应用需求,可能需要进一步调整这些配置。