nginx安全加固:

发布时间 2024-01-09 14:24:43作者: 06

项目被扫出了漏洞，需要安全加固。看了下，大部分都是和请求头相关的，特地记录一下。

以下为nginx配置文件

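http{
...

    client_max_body_size 300M;

    # Hardening: short timeouts and a per-client connection cap bound how
    # long a slow or idle client can occupy a worker.
    keepalive_timeout 55;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    # Declare the shared-memory zone before the limit that references it;
    # counts are keyed by client address (binary form saves zone space).
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    limit_conn ops 20;
    autoindex off;
    dav_methods off;
    server_tokens off;
    # Small header buffers make oversized headers fail early (400/414).
    # NOTE(review): 1k is far below nginx's 8k default; requests carrying
    # large cookies or long URLs will be rejected. Watch the error log for
    # "Request Header Or Cookie Too Large" and raise these if real traffic
    # trips them.
    client_header_buffer_size 1k;
    large_client_header_buffers 2 1k;
    # NOTE(review): any body larger than this buffer is spooled to a temp
    # file; with client_max_body_size 300M that means nearly every upload
    # touches disk. Acceptable only if uploads are rare.
    client_body_buffer_size 1K;

    # Security response headers.
    # add_header is NOT inherited into a server/location block that declares
    # its own add_header -- such a block must repeat the whole set.
    # "always" emits the header on error responses (4xx/5xx) as well.
    # Header name fixed: the original "Cotent-Security-Policy" was
    # misspelled, so browsers silently ignored the policy.
    # 'unsafe-inline' and 'unsafe-eval' remove most of CSP's XSS value;
    # treat this policy as a starting point to tighten, not an end state.
    add_header Content-Security-Policy "default-src 'self' https://a.cn:8822/ https://b.cn/ https://c.cn/ https://d.cn:8553/ 'unsafe-inline' 'unsafe-eval' blob: data:;" always;
    # HSTS for two years with subdomains and preload. Only meaningful from
    # HTTPS server blocks; once a domain is on the preload list it cannot
    # easily opt back out, so make sure every subdomain serves HTTPS first.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Permitted-Cross-Domain-Policies "master-only" always;
    add_header 'Referrer-Policy' 'origin' always;
    add_header X-Download-Options "noopen" always;

    # Clickjacking and MIME-sniffing protection. X-XSS-Protection is kept
    # because scanners still flag its absence, but current browsers ignore
    # it; CSP above is the real XSS control.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Custom 404: intercept upstream error responses and send the client to
    # the error page. An absolute URL here makes nginx answer with a 302.
    proxy_intercept_errors on;
    error_page  404  https://X.X.X.X/404;

...
   server{
...

      # TLSv1.1 dropped: it is deprecated (RFC 8996) and is itself a
      # standard scanner finding.
      ssl_protocols TLSv1.2 TLSv1.3;
      # Trimmed to the forward-secret AEAD suites the original list already
      # named explicitly. The original's ECDH/AES/HIGH/3DES/RSA+AES entries
      # pulled in static-RSA (no forward secrecy), CBC-SHA1 and 3DES
      # (Sweet32) suites, and its "!DH" excluded the very DHE suites it
      # listed. DHE suites are only offered when ssl_dhparam is configured
      # (nginx >= 1.11.0). Trade-off: clients supporting none of these
      # (very old browsers) will fail the handshake.
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!NULL:!aNULL:!eNULL:!EXPORT:!PSK:!ADH:!DES:!MD5:!RC4;
      ssl_prefer_server_ciphers on;

      # TLS session resumption: one-day lifetime, 10m shared cache.
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

      # Refuse requests whose Host header is not ours: stops the server
      # answering for arbitrary DNS names pointed at this IP and hotlinking
      # by hostname. Anchored and escaped -- the original 'a.cn' was an
      # unanchored regex with an unescaped dot, so any host containing
      # "a<anychar>cn" passed. A catch-all default_server returning 444 is
      # the more robust form where the listen layout allows it.
      if ($host !~* "^([a-z0-9-]+\.)*a\.cn$") {
          return 403;
      }

      # Method allow-list. 405 is the RFC-accurate status for a known but
      # disallowed method; 501 is kept as the original chose.
      if ($request_method !~ "^(GET|HEAD|POST)$") {
          return 501;
      }

      # Block obvious tool/scanner User-Agents. This is noise reduction,
      # not a security boundary: any client can send a browser UA string.
      if ($http_user_agent ~* "python|perl|ruby|curl|bash|echo|uname|base64|decode|md5sum|select|concat|httprequest|nmap|scan|nessus|wvs" ) {
          return 403;
      }

      # Hide backup/script/dump files and VCS metadata. The original
      # "rewrite ^/(.*)$ $host permanent" emitted a relative Location of
      # just the hostname (a broken redirect), and "\.git$" only matched a
      # path ending in ".git", not "/.git/config". 404 avoids confirming
      # that the file exists.
      location ~* "\.(bak|swp|save|sh|sql|mdb|old)$" {
          return 404;
      }
      location ~ "/\.(git|svn)(/|$)" {
          return 404;
      }
      # The original "location /(admin|phpadmin|status)" was a literal
      # prefix match on that exact string, so /admin was never blocked;
      # the alternation needs a regex location.
      location ~ "^/(admin|phpadmin|status)" { deny all; }
      # "stub_status off;" removed: from nginx 1.7.5 the directive takes no
      # argument and any value given is ignored, so that line enabled the
      # status handler (for requests falling through to the server-level
      # default) rather than disabling it. The status page is disabled by
      # not having the directive at all.

     ...

} }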