项目被扫出了漏洞,需要安全加固,看了下大部分都是和请求头相关的,特地记录下
以下为nginx配置文件
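http {
    ...
    client_max_body_size 300M;

    # ---- Hardening ----
    # Timeouts: bound how long a slow or idle client can hold a worker.
    keepalive_timeout 55;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;

    # Per-client concurrent-connection cap. The zone is declared before the
    # directive that references it (nginx resolves either order; this is for readability).
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    limit_conn ops 20;

    autoindex off;
    dav_methods off;
    server_tokens off;

    # Request-size limits.
    # NOTE(review): 1k header buffers are small enough that requests carrying large
    # cookies or bearer tokens may be rejected with 400/494 — confirm against real traffic.
    # NOTE(review): with client_max_body_size 300M, a 1K body buffer means almost every
    # upload is spooled to a temp file; confirm that is intended.
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    large_client_header_buffers 2 1k;

    # Response security headers.
    # add_header is inherited from this level only when the server/location block
    # declares no add_header of its own; any block that does must redeclare the full set.
    # "always" keeps each header on error responses (4xx/5xx) as well.
    # Fixed: the header name was misspelled "Cotent-Security-Policy", so browsers ignored
    # it and no CSP was in effect.
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src largely neutralise
    # CSP's script protection; tighten once inline scripts are removed.
    add_header Content-Security-Policy "default-src 'self' https://a.cn:8822/ https://b.cn/ https://c.cn/ https://d.cn:8553/ 'unsafe-inline' 'unsafe-eval' blob: data:;" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Permitted-Cross-Domain-Policies "master-only" always;
    add_header Referrer-Policy "origin" always;
    add_header X-Download-Options "noopen" always;
    # Clickjacking / MIME-sniffing protections.
    # NOTE(review): X-XSS-Protection is a legacy header (the browser filter it controlled
    # has been removed from current browsers); CSP is the effective control.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Send upstream 404s to a fixed page.
    proxy_intercept_errors on;
    error_page 404 https://X.X.X.X/404;
    ...

    server {
        ...
        # Fixed: TLSv1.1 dropped — deprecated (RFC 8996) and flagged by scanners.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Fixed: the 3DES suites (EECDH+3DES, RSA+3DES) are removed and "!3DES" added so
        # the "HIGH"/"AES" aliases cannot re-introduce a 64-bit block cipher (Sweet32).
        # NOTE(review): "!DH" also excludes the DHE-RSA-* suites named earlier in the
        # string, and the "RSA+AES*" suites have no forward secrecy — consider trimming
        # the list to the ECDHE entries. "EECDH+CHACHA20-draft" may not be a recognised
        # OpenSSL alias on your build; confirm with `openssl ciphers -v`.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE:ECDH:AES:HIGH:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!NULL:!aNULL:!eNULL:!EXPORT:!PSK:!ADH:!DH:!DES:!3DES:!MD5:!RC4;
        ssl_prefer_server_ciphers on;
        # TLS session reuse: timeout and shared cache size.
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

        # Reject requests whose Host is not this site (stray DNS pointing at this IP,
        # hotlinking). Fixed: the old pattern 'a.cn' was unanchored and "." matched any
        # character, so unrelated hosts such as "xa-cn.example" were accepted.
        if ($host !~* "(^|\.)a\.cn$") {
            return 403;
        }

        # Method allow-list. Fixed: 405 Method Not Allowed is the status for a refused
        # method; 501 means the server does not implement it at all.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        # Block scanner / scripting user agents.
        # NOTE(review): "curl" and "python" also match legitimate monitoring and health
        # checks; confirm nothing in-house relies on them.
        if ($http_user_agent ~* "python|perl|ruby|curl|bash|echo|uname|base64|decode|md5sum|select|concat|httprequest|nmap|scan|nessus|wvs") {
            return 403;
        }
        #if ($http_user_agent ~* "" ) {
        # return 403;
        #}

        # Refuse backup / dump / script artefacts by extension.
        # Fixed: the old block used "rewrite ^/(.*)$ $host permanent", which emits a
        # malformed relative 301 Location instead of refusing the request.
        location ~* \.(bak|swp|save|sh|sql|mdb|svn|git|old)$ {
            return 403;
        }
        # ".git" and ".svn" are directories, so the extension match above never sees
        # paths like "/.git/config"; match them as path components too.
        location ~ /\.(git|svn)(/|$) {
            return 403;
        }
        # Fixed: without "~" this was a literal prefix match on the string
        # "/(admin|phpadmin|status)" and never denied anything.
        location ~ ^/(admin|phpadmin|status) {
            deny all;
        }
        # "stub_status off;" removed: stub_status does not act on its argument (the
        # directive installs the status handler wherever it appears), so "off" did not
        # disable it — confirm on your nginx version. Omitting the directive is what
        # keeps the status page off.
        ...
    }
}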