1. Application

This applies to Web sites that use Nginx for deployment.

2. Skill requirements

Familiarity with Nginx configuration: able to deploy Nginx and use it to harden a site's security.

3. Preconditions

1. Confirm from the site's open port and process ID that the site is deployed with Nginx;

2. Find the Nginx installation directory and modify the configuration file for your site.

3. If any questions or suggestions arise during implementation, give feedback promptly.

4. Detailed operations

4.1 Log Configuration

1. Back up the nginx.conf configuration file.

Modify the configuration and set the log file, log content, and log format as follows. In the http block (so it is available to every server block), add a log_format named main:

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

2. In the server block, define the log path:

access_log logs/host.access.log main;

3. Save the configuration and restart the nginx service.
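A parser for the main log format defined above, as an added example (not from the original page): it parses lines in exactly that format and counts, per client IP, the requests that the later hardening rules turn away (444 from the request-method filter in 4.5.2, 403 from the deny rules in 4.3 and 4.5.3). The sample log lines are constructed.

```python
import re
from collections import Counter

# Regex for the `main` log_format defined in 4.1, one named group per variable.
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$')


def parse_line(line):
    """Parse one access-log line in the main format; return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # $request is normally "METHOD URI PROTOCOL"; malformed requests may have fewer parts
    parts = rec["request"].split(" ")
    rec["method"], rec["uri"] = (parts[0], parts[1]) if len(parts) == 3 else ("", rec["request"])
    return rec


def summarize(lines):
    """Per client IP, count requests the hardening rules rejected: 444 from the
    request-method filter (4.5.2), 403 from deny rules (4.3, 4.5.3), and all 4xx/5xx."""
    out = {"rejected_method": Counter(), "forbidden": Counter(), "errors": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["remote_addr"]
        if rec["status"] == "444":
            out["rejected_method"][ip] += 1
        elif rec["status"] == "403":
            out["forbidden"][ip] += 1
        if rec["status"][0] in "45":
            out["errors"][ip] += 1
    return out


# Constructed sample lines in the main format (not real traffic).
SAMPLE = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /attachments/test.php HTTP/1.1" 403 153 "-" "curl/7.88.1" "-"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "PUT /upload HTTP/1.1" 444 0 "-" "python-requests/2.31" "10.0.0.5"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /nope HTTP/1.1" 404 162 "http://example.com/" "Mozilla/5.0" "-"
""".splitlines()
```

Feed it the real host.access.log line by line; any line that returns None was not written in the main format and is worth a look on its own.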

4.2 Disabling Directory Browsing

Back up the nginx.conf configuration file.

Edit the configuration file and add the following line to the http block:

autoindex off;

Save and then restart the nginx service.

4.3 Limiting Directory Execution Permissions

Back up the nginx.conf configuration file.

Edit the configuration file and add the following content to the server block:

# Example: remove PHP execution permission from a single directory
location ~ /attachments/.*\.(php|php5)?$ {
    deny all;
}

# Example: remove PHP execution permission from several directories
location ~ /(attachments|upload)/.*\.(php|php5)?$ {
    deny all;
}

Save and then restart the nginx service.

Two points to note:

1. These location blocks must be placed above the location ~ \.php { ... } block that passes PHP files to the PHP handler; if they are placed below it they have no effect, because regex locations are matched in the order they appear and the first match wins.

2. The attachments path is a URI path relative to the site root, not an absolute filesystem path.

4.4 Error Page Redirection

Back up the nginx.conf configuration file.

Modify the configuration by adding the following content in the http {} section:

http {
    ...
    fastcgi_intercept_errors on;
    error_page 401 /401.html;
    error_page 402 /402.html;
    error_page 403 /403.html;
    error_page 404 /404.html;
    error_page 405 /405.html;
    error_page 500 /500.html;
    ...
}

401.html, 402.html, 403.html, 404.html, 405.html and 500.html are the custom error pages to be created under the site root. (The ErrorDocument lines that appear in this step, ErrorDocument 400 /custom400.html and so on, are Apache httpd syntax rather than Nginx directives; error_page is the Nginx equivalent.)

Save the Settings and restart the nginx service to take effect

4.5 Best practices

4.5.1 Hiding Version Information

Back up the nginx.conf configuration file.

Edit the configuration file and add the following line in the http block:

server_tokens off;

Save and then restart the nginx service.

4.5.2 Limiting HTTP request methods

Back up the nginx.conf configuration file.

Edit the configuration file and add the following content (in the server block):

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}

Save and then restart the nginx service.

Note: only the commonly used GET and POST methods are allowed, plus HEAD at most. Status 444 is Nginx-specific: the connection is closed without sending a response.

4.5.3 Restricting IP access

Back up the nginx.conf configuration file.

Edit the configuration file and add the following content to the server block:

location / {
    deny 192.168.1.1;       # deny this IP address
    allow 192.168.1.0/24;   # allow this network
    allow 10.1.1.0/16;      # allow this network
    deny all;               # reject all other IP addresses
}

Save and then restart the nginx service.

4.5.4 Limit concurrency and speed

Back up the nginx.conf configuration file.

Edit the configuration file and add the following content (the limit_zone directive belongs in the http block, outside server {}):

limit_zone one $binary_remote_addr 10m;
server {
    listen 80;
    server_name down.test.com;
    index index.html index.htm index.php;
    root /usr/local/www;
    # zone limit
    location / {
        limit_conn one 1;
        limit_rate 20k;
    }
    ...
}

Since Nginx 1.1.8 the directive is called limit_conn_zone (limit_zone is the old name); the equivalent line is limit_conn_zone $binary_remote_addr zone=one:10m;

Save and then restart the nginx service.

4.5.5 Controlling the timeout period

Back up the nginx.conf configuration file.

Edit the configuration file as follows:

client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;   # the first parameter is how long an idle keep-alive client connection stays open;
                         # the second, optional, is the timeout value sent in the Keep-Alive response header
send_timeout 10;         # timeout for transmitting the response to the client

Save and then restart the nginx service.

4.6 Risky Operations

4.6.1 Running Nginx as an unprivileged user

Back up the nginx.conf configuration file.

Edit the configuration file and add the following line (at the top level, outside http {}):

user nobody;

Save and then restart the nginx service.
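To check that the settings from 4.2, 4.5.1, 4.5.2, 4.5.5 and 4.6.1 are actually present before restarting, here is an added Python audit script (not from the original page or from the Nginx project): a small parser for nginx.conf syntax plus checks for exactly those directives. The HARDENED sample configuration is constructed; nginx -t still has to be run for syntax, this only checks the guide's directives.

```python
import re

# Directive -> arguments this guide sets (sections 4.2, 4.5.1, 4.5.5, 4.6.1).
REQUIRED = {"autoindex": ["off"], "server_tokens": ["off"], "user": ["nobody"],
            "client_body_timeout": ["10"], "client_header_timeout": ["10"],
            "send_timeout": ["10"]}

def parse(conf):
    """Yield (context, name, args) for every directive and block header; context is
    the tuple of enclosing block names, e.g. ('http', 'server'). Comments are
    dropped and quoted strings are kept whole, so a ';' inside quotes is safe."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    stack, cur = [], []
    for tok in tokens:
        if tok in ("{", ";"):
            if cur:
                yield tuple(stack), cur[0], cur[1:]
            if tok == "{":
                stack.append(cur[0] if cur else "?")
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)

def audit(conf):
    """Return findings for guide directives that are missing or set differently."""
    seen, method_guard = {}, False
    for ctx, name, args in parse(conf):
        seen.setdefault(name, []).append(args)
        # 4.5.2: `if ($request_method !~ ...) { return 444; }` drops other methods
        if name == "return" and args[:1] == ["444"] and ctx[-1:] == ("if",):
            method_guard = True
    findings = [f"missing: {n} {' '.join(w)};" if n not in seen
                else f"unexpected value: {n} {' '.join(seen[n][0])};"
                for n, w in REQUIRED.items()
                if not any(a[:len(w)] == w for a in seen.get(n, []))]
    if not method_guard:
        findings.append("missing: request-method restriction (return 444)")
    return findings

# Constructed minimal nginx.conf with the guide's settings applied.
HARDENED = """user nobody;
http { server_tokens off; autoindex off;
       client_body_timeout 10; client_header_timeout 10; send_timeout 10;
       server { listen 80; if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; } } }"""
```

audit(open("/path/to/nginx.conf").read()) returns an empty list when every guide setting is in place; include files are not followed, so run it on the file that actually contains the http block.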

4.6.2 hotlinking prevention

Back up the nginx.conf configuration file.

Edit the configuration file and add the following content to the server block:

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
    valid_referers none blocked server_names *.nsfocus.com http://localhost baidu.com;
    if ($invalid_referer) {
        rewrite ^/ http://www.XXX.com/images/default/logo.gif;
        # return 403;
    }
}

Save and then restart the nginx service.

4.6.3 Patch Updates

1. Software information

View the software version: nginx -v
Test the configuration file: nginx -t

2. Patch installation

Manually install patches or install the latest software version

Finally

Follow the author's WeChat official account, Bypass, for one original technical article every week.