Hidden version number
http {
server_tokens off;
}
Copy the code
There are often security vulnerabilities for a certain version of Nginx. Hiding the version number of NginX is one of the main security optimization methods. Of course, the most important is to update the vulnerability in time
Open the HTTPS
server { listen 443; server_name ops-coffee.cn; ssl on; ssl_certificate /etc/nginx/server.crt; ssl_certificate_key /etc/nginx/server.key; Ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:! aNULL:! MD5; }Copy the code
- SSL on: HTTPS is enabled
- Ssl_certificate: Specifies the path of the Nginx SSL certificate
- Ssl_certificate_key: Specifies the key path of the Nginx SSL certificate
- Ssl_protocols: Specifies the SSL protocol version used by clients to establish connections. If TSLv1 compatibility is not required, delete this protocol
- Ssl_ciphers: specifies the encryption algorithm used for client connections. You can configure a more secure algorithm here
Adding a blacklist or whitelist
Whitelist Configuration
Location /admin/ {allow 192.168.1.0/24; deny all; }Copy the code
Only hosts in the 192.168.1.0/24 network segment are allowed to access the network
It can also be written as a blacklist to prohibit access to some addresses and allow all others, for example
Location /ops-coffee/ {deny 192.168.1.0/24; allow all; }Copy the code
More often than not, the client request will pass through multiple layers of proxies, which can be restricted by $http_x_forwarded_for
set $allow false;
if ($http_x_forwarded_for = "211.144.204.2") { set $allow true; }
if ($http_x_forwarded_for ~ "108.2.66. [89]") { set $allow true; }
if ($allow = false) { return 404; }
Copy the code
Adding Account Authentication
server {
location / {
auth_basic "please input user&passwd"; auth_basic_user_file key/auth.key; }}Copy the code
Limit request method
if ($request_method! ~ ^(GET|POST)$ ) {return 405;
}
Copy the code
$request_method gets the method that requested nginx
Only the GETPOST method is allowed. The other methods return 405
Reject the user-agent
if ($http_user_agent ~* LWP::Simple|BBBike|wget|curl) {
return 444;
}
Copy the code
There may be some bad actors using wget/curl or other tools to scan our website. We can prevent this simply by disabling the corresponding User-agent
Nginx has a special 444 state. If you return 444, the client will not receive the message from the server, as if the web site was disconnected
Picture anti-theft chain
location /images/ {
valid_referers none blocked www.ops-coffee.cn ops-coffee.cn;
if ($invalid_referer) {
return403; }}Copy the code
Valid_referers: Verify the referer, where None allows the referer to be empty and Blocked allows requests without a protocol. In addition to the above two categories, only access to image resources under images when the referer is www.ops-coffee.cn or OPs-coffee.cn is allowed, otherwise 403 is returned
You can also redirect requests that do not comply with the referer rule to a default image, as shown below
location /images/ {
valid_referers blocked www.ops-coffee.cn ops-coffee.cn
if ($invalid_referer) { rewrite ^/images/.*.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last; }}Copy the code
Control the number of concurrent connections
You can limit the number of concurrent connections to an IP address using the ngx_HTTP_limit_conn_module module
http {
limit_conn_zone $binary_remote_addrzone=ops:10m; server { listen 80; server_name ops-coffee.cn; root /home/project/webapp; index index.html; location / { limit_conn ops 10; } access_log /tmp/nginx_access.log main; }}Copy the code
Limit_conn_zone: set the parameter of the shared memory space that stores the status of each key (for example, $binary_remote_ADDR), zone= Space name: size
For example, the size of the $binary_remote_ADDR variable is fixed at 4 bytes for IPV4 addresses and 16 bytes for IPV6 addresses. The storage state takes up 32 or 64 bytes on 32-bit platforms. 64 bytes on 64-bit platforms. The 1MB shared memory space can hold about 32,000 32-bit states and 16,000 64-bit states
Limit_conn: Specifies a set shared memory space (for example, the space whose name is OPS) and the maximum number of connections for each given key value
The above example indicates that only 10 connections are allowed on the same IP address at one time
All connection limits take effect when multiple limit_CONN directives are configured
http {
limit_conn_zone $binary_remote_addr zone=ops:10m;
limit_conn_zone $server_namezone=coffee:10m; server { listen 80; server_name ops-coffee.cn; root /home/project/webapp; index index.html; location / { limit_conn ops 10; limit_conn coffee 2000; }}}Copy the code
The above configuration limits not only the number of connections from a single IP source to 10, but also the total number of connections from a single virtual server to 2000
Buffer overflow attack
Buffer overflow attacks are implemented by writing data to the buffer beyond the buffer boundary and overwriting memory fragments. Limiting the buffer size can be effectively prevented
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
Copy the code
- Client_body_buffer_size: the default size is 8K or 16K, which indicates the buffer size occupied by the body requested by the client. If the connection request exceeds the value specified by the cache, the whole or part of the request entity will attempt to write to a temporary file.
- Client_header_buffer_size: Specifies the buffer size of the client request header. Most of the time a request header will not be larger than 1K, but if there is a large cookie from a WAP client that may be larger than 1K, Nginx will allocate it a larger buffer, which can be set in large_client_header_buffers
- Client_max_body_size: Represents the maximum acceptable body size for a client Request. It appears in the Content-Length field in the Request header. If the Request is larger than the specified value, the client will receive a “Request Entity Too Large” (413) error, which is usually limited when uploading files to the server
- Large_client_header_buffers Specifies the number and size of buffers used by some large request headers. By default, a buffer is the size of a paging file in the operating system, usually 4k or 8K. The request field cannot be larger than a buffer size. Nginx will return “Request URI too large” (414). The longest field in the header of the Request must not be larger than a buffer, otherwise the server will return “Bad Request “(400).
Several timeout Settings need to be modified
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
Copy the code
- Client_body_timeout: Specifies the timeout for reading the body of a Request. If the connection exceeds this timeout without any response from the client, Nginx will return a “Request timeout “(408) error
- Client_header_timeout: Specifies the timeout period for reading the client Request header. If the connection exceeds this time without any response from the client, Nginx will return a “Request timeout “(408) error
- Keepalive_timeout: The first value of the keepalive_timeout parameter indicates the timeout period for the long connection between the client and the server. After this timeout, the server will close the connection. The optional second parameter indicates the keep-alive parameter in the Response header. Timeout =time the time value that allows some browsers to know when to close a connection so that the server does not have to close it again. If this parameter is not specified, nginx will not send keep-alive messages in the Response header
- Send_timeout: Indicates the Timeout period after sending the reply to the client. Timeout means that the complete ESTABLISHED state is not entered, and only two handshakes are completed. If there is no response from the client after this time, nginx closes the connection
The Header head set
You can set the following parameters to effectively prevent XSS attacks
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
Copy the code
- X-frame-options: the response header indicates whether the browser is allowed to load Frame and other attributes. There are three Settings DENY that prohibit any web pages FROM being embedded. SAMEORIGIN only allows nesting of this site, and allow-from allows nesting of specific addresses
- X-xss-protection: indicates that XSS filtering is enabled (x-xSS-protection: 0 is disabled). Mode =block indicates that the page rendering is stopped if XSS attacks are detected
- X-content-type-options: The response header is used to identify guesses about the true Type of unspecified or incorrectly specified content-type resources. Nosniffing indicates that no guesses are allowed
In a typical request response, the browser will identify the response Type based on the Content-Type, but when the response Type is not specified or incorrectly specified, the browser will try to enable MIME-Sniffing to guess the response Type of the resource, which can be dangerous
For example, a.jpg image file is maliciously embedded with executable JS code. With resource type guessing turned on, the browser will execute the embedded JS code, possibly with unintended consequences
There are also a few other security configurations for request headers that need to be noted
Content-security-policy: defines which resources a page can load,
add_header Content-Security-Policy "default-src 'self'";
Copy the code
The above configuration restricts all external resources to be loaded from the current domain name, where default-src defines the default loading policy for all types of resources and self allows content from the same source
Strict-transport-security: tells the browser to use HTTPS instead of HTTP to access the destination site
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
Copy the code
The above configuration indicates that when the user accesses the site for the first time, a field containing the strict-transport-Security response header is returned. This field tells the browser that for the next 31536,000 seconds, all requests to the current site are accessed using HTTPS. Parameters includeSubDomains are optional, indicating that the same rules will apply to all subdomains