Web应用漏洞-NGINX各类请求头缺失对应配置
前言
随着越来越多的网络访问通过WEB界面进行操作,WEB安全已经成为互联网安全的一个热点,基于WEB的攻击广为流行,SQL注入、跨站脚本等WEB应用层漏洞的存在使得网站沦陷、页面篡改、网页挂马等攻击行为困扰着网站管理者并威胁着网站以及直接用户的安全。
废话不多说,直接上解决方案,如果有错误的地方希望可以留言共同学习。
新建nginx_sec.conf文件,将下面的代码填充
location / {
# Add the Secure flag and SameSite=Lax to every Set-Cookie coming back from the
# upstream (proxy_cookie_flags; requires nginx 1.19.3+). It only rewrites
# cookies on responses proxied from this location — NOTE(review): no proxy_pass
# appears in this snippet, presumably it is declared elsewhere; confirm.
proxy_cookie_flags ~ secure samesite=lax;
}
# Fixed; handled by nginx.
# API Improper Assets Management: any URI containing "nonexistingurl" is
# answered with 404 here instead of being forwarded (case-sensitive regex
# location; the leading ".*" adds nothing to an unanchored pattern).
location ~ .*nonexistingurl {
return 404;
}
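# Request method filter: anything other than GET/POST/PUT/DELETE is rejected.
# NOTE: this also rejects HEAD and OPTIONS, so the Access-Control-* headers set
# further down never reach a CORS preflight (OPTIONS); extend the list if
# cross-origin non-simple requests are expected.
if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) { return 403 '检查到不支持的请求协议'; }
# Reject listed User-Agents. The header is client-supplied, so this is crawler
# hygiene, not an access control. "python" matches any UA containing that word
# (scripted clients), which may include legitimate integrations.
if ($http_user_agent ~* (Googlebot|Baiduspider|Yandex)){ return 403; }
# (duplicate "AhrefsBot" alternative removed)
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) { return 403 '检查到不支持的请求代理'; }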
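# Referer filtering. Both checks rely on a client-supplied header; treat them
# as a hurdle for casual direct access, not as an authentication boundary.
# Check 1: deny when Referer is empty AND User-Agent is non-empty AND the URI
# is outside the allow-list of entry pages.
set $refer "";
if ($http_referer = "") { set $refer "1"; }
# An empty User-Agent skips this check — presumably to exempt non-browser
# clients; confirm that is intended.
if ($http_user_agent != "") { set $refer "${refer}1"; }
# $request_uri still contains the query string, so "/?x=1" does not match
# "^/$"; use $uri instead if parameters on the entry pages are expected.
if ($request_uri !~ ^/($|api/values$|gmp/index\.html|gmp/login\.html)) { set $refer "${refer}1"; }
if ($refer = "111") { return 403; }
# Check 2: a non-empty Referer must come from one of the allowed hosts.
# The pattern is anchored to the scheme://host part of the URL (optional port,
# then "/" or end); the previous unanchored form was a substring match and also
# accepted any other origin whose path or query merely contained one of these
# host names.
set $flag "";
if ($http_referer != "") { set $flag "1"; }
if ($http_referer !~* ^https?://(crqa\.jjmc\.cn|fedlogin\.jnj\.com|authenticator\.pingone\.com)(:[0-9]+)?(/|$)) { set $flag "${flag}1"; }
if ($flag = "11") { return 403; }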
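# Coarse injection filter on the raw request line. Defence in depth only: the
# upstream must still use parameterised queries and output encoding.
# %27|  (note: %27, the encoded single quote, is not in the pattern below)
# $query_string is not URL-decoded, so only the %3C/%3E spellings of < and >
# are caught here; a literal ";" is matched as well.
if ($query_string ~* (%3C|%3E|\;)){ return 403; }
#if ($query_string ~* (account=|token=)) { return 403 '检查到不安全的请求内容'; }
# App-specific rule: a non-empty "account" parameter or "token=00" is refused.
if ($query_string ~* ([\?&]account=[^?&]+|[\?&]token=00)) { return 403 '检查到不安全的请求内容'; }
# SQL keyword followed by a space. Both URL spellings of a space in a query
# string (%20 and +) are matched; the previous pattern covered only %20, and
# the trailing "(.*)$" was redundant.
if ($request_uri ~* (insert|select|delete|update|count|truncate|declare|exec)(%20|\+)) { return 403 '检查到不安全的请求内容'; }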
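# Content Security Policy. 'unsafe-inline' and 'unsafe-eval' in default-src
# still allow inline scripts and eval(), so this policy mainly restricts
# remote origins and framing (frame-ancestors) rather than stopping XSS.
add_header Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self' https://crqa.jjmc.cn";
#add_header Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:";
# Force HTTPS for one year on this host and all subdomains. "preload" signals
# submission to the browser preload list, which is hard to revert — keep only
# if intended. Append "always" (nginx 1.7.5+) if the header should also be
# sent on 4xx/5xx responses.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# HttpOnly/Secure flags: Secure is set by proxy_cookie_flags in "location /";
# nothing active in this file sets HttpOnly. The hand-written Set-Cookie below
# is kept for reference only.
#add_header Set-Cookie "token=$cookie_token; HttpOnly; Secure";
# CORS: allow credentialed requests from the one trusted origin.
add_header Access-Control-Allow-Credentials true;
# Access-Control-Allow-Origin must be a full origin (scheme://host). The bare
# host name "crqa.jjmc.cn" never equals the browser's Origin, so credentialed
# cross-origin requests were being refused by the browser; the scheme matches
# the frame-ancestors entry above.
add_header Access-Control-Allow-Origin https://crqa.jjmc.cn;
# Disable caching. "expires -1s" sets an Expires in the past and also emits
# Cache-Control: no-cache, so the header appears twice; harmless but redundant.
add_header Cache-Control no-cache;
expires -1s;
# NOTE: add_header is only inherited by locations that declare no add_header
# of their own; any location below that adds its own header loses all of these.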
# Limit concurrent connections per IP address to 10 (currently disabled).
#limit_conn limit_conn_ip 10;
#limit_req zone=limit_req_ip burst=50 nodelay;
# NOTE: limit_conn_zone / limit_req_zone are only valid in the http context;
# they cannot be enabled from a file included at server level.
#limit_conn_zone $binary_remote_addr zone=limit_conn_ip:10m;
#limit_req_zone $binary_remote_addr zone=limit_req_ip:10m rate=100r/s;
# Hide the nginx version in the Server header and error pages (currently disabled).
#server_tokens off;
# Only allow framing by the same origin (clickjacking). Browsers that support
# the CSP frame-ancestors directive set above ignore this header, so the CSP
# value governs; this is the fallback for older browsers.
add_header X-Frame-Options "SAMEORIGIN";
# Deny all framing; must agree with the CSP frame-ancestors directive.
# (the commented line is missing its trailing ";" — add it before enabling)
#add_header X-Frame-Options DENY
# Legacy browser XSS filter; current browsers ignore this header, CSP is the
# effective control.
add_header X-XSS-Protection "1; mode=block";
# Disable MIME sniffing: every response must carry a correct Content-Type.
add_header X-Content-Type-Options "nosniff";
# Exposes the proxy cache status (HIT/MISS/...) to clients; informational only.
add_header X-Cache "$upstream_cache_status";
# Keep search engines out: serve a robots.txt that disallows everything.
# The body's content type comes from default_type — presumably text/plain;
# confirm, since crawlers expect text/plain.
location =/robots.txt { return 200 "User-agent:*\nDisallow:/"; }
# Paths that must not be reachable through the proxy.
location =/readme.txt { return 404; }
# (commented out; note the path is spelled "pulish" here, unlike "/publish/" below)
#location =/pulish/ { return 404; }
location = /download { return 404; }
location = /download/ { return 404; }
location = /doc/ { return 404; }
location = /doc { return 404; }
# Exact-match locations above do not cover sub-paths. These checks run on
# $request_uri, which includes the query string, so the "$" anchors only match
# when no parameters are present (e.g. "/publish/?x=1" passes).
if ($request_uri ~* /component.html$) { return 404; }
if ($request_uri ~* ^(/publish/)$) { return 404; }
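# [V5] nosniff (X-Content-Type-Options) disables content sniffing, so responses
# whose upstream Content-Type is unsuitable get an explicit one here.
location = /eform/default/getextendcode {
    # add_header appends a field rather than replacing the upstream's, which
    # left two Content-Type headers on the response; drop the upstream one
    # first so a single, correct header reaches the client.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/javascript; charset=utf-8";
    # NOTE: declaring add_header here stops inheritance of the server-level
    # add_header directives (CSP, HSTS, X-Frame-Options, nosniff, ...); they
    # are absent on this path unless re-declared or included here.
    proxy_pass http://edoc2_ip/eform/default/getextendcode;
}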
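location = /eform/resources/getlangbygroupid {
    # Drop the upstream Content-Type before adding ours: add_header appends a
    # field, it does not replace one, so the response carried two headers.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/javascript; charset=utf-8";
    # NOTE: a local add_header stops inheritance of the server-level security
    # headers (CSP, HSTS, X-Frame-Options, nosniff, ...) on this path.
    proxy_pass http://edoc2_ip/eform/resources/getlangbygroupid;
}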
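location = /eform/resources/index {
    # Drop the upstream Content-Type before adding ours: add_header appends a
    # field, it does not replace one, so the response carried two headers.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/javascript; charset=utf-8";
    # NOTE: a local add_header stops inheritance of the server-level security
    # headers (CSP, HSTS, X-Frame-Options, nosniff, ...) on this path.
    proxy_pass http://edoc2_ip/eform/resources/index;
}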
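location = /eform/Resources/SystemResources {
    # Drop the upstream Content-Type before adding ours: add_header appends a
    # field, it does not replace one, so the response carried two headers.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/javascript; charset=utf-8";
    # NOTE: a local add_header stops inheritance of the server-level security
    # headers (CSP, HSTS, X-Frame-Options, nosniff, ...) on this path.
    proxy_pass http://edoc2_ip/eform/Resources/SystemResources;
}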
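location = /Admin/Resource/Index {
    # Drop the upstream Content-Type before adding ours: add_header appends a
    # field, it does not replace one, so the response carried two headers.
    proxy_hide_header Content-Type;
    add_header Content-Type "application/javascript; charset=utf-8";
    # NOTE: a local add_header stops inheritance of the server-level security
    # headers (CSP, HSTS, X-Frame-Options, nosniff, ...) on this path.
    proxy_pass http://edoc2_ip/Admin/Resource/Index;
}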
# /downLoad/index is only reachable with a token cookie or a "code" parameter.
# Exact-match locations are case-sensitive: this covers "/downLoad/index" only;
# "/download/index" (lower case) does not enter this block.
location = /downLoad/index {
set $download "";
# $cookie_token is the value of the "token" cookie
set $my_token $cookie_token;
# $my_token can be used from here on; it holds the token value obtained above.
# Only presence is checked — neither the cookie nor the code is validated
# here, so the upstream must still verify them.
if ($my_token = "") { set $download "1"; }
# $arg_code is also empty when the parameter is absent.
if ($arg_code = "") { set $download "${download}1"; }
if ($download = "11") { return 403; }
# NOTE(review): no proxy_pass or root appears in this location; whatever
# serves an allowed request presumably comes from the enclosing server — confirm.
}
# Deny the xxx domain access to /api/auth/login.
# NOTE: "map" is only valid in the http context; if this file is included at
# server level this block must move to the http block of nginx.conf.
# $http_host is the raw Host header and may carry a port, so "~^xxx\.com$"
# does not match "xxx.com:8080"; $host would strip the port.
map $http_host $deny_access {
default 0;
~^xxx\.com$ 1;
}
# Prefix location: also matches longer URIs such as /api/auth/login2.
location /api/auth/login {
# $deny_access is 1 for hosts matched by the map above (any value other than
# "" or "0" counts as true for if).
if ($deny_access) {
return 403;
}
# other configuration
}
# Response body rewriting: replace "|" in every proxied response with "%7C".
# NOTE: with sub_filter_types * this runs on every content type, including
# JavaScript and JSON, where a literal "|" (e.g. the "||" operator) is
# meaningful — replacing it can break scripts. Restrict sub_filter_types to
# text/html if only HTML needs the change. sub_filter only sees uncompressed
# upstream responses.
sub_filter_types *; # apply the replacement to all response types
sub_filter '|' '%7C'; # replace | with %7C
sub_filter_once off; # replace every occurrence, not only the first
# Forwarding page: redirect /preview.html... to the external WPS rewrite API.
location /preview.html {
# No proxy_pass in this location, so this header is never sent anywhere; a
# redirect cannot carry the user's cookies to the other host anyway.
proxy_set_header Cookie $http_cookie;
# 301 to an external host over plain http — this site's HSTS policy does not
# cover it. The captured suffix is appended; the query string is appended as
# well since the target has no trailing "?".
rewrite ^/preview.html(.*)$ http://dev.yangzhikeji.cn:8040/wps/v1/api/rewrite$1 permanent;
}