Nginx安全加固01
Nginx安全加固:
Clear-Site-Data,
Content-Security-Policy,
Permissions-Policy,
Strict-Transport-Security,
X-Permitted-Cross-Domain-Policies,
X-Frame-Options响应头缺失问题
项目被扫描器报出了漏洞，需要安全加固。看了下大部分都是和 HTTP 安全响应头相关的（扫描器报告的是服务端缺失安全响应头，而不是请求头），少量涉及 TLS 配置和敏感路径暴露。
以下为nginx配置文件
...
# Load the headers-more module; it provides the more_clear_headers directive
# used inside http{} to strip the Server header. load_module must appear in the
# main (top-level) context before http{}, and the .so must be built against the
# exact nginx version that is running or nginx will refuse to start.
load_module modules/ngx_http_headers_more_filter_module.so;
...
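http{
...
    # gzip for text-like responses.
    # NOTE(review): compressing a dynamic response that contains both
    # attacker-influenced input and a secret (CSRF token, session id) over TLS
    # is the BREACH pattern; keep such responses uncompressed if they exist.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
...
    client_max_body_size 300M;

    # Remove the Server header entirely (headers-more module). server_tokens off
    # below only hides the version number, the "nginx" banner would remain.
    more_clear_headers 'Server';

    # --- Hardening: slow-client / resource-exhaustion limits ---
    keepalive_timeout 55;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    # Declare the shared zone before the directive that references it (nginx
    # accepts either order, but this reads unambiguously). 2000 concurrent
    # connections per client IP is effectively no limit; lower it once real
    # traffic is measured, keeping in mind that NAT'd networks share one IP.
    limit_conn_zone $binary_remote_addr zone=ops:10m;
    limit_conn ops 2000;
    autoindex off;
    dav_methods off;
    server_tokens off;
    # Bodies larger than 1K are spooled to client_body_temp_path on disk.
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    # The previous "2 1k" made nginx reject any request whose headers exceeded
    # 2 KiB with 400/414 ("Request Header Or Cookie Too Large"); ordinary
    # browser cookie sets exceed that. 4 x 8k is nginx's default and is not a
    # meaningful resource-exhaustion vector.
    large_client_header_buffers 4 8k;

    # --- Security response headers ---
    # Every header carries "always" so it is also sent on 4xx/5xx responses
    # (scanners probe error pages too).
    # WARNING: add_header is not inherited additively. Any server{} or
    # location{} in conf.d/*.conf that contains its own add_header drops every
    # header set here; repeat the full set there.
    #
    # CSP stays disabled: 'unsafe-inline' and 'unsafe-eval' together remove
    # most of the XSS protection CSP provides. Enable it with nonces/hashes
    # and roll it out via Content-Security-Policy-Report-Only first.
    #add_header Content-Security-Policy "default-src 'self' https://a.cn:8822/ https://b.cn/ https://c.cn/ https://d.cn:8553/ 'unsafe-inline' 'unsafe-eval' blob: data:;" always;
    # HSTS: 2 years, all subdomains, preload. "preload" is effectively
    # irreversible once submitted to the browser lists and "includeSubdomains"
    # breaks any HTTP-only subdomain, so confirm both before shipping.
    # Browsers ignore HSTS received over plain HTTP; it only takes effect on
    # the TLS server{}.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Permitted-Cross-Domain-Policies "master-only" always;
    # Full URL same-origin, origin only to other HTTPS origins, nothing on an
    # HTTPS->HTTP downgrade. The previous value "origin" sent the origin even
    # on downgrade.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-Download-Options "noopen" always;
    # Clear-Site-Data: each directive is a quoted token, so nginx must emit the
    # inner quotes ('"*"'); the original commented line also had a stray colon
    # in the header name. Never send it on every response - it wipes the
    # visitor's cookies/storage for this origin on each request; attach it to
    # the logout location only.
    #add_header Clear-Site-Data '"*"' always;
    #add_header Clear-Site-Data '"storage"' always;
    # COEP require-corp makes the browser refuse every cross-origin subresource
    # that does not send a CORP or CORS header; the external origins listed in
    # the CSP above would need them. Check the browser console before shipping.
    add_header Cross-Origin-Embedder-Policy require-corp always;
    # "same-site" is not a valid COOP value (browsers ignore it and fall back to
    # unsafe-none); "same-origin" is the isolating setting.
    add_header Cross-Origin-Opener-Policy same-origin always;
    add_header Cross-Origin-Resource-Policy same-site always;
    add_header Permissions-Policy "interest-cohort=()" always;
    # Clickjacking protection (not XSS): only same-origin pages may frame us.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The legacy XSS auditor is gone from current browsers and "1; mode=block"
    # enabled side-channel leaks in older ones; current guidance is to turn it
    # off explicitly.
    add_header X-XSS-Protection "0" always;
    # Stop MIME sniffing of responses.
    add_header X-Content-Type-Options "nosniff" always;
    include /etc/nginx/conf.d/*.conf;
...
    server{
...
        # TLS 1.1 is deprecated (RFC 8996) and is flagged by every scanner.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only (Mozilla "intermediate" set). The
        # previous list mixed in RSA key exchange (no forward secrecy), 3DES,
        # the catch-all "HIGH" and a garbled token ("EECDH+CHACHA20- draft"),
        # while "!DH" also cancelled the DHE suites it listed. TLS 1.3 suites
        # are not controlled by this directive. The DHE entries are only
        # offered when ssl_dhparam is set (nginx >= 1.11 ships no built-in
        # parameters); add ssl_dhparam with ffdhe2048 or drop those two.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        # Session resumption: timeout and shared cache size (about 40000
        # sessions in 10m). Session tickets are disabled so resumption does not
        # depend on a long-lived ticket key that undermines forward secrecy.
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;

        # Block one documentation page. This is an exact match on the raw
        # request URI, so the same path with a query string is intentionally
        # still reachable. $request_uri is not normalized: percent-encoded or
        # differently-slashed spellings of the path are not caught here; use
        # an exact-match location ("location = /api/JBXQ_DLST/") if that matters.
        if ($request_uri = "/api/JBXQ_DLST/")
        {
            return 403;
        }
        # Custom 404 page. Because the target is an absolute URL this is an
        # external redirect: the client receives a 302, not a 404.
        proxy_intercept_errors on;
        error_page 404 https://X.X.X.X/404;

        # --- Hardening ---
        # Serve only the expected Host values (anti-hotlinking / stray DNS names
        # pointed at this IP). Dots are escaped so e.g. "abc-com-cn" no longer
        # matches. A catch-all default_server that does "return 444;" is the
        # cleaner way to achieve the same thing.
        if ( $host !~* ^(abc\.com\.cn|192\.168\.100\.93|172\.31\.255\.3)$ )
        {
            return 403;
        }
        # Method allow-list. 405 is the correct status for a disallowed method
        # (501 means "not implemented by this server"). HEAD is included
        # because load balancers and monitors use it; nginx serves it as a
        # body-less GET. PUT/DELETE remain blocked - confirm no endpoint under
        # /api needs them.
        if ($request_method !~ ^(GET|HEAD|OPTIONS|POST)$ )
        {
            return 405;
        }
        # User-Agent deny-list. Defense in depth only: any client can set an
        # arbitrary UA, and broad words such as "scan", "select" or "decode"
        # can match legitimate clients - review access logs after enabling.
        if ($http_user_agent ~* "python|perl|ruby|curl|bash|echo|uname|base64|decode|md5sum|select|concat|httprequest|nmap|scan|nessus|wvs" ) {
            return 403;
        }
        #if ($http_user_agent ~* "" ) {
        # return 403;
        #}
        # Backup, dump and script files by extension. Answer 404 rather than the
        # previous "rewrite ^/(.*)$ $host permanent", which produced a broken
        # redirect to a path named after the host and confirmed the file exists.
        location ~* \.(bak|swp|save|sh|sql|mdb|old)$ {
            return 404;
        }
        # VCS metadata lives in dot-directories (/.git/config, /.svn/entries);
        # the former "\.git$" suffix match never hit those paths.
        location ~ /\.(git|svn) {
            return 404;
        }
        # "location /(admin|phpadmin|status)" without "~" is a literal prefix
        # and matched nothing; an anchored regex is required. "(/|$)" keeps
        # unrelated paths such as /administration from being caught.
        location ~ ^/(admin|phpadmin|status)(/|$) { deny all; }
        # API test / documentation pages. $uri is the decoded, normalized path,
        # so percent-encoding (/%73wagger) and duplicate slashes cannot bypass
        # these checks the way they could against raw $request_uri.
        if ($uri = "/online-api/")
        {
            return 403 'Access denied';
        }
        if ($uri ~* "swagger")
        {
            return 403 'Access denied';
        }
        if ($uri ~* "actuator")
        {
            return 403 'Access denied';
        }
...
    }
}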
