nginx安全设置

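# NOTE: add_header directives are inherited from the enclosing level only when
# the current level (server/location) declares none of its own; a location that
# adds even one header must repeat the whole set below. "always" makes a header
# appear on error responses too, not only on 2xx/3xx.

# Block common crawlers from mainland China (enable/disable per your needs).
# Bare words such as "spider" match any User-Agent containing them.
if ($http_user_agent ~* "qihoobot|Yahoo! Slurp China|Baiduspider|Baiduspider-image|spider|Sogou spider|Sogou web spider|Sogou inst spider|Sogou spider2|Sogou blog|Sogou News Spider|Sogou Orion spider|ChinasoSpider|Sosospider|YoudaoBot|yisouspider|EasouSpider|Tomato Bot|Scooter") { return 403; }
# Block common crawlers from outside China (enable/disable per your needs).
# Short alternatives such as "Fast" or "Slurp" are matched case-insensitively
# anywhere in the UA, so expect some false positives.
if ($http_user_agent ~* "Googlebot|Googlebot-Mobile|AdsBot-Google|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|MSNBot|Catall Spider|ArchitextSpider|AcoiRobot|Applebot|Bingbot|Discordbot|Twitterbot|facebookexternalhit|ia_archiver|LinkedInBot|Naverbot|Pinterestbot|seznambot|Slurp|teoma|TelegramBot|Yandex|Yeti|Infoseek|Lycos|Gulliver|Fast|Grabber") { return 403; }
# Block listed UAs and requests with an empty/absent User-Agent ("^$").
# This match is case-sensitive ("~"), which is why both "Python" and "python"
# are listed.
if ($http_user_agent ~ "Googlebot/2.1|bingbot/2.0|Baiduspider-render/2.0|WinHttp|WebZIP|FetchURL|node-superagent|Bytespider|FeedDemon|Jullo|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Feedly|Apache-HttpAsyncClient|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|Python|python|lightDeckReports Bot|YYSpider|DigExt|HttpClient|MJ12bot|heritrix|Ezooms|BOT/0.1|YandexBot|FlightDeckReports|Linguee Bot|iaskspider|^$") { return 403; }
# Block Scrapy-style tools.
if ($http_user_agent ~* (Scrapy|HttpClient)) { return 403; }

# Reject methods other than GET/HEAD/POST (HTTP verb tampering / auth bypass).
# The original had this directive on the same line as its comment, so it was
# commented out by accident. It is kept disabled here on purpose: it also
# rejects OPTIONS (CORS preflight) and the PUT/DELETE used by APIs. Enable it
# only for a vhost that serves none of that traffic.
#if ($request_method !~ "^(GET|HEAD|POST)$") { return 403; }

# Reject request URIs carrying obvious probe patterns.
# Was "return 301", which emits a redirect with no Location header; 403 matches
# the other rules. Caveats: "(\.php)" blocks every PHP URI, so this is only
# usable on a non-PHP site; "(eval)" and "(\.tar)" also match legitimate paths
# that merely contain those substrings; "($_GET)" appears to be a regex "$"
# (end anchor) followed by "_GET" and so can never match -- confirm before
# relying on it.
#if ($request_uri ~* "(\.gz)|(\")|(\.tar)|(\.sql)|($_GET)|(eval)|(\?php)|(\.php)|(\.aspx)|(\')|(\.bak)") { return 403; }
if ($request_uri ~* "(\")|(\.tar)|(\.sql)|($_GET)|(eval)|(\?php)|(\.php)|(\.aspx)|(\')|(\.bak)") { return 403; }

# Scanner finding: X-Content-Type-Options missing.
# add_header takes "name value" -- no colon after the name. The original
# "X-Content-Type-Options: nosniff" would have produced a header named
# "X-Content-Type-Options:" and an invalid "Name:: value" line on the wire.
add_header X-Content-Type-Options "nosniff" always;
# Scanner finding: X-XSS-Protection missing.
# One header with "1; mode=block" replaces the two separate lines (and the
# "mod=block" typo) of the original. Current browsers have removed this filter;
# it is kept only because scanners still ask for it, and some guidance now
# prefers the value "0".
add_header X-XSS-Protection "1; mode=block" always;
# Scanner finding: OPTIONS method enabled.
# Kept disabled: denying OPTIONS also breaks CORS preflight requests.
#if ($request_method ~* OPTIONS) {
#    return 403;
#}
# Scanner finding: Strict-Transport-Security missing.
# Emit this only from the HTTPS server block. "preload" asks browser preload
# lists to pin the whole domain (incl. subdomains) to HTTPS for max-age
# (2 years) and is hard to roll back once submitted.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
# Scanner finding: Referrer-Policy missing.
# "origin" still sends scheme+host on HTTPS->HTTP downgrades;
# "strict-origin-when-cross-origin" is the common stricter choice if that is
# not wanted.
add_header Referrer-Policy "origin" always;
# Scanner finding: X-Permitted-Cross-Domain-Policies missing.
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
# Scanner finding: X-Download-Options missing.
add_header X-Download-Options "noopen" always;
# Scanner finding: Content-Security-Policy missing.
# Both candidates stay disabled. The first is the original with the missing
# ";" separators added -- without them the whole string is one default-src
# source list. The second allows everything and provides no protection.
#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'self'" always;
#add_header Content-Security-Policy "script-src * 'unsafe-inline' 'unsafe-eval'";
# Clickjacking: X-Frame-Options not configured.
# SAMEORIGIN (or the CSP frame-ancestors directive above) is the usual fix;
# enable one once it is known whether any legitimate framing of this site
# exists.
#add_header X-Frame-Options "SAMEORIGIN" always;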

 
