nginx产品环境安全配置-主配置文件

以下配置为产品环境的nginx基于安全和效率的主配置文件,不包含fastcgi相关配置

cat /etc/nginx/nginx.conf
user                   nginx;
worker_processes       auto;
error_log              /var/log/nginx/error.log;
pid                    /run/nginx.pid;
include                /usr/share/nginx/modules/*.conf;
events {
    use                epoll;
    multi_accept       on;
    worker_connections 2048;
}
http {
   # 基本安全设置
    ## 1.不返回版本号
    server_tokens       off;
    ## 2.只允许同源的fram/iframe/object加载,避免劫持
    add_header          X-Frame-Options SAMEORIGIN;
    ## 3.关闭资源类型猜想,避免资源代码攻击
    add_header          X-Content-Type-Options nosniff;
    ## 4.开启XSS过滤,若检查到XSS攻击,停止渲染页面
    add_header          X-XSS-Protection "1; mode=block";
   # 配置文件包含和媒体文件包含
    include             /etc/nginx/conf.d/*.conf; 
    include             mime.types;
    default_type        application/octet-stream;
   # sendfile和tcp连接设置
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
   # 开启gzip压缩
    gzip                on; 
    gzip_min_length     5k;
    gzip_buffers        4 16k;
    gzip_comp_level     2;
    gzip_vary           on;
   # 设定请求大小和缓冲大小
    client_max_body_size        100m;
    client_body_buffer_size     8K;
    client_header_buffer_size   64k; 
    large_client_header_buffers 4 128k;
   # 防DDOS攻击配置
    ## 2.同一IP总共最多存在50个并发
    limit_conn_zone $binary_remote_addr zone=TCLZone:20m ;
    limit_conn_log_level notice;
    limit_conn  TCLZone  50;
    ## 3.同一IP每秒最多处理10个请求,5个排队
    limit_req_zone $binary_remote_addr  zone=CLZone:20m rate=10r/s;
    limit_req_log_level notice;
    limit_req zone=CLZone burst=5 nodelay;
   # 日志格式及日志路径,产品环境用json格式,其他环境用默认
    log_format  main    '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format main_json '{"@timestamp":"$time_local",'
                         '"N_client_ip": "$remote_addr",'
                         '"N_request": "$request",'
                         '"N_request_time": "$request_time",'
                         '"N_status": "$status",'
                         '"N_bytes": "$body_bytes_sent",'
                         '"N_user_agent": "$http_user_agent",'
                         '"N_x_forwarded": "$http_x_forwarded_for",'
                         '"N_referer": "$http_referer"'
                         '}';
    access_log  /var/log/nginx/access.log  main_json;
   # 禁止使用IP解析,禁止非法域名解析
    server {
        listen 80;
        server_name - ;
        return 501;
    }
}

posted @ 2019-09-27 14:57  noah-罗  阅读(209)  评论(0编辑  收藏  举报