nginx产品环境安全配置-主配置文件
以下配置为产品环境的nginx基于安全和效率的主配置文件,不包含fastcgi相关配置
cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
use epoll;
multi_accept on;
worker_connections 2048;
}
http {
# 基本安全设置
## 1.不返回版本号
server_tokens off;
## 2.只允许同源的fram/iframe/object加载,避免劫持
add_header X-Frame-Options SAMEORIGIN;
## 3.关闭资源类型猜想,避免资源代码攻击
add_header X-Content-Type-Options nosniff;
## 4.开启XSS过滤,若检查到XSS攻击,停止渲染页面
add_header X-XSS-Protection "1; mode=block";
# 配置文件包含和媒体文件包含
include /etc/nginx/conf.d/*.conf;
include mime.types;
default_type application/octet-stream;
# sendfile和tcp连接设置
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# 开启gzip压缩
gzip on;
gzip_min_length 5k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_vary on;
# 设定请求大小和缓冲大小
client_max_body_size 100m;
client_body_buffer_size 8K;
client_header_buffer_size 64k;
large_client_header_buffers 4 128k;
# 防DDOS攻击配置
## 2.同一IP总共最多存在50个并发
limit_conn_zone $binary_remote_addr zone=TCLZone:20m ;
limit_conn_log_level notice;
limit_conn TCLZone 50;
## 3.同一IP每秒最多处理10个请求,5个排队
limit_req_zone $binary_remote_addr zone=CLZone:20m rate=10r/s;
limit_req_log_level notice;
limit_req zone=CLZone burst=5 nodelay;
# 日志格式及日志路径,产品环境用json格式,其他环境用默认
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format main_json '{"@timestamp":"$time_local",'
'"N_client_ip": "$remote_addr",'
'"N_request": "$request",'
'"N_request_time": "$request_time",'
'"N_status": "$status",'
'"N_bytes": "$body_bytes_sent",'
'"N_user_agent": "$http_user_agent",'
'"N_x_forwarded": "$http_x_forwarded_for",'
'"N_referer": "$http_referer"'
'}';
access_log /var/log/nginx/access.log main_json;
# 禁止使用IP解析,禁止非法域名解析
server {
listen 80;
server_name - ;
return 501;
}
}