自用nginx配置(常见安全配置,http转https,http和https混合请求,解决http host头攻击漏洞)

自用nginx配置(常见安全配置,http转https,http和https混合请求,解决http host头攻击漏洞)



#user  nobody;
worker_processes 1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
events {
   worker_connections 1024;
}


http {
   include mime.types;
   default_type application/octet-stream;

   #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
   #                  '$status $body_bytes_sent "$http_referer" '
   #                  '"$http_user_agent" "$http_x_forwarded_for"';

   #access_log  logs/access.log  main;
   access_log off;

   sendfile on;
   #tcp_nopush     on;

   #keepalive_timeout  0;
   #keepalive_timeout  65;
   keepalive_timeout 60 60;

   # 设置请求正文即请求体(request body)的读超时时间
   client_body_timeout 60s;
   # 指定等待client发送一个请求头的超时时间
   client_header_timeout 60s;
   # 设置将响应传输到客户端的超时
   send_timeout 60s;
   # 有大文件上传时,需要指定body的最大值
   client_max_body_size 50m;
   # 限制了同一ip1秒钟内最多可以请求20次
   #limit_req_zone $binary_remote_addr zone=reqperip:20m rate=50r/s;
   # 同一ip的请求使用缓存,大小为10,并且不延迟
   #limit_req zone=reqperip burst=50 nodelay;

   # 限制并发数,$binary_remote_addr是限制同一客户端ip地址;
   limit_conn_zone $binary_remote_addr zone=one:10m;
   # 限制并发数,$server_name是限制同一server最大并发数
   limit_conn_zone $server_name zone=perserver:10m;
   # 最大并发连接数100
   limit_conn one 500;
   # 表示该服务提供的总连接数不得超过2000,超过请求的会被拒绝
   limit_conn perserver 2000;
   # 限制下载带宽,limit_rate为限制下载速度;
   limit_rate 5000k;


   #隐藏Nginx版本号
   server_tokens off;

   #隐藏Nginx后端服务指定Header的状态:
   proxy_hide_header X-Powered-By;
   proxy_hide_header Server;

   #防止XSS攻击
   add_header X-Frame-Options SAMEORIGIN;
   add_header X-XSS-Protection '1;mode=block';
   add_header X-Content-Type-Options nosniff;


   ###############
   gzip on; # 默认压缩配置
   gzip_min_length 2k; # 小于2k的不压缩
   gzip_proxied any; # 无条件压缩
   gzip_comp_level 2; # 压缩级别1~9,越高压缩越小CPU资源消耗越多
   gzip_buffers 16 8k; # 存储压缩结果数据流,以8k为单位,向内存申请16倍


   #gzip  on;
   #定义负载均衡域名,供后面的http和https使用 test.abc.com
   upstream server8180 {
      server 127.0.0.1:8180;
   }


   # another virtual host using mix of IP-, name-, and port-based configuration
   #
   #server {
   #    listen       8000;
   #    listen       somename:8080;
   #    server_name  somename  alias  another.alias;
   #    location / {
   #        root   html;
   #        index  index.html index.htm;
   #    }
   #}
   # HTTPS server
   server {
      listen 80;
      listen 443 ssl;
      # 配置Nginx解决http host头攻击漏洞https://blog.csdn.net/weixin_48207312/article/details/128288660
      server_name 127.0.0.1 test.abc.com localhost;
      if ($http_Host !~* ^127.0.0.1|test.abc.com|localhost$) {
         return 403;
      }

      ssl_certificate my_ssl.pem;
      ssl_certificate_key my_ssl.key;

      ssl_session_cache shared:SSL:1m;
      ssl_session_timeout 5m;

      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;


      # 自定义错误页(关键参数:这个变量开启后,我们才能自定义错误页面,当后端返回404,nginx拦截错误定义错误页面)
      proxy_intercept_errors on;
      error_page 404 /404.html;
      # 承接上面的location。

      location = /404.html {
         # 放错误页面的目录路径。
         root html;
      }

      location /html {
         # 放错误页面的目录路径。
         root html;
      }

      #强制将http重定向到https
      if ($scheme = http) {
         return 307 https://$host$request_uri;
      }

      #解决Nginx HTTP服务器的报错“400 Bad Request: The plain HTTP request was sent to HTTPS port”

      location ~/ {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto https;
         proxy_pass http://server8180;
         proxy_redirect http:// https://;

         #解决http和https混合请求报错
         add_header Content-Security-Policy upgrade-insecure-requests;
      }
      #location / {
      #    root   html;
      #    index  index.html index.htm;
      #}
   }

}



posted @ 2023-05-12 11:15  tc310  阅读(717)  评论(0编辑  收藏  举报