nginx网络安全配置

1.隐藏nginx版本信息

在 nginx.conf 中配置

http {
  ...

  # 隐藏版本信息
  server_tokens off;

  ...
}

 

可以看到已经没有nginx信息了

 

2、隐藏powered-by

一些 WEB 语言或框架默认输出的 x-powered-by 也会泄露网站信息，他们一般都提供了修改或移除的方法，可以自行查看手册。如果部署上用到了 Nginx 的反向代理，也可以通过 proxy_hide_header 指令隐藏它：

location / {
  ...
  # 隐藏powered-by
  proxy_hide_header        X-Powered-By;
  ...
}

 

3、相关安全设置

# CSP 通过指定允许浏览器加载和执行那些资源，使服务器管理者有能力减少或消除 XSS 攻击的可能性
add_header  Content-Security-Policy  "default-src 'self'; img-src 'self' *.alicdn.com; object-src 'none'; script-src 'self' *.alicdn.com; style-src 'self' *.alicdn.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'";

# X-Content-Type-Options 响应头相当于一个提示标志，被服务器用户提示浏览器一定要遵循 Content-Type 头中 MIME 类型的设定，而不能对其进行修改。
add_header  X-Content-Type-Options nosniff;

# Strict-Transport-Security(HSTS) 告诉浏览器该站点只能通过 HTTPS 访问，如果使用了子域，也建议对任何该站点的子域强制执行此操作。
add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains";

# 给浏览器指示允许一个页面可否在frame嵌入
# DENY 表示该页面不允许在 frame 中展示，即便是在相同域名的页面中嵌套也不允许
# SAMEORIGIN # 表示该页面可以在相同域名页面的 frame 中展示
# ALLOW-FROM uri # 表示该页面可以在指定来源的 frame 中展示。
add_header  X-Frame-Options SAMEORIGIN;

# 跨域访问
add_header  Access-Control-Allow-Origin *;
add_header  Access-Control-Allow-Origin *.xx.com;

# xss攻击防护
add_header  X-XSS-Protection  "1; mode=block";

# cookie读取设置
add_header  Set-Cookie "Path=/; HttpOnly; Secure";
# 反向代理时要设置参数解决Cookie跨域丢失
proxy_cookie_path / "/; httponly; secure; SameSite=None";

 

4.跨域请求设置

通过配置Access-Control-Allow-Origin参数可以指定哪些域可以访问你的服务器，这个值要么是* 要么是带协议端口号确定的值， *.xx.com都是错误的值。

  set $cors "";
  if ($http_origin ~* (.*\.atpool.com)) {
    set $cors $http_origin;
  }
  add_header Access-Control-Allow-Origin $cors;
  add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT";
  add_header Access-Control-Allow-Credentials true;
  add_header Access-Control-Allow-Headers *;
  if ($request_method = "OPTIONS") {
    return 204;
  }

 

 

完整配置
 

server {
  listen  80;
  server_name test.xx.com;
  
  # 证书设置
  ssl_certificate cert/xx.com.pem;
  ssl_certificate_key cert/xx.com.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  # 只启用TLS1.2 以上
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  
  # 安全相关设置
  add_header  Content-Security-Policy  "default-src 'self' *.xx.com data: 'unsafe-inline';";
  add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header  X-Frame-Options  SAMEORIGIN;
  add_header  X-Content-Type-Options nosniff;
  add_header  X-XSS-Protection  "1; mode=block";
  add_header  Set-Cookie "Path=/; HttpOnly; Secure";
  add_header  Cache-Control  max-age=86400;
  
  # 跨域设置
  set $cors "";
  if ($http_origin ~* (.*\.xx.com)) {
    set $cors $http_origin;
  }
  add_header Access-Control-Allow-Origin $cors;
  add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT";
  add_header Access-Control-Allow-Credentials true;
  add_header Access-Control-Allow-Headers *;
  if ($request_method = "OPTIONS") {
    return 204;
  }

  location / {
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript application/json application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;

    proxy_pass   http://127.0.0.1:8000;
    proxy_hide_header   X-Powered-By; # 隐藏 powered-by
    proxy_cookie_path   / "/; httponly; secure; SameSite=None";
    proxy_set_header    X-Real-IP        $remote_addr;
    proxy_set_header    X-Forwarded-For  $remote_addr;
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    Host $http_host;
    proxy_redirect      default;
  }
 
}