Security is no small matter, nginx as a web server, is exposed at the top of the application, so to create a secure website, need to start the security configuration nginx.
1, hide the version number
{HTTP
server_tokens OFF;
}
there is often a version of nginx for security loopholes, hidden nginx version number has become one of the main means of optimized security, of course, the most important is the time to upgrade bug fixes
2, open HTTPS
server {
listen 443;
server_name ops-coffee.cn;
ON SSL;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers to HIGH: aNULL:!! the MD5;
}
SSL ON: Open HTTPS
ssl_certificate: Configuration Nginx ssl certificate path
ssl_certificate_key: configure Nginx ssl key certificate path
ssl_protocols: Specifies the client to establish ssl protocol version used by the connection, if no compatible TSLv1, can be removed directly
ssl_ciphers: Specifies the encryption algorithm used by client connection , then here you can configure a higher security algorithms
3. Add black and white list
White List Configuration
LOCATION / ADMIN / {
the allow 192.168.1.0/24;
the deny All;
}
top represents only allows access to the host network of 192.168.1.0/24, reject all other
Can also be written blacklists banning certain address access, allowing all other such
LOCATION / OPS-Coffee / {
the deny 192.168.1.0/24;
the allow All;
}
More when client requests through layers of agents, we need to be limited by $ HTTP_X_FORWARDED_FOR, can write
set $allow false;
if ($http_x_forwarded_for = "211.144.204.2") { set $allow true; }
if ($http_x_forwarded_for ~ "108.2.66.[89]") { set $allow true; }
if ($allow = false) { return 404; }
4, add the account authentication
server {
location / {
auth_basic "please input user&passwd";
auth_basic_user_file key/auth.key;
}
}
5, restriction request method
IF (REQUEST_METHOD ~ $ ^ (the GET | the POST) $!) {
return 405;
}
$ REQUEST_METHOD method can obtain the request nginx
GETPOST configured to allow only way to access other method returns 405
6, User-Agent refused
IF ($ HTTP_USER_AGENT LWP :: ~ * the Simple | BBBike | wget | curl) {
return 444;
}
There may be some unscrupulous persons would use wget / curl scanning tools such as our website, we can disable the corresponding user-agent simply prevention
444 state Nginx is rather special, if returned 444 then the client will not receive the information returned from the server, like the website can not connect as
7, anti-hotlinking pictures
LOCATION / Images / {
valid_referers none blocked www.ops-coffee.cn ops-coffee.cn;
IF ($ invalid_referer) {
return 403;
}
}
valid_referers: verification referer, wherein none allow referer empty, blocked without allowing protocol request, in addition to the above two types of access is allowed only referer resources under the picture images when www.ops-coffee.cn or ops-coffee.cn, otherwise 403
Of course you can not conform to the rules referer redirects the request to a default image, such as below this
location /images/ {
valid_referers blocked www.ops-coffee.cn ops-coffee.cn
if ($invalid_referer) {
rewrite ^/images/.*.(gif|jpg|jpeg|png)$ /static/qrcode.jpg last;
}
}
8, the control concurrent connections
You can limit the number of concurrent connections through one IP module ngx_http_limit_conn_module
http {
limit_conn_zone $binary_remote_addr zone=ops:10m;
server {
listen 80;
server_name ops-coffee.cn;
the root / Home / Project / the webapp;
index index.html;
LOCATION / {
limit_conn OPS 10;
}
access_log main /tmp/nginx_access.log;
}
}
limit_conn_zone: setting holding respective keys (e.g., $ binary_remote_addr is) the state of the shared memory space parameters, zone = space name: size
Calculate the size of the variables, e.g. $ size binary_remote_addr variable of the recording IPV4 address is fixed 4 bytes, while the recording IPV6 address fixed 16 bytes, the storage state occupies 32 or 64 bytes in the 32-bit platform, the 64-bit platform occupy 64 bytes. 1m shared memory space can hold about 32,000 state 32-bit, 64-bit 16000 state
Specifies the maximum number of connections a shared memory space already set (e.g., name of spatial ops), and each of the given key value: limit_conn
The above example represents one time only the same IP connection 10
When there are a plurality of instructions configured limit_conn, all connection limit will take effect
http {
limit_conn_zone $binary_remote_addr zone=ops:10m;
limit_conn_zone $server_name zone=coffee:10m;
server {
listen 80;
server_name ops-coffee.cn;
root /home/project/webapp;
index index.html;
LOCATION / {
limit_conn OPS 10;
limit_conn Coffee 2000;
}
}
}
of the total number of connections connected to the upper side single IP configuration will not only limit the source 10, but also limiting to a single virtual server 2000
9, buffer overflow ***
*** Buffer overflow is accomplished by writing data to the buffer and beyond the boundaries of the buffer memory and rewriting fragments, limiting the size of the buffer can be effectively prevented
1K client_body_buffer_size;
client_header_buffer_size 1K;
client_max_body_size 1K;
large_client_header_buffers 2 1K;
client_body_buffer_size: default 8k or 16k, it represents a client request body occupied buffer size. If the connection request buffer exceeds a specified value, then the whole or part of the requesting entity attempts to write to a temporary file.
client_header_buffer_size: represents a client request buffer size of the head. In most cases a request header is not greater than 1k, but if you have come from a large cookie wap client it may be greater than 1k, Nginx will assign it a larger buffer, this value can be set inside the large_client_header_buffers
client_max_body_size: represents a client request maximum acceptable size of the body, as it appears in the Content-Length header field of the request, if the request is greater than the specified value, the client will receive a "request Entity Too Large" (413 ) errors, usually uploading a file to the server may be limited
large_client_header_buffers represent some of the larger buffer number and size of the request header using the default buffer size for the operation of a system paging file size, or 8K 4k usually, not more than one request field buffer area size, and if the client sends a relatively large head, Nginx returns "request URI too large" (414 ), the request header field not be greater than the longest one buffer, otherwise the server returns a "Bad request" (400)
At the same time the need to modify the configuration of several timeout
10 client_body_timeout;
client_header_timeout 10;
keepalive_timeout. 5. 5;
send_timeout 10;
client_body_timeout: reading request time represents the body, if the connection more than this time without any response to the client, Nginx returns "Request time out" (408) Error
client_header_timeout: It represents read timeout client request header, if the connection more than this time without any response to the client, Nginx returns "request time out" (408) error
keepalive_timeout: a first parameter value represents a client and a server connected to the long timeout, more than this time, the server will close the connection, optional second parameter parameter represents Response header Keep-Alive: timeout = time value of the time, this value can cause some browsers know when the connection is closed, so that server not repeat off if you do not specify this parameter, nginx will not be sending Keep-Alive response header information in
send_timeout: representation sent to a timeout after the client response, timeout refers not enter the state established a complete, finished only two handshake If after this time there is no response to the client, nginx connection will be closed
10, Header head is provided
Can be effectively prevented by setting XSS ***
the add_header X--Frame-the Options "SAMEORIGIN";
the add_header X--XSS-Protection ". 1; MODE = Block";
the add_header X--the Content-the Type-the Options "nosniff";
X--Frame-the Options: response header indicates whether to allow the browser to load frame attributes, there are arranged three DENY prohibit any page is embedded, only nested SAMEORIGIN this site, aLLOW-FROM allows nested specified address
X-XSS-Protection: represents XSS filtering enabled (disabled filter to X-XSS- Protection: 0), mode = block said that if the examination is to stop rendering the page XSS ***
X-Content-type-Options: response header is used to specify the browser unspecified or specified incorrectly guess the real type of behavior Content-type resources , nosniff is not allowed any speculation
in the usual request response, the browser will be resolved according to the type of response Content-type, but does not specify the type of response or error is specified, the browser will attempt to guess enable MIME-sniffing response resources type, which is very dangerous
For example, a .jpg picture file embedded in a malicious executable js code, in the case of open speculation of resource types, the browser will execute embedded js code, there may be unintended consequences
There are also several security configuration on request header Note
Content-Security-Policy: define what resources can load the page,
add_header Content-Security-Policy "default -src 'self'";
the top configuration will limit all external resources, can only be loaded from the current domain, where default-src-defined default loading strategy for all types of resources, self permit from content from the same source
Strict-Transport-Security: will tell browser with the HTTPS protocol instead of HTTP to access the target site
add_header Strict-Transport-Security "max -age = 31536000; includeSubDomains";
upper side after the first configuration means that when a user accesses, a return field contains the response Strict-Transport-Security header, this field tells the browser, over the next 31,536,000 seconds, all current requests site uses the https protocol to access, includeSubDomains parameter is optional, meaning that all subdomains will also adopt the same rules