
这个配置示例包括了一些常见的安全设置,如 SSL/TLS 配置、HTTP/2 支持、反向代理缓存、登录接口限速(防止暴力破解)、按 User-Agent 拦截恶意请求等。请注意,这只是一个示例配置,具体的配置需要根据实际需求和环境进行调整和优化,并将示例中的域名、路径和证书等信息替换为实际的值。特别要注意:示例中引用的 `$bad_bot` 变量、`limit_req` 使用的 `login` 区域以及 `proxy_pass` 指向的 `backend` 上游,都必须在 `http` 块中分别用 `map`、`limit_req_zone` 和 `upstream` 声明,否则 nginx 会在启动时报错;上线前请先执行 `nginx -t` 检查配置。

# Main (global) context.
pid /run/nginx.pid;
# Worker processes run as this unprivileged account; the master keeps root only to bind ports.
user nginx;
# One worker per available CPU core.
worker_processes auto;
# Per-worker open-file limit; must be large enough for worker_connections plus upstream sockets.
worker_rlimit_nofile 65535;

# Connection-processing (events) context.
events {
    # epoll is the efficient method on Linux; drop this line on other platforms.
    use epoll;
    # Accept every pending connection in one wakeup instead of one at a time.
    multi_accept on;
    # Maximum simultaneous connections per worker (clients and upstreams combined).
    worker_connections 4096;
}

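# HTTP context: one reverse-proxy site with TLS, caching, login rate limiting
# and a user-agent blocklist. Everything the server block references
# ($bad_bot, the "login" limit zone, the "backend" upstream) is declared here;
# the original referenced them without declaring them, which makes nginx
# refuse to start ("unknown variable", "zone ... is unknown", host not found).
http {
    # Basic settings
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    # Default request-body limit; locations may override it.
    client_max_body_size 10m;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;
    # Request-header size cap. Since nginx 1.19.7 this also governs HTTP/2
    # and replaces the obsolete http2_max_field_size/http2_max_header_size.
    large_client_header_buffers 4 16k;
    # Requests per keep-alive connection / HTTP/2 connection
    # (replaces the obsolete http2_max_requests).
    keepalive_requests 100;

    # Logging. Keep the access log on everywhere: it is the primary forensic record.
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log;

    # TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # ECDHE + AEAD suites only. The original "AES256+EECDH:AES256+EDH" also
    # admitted CBC suites; DHE suites are left out because nginx does not
    # negotiate them unless ssl_dhparam is configured.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    # Prefer X25519; a single-curve list (secp384r1 only) rejects clients that
    # offer only the common curves for no security gain.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Tickets off: nginx never rotates the ticket key, which would undermine forward secrecy.
    ssl_session_tickets off;
    # OCSP stapling. ssl_stapling_verify needs the issuer chain: if the
    # certificate file does not include it, add ssl_trusted_certificate in the server block.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver for OCSP responder lookups. These are plain UDP DNS queries to a
    # third party; prefer an internal resolver in production.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Rate-limit zone for the login endpoint: 5 requests/minute per client IP.
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
    limit_req_status 429;

    # $bad_bot is 1 when the User-Agent matches a scanner/scraper pattern.
    # This is a nuisance filter, not an access control: the header is attacker-chosen.
    map $http_user_agent $bad_bot {
        default 0;
        "~*(masscan|nikto|sqlmap|nmap|zgrab)" 1;
    }

    # Application server(s) behind the proxy; replace with the real address(es).
    upstream backend {
        server 127.0.0.1:8080;
        keepalive 32;
    }

    # Cache storage
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off;

    # Plain HTTP: redirect everything to HTTPS. $server_name rather than $host,
    # so a forged Host header cannot steer the redirect target.
    server {
        listen 80;
        server_name example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        # From nginx 1.25.1 the "http2" listen parameter is deprecated in
        # favour of a separate "http2 on;" directive.
        listen 443 ssl http2;
        server_name example.com;

        # Certificate (with chain) and private key
        ssl_certificate /path/to/certificate.crt;
        ssl_certificate_key /path/to/private.key;

        # Security headers. NOTE: add_header is not inherited into a location
        # that has its own add_header, so such locations repeat these lines.
        # Add includeSubDomains/preload to HSTS only once every subdomain serves HTTPS.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        # Do not relay the application's technology banner to clients.
        proxy_hide_header X-Powered-By;

        # Reject known-bad user agents before any location is evaluated.
        if ($bad_bot) {
            return 403;
        }

        # HTTP basic auth for the whole site. Declared at server level so every
        # location (login page, static files) is covered, not just "/".
        auth_basic "Restricted";
        auth_basic_user_file /path/to/.htpasswd;

        # Forwarding headers shared by all proxied locations. X-Forwarded-Proto
        # lets the backend know the client connection was HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Needed for the upstream keepalive pool.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Application
        location / {
            # Request-body limits. The original's "client_body_in_file_only on"
            # with "client_body_temp_path /var/tmp" wrote every request body to
            # a world-writable directory and never deleted it; that is a
            # debugging aid, not an upload control, so it is gone. The original
            # "try_files $uri $uri/ =404" is also gone: with no root it made
            # every request 404 before reaching proxy_pass, and try_files does
            # not prevent path traversal (nginx normalises ".." itself).
            client_max_body_size 10m;
            client_body_buffer_size 32K;
            client_body_timeout 12;

            proxy_pass http://backend;

            # Cache
            proxy_cache my_cache;
            proxy_cache_valid 200 302 10m;
            proxy_cache_valid 404 1m;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            # Skip the cache AND do not store when the client opts out or sends
            # credentials; proxy_cache_bypass alone still stores the response.
            # With site-wide basic auth every request carries Authorization, so
            # this cache is effectively disabled; drop $http_authorization here
            # only for content that is genuinely public.
            proxy_cache_bypass $cookie_nocache $arg_nocache $http_pragma $http_authorization;
            proxy_no_cache $cookie_nocache $arg_nocache $http_pragma $http_authorization;
            add_header X-Cache-Status $upstream_cache_status;
            # Repeated because this location's add_header suppresses the server-level ones.
            add_header Strict-Transport-Security "max-age=31536000" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }

        # Login endpoint: rate limited, then proxied to the same backend. The
        # original served it with try_files and no root, so it always returned
        # 404; an exact match ("=") avoids also catching /wp-login.php.bak etc.
        location = /wp-login.php {
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://backend;
        }

        # Static assets: proxied, cached and marked cacheable for a year.
        # "expires" alone emits Cache-Control: max-age; the original's extra
        # add_header Cache-Control "public" produced a second Cache-Control
        # header and suppressed the inherited security headers.
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            proxy_pass http://backend;
            proxy_cache my_cache;
            proxy_cache_valid 200 1y;
            expires 1y;
        }

        # Deny dotfiles (.git, .env, .htpasswd, ...). Denied probes stay in the
        # access log on purpose: they are what detection wants to see. This
        # also blocks /.well-known/acme-challenge/; add a more specific
        # "location ^~ /.well-known/acme-challenge/" if you use ACME HTTP-01.
        location ~ /\. {
            deny all;
            log_not_found off;
        }
    }
}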


