初始化: Web安全攻防知识库
- 靶场环境: DVWA/WebGoat/Pikachu/BWAPP/SQLi-Labs/XSS-Labs - SQL注入工具: sqli-scanner.py, blind-sqli.py, sqli-exploit.go - XSS工具: xss-fuzzer.py, xss-scanner.go - 认证攻击: web-brute.py, jwt-cracker.py - 服务端安全: port-scanner.py, tls-scanner.py - 防御配置: nginx-hardening.conf - 案例研究: 福建政采网安全评估报告 (13份) - 同步脚本: sync-gitea.sh
这个提交包含在:
hao
@@ -0,0 +1,184 @@
|
||||
# Nginx 安全加固配置
|
||||
|
||||
## 1. TLS 配置
|
||||
|
||||
```nginx
|
||||
# 仅允许 TLS 1.2 和 1.3
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
# 强密码套件
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# HSTS
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
|
||||
# 会话配置
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
```
|
||||
|
||||
## 2. 安全响应头
|
||||
|
||||
```nginx
|
||||
# Content Security Policy
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" always;
|
||||
|
||||
# 防止点击劫持
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
# 防止 MIME 类型嗅探
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
|
||||
# XSS 保护 (已弃用,建议使用 CSP)
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Referrer 策略
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# 权限策略
|
||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
||||
```
|
||||
|
||||
## 3. 隐藏版本号
|
||||
|
||||
```nginx
|
||||
server_tokens off;
|
||||
```
|
||||
|
||||
## 4. 请求限制
|
||||
|
||||
```nginx
|
||||
# 限制请求体大小
|
||||
client_max_body_size 10M;
|
||||
|
||||
# 限制请求体缓冲
|
||||
client_body_buffer_size 128k;
|
||||
|
||||
# 连接限制
|
||||
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
|
||||
limit_conn conn_limit 100;
|
||||
|
||||
# 请求速率限制
|
||||
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
|
||||
limit_req zone=req_limit burst=20 nodelay;
|
||||
```
|
||||
|
||||
## 5. 阻止恶意请求
|
||||
|
||||
```nginx
|
||||
# 阻止常见攻击
|
||||
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
|
||||
return 405;
|
||||
}
|
||||
|
||||
# 阻止可疑 User-Agent
|
||||
if ($http_user_agent ~* (sqlmap|nikto|nmap|masscan|zap|burp|acunetix|nessus)) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
# 阻止路径遍历
|
||||
if ($request_uri ~* \.\.) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
# 阻止 SQL 注入特征
|
||||
if ($request_uri ~* (union|select|insert|drop|delete|update|script|alert|document\.cookie)) {
|
||||
return 403;
|
||||
}
|
||||
```
|
||||
|
||||
## 6. 日志安全
|
||||
|
||||
```nginx
|
||||
# 不记录敏感路径
|
||||
location ~* ^/(login|admin|api/auth) {
|
||||
access_log off;
|
||||
# ... 其他配置
|
||||
}
|
||||
|
||||
# 自定义日志格式 (不包含敏感信息)
|
||||
log_format secure '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri" $status $body_bytes_sent "$http_referer"';
|
||||
```
|
||||
|
||||
## 7. Cookie 安全
|
||||
|
||||
```nginx
|
||||
# 仅通过 HTTPS 传输
|
||||
proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Strict";
|
||||
```
|
||||
|
||||
## 8. Host 头校验
|
||||
|
||||
```nginx
|
||||
# 定义允许的域名
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 444; # 关闭连接
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl default_server;
|
||||
server_name _;
|
||||
ssl_certificate /path/to/cert.pem;
|
||||
ssl_certificate_key /path/to/key.pem;
|
||||
return 444;
|
||||
}
|
||||
```
|
||||
|
||||
## 9. 完整安全配置示例
|
||||
|
||||
```nginx
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name example.com;
|
||||
|
||||
# TLS
|
||||
ssl_certificate /etc/ssl/certs/server.crt;
|
||||
ssl_certificate_key /etc/ssl/private/server.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# 安全头
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Content-Security-Policy "default-src 'self'" always;
|
||||
|
||||
# 隐藏版本
|
||||
server_tokens off;
|
||||
|
||||
# 限制
|
||||
client_max_body_size 10M;
|
||||
limit_req zone=req_limit burst=20 nodelay;
|
||||
|
||||
# 应用
|
||||
location / {
|
||||
proxy_pass http://backend;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
||||
# HTTP 重定向到 HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
server_name example.com;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
# 阻止非法 Host
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen 443 ssl default_server;
|
||||
server_name _;
|
||||
ssl_certificate /etc/ssl/certs/server.crt;
|
||||
ssl_certificate_key /etc/ssl/private/server.key;
|
||||
return 444;
|
||||
}
|
||||
```
|
||||
在新工单中引用
屏蔽一个用户