hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

kb: expand authorized lab coverage and intel automation

浏览代码
这个提交包含在:
hao
2026-03-16 22:04:51 -07:00
父节点 cda31e86c7
当前提交 d0120fbf10
修改 592 个文件,包含 29025 行新增267 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

246
05-defense/hardening/nginx-hardening.conf
查看文件

@@ -1,184 +1,76 @@
# Nginx 安全加固配置
# LAB ONLY
# 用途: 授权攻防实验中的实验网关、响应头观测、限速演示和反向代理对照
# 目标范围: 本地实验集群、自有公网测试资产、已授权验证目标
# 风险: 可能影响流量路径、触发告警、改变缓存与安全头表现
# 不适用: 生产安全基线、默认公网部署、未授权第三方站点
## 1. TLS 配置
worker_processes 1;
```nginx
# 仅允许 TLS 1.2 和 1.3
ssl_protocols TLSv1.2 TLSv1.3;
# 强密码套件
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 会话配置
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
```
## 2. 安全响应头
```nginx
# Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" always;
# 防止点击劫持
add_header X-Frame-Options "SAMEORIGIN" always;
# 防止 MIME 类型嗅探
add_header X-Content-Type-Options "nosniff" always;
# XSS 保护 (已弃用,建议使用 CSP)
add_header X-XSS-Protection "1; mode=block" always;
# Referrer 策略
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 权限策略
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
```
## 3. 隐藏版本号
```nginx
server_tokens off;
```
## 4. 请求限制
```nginx
# 限制请求体大小
client_max_body_size 10M;
# 限制请求体缓冲
client_body_buffer_size 128k;
# 连接限制
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 100;
# 请求速率限制
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_req zone=req_limit burst=20 nodelay;
```
## 5. 阻止恶意请求
```nginx
# 阻止常见攻击
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
events {
worker_connections 1024;
}
# 阻止可疑 User-Agent
if ($http_user_agent ~* (sqlmap|nikto|nmap|masscan|zap|burp|acunetix|nessus)) {
return 403;
}
# 阻止路径遍历
if ($request_uri ~* \.\.) {
return 403;
}
# 阻止 SQL 注入特征
if ($request_uri ~* (union|select|insert|drop|delete|update|script|alert|document\.cookie)) {
return 403;
}
```
## 6. 日志安全
```nginx
# 不记录敏感路径
location ~* ^/(login|admin|api/auth) {
access_log off;
# ... 其他配置
}
# 自定义日志格式 (不包含敏感信息)
log_format secure '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri" $status $body_bytes_sent "$http_referer"';
```
## 7. Cookie 安全
```nginx
# 仅通过 HTTPS 传输
proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Strict";
```
## 8. Host 头校验
```nginx
# 定义允许的域名
server {
listen 80 default_server;
server_name _;
return 444; # 关闭连接
}
server {
listen 443 ssl default_server;
server_name _;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
return 444;
}
```
## 9. 完整安全配置示例
```nginx
server {
listen 443 ssl http2;
server_name example.com;
# TLS
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# 安全头
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
# 隐藏版本
http {
server_tokens off;
# 限制
client_max_body_size 10M;
limit_req zone=req_limit burst=20 nodelay;
# 应用
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
sendfile on;
limit_conn_zone $binary_remote_addr zone=lab_conn_limit:10m;
limit_req_zone $binary_remote_addr zone=lab_req_limit:10m rate=10r/s;
upstream lab_backend {
server 127.0.0.1:9001;
}
log_format lab_trace
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log logs/access.log lab_trace;
error_log logs/error.log warn;
server {
listen 8088;
server_name lab-gateway.local;
# 实验用途: 便于观察头部、缓存和浏览器保护行为。
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# 注意:
# 下面的 CSP 仅用于实验演示,故意保留了较宽松的脚本执行能力,
# 便于复现 XSS、CSP 绕过和前端资源加载差异。
# 这不是生产推荐策略。
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self';" always;
client_max_body_size 10M;
client_body_buffer_size 128k;
limit_conn lab_conn_limit 50;
limit_req zone=lab_req_limit burst=20 nodelay;
# 实验用途: 便于观察代理层对异常方法和扫描器指纹的处理。
# 这些规则仅用于教学和日志对照,不是生产推荐的主要防护手段。
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
if ($http_user_agent ~* (sqlmap|nikto|nmap|masscan|zap|burp|acunetix|nessus)) {
return 403;
}
if ($request_uri ~* \.\.) {
return 403;
}
location / {
proxy_pass http://lab_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
# HTTP 重定向到 HTTPS
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
# 阻止非法 Host
server {
listen 80 default_server;
listen 443 ssl default_server;
server_name _;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
return 444;
}
```