# Nginx 安全加固配置 ## 1. TLS 配置 ```nginx # 仅允许 TLS 1.2 和 1.3 ssl_protocols TLSv1.2 TLSv1.3; # 强密码套件 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; ssl_prefer_server_ciphers off; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # 会话配置 ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ``` ## 2. 安全响应头 ```nginx # Content Security Policy add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" always; # 防止点击劫持 add_header X-Frame-Options "SAMEORIGIN" always; # 防止 MIME 类型嗅探 add_header X-Content-Type-Options "nosniff" always; # XSS 保护 (已弃用,建议使用 CSP) add_header X-XSS-Protection "1; mode=block" always; # Referrer 策略 add_header Referrer-Policy "strict-origin-when-cross-origin" always; # 权限策略 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; ``` ## 3. 隐藏版本号 ```nginx server_tokens off; ``` ## 4. 请求限制 ```nginx # 限制请求体大小 client_max_body_size 10M; # 限制请求体缓冲 client_body_buffer_size 128k; # 连接限制 limit_conn_zone $binary_remote_addr zone=conn_limit:10m; limit_conn conn_limit 100; # 请求速率限制 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s; limit_req zone=req_limit burst=20 nodelay; ``` ## 5. 阻止恶意请求 ```nginx # 阻止常见攻击 if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 405; } # 阻止可疑 User-Agent if ($http_user_agent ~* (sqlmap|nikto|nmap|masscan|zap|burp|acunetix|nessus)) { return 403; } # 阻止路径遍历 if ($request_uri ~* \.\.) { return 403; } # 阻止 SQL 注入特征 if ($request_uri ~* (union|select|insert|drop|delete|update|script|alert|document\.cookie)) { return 403; } ``` ## 6. 日志安全 ```nginx # 不记录敏感路径 location ~* ^/(login|admin|api/auth) { access_log off; # ... 其他配置 } # 自定义日志格式 (不包含敏感信息) log_format secure '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri" $status $body_bytes_sent "$http_referer"'; ``` ## 7. Cookie 安全 ```nginx # 仅通过 HTTPS 传输 proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Strict"; ``` ## 8. Host 头校验 ```nginx # 定义允许的域名 server { listen 80 default_server; server_name _; return 444; # 关闭连接 } server { listen 443 ssl default_server; server_name _; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; return 444; } ``` ## 9. 完整安全配置示例 ```nginx server { listen 443 ssl http2; server_name example.com; # TLS ssl_certificate /etc/ssl/certs/server.crt; ssl_certificate_key /etc/ssl/private/server.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; # 安全头 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Content-Security-Policy "default-src 'self'" always; # 隐藏版本 server_tokens off; # 限制 client_max_body_size 10M; limit_req zone=req_limit burst=20 nodelay; # 应用 location / { proxy_pass http://backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # HTTP 重定向到 HTTPS server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; } # 阻止非法 Host server { listen 80 default_server; listen 443 ssl default_server; server_name _; ssl_certificate /etc/ssl/certs/server.crt; ssl_certificate_key /etc/ssl/private/server.key; return 444; } ```