Nginx 安全配置
Nginx Security Configuration
我对将 Nginx 配置为内部 Web 服务的代理有点陌生,需要使用 SSL 连接进行转发。
目前的设置涉及为内部 Web 应用程序提供服务,该应用程序当前 运行 在 public 云基础设施上。
下面是我的nginx
配置:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name www.somedomain.com;
# Refer:
# https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
# Discourage deep links by using a permanent redirect to home page of HTTPS site
return 301 https://$server_name;
}
server {
# User Defined
listen 443 ssl http2;
# SSL Certificate Paths
ssl_certificate /home/secured/ssl/certs/mycustomapp.cert;
ssl_certificate_key /home/secured/ssl/private/mycustomapp.key;
# Nginx Access and Error Logs
access_log /var/log/nginx/mycustomapp.access.log;
error_log /var/log/nginx/mycustomapp.error.log;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
# User Defined
server_name www.somedomain.com;
# HSTS header for always https option
add_header Strict-Transport-Security "max-age=36000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
location / {
# User Defined
include /etc/nginx/proxy_params;
proxy_pass http://localhost:9090;
proxy_read_timeout 90s;
proxy_redirect http://localhost:9090 https://$server_name;
}
}
我为服务器生成了一个自签名证书:mycustomapp.cert
和相应的密钥:mycustomapp.key
,本地service/application是运行在http://localhost:9090
并且在全局访问端口 0.0.0.0:9090
上 不是 运行。
这里是 access.log
的片段,可以在这个位置 /var/log/nginx/
。
106.51.17.223 - - [23/Dec/2018:17:51:22 +0000] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "PROPFIND / HTTP/1.1" 301 194 "-" "-"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "GET /webdav/ HTTP/1.1" 301 194 "-" "Mozilla/5.0"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "GET /help.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
47.75.165.214 - - [23/Dec/2018:18:16:48 +0000] "GET /java.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
47.75.165.214 - - [23/Dec/2018:18:16:58 +0000] "POST /wuwu11.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:58 +0000] "POST /xw.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:59 +0000] "POST /xw1.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:59 +0000] "POST /9678.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
我还在 access.log
和 mycustomapp.access.log
中观察到一些格式错误的请求(此处未复制)。
配置是否足以delaying/thwarting这些渗透攻击尝试,或者是否存在冗余配置暴露了我目前无法理解的通道?
目前,当有人需要访问权限时,我会启用该服务,但随着越来越多的人开始使用该应用程序,这将不是一个合适的场景。
这个配置照样够用了。如需更多安全性,请观看此列表:
- https://github.com/nbs-system/naxsi
- 使用 this 优化 SSL 性能。
- 了解 server_tokens 并禁用它。
- 了解 error_page 并使用您自己的页面。
我对将 Nginx 配置为内部 Web 服务的代理有点陌生,需要使用 SSL 连接进行转发。
目前的设置涉及为内部 Web 应用程序提供服务,该应用程序当前 运行 在 public 云基础设施上。
下面是我的nginx
配置:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name www.somedomain.com;
# Refer:
# https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
# Discourage deep links by using a permanent redirect to home page of HTTPS site
return 301 https://$server_name;
}
server {
# User Defined
listen 443 ssl http2;
# SSL Certificate Paths
ssl_certificate /home/secured/ssl/certs/mycustomapp.cert;
ssl_certificate_key /home/secured/ssl/private/mycustomapp.key;
# Nginx Access and Error Logs
access_log /var/log/nginx/mycustomapp.access.log;
error_log /var/log/nginx/mycustomapp.error.log;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
# User Defined
server_name www.somedomain.com;
# HSTS header for always https option
add_header Strict-Transport-Security "max-age=36000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
location / {
# User Defined
include /etc/nginx/proxy_params;
proxy_pass http://localhost:9090;
proxy_read_timeout 90s;
proxy_redirect http://localhost:9090 https://$server_name;
}
}
我为服务器生成了一个自签名证书:mycustomapp.cert
和相应的密钥:mycustomapp.key
,本地service/application是运行在http://localhost:9090
并且在全局访问端口 0.0.0.0:9090
上 不是 运行。
这里是 access.log
的片段,可以在这个位置 /var/log/nginx/
。
106.51.17.223 - - [23/Dec/2018:17:51:22 +0000] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "PROPFIND / HTTP/1.1" 301 194 "-" "-"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "GET /webdav/ HTTP/1.1" 301 194 "-" "Mozilla/5.0"
47.75.165.214 - - [23/Dec/2018:18:16:47 +0000] "GET /help.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
47.75.165.214 - - [23/Dec/2018:18:16:48 +0000] "GET /java.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
47.75.165.214 - - [23/Dec/2018:18:16:58 +0000] "POST /wuwu11.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:58 +0000] "POST /xw.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:59 +0000] "POST /xw1.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
47.75.165.214 - - [23/Dec/2018:18:16:59 +0000] "POST /9678.php HTTP/1.1" 301 194 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
我还在 access.log
和 mycustomapp.access.log
中观察到一些格式错误的请求(此处未复制)。
配置是否足以delaying/thwarting这些渗透攻击尝试,或者是否存在冗余配置暴露了我目前无法理解的通道?
目前,当有人需要访问权限时,我会启用该服务,但随着越来越多的人开始使用该应用程序,这将不是一个合适的场景。
这个配置照样够用了。如需更多安全性,请观看此列表:
- https://github.com/nbs-system/naxsi
- 使用 this 优化 SSL 性能。
- 了解 server_tokens 并禁用它。
- 了解 error_page 并使用您自己的页面。