ini 安全的nginx配置文件


# Main context. Worker processes drop to the unprivileged www-data account;
# the master pid file lives in /run so init scripts can signal it.
user            www-data;
pid             /run/nginx.pid;
worker_processes 1;

events {
	# Accept every pending connection at once instead of one per wake-up,
	# and cap each worker at 1024 concurrent connections.
	multi_accept       on;
	worker_connections 1024;
}

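http {
	##
	# Information leakage
	##

	# Do not send the nginx version in error pages or the Server header.
	server_tokens off;

	# proxy_hide_header only applies to proxy_pass responses. The PHP location
	# in the site config uses fastcgi_pass, so php-fpm's X-Powered-By header
	# has to be stripped with fastcgi_hide_header as well.
	proxy_hide_header   X-Powered-By;
	fastcgi_hide_header X-Powered-By;

	# Requires the third-party headers-more module (more_set_headers is not a
	# core directive); nginx refuses to start without it. Drop the line if the
	# module is not compiled in. #trololo
	more_set_headers 'Server: Windows 98';

	##
	# Security headers
	##
	# NOTE: add_header is only inherited by server/location blocks that define
	# no add_header of their own. A location that sets e.g. Cache-Control drops
	# every header below and must repeat them.

	# Forbid rendering this site inside a frame or iframe from other origins
	# to avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# SAMEORIGIN still allows the site to frame itself; use DENY if that is not needed.
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# Tell browsers to trust the Content-Type header and not sniff the body,
	# which matters for user-supplied content.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-Content-Type-Options nosniff;

	# Legacy browser XSS filter. Current browsers have removed the filter and
	# present guidance is to rely on Content-Security-Policy instead; the value
	# is kept for old clients, "mode=block" stops the filter from rewriting the page.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	# HSTS (HTTP Strict Transport Security) against SSL stripping
	# https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	# Browsers only honour this header when it arrives over HTTPS; the site
	# blocks in this corpus listen on port 80 only, so it has no effect until a
	# TLS listener is configured.
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	##
	# Per-client connection limit
	##
	# limit_zone was replaced by limit_conn_zone in nginx 1.1.8 and removed in
	# later releases; the old directive makes nginx refuse to start.
	# 1m holds about 32000 states at 32 bytes each, so 5m covers ~160000 addresses.
	limit_conn_zone $binary_remote_addr zone=slimits:5m;

	# At most 5 simultaneous connections from a single client address.
	limit_conn slimits 5;

	##
	# Request size and timeouts (slow-request / oversized-body protection)
	##
	client_max_body_size   20M;   # larger bodies are rejected with 413
	client_body_buffer_size 15K;  # bodies above this are spooled to disk
	client_body_timeout    12;    # seconds between two reads of the body
	client_header_timeout  12;    # seconds to receive the full request header
	keepalive_timeout      15;
	send_timeout           10;    # seconds between two writes to the client

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	types_hash_max_size 2048;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /srv/LOGS/nginx-access.log;	#@CHANGE TO LOG YOUR LOGFILE
	# Was /src/LOGS/..., a typo that does not match the access_log directory.
	error_log  /srv/LOGS/nginx-error.log;	#@CHANGE TO LOG YOUR LOGFILE

	##
	# Gzip Settings
	##
	# Compressing responses that mix attacker-controlled input with secrets
	# (CSRF tokens, session ids) is what BREACH exploits; text/html is always
	# compressed once gzip is on, so keep that in mind for dynamic pages.
	gzip_disable "msie6";

	gzip on;
	gzip_comp_level 2;
	gzip_min_length 1000;
	gzip_buffers  4 32k;
	# application/x-javascript is the legacy type; current mime.types maps .js
	# to application/javascript, so list both or scripts are sent uncompressed.
	gzip_types    text/plain application/x-javascript application/javascript text/xml text/css  application/xml;
	gzip_vary on;

	# end gzip configuration

	##
	# Virtual Host Configs
	##
	# map and server blocks are only valid inside http {}; the site
	# configuration that follows in this corpus belongs in one of these
	# included files, not after the closing brace.

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}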
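# Common bandwidth hoggers and hacking tools, matched case-insensitively
# against the User-Agent. Must live inside http {} (it is referenced by the
# site's `if ($limit_bots = 1)` check).
# Review before enabling: the bare "Bot" fragment also matches Googlebot and
# bingbot, which contradicts the SEO section, and "Python", "perl", "Curl",
# "urllib", "tool", "email" and "scan" block many monitoring and health-check
# clients. A User-Agent is client-chosen, so this is a convenience filter only.
map $http_user_agent $limit_bots {
    default 0;
    ~*(AltaVista|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
    # Duplicate Go!Zilla, Go-Ahead-Got-It, GrabNet and HMView entries removed;
    # the bare "rafula" fragment was already covered by Grafula.
    ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView) 1;
    ~*(HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
    ~*(NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
    ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
    ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}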


# Canonical-host redirect: send www.example.de to the bare domain with a
# permanent redirect, preserving scheme and request path.
server {
    server_name www.example.de;               #@CHANGE TO YOUR DOMAIN
    return      301 $scheme://example.de$request_uri;
}

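server {
    # Plain HTTP only. The HSTS header set in nginx.conf is ignored by browsers
    # on this listener; add a 443 ssl listener to make it effective.
    listen 80;
    server_name example.de;                   #@CHANGE TO YOUR DOMAIN
    root  /var/www/example.de;                #@CHANGE TO YOUR DOMAIN ROOT FOLDER
    index index.html index.php;

    access_log /var/logs/access.log;          #@CHANGE TO LOG YOUR LOGFILE
    # Was /var/logs.error.log (missing slash), which would create the log
    # file directly under /var.
    error_log  /var/logs/error.log info;      #@CHANGE TO LOG YOUR LOGFILE

#####################
##SEO / PERFORMANCE #
#####################

    # Static file requests (images, css, js). (?:...) is a non-capturing group:
    # nothing is stored in $1, which saves a little work per request.
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff|ttf|otf|svg|woff2|eot)$ {
        expires 30d; # or use max
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # add_header is not inherited once a block defines its own, so the
        # http-level security headers must be repeated here; otherwise scripts
        # and stylesheets are served without nosniff etc.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

#####################
##SECURITY          #
#####################

    # Reject user agents flagged by the $limit_bots map (see nginx.conf).
    if ($limit_bots = 1) {
        return 403;
    }

    ## Deny certain Referers ###
    # Note: "organic", "love" and "teen" are ordinary words and will also
    # reject legitimate referring pages that contain them.
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
    {
        return 403;
    }

    # The query-string checks below see the raw, still URL-encoded string and
    # only a handful of fixed patterns; they are a coarse noise filter, not a
    # WAF. Input validation belongs in the application.

    ## Block SQL injections
    # `~` is case-sensitive; `~*` is used so case variants are matched too.
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file injections (remote/local file inclusion style parameters)
    set $block_file_injections 0;
    if ($query_string ~* "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    # Case-insensitive so that %3c/%3C and Script/SCRIPT are treated alike.
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }

    ## Block spam
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }

    # Regex locations are tried in the order written and the first match wins;
    # keep the deny rules above the generic `/` and `\.php$` handlers.

    # Protect dotfiles and specific TXT/config files.
    # `/\.` also covers /.well-known/, so ACME HTTP-01 challenges need an
    # explicit `location ^~ /.well-known/` placed before this rule if used.
    location ~ /(\.|wp-config.php|readme.html|license.txt|schema.txt|password.txt|passwords.txt)
    {
        deny all;
    }

    # Protect editor backup files (name~)
    location ~ ~$
    {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Protect .git files. The `/\.` rule above already matches these first,
    # so this block is reached only if that rule is removed; kept as a
    # belt-and-braces guard.
    location ~ /\.git
    {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Protect Perl/CGI/etc files. The original pattern ended in `\$`, which
    # matches a literal "$" character instead of end-of-string, so these
    # extensions were never actually blocked.
    location ~* \.(pl|cgi|py|sh|lua)$
    {
        return 444;
    }

    # Drop (444 = close without response) probes for services not hosted here
    location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t)
    {
        return 444;
    }

    # Protect other sensitive files (Drupal-style build and template files).
    # The `^(\..*|Entries.*|...)$` alternatives never match because $uri
    # always starts with "/"; they are left as in the source.
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
        return 444;
    }

    # Block execution of PHP files in upload folders. Must stay above the
    # `\.php$` location so it wins the regex ordering.
    location ~* /(?:uploads|files)/.*\.php$
    {
        deny all;
    }

#####################
##LOCATIONS         #
#####################

    ## Location example with auth##
    #location /auth-example {
    #   auth_basic "Administrator Login";
    #    auth_basic_user_file /var/www/.htpasswd-example;
    #}

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    #@IMPORTANT CHECK YOUR PHP VERSION!!!
    ## For php5-fpm
    location ~ \.php$ {
        # try_files =404 ensures only existing .php files reach php-fpm, which
        # defeats the cgi.fix_pathinfo "/image.jpg/x.php" trick.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        # NOTE(review): assumes the distribution's fastcgi_params sets
        # SCRIPT_FILENAME; on systems where it does not, add
        # `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
        include fastcgi_params;
    }

    ## For php7.0-fpm
    #location ~ \.php$ {
    #   include snippets/fastcgi-php.conf;
    #   fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

}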
