以下是 nginx 最小安全配置模板,涵盖基础加固、访问控制、传输加密、安全响应头等常见安全项,可直接作为生产环境的起点。
1.完整配置模板
# ================= 全局配置 =================
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /usr/local/nginx/logs/nginx.pid;
events {
worker_connections 65535;
use epoll;
multi_accept on;
}
http {
# ============ 基础安全 ============
# 隐藏版本号(防止泄露版本信息被针对性攻击)
server_tokens off;
# 禁用目录列表(防止目录遍历泄露文件结构)
autoindex off;
# 禁用 ssi(防止服务端包含执行)
ssi off;
# 重定向时不暴露端口号
port_in_redirect off;
# 隐藏后端技术标识(反向代理场景)
proxy_hide_header x-powered-by;
proxy_hide_header server;
# ============ 日志格式 ============
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# ============ 请求限制 ============
# 单ip请求频率限制:10r/s,突发20,不延迟
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
# 单ip并发连接数限制:最多20个
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
# ============ 文件上传限制 ============
# 最大请求体大小(防止大文件上传耗尽资源)
client_max_body_size 10m;
# 请求体缓冲区大小
client_body_buffer_size 128k;
# ============ 缓冲区溢出防护 ============
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
# ============ 超时设置(防慢速攻击) ============
client_header_timeout 10s;
client_body_timeout 10s;
send_timeout 10s;
keepalive_timeout 65s;
# ============ mime类型安全 ============
include mime.types;
default_type application/octet-stream;
# ============ 默认server(拦截非法host头) ============
server {
listen 80 default_server;
server_name _;
return 403;
}
# ============ 业务server ============
server {
listen 80;
server_name example.com www.example.com;
# 强制跳转https
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
# ============ ssl/tls安全配置 ============
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# 仅启用tls 1.2和1.3
ssl_protocols tlsv1.2 tlsv1.3;
# 安全加密套件(前向保密)
ssl_ciphers 'ecdhe-ecdsa-aes128-gcm-sha256:ecdhe-rsa-aes128-gcm-sha256:ecdhe-ecdsa-aes256-gcm-sha384:ecdhe-rsa-aes256-gcm-sha384:ecdhe-ecdsa-chacha20-poly1305:ecdhe-rsa-chacha20-poly1305';
ssl_prefer_server_ciphers on;
# 会话复用
ssl_session_timeout 1d;
ssl_session_cache shared:mozssl:10m;
# ocsp装订(提升ssl握手效率)
ssl_stapling on;
ssl_stapling_verify on;
# hsts(强制浏览器使用https,一年)
add_header strict-transport-security "max-age=31536000; includesubdomains" always;
# ============ 安全响应头 ============
# 防点击劫持
add_header x-frame-options "sameorigin" always;
# 防mime类型嗅探
add_header x-content-type-options "nosniff" always;
# 启用xss过滤
add_header x-xss-protection "1; mode=block" always;
# 控制referer信息传递
add_header referrer-policy "strict-origin-when-cross-origin" always;
# 内容安全策略(根据实际业务调整)
add_header content-security-policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'self';" always;
# ============ 限制http方法 ============
if ($request_method !~ ^(get|head|post|put|delete|options)$) {
return 405;
}
# ============ 应用请求限制 ============
limit_req zone=req_limit burst=20 nodelay;
limit_conn conn_limit 20;
# ============ 站点根目录 ============
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
# ============ 敏感路径保护 ============
# 管理后台:ip白名单 + 基础认证
location /admin {
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
auth_basic "admin area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
# 禁止访问敏感文件
location ~* \.(conf|log|bak|sql|git|htaccess|htpasswd)$ {
deny all;
}
# 禁止在上传目录执行脚本
location ~* /uploads/.*\.(php|php5|pl|py|jsp|asp)$ {
deny all;
}
# ============ 自定义错误页面 ============
error_page 403 /403.html;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /403.html {
root /var/www/html;
internal;
}
location = /404.html {
root /var/www/html;
internal;
}
location = /50x.html {
root /var/www/html;
internal;
}
}
}2.各模块作用速查
| 模块 | 关键配置 | 防护目标 |
|---|---|---|
| 基础安全 | server_tokens off、autoindex off | 隐藏版本信息、防止目录遍历 |
| 请求限制 | limit_req_zone、limit_conn_zone | 防cc攻击、防暴力破解 |
| 文件上传 | client_max_body_size 10m | 防止大文件耗尽磁盘/内存 |
| 超时设置 | client_body_timeout 10s 等 | 防御慢速http攻击(slowloris) |
| ssl/tls | ssl_protocols tlsv1.2 tlsv1.3 | 禁用弱协议,启用前向保密 |
| 安全响应头 | x-frame-options、csp 等 | 防点击劫持、xss、mime嗅探 |
| http方法限制 | if ($request_method !~ ...) | 禁用危险方法(trace、connect等) |
| 敏感路径保护 | location /admin + allow/deny | ip白名单 + 基础认证双重防护 |
| 敏感文件拦截 | `location ~* .(conf | log |
3.部署后验证清单
# 1. 测试配置语法 /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf # 2. 重载生效 systemctl reload nginx # 3. 检查响应头是否包含安全头 curl -i https://example.com | grep -e "x-frame|x-content|x-xss|strict-transport" # 4. 验证版本号已隐藏 curl -i https://example.com | grep server # 5. ssl评级检测(浏览器访问 https://www.ssllabs.com/ssltest/)
到此这篇关于nginx 最小安全配置模板的文章就介绍到这了,更多相关nginx配置模板内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论