Tuning connection parameters

Before optimization         After optimization            Parameter
worker_processes 1;         worker_processes auto;        number of worker processes (auto = one per CPU core)
worker_connections 1024;    worker_connections 65535;     maximum connections allowed per worker process

Security policy optimizations

Deny requests with an empty Host header

Deny direct access by IP address, so that an unauthorized domain pointed at the server's IP cannot be served by it.

# Catch-all server: requests that arrive by bare IP, with an empty Host header,
# or with a Host that matches no other server_name land here and get a 403
server {
    listen       80 default;
    server_name  _;
    return 403;
}
# server_name lists the domains that may be served; their port-80 HTTP requests
# are redirected permanently (301) to HTTPS
server {
    listen       80;
    server_name  www.itgod.org itgod.org;
    rewrite ^(.*)$ https://$host$1 permanent;
}

Disable directory listing

  • Set autoindex off; in the http context to turn off directory listing
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    include vhost/*.conf;
    # add this line
    autoindex off;
}

Anti-hotlinking configuration

  • Images may only be fetched when the Referer is empty or points to a trusted site
  • An empty Referer is allowed so that a browser can still open an image URL directly
  • A Referer is easy to forge, so this only stops casual hotlinking
        # none = no Referer header; blocked = Referer present but without http:// or https://
        location ~*\.(gif|jpg|png|swf|flv|bmp)$ {
            valid_referers none blocked *.itgod.org itgod.org;
            if ($invalid_referer) {
                return 403;
            }
        }
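To see exactly which requests the block above lets through, here is an added example (not code from the page or from nginx) that re-implements the documented valid_referers matching rules in Python: none, blocked, exact names and a leading or trailing * wildcard. It assumes the simplified cases only (the server_names keyword and URI prefixes in patterns are not handled), and the sample requests are constructed.

```python
"""Emulate nginx's valid_referers / $invalid_referer decision for the page's directive.

Added example, not nginx code: it re-implements the documented matching rules
(none, blocked, exact names, leading/trailing '*' wildcards) so the behaviour
can be checked without a running server. Assumed simplifications: the
server_names keyword and URI prefixes inside patterns are not supported.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Directive from the page: valid_referers none blocked *.itgod.org itgod.org;
VALID_REFERERS = ["none", "blocked", "*.itgod.org", "itgod.org"]


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased host of an http(s) Referer value, port dropped (nginx stops at ':' too).

    Returns None when the value has no http/https scheme: nginx then treats the
    header as 'blocked', the usual sign of a proxy or firewall mangling it.
    """
    if not referer.lower().startswith(("http://", "https://")):
        return None
    return urlsplit(referer).hostname or ""


def host_matches(host: str, pattern: str) -> bool:
    """nginx name matching: '*' at the start or end of a pattern is a wildcard,
    anything else must match exactly ('*.itgod.org' does NOT cover bare 'itgod.org',
    which is why the page lists both forms)."""
    pattern = pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(headers: Dict[str, str], valid: List[str] = VALID_REFERERS) -> bool:
    """True when nginx would set $invalid_referer to '1' for these request headers."""
    referer = headers.get("Referer")
    if referer is None:                      # header absent -> 'none'
        return "none" not in valid
    host = referer_host(referer)
    if host is None:                         # present but schemeless -> 'blocked'
        return "blocked" not in valid
    names = [p for p in valid if p not in ("none", "blocked", "server_names")]
    return not any(host_matches(host, p) for p in names)


def status_for(headers: Dict[str, str]) -> int:
    """Status the page's location block answers with: 403 on an invalid referer, else 200."""
    return 403 if invalid_referer(headers) else 200


# Constructed requests, one per case the bullets above describe.
SAMPLE_REQUESTS = {
    "browser opened the image URL directly (no Referer)": {},
    "Referer reduced to a bare host by a proxy":         {"Referer": "www.itgod.org"},
    "linked from the site itself":                       {"Referer": "https://www.itgod.org/gallery"},
    "linked from the apex domain":                       {"Referer": "https://itgod.org/"},
    "look-alike domain":                                 {"Referer": "https://itgod.org.example.net/"},
    "hot-linked from another site":                      {"Referer": "http://other.example/page.html"},
    "client sets its own Referer (the page's caveat)":   {"Referer": "https://www.itgod.org/"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        print(f"{status_for(headers)}  {label}")
```

The last sample is the weakness the third bullet describes: nothing in the check ties the Referer to the client, so the directive is a deterrent against careless hotlinking, not an access control. Note also that a look-alike domain ending in the trusted name is rejected, because the wildcard anchors on a leading ".".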

Hide the Nginx version number

Hiding the Nginx version number reduces the risk of attacks that target known version-specific vulnerabilities. Add the line server_tokens off; in the http context; the version then disappears from the Server response header and from the built-in error pages.

Example:

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
}

Block specified URLs

  • Malicious requests often try to run commands or fetch leftovers through the URL, so it is worth denying requests whose path contains certain strings, for example .sh, old, bak or sql; the block below restricts access by URL suffix
        # ~* makes the match case-insensitive; the regex runs against the URI without the query string
        location ~*\.(sh|git|bak|sql|old)$ {
                return 403;
        }

Kernel parameter tuning

vim /etc/sysctl.conf

# Upper bound on sockets held in TIME_WAIT; beyond it they are destroyed and a warning is logged
net.ipv4.tcp_max_tw_buckets = 6000
# Fast reuse of TIME_WAIT sockets; note it breaks clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
# SYN cookies: keep accepting connections when the SYN backlog overflows (SYN-flood mitigation)
net.ipv4.tcp_syncookies = 1

A sample configuration file

  • The example below omits image caching and similar settings; add caching, log formats and so on as your own service requires
worker_processes  auto;
events {
    worker_connections  65535;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;              # hide the version in the Server header and error pages
    sendfile        on;
    keepalive_timeout  65;

    # Catch-all for requests by IP or with an unknown or empty Host header
    server {
        listen       80 default;
        server_name  _;
        return 403;
    }

    # Named hosts on port 80: redirect permanently to HTTPS
    server {
        listen       80;
        server_name  www.itgod.org itgod.org;
        rewrite ^(.*)$ https://$host$1 permanent;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    server {
        listen       443 ssl default;
        server_name  _;
        server_name  www.itgod.org itgod.org;
        error_page  404              /404.html;
        ssl_certificate      /etc/ssl/1_www.itgod.org_bundle.crt;
        ssl_certificate_key  /etc/ssl/2_www.itgod.org.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        # Anti-hotlinking: only empty/blocked referers and the trusted domains may fetch images
        location ~*\.(gif|jpg|png|swf|flv|bmp)$ {
            valid_referers none blocked *.itgod.org itgod.org;
            if ($invalid_referer) {
                return 403;
            }
        }
        # Deny scripts, backups and dumps by file extension
        location ~*\.(sh|git|bak|sql|old)$ {
            return 403;
        }
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /first {
            alias   /home/gitbook/_book/;
            index  index.html index.htm;
        }
        location /two {
            alias   /home/gitbook2/_book/;
            index  index.html index.htm;
        }
    }
}
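The sections above on the deny-by-IP default server, hiding the version, disabling directory listing and blocking URLs by extension all boil down to a handful of directives that are easy to lose in a large config. The following is an added example, not code from the page or from nginx: a small Python audit that parses a constructed config in the page's style, reports pass/fail for those directives, and evaluates the page's own blocked-extension location regex against sample request paths. It assumes a simplified parser (no include, no variables) and treats default on listen as equivalent to default_server.

```python
"""Static audit of an nginx config for the hardening points on this page.

Added example, not code from the page or from nginx. It checks that
server_tokens is off, that autoindex is explicitly off, that a default
server on port 80 answers IP / unknown-Host requests with 403 (or 444),
and evaluates the page's blocked-extension location regex against
constructed request paths. Assumptions: a simplified parser (no include,
no variables) and that 'default' on listen means the same as 'default_server'.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the page's example config reduced to what the audit inspects.
SAMPLE_CONFIG = r"""
http {
    server_tokens off;
    autoindex off;
    server {
        listen       80 default;
        server_name  _;
        return 403;
    }
    server {
        listen       443 ssl;
        server_name  www.itgod.org itgod.org;
        location ~*\.(sh|git|bak|sql|old)$ {
            return 403;
        }
        location / {
            root   html;
        }
    }
}
"""


def strip_comments(config: str) -> str:
    """Remove '#' comments so a commented-out directive does not count as present."""
    return re.sub(r"#[^\n]*", "", config)


def directive_args(config: str, name: str) -> List[str]:
    """Argument string of every `name ...;` directive, e.g. ['off'] for server_tokens."""
    return [m.group(1).strip()
            for m in re.finditer(rf"(?<!\w){name}\s+([^;{{}}]*);", config)]


def blocks(config: str, keyword: str) -> List[Tuple[str, str]]:
    """(header, body) of every `keyword ... { ... }` block; nesting handled by brace counting."""
    found = []
    for m in re.finditer(rf"(?<!\w){keyword}\b[^{{;]*\{{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        found.append((config[m.start():m.end() - 1].strip(), config[m.end():i - 1]))
    return found


def top_level(body: str) -> str:
    """Body with nested { ... } blocks removed, leaving only the block's own directives."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def default_server_denies(config: str) -> bool:
    """True if some default server on port 80 returns 403 or 444 at its top level."""
    for _header, body in blocks(config, "server"):
        own = top_level(body)
        listens = [a.split() for a in directive_args(own, "listen")]
        is_default = any({"default", "default_server"} & set(a) for a in listens)
        on_80 = any(re.search(r"(^|:)80$", a[0]) for a in listens if a)
        denies = re.search(r"(?<!\w)return\s+(403|444)(?!\w)", own) is not None
        if is_default and on_80 and denies:
            return True
    return False


def audit(config: str) -> Dict[str, bool]:
    """Pass/fail per hardening point from the page."""
    cfg = strip_comments(config)
    tokens = directive_args(cfg, "server_tokens")
    autoindex = directive_args(cfg, "autoindex")
    return {
        "server_tokens_off": bool(tokens) and all(v == "off" for v in tokens),
        "autoindex_off": bool(autoindex) and all(v == "off" for v in autoindex),
        "default_server_denies": default_server_denies(cfg),
    }


def blocked_paths(config: str, paths: List[str]) -> Dict[str, bool]:
    """Whether each request path hits a `location ~` / `~*` block that returns 403.

    nginx applies the regex to the normalised URI without the query string, so
    the sample paths are given in that form.
    """
    cfg = strip_comments(config)
    deny = []
    for header, body in blocks(cfg, "location"):
        m = re.match(r"location\s+(~\*|~)\s*(\S+)", header)
        if m and re.search(r"(?<!\w)return\s+403(?!\w)", top_level(body)):
            deny.append(re.compile(m.group(2), re.IGNORECASE if m.group(1) == "~*" else 0))
    return {p: any(rx.search(p) for rx in deny) for p in paths}


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    # /.git/config does not end in .git, so the page's suffix-only regex does not cover it
    sample_paths = ["/backup.sql", "/deploy.SH", "/.git/config", "/index.html"]
    for path, hit in blocked_paths(SAMPLE_CONFIG, sample_paths).items():
        print(f"{'403 ' if hit else 'pass'}  {path}")
```

The path check is the part worth keeping an eye on: the page's regex denies files by suffix, so /backup.sql and /deploy.SH are refused, but a request for /.git/config passes because the path does not end in .git. If exposed repository directories are a concern, a separate prefix-style location for /.git (my suggestion, not on the page) closes that gap. The same audit can be pointed at the full example above, which, unlike the "Disable directory listing" section, does not set autoindex off.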
Copyright © 运维知识库, all rights reserved. 蜀ICP备16012425号. Document revised: 2019-10-28 01:26:13
