[infobox title="前言"]
本站点配置文件教程,参考梦の彼方网站部分配置文件编写。如有不足,敬请谅解并留言指出不足,我会及时改正,感谢。
[/infobox]
[successbox title="配置站点SSL"]
SSL证书等配置我写在了全局配置文件当中,具体配置可参考《Nginx全局配置文件安全性能优化日志》
配置HSTS
[block]
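# HSTS: a browser that has seen this header refuses plain-HTTP connections to this host for
# one year. `always` (nginx >= 1.7.5) emits the header on every response; without it nginx
# only adds it to successful/redirect responses (200, 201, 204, 206, 301-304, 307, 308), so
# error pages would be served without HSTS.
# includeSubDomains / preload are deliberately NOT set: includeSubDomains forces every
# subdomain onto HTTPS and preload is effectively irreversible — add them only once all
# subdomains are served over TLS.
# NOTE: add_header is inherited from this level only into location{} blocks that declare NO
# add_header of their own. Any location that sets e.g. "Vary" must repeat this line, or the
# HSTS header silently disappears on those responses.
add_header Strict-Transport-Security "max-age=31536000" always;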
[/block]
[/successbox]
[successbox title="自定义404页面"]
在server{}内添加以下代码,实现自定义404页面。
[block]
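# Custom 404 page. Use a URI, not an absolute URL: the original form
# `error_page 404 http://www.xgxdmx.com/404.php;` makes nginx answer with a 302 redirect and
# the error page is then fetched with status 200, so browsers, crawlers and monitoring never
# see a 404 — and the target was plain http:// on an HSTS-protected site. With a URI nginx
# performs an internal redirect and keeps the 404 status (no `=code` given, so the original
# code is preserved even if the PHP script replies 200).
# /404.php is assumed to be handled by the site's existing PHP location (not shown here);
# mark that page `internal;` in its location if it should not be reachable directly.
error_page 404 /404.php;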
[/block]
[/successbox]
[successbox title="nginx限制请求数量"]
针对客户端IP(由limit_req_zone定义的key决定)限制请求速率。注意:limit_req限制的是请求速率而不是并发连接数,限制并发连接应使用limit_conn;burst=66配合nodelay表示突发的66个请求会立即处理而不是排队,再超出的请求返回503。
[block]
# Request RATE limiting (limit_req), keyed by whatever the zone was defined with — normally the
# client IP. The zone "ConnLimitZone" must be created by a limit_req_zone directive in http{}
# (the global config this page refers to); nginx rejects the configuration if it is missing.
# This is not a concurrency limit: concurrent connections per key are limited by limit_conn.
# burst=66 nodelay: up to 66 requests above the configured rate are served immediately (they
# are not queued/delayed); requests beyond that get 503 unless limit_req_status changes it.
# The zone name suggests limit_conn — consider renaming it to avoid confusion.
limit_req zone=ConnLimitZone burst=66 nodelay;
[/block]
[/successbox]
[successbox title="SQL注入防护"]
"防止SQL注入,返回错误页面"。注意:以下规则只是基于正则的关键字黑名单,误报很多(例如会拦截查询参数中出现 `+and+`、`+or+`、`+from+` 等普通单词、单引号、分号或 `--` 的正常搜索请求),而且很容易通过编码变换绕过;它不能替代应用层的参数化查询,只能作为辅助过滤,不能当作防护边界。
[highlight lanaguage="nginx"]
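<pre># "SQL injection" filter — read the caveats before enabling.
# These are regex keyword blacklists evaluated with `if` (rewrite phase) on every request.
# They do not make a vulnerable application safe: parameterised queries in the application are
# the actual fix, and a blacklist like this is bypassed by trivial encoding changes (a tab or
# /**/ instead of a space, double encoding, …). They also block legitimate traffic: any search
# parameter containing the words and/or/from/where/like/count between spaces, an apostrophe,
# a semicolon or `--`.
# Status codes: 555/509/507/506 are non-standard and merely odd, but 501/504/505 collide with
# real HTTP meanings (Not Implemented / Gateway Timeout / HTTP Version Not Supported) and will
# pollute upstream-health monitoring — 403 or 444 is the conventional choice for a block.
# Fixes relative to the snippet as originally posted:
#   * `[+|(%20)]` was a character CLASS (any single one of + | ( % 2 0 ) ), not "plus or %20";
#     it matched e.g. "2union2" and did not express the intent. Rewritten as `(\+|%20)`.
#   * `b(word)b` had lost its backslashes and matched the literal letter b (e.g. "bviagrab");
#     restored to the word-boundary `\b`.
#   * the `/\.` rule also blocked /.well-known/acme-challenge/, which breaks Let's Encrypt
#     renewals; .well-known/ is now excluded.
#   * `$request_uri ~ " "` was dead: nginx rejects a request line with an unescaped space
#     (400) before any `if` runs, so the rule is dropped.
# SQL keywords / script tags in the raw (still percent-encoded) query string.
if ($query_string ~* "(\$|'|--|(\+|%20)(union|insert|drop|truncate|update|from|grant|exec|where|select|and|or|count|chr|mid|like|iframe)(\+|%20)|(<|%3c)script(>|%3e)|javascript|alert|webscan|dbappsecurity|confirm\(|innerhtml|innertext)") { return 555; }
# Home-directory style paths (/~user).
if ($uri ~* "/~") { return 501; }
# Literal "\x" hex-escape sequences in the decoded URI. NOTE(review): the original pattern
# `(\\x.)` reaches PCRE as `\x.`, i.e. a NUL byte followed by any character — almost certainly
# not what was meant; interpreted here as a literal backslash followed by x. Confirm the intent.
if ($uri ~* "\\\\x.") { return 501; }
# Raw metacharacters in the query string; dot-segments / hidden paths in the request URI.
if ($query_string ~ "[;'<>]") { return 509; }
if ($request_uri ~ "/\.(?!well-known/)") { return 509; }
if ($request_uri ~ "\./") { return 509; }
#if ($uri ~* (insert|select|delete|update|count|master|truncate|declare|exec|\*|\')(.*)$ ) { return 503; }
# Same SQL-keyword idea applied to the whole request URI (path + query).
if ($request_uri ~* "(cost\()|(concat\()") { return 504; }
if ($request_uri ~* "(\+|%20)(union|and|select|or|delete|update|insert)(\+|%20)") { return 504; }
# PHP-specific probes. The script-tag rule is now case-insensitive: with `~` it missed "%3c"
# and "SCRIPT", a one-character bypass.
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") { return 505; }
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 505; }
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 505; }
if ($query_string ~ "proc/self/environ") { return 505; }
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 505; }
if ($query_string ~ "base64_(en|de)code\(.*\)") { return 505; }
# Remote-file-inclusion / traversal shapes in parameter values.
if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 506; }
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 506; }
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 506; }
# Pharma-spam keywords (this list appears to come from the old "5G blacklist" rule set).
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { return 507; }
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { return 507; }
if ($query_string ~ "\b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)\b") { return 507; }
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { return 507; }</pre>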
[/highlight]
"防止一些压力测试工具、程序爬虫等过度消耗服务器资源,返回错误页面"。注意:User-Agent 完全由客户端自行填写,这类规则只能挡住不改 UA 的工具,对有针对性的攻击没有防御价值;同时会误伤使用 curl/wget/python/Java 的合法调用方(监控探测、webhook、API 客户端等),请按自己站点的实际流量删减。
[highlight lanaguage="nginx"]
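<pre># User-Agent blacklist. The User-Agent header is chosen by the client, so this only stops
# tools that do not bother to change it; anyone targeting the site sets a browser UA and walks
# straight through. Treat it as noise reduction, not access control.
# Collateral damage to weigh before copying: "curl", "wget", "python", "Java" and "github"
# cover a lot of legitimate automation (uptime monitors, webhooks, API clients, your own
# scripts). The original author's stance was "better to block a thousand by mistake than to
# let one through" — trim the list to what your site can afford.
# 508 is an odd choice for a block (it is WebDAV "Loop Detected"); 403 or 444 are the usual.
if ($http_user_agent ~* "YisouSpider|ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl|Java|python") { return 508; }
# Individual tools; adjust to your own traffic. `~*` already makes the match case-insensitive.
if ($http_user_agent ~* "Go-Ahead-Got-It") { return 508; }
if ($http_user_agent ~* "GetWeb!") { return 508; }
if ($http_user_agent ~* "Go!Zilla") { return 508; }
if ($http_user_agent ~* "Download Demon") { return 508; }
if ($http_user_agent ~* "Indy Library") { return 508; }
if ($http_user_agent ~* "libwww-perl") { return 508; }
if ($http_user_agent ~* "Nmap Scripting Engine") { return 508; }
if ($http_user_agent ~* "~17ce.com") { return 508; }
# Dropped: `if ($http_user_agent ~* "WebBench*")` — in a regex `h*` means "zero or more h", so
# the rule matched "WebBenc" followed by any number of h; nothing a real tool sends that the
# WebBench entry in the first rule does not already catch.</pre>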
[/highlight]
[/successbox]
[successbox title="只允许Nginx接受GET、POST请求,屏蔽其他方法(包括HEAD、OPTIONS),并直接关闭连接(444不返回任何内容)"]
[block]
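# Method whitelist. The original pattern `GET|POST` was unanchored and case-insensitive, so any
# method merely CONTAINING "get"/"post" (e.g. a made-up "XGET") was accepted; anchor it. HTTP
# method names are case-sensitive and nginx sees them uppercase, so a plain `!~` is enough.
# Note what this also rejects: HEAD (uptime checkers, link validators) and OPTIONS (CORS
# preflight) — add them to the group if the site needs them. 444 closes the connection without
# sending anything, so no "error page" is ever delivered for a rejected method.
if ($request_method !~ "^(GET|POST)$") { return 444; }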
[/block]
[/successbox]
[successbox title="支持WEBP格式图片以及设置图片防盗链"]
[highlight lanaguage="nginx"]
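# Static assets (scripts, styles, favicon): long cache lifetime, no 404 log noise.
# Images were REMOVED from this pattern: nginx uses the first regex location that matches, in
# file order, so with png/jpg/jpeg/gif listed here the WebP and hotlink rules in the next
# location were unreachable for every format except .jpe. The "." is now escaped as well —
# unescaped, `.(js|css…)$` matched any character before the extension.
location ~* \.(js|css|ico)$ {
    expires max;
    log_not_found off;
}
# Images: serve a sibling .webp when the client accepts it, and reject hotlinking.
# WARNING: add_header in a location REPLACES every add_header inherited from server{}/http{}
# (inheritance is all-or-nothing per level). Anything set globally — e.g. the HSTS header —
# must be repeated in this block or it will be missing on image responses.
location ~* ^(/.+)\.(jpg|jpeg|jpe|png|gif)$ {
    expires max;
    log_not_found off;
    add_header Vary Accept;
    # Two-flag check: "A" = browser advertises WebP in Accept, "B" = <file>.webp exists on disk.
    # `if` is safe here because the blocks only contain set/rewrite.
    if ($http_accept ~* "webp") {
        set $imwebp A;
    }
    if (-f $request_filename.webp) {
        set $imwebp "${imwebp}B";
    }
    # `break` (not `last`) keeps the rewritten request in THIS location, so the Vary header
    # above is actually sent with the .webp body; `last` re-runs location matching and the
    # .webp URI would be served by some other location without it.
    if ($imwebp = AB) {
        rewrite ^(.*) $1.webp break;
    }
    # Hotlink protection. `none` and `blocked` allow requests with no (usable) Referer, so any
    # client that simply omits the header gets through — this deters casual embedding only.
    # Replace the placeholder with the real whitelist (your own domains, e.g. *.example.com).
    valid_referers none blocked 白名单域名;
    if ($invalid_referer) {
        # A rewrite to an absolute URL answers with a 302. The target must NOT be an image
        # under a referer-checked location on this host, or the browser loops on it;
        # `return 403;` is the simpler, loop-free alternative.
        rewrite ^/ 强制跳转域名;
    }
}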
[/highlight]
[/successbox]
[successbox title="隐藏指定文件或目录"]
[highlight lanaguage="nginx"]
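# Deny access to dotfiles and dot-directories (.git, .svn, .env, .htaccess, …).
# /.well-known/ is excluded: blocking it breaks ACME (Let's Encrypt) HTTP-01 challenges and
# other RFC 8615 metadata. Regex locations are matched in file order, so keep this before any
# broader regex location that could swallow these paths.
# `deny all` answers 403, which still confirms that the path exists; `return 404;` hides that too.
location ~ /\.(?!well-known/) {
    deny all;
}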
[/highlight]
[/successbox]
[successbox title="Gzip压缩"]
[highlight lanaguage="nginx"]
# Response compression.
# Security note (BREACH): compressing dynamic responses that echo attacker-influenced input
# next to a secret (CSRF tokens, session ids) lets an attacker recover the secret by observing
# response sizes. The type list below includes dynamic types (text/plain, application/json,
# application/xhtml+xml, …), and text/html is always compressed. Keep secrets off such pages,
# or randomise/pad them per response, if that threat model applies to you.
gzip              on;
gzip_comp_level   5;        # 1 = fastest … 9 = smallest; 5 is the usual CPU/size balance
gzip_min_length   1k;       # responses smaller than this are sent uncompressed
gzip_buffers      16 8k;    # 16 buffers of 8k for the compressed output
# Only compress for HTTP/1.1 requests (the nginx default, stated explicitly).
gzip_http_version 1.1;
# Compress responses to requests that arrived through a proxy (Via header present) regardless
# of the response's cache headers.
gzip_proxied      any;
# Emit "Vary: Accept-Encoding" so shared caches keep compressed and plain copies apart.
gzip_vary         on;
# Legacy IE 1-6 without the SV1 fix mishandles gzip; skip compression for them.
gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
# MIME types to compress in addition to text/html.
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
[/highlight]
[/successbox]