Nginx在Ubuntu上的安全设置指南
编辑Nginx主配置文件/etc/nginx/nginx.conf,在http块中添加server_tokens off;,重启Nginx后,响应头中将不再显示Nginx版本号,减少攻击者利用已知版本漏洞的风险。
在server或location块中添加规则,仅允许必要的HTTP方法(如GET、HEAD、POST),拒绝PUT、DELETE等不安全方法:
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444; # 直接关闭连接
}
通过add_header指令添加以下安全头,防范XSS、点击劫持、内容嗅探等攻击:
add_header X-XSS-Protection "1; mode=block"; # 启用XSS防护
add_header X-Frame-Options "SAMEORIGIN"; # 防止点击劫持
add_header X-Content-Type-Options "nosniff"; # 禁止内容类型嗅探
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # 强制HTTPS
http或server块中设置client_max_body_size 10M;,防止大文件上传耗尽服务器资源。limit_conn_zone和limit_conn指令限制每个IP的并发连接数(如每个IP最多1个连接):http {
limit_conn_zone $binary_remote_addr zone=ops:10m;
}
server {
location / {
limit_conn ops 1;
limit_rate 300k; # 限制每个连接的速率(300KB/s)
}
}
通过allow/deny指令限制特定IP或网段访问敏感路径(如管理后台/admin/):
location /admin/ {
allow 192.168.1.0/24; # 允许内网IP
allow 10.0.0.0/8;
deny all; # 拒绝其他所有IP
}
在http块中定义共享内存区域,通过limit_req_zone和limit_req指令限制请求频率,防范DDoS和暴力破解:
http {
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s; # 每秒1个请求
}
server {
location /login/ {
limit_req zone=mylimit burst=5 nodelay; # 允许突发5个请求,无延迟
}
}
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
/etc/nginx/sites-available/default):server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri; # 永久跳转
}
在server块中配置安全的SSL协议和加密套件:
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; # 仅使用TLS 1.2及以上版本
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; # 强加密套件
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
}
UFW(Uncomplicated Firewall)是Ubuntu默认的防火墙工具,操作简单:
sudo apt install ufw
sudo ufw enable # 启用防火墙
允许HTTP(80)、HTTPS(443)和SSH(22)流量,拒绝其他不必要的端口:
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 22/tcp # SSH(默认端口)
sudo ufw deny 22/tcp # 先拒绝所有SSH,再通过以下命令限制IP
sudo ufw allow from <your_ip> to any port 22 # 仅允许你的IP访问SSH
sudo ufw status # 查看当前规则(需开启UFW后显示)
ModSecurity是一款开源WAF,可拦截SQL注入、XSS等常见攻击:
sudo apt install libapache2-mod-security2 libmodsecurity3
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf # 启用防护模式
sudo apt install modsecurity-crs
sudo cp /etc/modsecurity/crs-setup.conf.example /etc/modsecurity/crs-setup.conf
/etc/nginx/nginx.conf,在http块中加载模块:load_module modules/ngx_http_modsecurity_module.so;
server块中启用ModSecurity并指定规则文件:server {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
/etc/nginx/modsec/main.conf,包含CRS规则:Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf
保持Nginx、系统及依赖库的最新状态,及时修复安全漏洞:
sudo apt update && sudo apt upgrade -y # 更新系统
sudo apt install --only-upgrade nginx # 仅升级Nginx
配置详细的访问日志和错误日志,定期审查异常行为:
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
}
使用工具(如fail2ban)监控日志,自动封禁恶意IP:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
备份Nginx配置文件和网站数据,设置定时任务(如每天凌晨2点备份):
sudo tar -czvf nginx-backup-$(date +%F).tar.gz /etc/nginx /var/www/html
echo "0 2 * * * tar -czvf /backup/nginx-$(date +\%F).tar.gz /etc/nginx /var/www/html" | sudo tee -a /etc/crontab
制定应急响应手册,包含以下步骤:
/var/log/modsec_audit.log);