Hardening Nginx on Debian involves several steps. The important configuration measures are listed below; the directives go in /etc/nginx/nginx.conf or the site file under /etc/nginx/sites-available/, and every change should be checked with nginx -t before systemctl reload nginx.

Hide the version string. In the http block:
server_tokens off;
This removes the version from the Server response header and from the built-in error pages (the header itself still reads "nginx").

Security response headers:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'";
Two caveats. X-XSS-Protection controlled a browser-side XSS filter that current browsers have removed (the filter itself introduced information-leak bugs); in them the header does nothing, so set it to "0" or drop it and rely on the CSP. The CSP shown is only a permissive starting point: 'unsafe-inline' together with http: and https: allows inline scripts and scripts from any origin, so it blocks almost no XSS. Once you know which origins the site actually loads from, drop http: and 'unsafe-inline' and use nonces or hashes for any inline scripts.
Connection and request rate limits. The two zone directives must be in the http block; the directives that apply them go in the server or location block. burst is a parameter of limit_req, not of limit_req_zone (nginx -t rejects it on the zone):
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=10r/s;
limit_conn addr 100;
limit_req zone=req_zone burst=20;
$binary_remote_addr is the client address as Nginx sees it. Behind a load balancer or CDN every request arrives from the same few addresses and these limits throttle all users together unless the real client IP is restored first (ngx_http_realip_module).
Restrict administrative paths to trusted networks and require a password. With the default satisfy all, a client must pass both the allow/deny check and basic authentication:
location /admin/ {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
Create the password file with htpasswd -B -c /etc/nginx/.htpasswd admin (from the apache2-utils package; -B selects bcrypt), keep it outside the document root and readable only by root and the www-data user, and remember that basic auth sends the password with every request, so it is only acceptable over HTTPS.
TLS. Handle the HTTP-to-HTTPS redirect in a separate port-80 server block rather than with if ($scheme != "https") inside the HTTPS block: a server that only listens on 443 ssl never sees $scheme set to http, so the condition is never true and plain-HTTP requests on port 80 are not answered at all. $server_name is the first name from the server_name directive, so set server_name in both blocks ($host would echo the client's Host header into the redirect instead).
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
ssl_ciphers only applies to TLS 1.2; the TLS 1.3 suites are fixed by OpenSSL. The always parameter makes Nginx send the HSTS header on error responses too (without it, add_header only applies to 2xx/3xx). Note also that add_header is not inherited: a location block that sets any add_header of its own drops all headers set at the server level, so repeat them there or include a shared snippet. Add includeSubDomains or preload only once you are sure every subdomain serves HTTPS, because a one-year max-age is hard to undo.
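As an added example (not part of the original article), the following Python script audits an nginx configuration file for the settings discussed above. It flags the mistakes in the fragments as they are often pasted (burst on limit_req_zone, the if-based redirect, 'unsafe-inline' in the CSP, HSTS without always, obsolete TLS versions, add_header inside a location shadowing the server-level headers) and passes a corrected version. Both embedded configs are constructed for this example, example.com is a placeholder, and the checks are regex-based, so this is a pre-flight review of a config file, not a replacement for nginx -t or for probing the live server with curl -I.

```python
"""Static audit of an nginx config for the hardening points in this article (added
example, not from the article; needs no nginx binary; sample configs are constructed)."""
import re
# Constructed sample: the fragments above pasted with their mistakes.
WEAK_CONFIG = """
http {
    limit_req_zone $binary_remote_addr zone=req_zone:10m rate=10r/s burst=20;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self' http: https: 'unsafe-inline'";
        add_header Strict-Transport-Security "max-age=31536000";
        if ($scheme != "https") {
            return 301 https://$server_name$request_uri;
        }
        location /admin/ {
            add_header X-Frame-Options "DENY";
        }
    }
}
"""

# Constructed sample: same intent with each mistake corrected (example.com is a placeholder).
HARDENED_CONFIG = """
http {
    server_tokens off;
    limit_req_zone $binary_remote_addr zone=req_zone:10m rate=10r/s;
    server {
        listen 80;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_protocols TLSv1.2 TLSv1.3;
        limit_req zone=req_zone burst=20;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
"""

REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options",
                    "Content-Security-Policy", "Strict-Transport-Security")

def strip_comments(text: str) -> str:
    # nginx comments run from '#' to end of line ('#' inside quotes is not special-cased)
    return re.sub(r"#.*", "", text)

def location_bodies(cfg: str) -> list[str]:
    """Text inside each location { ... } block, found by tracking brace depth."""
    bodies = []
    for m in re.finditer(r"\blocation\b[^{]*\{", cfg):
        depth, i = 1, m.end()
        while depth and i < len(cfg):
            depth, i = depth + {"{": 1, "}": -1}.get(cfg[i], 0), i + 1
        bodies.append(cfg[m.end():i - 1])
    return bodies

def audit_nginx_config(text: str) -> list[str]:
    """One finding per weak or misplaced directive; an empty list means all checks passed."""
    cfg = strip_comments(text)
    f = []
    if not re.search(r"\bserver_tokens\s+off\s*;", cfg):
        f.append("server_tokens not off: version leaks in Server header and error pages")
    for hdr in REQUIRED_HEADERS:
        if not re.search(r"add_header\s+" + hdr + r"\b", cfg, re.I):
            f.append(f"missing add_header {hdr}")
    m = re.search(r'add_header\s+Strict-Transport-Security\s+("[^"]*"|\S+)([^;]*);', cfg, re.I)
    if m and "always" not in m.group(2):
        f.append("HSTS without 'always': header not sent on 4xx/5xx responses")
    if re.search(r'Content-Security-Policy\s+"[^"]*unsafe-inline', cfg, re.I):
        f.append("CSP allows 'unsafe-inline': injected inline script is not blocked")
    if re.search(r'X-XSS-Protection\s+"?1', cfg, re.I):
        f.append('X-XSS-Protection enabled: deprecated browser filter, set "0" or drop it')
    if re.search(r"limit_req_zone[^;]*\bburst=", cfg):
        f.append("burst= on limit_req_zone is invalid: it belongs on limit_req")
    m = re.search(r"\bssl_protocols([^;]*);", cfg)
    old = [p for p in m.group(1).split() if p in {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}] if m else []
    if old:
        f.append("obsolete TLS versions enabled: " + " ".join(old))
    if re.search(r'if\s*\(\s*\$scheme\s*!=\s*"?https"?\s*\)', cfg):
        f.append("redirect via if ($scheme != https): use a separate listen 80 server with return 301")
    bodies, outside = location_bodies(cfg), cfg
    for body in bodies:  # headers set outside a location are lost inside one that sets its own
        outside = outside.replace(body, "")
    if "add_header" in outside and any("add_header" in b for b in bodies):
        f.append("add_header inside a location: server-level headers (HSTS etc.) are not inherited there")
    return f

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, *audit_nginx_config(cfg), sep="\n  ")
```

Run it against a real file with audit_nginx_config(open("/etc/nginx/nginx.conf").read()) after resolving include files yourself; the weak sample produces nine findings and the hardened one none.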
Firewall and updates. Open only HTTP/HTTPS and SSH (allow SSH before enabling ufw, otherwise a remote session is cut off), then keep Nginx current from Debian's security updates:
sudo ufw allow 'Nginx Full'
sudo ufw allow 22/tcp
sudo ufw enable
sudo apt update && sudo apt install --only-upgrade nginx
'Nginx Full' is the ufw application profile (ports 80 and 443) shipped with Debian's nginx package.
All of these commands change system configuration and therefore need root privileges; run them with sudo (or as root).