ÔõÑùʹÓÃNginx¾ÙÐÐHTTPÇëÇóµÄÇå¾²ÐÔ¼Ó¹Ì
ÎÊÌ⣺ÔõÑùʹÓÃnginx¾ÙÐÐhttpÇëÇóµÄÇå¾²ÐÔ¼Ó¹Ì
СÐò£º
Ëæ×Å»¥ÁªÍøµÄ¿ìËÙÉú³¤£¬WebÓ¦ÓóÌÐò³ÉΪÍøÂç¹¥»÷µÄÖ÷ҪĿµÄÖ®Ò»¡£ÎªÁË°ü¹ÜÓû§Êý¾ÝµÄÇå¾²£¬ÎÒÃÇÐèÒª½ÓÄÉһϵÁеIJ½·¥À´¼Ó¹Ì×ðÁú¿Ê±WebЧÀÍÆ÷¡£±¾ÎĽ«ÖصãÏÈÈÝÔõÑùʹÓÃNginxÀ´¼Ó¹ÌHTTPÇëÇóµÄÇå¾²ÐÔ£¬²¢Ìṩ´úÂëʾÀý¹©¶ÁÕ߲ο¼¡£
Ò»¡¢×°ÖÃNginx:
Ê×ÏÈ£¬ÎÒÃÇÐèҪװÖÃNginx¡£ÔÚLinuxÇéÐÎÏ£¬¿ÉÒÔʹÓÃÈçÏÂÏÂÁî¾ÙÐÐ×°Öãº
sudo apt-get update sudo apt-get install nginx
µÇ¼ºó¸´ÖÆ
×°ÖÃÍê³Éºó£¬Æô¶¯NginxЧÀÍ£º
sudo service nginx start
µÇ¼ºó¸´ÖÆ
¶þ¡¢ÉèÖÃHTTPSÐÒ飺
ΪÁËÈ·±£Êý¾Ý´«ÊäµÄÇå¾²ÐÔ£¬ÔÚ¾ÙÐÐHTTPÇëÇó¼Ó¹Ì֮ǰ£¬ÎÒÃÇÐèÒªÉèÖÃHTTPSÐÒé¡£ÎÒÃÇ¿ÉÒÔͨ¹ýÉêÇëÃâ·ÑµÄSSLÖ¤ÊéÀ´ÆôÓÃHTTPS¡£ÏÂÃæÊÇÉèÖÃNginxÖ§³ÖHTTPSµÄʾÀý´úÂ룺
server { listen 443 ssl; server_name example.com; ssl_certificate /etc/nginx/cert/server.crt; ssl_certificate_key /etc/nginx/cert/server.key; location / { ... } }
µÇ¼ºó¸´ÖÆ
Çë×¢ÖØ£¬ÉÏÊöʾÀýÖеÄÖ¤Êé·¾¶ÐèҪƾ֤ÏÖÕæÏàÐξÙÐÐÐ޸ġ£
Èý¡¢Ê¹ÓÃHTTPÏÞÖÆÇëÇóÒªÁ죺
ΪÁ˱ÜÃâ¹¥»÷ÕßʹÓÃÌض¨µÄHTTPÒªÁì¶ÔЧÀÍÆ÷¾ÙÐй¥»÷£¬ÎÒÃÇ¿ÉÒÔʹÓÃNginxµÄ”limit_except”Ö¸ÁîÀ´ÏÞÖÆÖ»ÔÊÐíÌض¨µÄHTTPÒªÌå»á¼ûЧÀÍÆ÷¡£ÒÔÏÂÊÇÒ»¸öʾÀý´úÂ룺
location / { limit_except GET POST { deny all; } ... }
µÇ¼ºó¸´ÖÆ
ÉÏÊöʾÀý´úÂ뽫ֻÔÊÐíGETºÍPOSTÒªÁì¶ÔЧÀÍÆ÷¾ÙÐлá¼û£¬ÆäËûËùÓÐÒªÁ콫±»¾Ü¾ø¡£
ËÄ¡¢ÉèÖÃÇëÇó¾ÞϸÏÞÖÆ£º
ΪÁ˱ÜÃâ¹¥»÷Õß·¢ËÍ´ó×ÚµÄÇëÇóµ¼ÖÂЧÀÍÆ÷¸ºÔعý¸ß»ò¾Ü¾øЧÀÍ£¬ÎÒÃÇ¿ÉÒÔÉèÖÃÇëÇó¾ÞϸµÄÏÞÖÆ¡£ÒÔÏÂÊÇÒ»¸öʾÀý´úÂ룺
client_max_body_size 10m; client_body_buffer_size 128k;
µÇ¼ºó¸´ÖÆ
ÉÏÊöʾÀý´úÂ뽫ÉèÖÃÇëÇóÌåµÄ×î´ó¾ÞϸΪ10MB£¬²¢ÉèÖûº³åÇø¾ÞϸΪ128KB¡£
Îå¡¢ÆôÓÃSSL¼ÓÃÜÐÒ飺
ÆôÓÃSSL¼ÓÃÜÐÒé¿ÉÒÔ±£»¤HTTPÇëÇóµÄÇå¾²ÐÔ¡£ÒÔÏÂÊÇÒ»¸öʾÀý´úÂ룺
ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5;
µÇ¼ºó¸´ÖÆ
ÉÏÊöʾÀý´úÂ뽫ÆôÓÃTLSv1.2ºÍTLSv1.3ÐÒ飬²¢½ûÓò»Çå¾²µÄËã·¨¡£
Áù¡¢ÆôÓÃHTTPÇ徲ͷ²¿£º
ʹÓúÏÊʵÄHTTPÇ徲ͷ²¿¿ÉÒÔ±ÜÃâÐí¶à³£¼ûµÄ¹¥»÷¡£ÒÔÏÂÊÇÒ»¸öʾÀý´úÂ룺
add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options "nosniff";
µÇ¼ºó¸´ÖÆ
ÉÏÊöʾÀý´úÂ뽫ÆôÓÃX-Frame-Options¡¢X-XSS-ProtectionºÍX-Content-Type-OptionsÍ·²¿£¬ÒÔÌá¸ßWebÓ¦ÓóÌÐòµÄÇå¾²ÐÔ¡£
½áÂÛ£º
ͨ¹ýʹÓÃÉÏÊöÒªÁ죬ÎÒÃÇ¿ÉÒÔͨ¹ýNginxÀ´¼Ó¹ÌHTTPÇëÇóµÄÇå¾²ÐÔ¡£ÉèÖÃHTTPSÐÒé¡¢ÏÞÖÆHTTPÒªÁì¡¢ÉèÖÃÇëÇó¾ÞϸÏÞÖÆ¡¢ÆôÓÃSSL¼ÓÃÜÐæźÍHTTPÇ徲ͷ²¿£¬¿ÉÒÔÓÐÓõرÜÃâWeb¹¥»÷²¢°ü¹ÜÓû§Êý¾ÝµÄÇå¾²¡£¶ÁÕß¿ÉÒÔƾ֤×Ô¼ºµÄÐèÇó¾ÙÐÐÏìÓ¦µÄÉèÖ㬲¢ÍŽáÏÖÕæÏàÐξÙÐÐÓÅ»¯¡£
²Î¿¼ÎÄÏ×£º
Nginx Documentation: https://nginx.org/en/docs/
Nginx Security Best Practices: https://www.nginx.com/blog/preventing-a-nginx-hack/
ÒÔÉϾÍÊÇÔõÑùʹÓÃNginx¾ÙÐÐHTTPÇëÇóµÄÇå¾²ÐԼӹ̵ÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡