nginx安全设置
- 添加认证
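# htpasswd ships in httpd-tools; it creates the credentials file nginx reads
# through auth_basic_user_file.
yum install httpd-tools
mkdir -p /etc/nginx/passwd
# -c creates (and overwrites!) the file: use it only for the first user, otherwise
# existing entries are lost.  The password is deliberately NOT passed with -b:
# -b puts it on the command line, where it lands in shell history and is visible
# to every local user via `ps`; without -b htpasswd prompts for it on the terminal.
# Keep the file readable only by root and the nginx worker user (e.g. chmod 640).
htpasswd -c /etc/nginx/passwd/kibana.passwd user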
# Require HTTP basic auth for this server/location; the realm string is what the
# browser shows in its login prompt.
auth_basic "Kibana Auth";
# Credentials file produced by htpasswd.  Basic auth transmits the password
# base64-encoded on every request, so this only protects anything on an https
# listener; restrict the file's permissions to root and the nginx worker user.
auth_basic_user_file /etc/nginx/passwd/kibana.passwd;
- 更改默认超时时间
# Shorter timeouts bound how long a slow or idle client can hold a worker
# connection.  They reduce, but do not remove, exposure to slow-HTTP attacks:
# pair them with a per-address connection cap (limit_conn) on exposed listeners.
client_header_timeout 20s; # timeout for reading the client request header, default 60s
client_body_timeout 10s; # timeout for reading the client request body, default 60s
send_timeout 30s; # timeout for transmitting a response to the client, default 60s
增加上面三个参数，可增强抵抗 Slow HTTP Denial of Service Attack（慢速 HTTP 拒绝服务攻击）的能力
- 黑名单功能：在 location 块中增加 IP 黑名单
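# Reject requests whose X-Forwarded-For names one of the listed addresses.
# X-Forwarded-For is supplied by the client and is only trustworthy when the proxy
# in front of nginx overwrites (or reliably appends to) it; when clients reach
# nginx directly, use `deny <ip>;`, which works on $remote_addr and cannot be spoofed.
# Dots are escaped and the match is anchored to one element of the comma-separated
# list, so 192.168.1.5 no longer matches 192.168.1.50 or 192.168.1.55.
if ($http_x_forwarded_for ~ "(^|[, ])(192\.168\.1\.14|192\.168\.1\.5|192\.168\.2\.23)([, ]|$)") {
    return 403;
}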
以下放在 http 块内
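# Flag requests from the listed addresses; the server block checks $ip_allowed.
# Two caveats:
#  * X-Forwarded-For is client-supplied, so this is only meaningful when the proxy
#    in front of nginx sets/overwrites it.  A spoof-resistant alternative is the geo
#    module with a `proxy` directive naming the trusted proxy, or the realip module
#    (set_real_ip_from / real_ip_header) plus `deny` on $remote_addr.
#  * Behind more than one hop the header is a comma-separated list ("client, proxy1"),
#    so a plain string key never matches; the regex keys below match one list element.
map $http_x_forwarded_for $ip_allowed {
    default allow;
    "~(^|[, ])192\.168\.3\.12([, ]|$)" deny;
    "~(^|[, ])192\.168\.21\.3([, ]|$)" deny;
}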
以下放在 server 块内
# Drop requests that the $ip_allowed map (defined in the http block) flagged.
# 444 closes the connection without sending any response, so the client learns
# nothing about why it was rejected.
if ($ip_allowed = "deny") {
return 444;
}
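# /admin/ is reachable only from the whitelisted client addresses, except
# /admin/userfiles/, which stays open to everyone.
# $realip is the first address in X-Forwarded-For.  That value is client-supplied:
# it is only trustworthy if the proxy in front of nginx overwrites the header, and
# with a proxy that appends, the address it added is the LAST one, not the first.
# Where possible prefer the realip module (set_real_ip_from / real_ip_header
# X-Forwarded-For) and allow/deny on $remote_addr instead of parsing the header here.
location ^~ /admin/
{
    set $realip 0;
    set $flag 0;
    if ($http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)") {
        set $realip $1;
    }
    # Anchored and dot-escaped: the previous unanchored pattern also accepted any
    # address that merely contained one of these as a substring.
    if ($realip !~ "^(116\.228\.89\.244|222\.44\.226\.12|222\.44\.226\.13|222\.44\.226\.34)$") {
        set $flag "${flag}1"; # 1 = not a whitelisted address
    }
    # Anchored to the start of the path: previously "/admin/userfiles/" appearing
    # anywhere inside the URI was enough to skip the whitelist check.
    if ($uri !~ "^/admin/userfiles/") {
        set $flag "${flag}1"; # 1 = not the public userfiles area
    }
    # "011" = non-whitelisted address requesting a protected admin path.
    if ($flag = "011") {
        return 444;
    }
    index index.html index.jsp index.php;
    proxy_pass http://10.253.41.74:8082;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Admin responses must never be cached by browsers or intermediaries.
    expires -1;
}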
- 网站图片防盗链
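# Hotlink protection for images: reject requests whose Referer is neither absent
# ("none"), stripped by a proxy/firewall ("blocked"), one of our own domains, nor a
# google/baidu page.  The Referer is sent by the client, so this only deters casual
# hotlinking; it is not an access control.
# The search-engine patterns are anchored to the host part: the old unanchored
# ~\.google\. also matched ".google." anywhere in the path of a foreign referer.
# nginx directives may span lines until the ";", so no backslash continuation is used.
location ~* \.(gif|jpg|png|bmp)$ {
    valid_referers none blocked
        *.weiqijr.com *.qihailicai.com *.qihaijr.com *.weiqijr.cn *.qihaijr.cn *.qihailicai.cn
        server_names
        "~*^([^/]+\.)?google\.[a-z.]{2,6}(/|:|$)"
        "~*^([^/]+\.)?baidu\.[a-z.]{2,6}(/|:|$)";
    if ($invalid_referer) {
        return 403;
    }
}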