20 Steps to Building the Most Secure Nginx Web Server
 
火龙果软件 (Huolongguo Software), published 2014-09-23
 

Nginx is a lightweight, high-performance web server, reverse proxy and mail (IMAP/POP3) proxy server. It runs on UNIX, the various GNU/Linux and BSD variants, Mac OS X, Solaris and Windows. According to surveys, 6% of websites use the Nginx web server. Nginx is one of the few servers that can handle the C10K problem. Unlike traditional servers, Nginx does not rely on threads to handle requests; instead it uses a far more scalable event-driven (asynchronous) architecture. Nginx powers a number of high-traffic sites such as WordPress, Renren, Tencent and NetEase. This article explains how to improve the security of an Nginx web server running on Linux or UNIX.

Default configuration files and Nginx ports

/usr/local/nginx/conf/ - Nginx configuration directory; /usr/local/nginx/conf/nginx.conf is the main configuration file

/usr/local/nginx/html/ - default website file location

/usr/local/nginx/logs/ - default log file location

Nginx HTTP default port: TCP 80

Nginx HTTPS default port: TCP 443

You can test the Nginx configuration file for correctness with:

/usr/local/nginx/sbin/nginx -t

Sample output:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

Run the following command to reload the configuration file:

/usr/local/nginx/sbin/nginx -s reload

Run the following command to stop the server:

/usr/local/nginx/sbin/nginx -s stop

1. Configure SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing access control security policies. It can stop most attacks. Below we look at how to enable SELinux on CentOS/RHEL systems.

Install SELinux

rpm -qa | grep selinux

libselinux-1.23.10-2
selinux-policy-targeted-1.23.16-6

If nothing is returned, SELinux is not installed; output similar to the above means it is installed.

Boolean lockdown

Run getsebool -a to list the SELinux booleans and lock down the system:

getsebool -a | less
getsebool -a | grep off
getsebool -a | grep o

2. Allow minimal privileges via mount options

Keep the server's web/html/php files on a separate partition. For example, create a new partition /dev/sda5 (the first logical partition) and mount it at /nginx. Make sure /nginx is mounted with the noexec, nodev and nosetuid options. This is the line in my /etc/fstab that mounts /nginx:

LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2

Note: you need to create the new partition with the fdisk and mkfs.ext3 commands.

3. Harden Linux by configuring /etc/sysctl.conf

You can control and configure the Linux kernel and network settings by editing /etc/sysctl.conf.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
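The values above only help if they actually reach the running system. The following script is an added example (not from the original article) that parses a sysctl.conf-style file and reports every recommended key that is missing or set differently; the RECOMMENDED table, the default file path and the script name are assumptions made here for the example.

```python
"""Audit a sysctl.conf-style file against the hardening values listed above.

Added example, not part of the original article. It parses the "key = value"
layout of /etc/sysctl.conf (also what `sysctl -a` prints), skips comments and
blank lines, normalises whitespace in multi-token values, and reports keys
that are missing or differ from the recommended value.
"""
import re
import sys

# Subset of the settings this section recommends, with the values it sets.
RECOMMENDED = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "kernel.randomize_va_space": "1",
    "net.ipv4.ip_local_port_range": "2000 65000",
}

_LINE = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(.*)$")  # key = value


def parse_sysctl(text):
    """Return {key: value}; comments (# or ;), blank and non-'=' lines are
    skipped, and a key listed twice keeps its last value, as sysctl does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = " ".join(m.group(2).split())
    return settings


def audit_sysctl(text, recommended=RECOMMENDED):
    """Return a sorted list of (key, actual, expected) for non-compliant keys;
    actual is None when the key is absent. An empty list means compliant."""
    settings = parse_sysctl(text)
    findings = []
    for key, expected in recommended.items():
        actual = settings.get(key)
        if actual != " ".join(expected.split()):
            findings.append((key, actual, expected))
    return sorted(findings)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysctl.conf"
    with open(path) as fh:
        problems = audit_sysctl(fh.read())
    for key, actual, expected in problems:
        state = "missing" if actual is None else "is %r" % actual
        print("%s %s, expected %r" % (key, state, expected))
    sys.exit(1 if problems else 0)
```

Run it as `python sysctl_audit.py /etc/sysctl.conf`; a non-zero exit status means at least one recommended setting is absent or different.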

4. Remove all unneeded Nginx modules

You need to minimize the number of modules by compiling Nginx directly from source; restricting the modules available to the web server keeps risk to a minimum. Configure and install only the modules you actually need. For example, to disable the SSI and autoindex modules run:

./configure --without-http_autoindex_module --without-http_ssi_module
make
make install

To see which modules can be enabled or disabled when compiling nginx, run:

./configure --help | less

Disable the nginx modules you do not use.

(Optional) Change the nginx version name.

Edit the file src/http/ngx_http_header_filter_module.c:

vi +48 src/http/ngx_http_header_filter_module.c

Find the lines:

static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Change them to:

static char ngx_http_server_string[] = "Server: Ninja Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Ninja Web Server" CRLF;

Save and close the file, then rebuild the server. Add the following line to nginx.conf to stop the nginx version number from being shown:

server_tokens off;

5. Use mod_security (only for backend Apache servers)

mod_security provides an application-level firewall for Apache. Install mod_security on the backend Apache web servers; it stops many injection attacks.

6. Install an SELinux policy to harden the Nginx web server

By default SELinux does not protect the Nginx web server, but you can install and compile a policy that does.

Step 1: Install the packages needed to build SELinux policy

yum -y install selinux-policy-targeted selinux-policy-devel

Step 2: Download the SELinux policy for hardening the Nginx web server.

cd /opt
wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'

Step 3: Unpack the archive

tar -zxvf se-ngix_1_0_10.tar.gz

Step 4: Compile the policy

cd se-ngix_1_0_10/nginx
make

The output will look like:

Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package

rm tmp/nginx.mod.fc tmp/nginx.mod

Step 5: Install the generated nginx.pp SELinux module:

/usr/sbin/semodule -i nginx.pp

7. Restrictions via the Iptables firewall

The following firewall script blocks everything except:

1. Incoming HTTP requests (TCP port 80)

2. Incoming ICMP ping requests

3. Outgoing ntp requests (port 123)

4. Outgoing smtp requests (TCP port 25)

#!/bin/bash
IPT="/sbin/iptables"
#### IPS ######
# Get server public ip
SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')
LB1_IP="204.54.1.1"
LB2_IP="204.54.1.2"
# Do some smart logic so that we can use damm script on LB2 too
OTHER_LB=""
[[ "$SERVER_IP" == "$LB1_IP" ]] && OTHER_LB="$LB2_IP" || OTHER_LB="$LB1_IP"
[[ "$OTHER_LB" == "$LB2_IP" ]] && OPP_LB="$LB1_IP" || OPP_LB="$LB2_IP"
### IPs ###
PUB_SSH_ONLY="122.xx.yy.zz/29"
#### FILES #####
BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#|^$" ${BLOCKED_IP_TDB})
### Interfaces ###
PUB_IF="eth0" # public interface
LO_IF="lo" # loopback
VPN_IF="eth1" # vpn / private net
### start firewall ###
echo "Setting LB1 $(hostname) Firewall..."
# Flush existing rules and user-defined chains so the script can be re-run
$IPT -F
$IPT -X
# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
# Unlimited vpn / pnet access
$IPT -A INPUT -i ${VPN_IF} -j ACCEPT
$IPT -A OUTPUT -o ${VPN_IF} -j ACCEPT
# Drop sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Drop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Drop FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Log and get rid of broadcast / multicast and invalid
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid "
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
# Log and block spoofed ips
$IPT -N spooflist
for ipblock in $SPOOFIP
do
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block "
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist
# Allow ssh only from selected public ips
for ip in ${PUB_SSH_ONLY}
do
$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport 22 -j ACCEPT
done
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow incoming HTTP port 80
$IPT -A INPUT -i ${PUB_IF} -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# allow outgoing ntp
$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# allow outgoing smtp
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
### add your other rules here ####
#######################
# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP "
$IPT -A INPUT -j DROP
exit 0

8. Control buffer overflow attacks

Edit nginx.conf and set buffer size limits for all clients.

vi /usr/local/nginx/conf/nginx.conf

Edit and set the buffer size limits for all clients as follows:

## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

Explanation:

1. client_body_buffer_size 1k (default 8k or 16k) - sets the buffer size for the client request body. If the request body is larger than the buffer, all or part of it is written to a temporary file.

2. client_header_buffer_size 1k - sets the buffer size for the client request header. In the vast majority of cases a request header is not larger than 1k, but a large cookie, for example from a WAP client, may push it over 1k; Nginx then allocates a larger buffer, whose size is set with large_client_header_buffers.

3. client_max_body_size 1k - sets the maximum allowed size of the client request body, as given in the Content-Length request header field.

If the request exceeds this value the client receives a "Request Entity Too Large" (413) error. Keep in mind that browsers do not know how to display this error.

4. large_client_header_buffers - sets the number and size of buffers used for large client request headers. The request line cannot exceed the size of one buffer; if the client sends a larger header, nginx returns "Request URI too large" (414).

Likewise, a request header field cannot exceed one buffer, or the server returns "Bad request" (400). Buffers are allocated only on demand. By default a buffer is the size of a memory page on the operating system, usually 4k or 8k; once a request's connection switches to keep-alive, the buffers it occupied are released.

You also need to control timeouts to improve server performance and disconnect idle clients. Edit as follows:

## Start: Timeouts ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## End: Timeouts ##

1. client_body_timeout 10; - sets the timeout for reading the request body. The timeout covers a period in which no part of the body is being read: if the client sends nothing within this time, Nginx returns a "Request time out" (408) error.

2. client_header_timeout 10; - sets the timeout for reading the client request header. The timeout covers a period in which no part of the header is being read: if the client sends nothing within this time, Nginx returns a "Request time out" (408) error.

3. keepalive_timeout 5 5; - the first value sets how long a keep-alive client connection stays open on the server side; after that time the server closes it. The second (optional) value sets the time value in the Keep-Alive: timeout=time response header, which lets some browsers know when to close the connection so the server need not close it itself; if it is not given, nginx sends no Keep-Alive information in the response header. (This is not about how a connection is made "Keep-Alive".) The two values may differ.

4. send_timeout 10; - sets the timeout for transmitting a response to the client. Here the timeout refers to a connection that has not reached the fully established state, having completed only two handshakes; if the client does not respond within this time, nginx closes the connection.

¾Å¡¢¿ØÖƲ¢·¢Á¬½Ó

Äã¿ÉÒÔʹÓÃNginxHttpLimitZoneÄ£¿éÀ´ÏÞÖÆÖ¸¶¨µÄ»á»°»òÕßÒ»¸öIPµØÖ·µÄÌØÊâÇé¿öϵIJ¢·¢Á¬½Ó¡£±à¼­nginx.conf:

### Directive describes the zone, in which the session states are stored i.e. store in slimits. ###
### 1m can handle 32000 sessions with 32 bytes/session, set to 5m x 32000 session ###
limit_zone slimits $binary_remote_addr 5m;
### Control maximum number of simultaneous connections for one session i.e. ###
### restricts the amount of connections from a single ip address ###
limit_conn slimits 5;

ÉÏÃæ±íʾÏÞÖÆÃ¿¸öÔ¶³ÌIPµØÖ·µÄ¿Í»§¶Ëͬʱ´ò¿ªÁ¬½Ó²»Äܳ¬¹ý5¸ö¡£

10. Allow access only for our domain names

If a bot is simply scanning the server for all domain names at random, reject the request. Only requests for the configured virtual hosts or reverse-proxied hosts should be allowed; there is no need to reject by IP address.

## Only requests to our Host are allowed i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in
if ($host !~ ^(nixcraft\.in|www\.nixcraft\.in|images\.nixcraft\.in)$ ) {
return 444;
}
##

11. Limit the available request methods

GET and POST are the most common methods on the Internet. Web server methods are defined in RFC 2616. If a web server does not need all available methods enabled, they should be disabled. The following directives filter requests so that only GET, HEAD and POST are allowed:

## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

More about HTTP methods

1. The GET method is used to request a document.

2. The HEAD method is the same as GET, except that the server does not return a message body in the response.

3. The POST method may involve many things, such as storing or updating data, ordering a product, or sending e-mail by submitting a form. This is usually handled by server-side scripts in PHP, Perl, Python and the like. If you need to upload files and process data on the server, you must use this method.

12. How to deny certain User-Agents

You can easily block User-Agents such as scanners, bots and spammers that abuse your server.

## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
##

Block the Soso and Youdao bots:

## Block some robots ##
if ($http_user_agent ~* Sosospider|YodaoBot) {
return 403;
}

13. How to prevent image hotlinking

Image or HTML hotlinking means someone embeds your site's image URL directly in their own page. The end result is that you pay for the extra bandwidth. This usually happens on forums and blogs. I strongly recommend blocking it and stopping hotlinking.

# Stop deep linking or hot linking
location /images/ {
valid_referers none blocked www.example.com example.com;
if ($invalid_referer) {
return 403;
}
}

Example: redirect and show a specified image instead

valid_referers blocked www.example.com example.com;
if ($invalid_referer) {
rewrite ^/images/uploads.*\.(gif|jpg|jpeg|png)$ http://www.examples.com/banned.jpg last;
}

14. Directory restrictions

You can set access permissions on specific directories. Every website directory should be configured individually, granting access only where it is required.

Restrict access by IP address

You can restrict access to a directory such as /admin/ by IP address:

location /docs/ {
## block one workstation
deny 192.168.1.1;
## allow anyone in 192.168.1.0/24
allow 192.168.1.0/24;
## drop rest of the world
deny all;
}

Password-protect a directory

First create the password file and add the user "user":

mkdir /usr/local/nginx/conf/.htpasswd/
htpasswd -c /usr/local/nginx/conf/.htpasswd/passwd user

Edit nginx.conf and add the directories to protect:

### Password Protect /personal-images/ and /delta/ directories ###
location ~ /(personal-images/.*|delta/.*) {
auth_basic "Restricted";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
}

Once the password file exists, you can add further users who are allowed access with:

htpasswd -s /usr/local/nginx/conf/.htpasswd/passwd userName

15. Nginx SSL configuration

HTTP is a plain-text protocol and is open to passive monitoring. You should use SSL to encrypt your users' traffic.

Create an SSL certificate

Run the following commands:

cd /usr/local/nginx/conf
# generate a passphrase-protected 1024-bit RSA private key
openssl genrsa -des3 -out server.key 1024
# create a certificate signing request for that key
openssl req -new -key server.key -out server.csr
# keep a copy of the protected key, then remove the passphrase so nginx can start unattended
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# self-sign the request to produce a certificate valid for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Edit nginx.conf and update it as follows:

server {
server_name example.com;
listen 443;
ssl on;
ssl_certificate /usr/local/nginx/conf/server.crt;
ssl_certificate_key /usr/local/nginx/conf/server.key;
access_log /usr/local/nginx/logs/ssl.access.log;
error_log /usr/local/nginx/logs/ssl.error.log;
}

Reload nginx:

/usr/local/nginx/sbin/nginx -s reload

16. Nginx and PHP security recommendations

PHP is one of the most popular server-side scripting languages. Edit /etc/php.ini as follows:

# Disallow dangerous functions
disable_functions = phpinfo, system, mail, exec
## Try to limit resources ##
# Maximum execution time of each script, in seconds
max_execution_time = 30
# Maximum amount of time each script may spend parsing request data
max_input_time = 60
# Maximum amount of memory a script may consume (8MB)
memory_limit = 8M
# Maximum size of POST data that PHP will accept.
post_max_size = 8M
# Whether to allow HTTP file uploads.
file_uploads = Off
# Maximum allowed size for uploaded files.
upload_max_filesize = 2M
# Do not expose PHP error messages to external users
display_errors = Off
# Turn on safe mode
safe_mode = On
# Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path
# Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_
# Restrict PHP information leakage
expose_php = Off
# Log all errors
log_errors = On
# Do not register globals for input data
register_globals = Off
# Minimize allowable PHP post size
post_max_size = 1K
# Ensure PHP redirects appropriately
cgi.force_redirect = 0
# Disallow uploading unless necessary
file_uploads = Off
# Enable SQL safe mode
sql.safe_mode = On
# Avoid Opening remote files
allow_url_fopen = Off

17. Run Nginx in a chroot jail if possible

Put nginx in a chroot jail to reduce the potential for unauthorized access to other directories. You can use a traditional chroot setup with nginx. If possible, use container-style virtualization such as FreeBSD jails, Xen or OpenVZ.

18. Limit connections per IP at the firewall level

A web server must monitor connections and limit connections per second. Both PF and Iptables can stop end users before they reach your nginx server.

Linux Iptables: limit the number of Nginx connections

The following example blocks any IP that makes more than 15 connections to port 80 within 60 seconds.

/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
service iptables save

Set the connection limit according to your own situation.
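To check whether the 15-connections-per-60-seconds threshold fits real traffic before enforcing it, the same sliding-window count can be run over the nginx access log. The following script is an added example, not from the original article; the SAMPLE_LOG lines are constructed, the log format assumed is nginx's default combined format, and the default limit and window mirror the iptables rule above.

```python
"""Spot clients that exceed the per-IP connection budget in an nginx access log.

Added example, not part of the original article. The iptables rule above drops
a source that opens more than 15 new connections to port 80 within 60 seconds;
this script applies the same threshold to nginx's default "combined" log
format, so a burst can be confirmed in the logs before or after the firewall
limit is tuned. Usage: python burst_check.py [access.log]  (stdin by default)
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Combined format: client IP, ident, user, [timestamp], "request", status, size
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 203.0.113.7 makes 16 requests in 30 seconds (over the
# limit), 198.51.100.2 makes 3 spread over 20 seconds, and one line is junk.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2014:10:00:%02d +0000] "GET /index.html HTTP/1.1" '
    '200 134 "-" "curl/7.30"' % (2 * i) for i in range(16)
] + [
    '198.51.100.2 - - [23/Sep/2014:10:00:%02d +0000] "GET / HTTP/1.1" '
    '200 134 "-" "Mozilla/5.0"' % (10 * i) for i in range(3)
] + ["this line is not in combined format"]


def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not parse."""
    m = _COMBINED.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")


def find_bursts(lines, limit=15, window=60):
    """Return {ip: timestamp} for each IP whose request count within any
    `window`-second span exceeded `limit`; the timestamp is the request that
    first crossed the line. Lines must be in time order per IP (as in a log
    file); unparseable lines are skipped rather than aborting the run."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for ip, when in sorted(find_bursts(source).items()):
        print("%s exceeded the limit at %s" % (ip, when.isoformat()))
```

Requests are counted rather than TCP connections, so with keep-alive the log figure is an upper bound on what the iptables recent match would see.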

19. Configure the operating system to protect the web server

Enable SELinux as described above. Set the correct permissions on the /nginx document root. Nginx runs as the user nginx, but the document root (/nginx or /usr/local/nginx/html) should not be owned by or writable by the nginx user. Find files with wrong ownership with:

find /nginx -user nginx
find /usr/local/nginx/html -user nginx

Make sure you change the ownership to root or another user. A typical permission setup for /usr/local/nginx/html/:

ls -l /usr/local/nginx/html/

Sample output:

-rw-r--r-- 1 root root 925 Jan  3 00:50 error4xx.html
-rw-r--r-- 1 root root 52 Jan 3 10:00 error5xx.html
-rw-r--r-- 1 root root 134 Jan 3 00:52 index.html

You must delete backup files created by vi and other text editors:

find /nginx -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
find /usr/local/nginx/html/ -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'

Delete these files with the -delete option of the find command.
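The find commands above do the ownership and backup-file checks separately. The following script is an added example (not from the original article) that performs both in one pass, adds a world-writable check, and builds a constructed sample tree so it can be tried safely; the web user name, the default document-root path and the sample file names are assumptions made for the example.

```python
"""Audit an nginx document root for the problems this step describes.

Added example, not part of the original article. It lists entries owned by
the web-server user, editor leftovers (hidden files other than .ht*, plus
*~ / *.bak* / *.old* backups, the same set the find commands above match)
and, as an extra check, world-writable entries. make_sample_tree() builds a
constructed tree so the audit can be tried without touching /nginx.
"""
import fnmatch
import os
import pwd
import stat
import sys
import tempfile

BACKUP_PATTERNS = ("*~", "*.bak*", "*.old*")


def is_editor_leftover(name):
    """True for file names the article's find expression would list."""
    hidden = name.startswith(".") and not name.startswith(".ht")
    return hidden or any(fnmatch.fnmatch(name, p) for p in BACKUP_PATTERNS)


def audit_docroot(root, web_uid):
    """Walk root and return three sorted lists of paths relative to root:
    entries owned by web_uid, editor leftovers, and world-writable entries."""
    owned, leftovers, writable = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # do not follow symlinks out of the tree
            if st.st_uid == web_uid:
                owned.append(rel)
            if st.st_mode & stat.S_IWOTH:
                writable.append(rel)
            if name in filenames and is_editor_leftover(name):
                leftovers.append(rel)
    return sorted(owned), sorted(leftovers), sorted(writable)


def make_sample_tree():
    """Create a constructed document root in a temp dir; modes are set
    explicitly so the result does not depend on the umask."""
    root = tempfile.mkdtemp(prefix="nginx-docroot-")
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o755)
    for rel in ("index.html", "index.html~", ".htaccess", ".index.html.swp",
                "old.bak", "images/photo.jpg.old", "images/logo.png"):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "images", "logo.png"), 0o666)  # one bad mode
    return root


def demo():
    """Audit the sample tree, treating the current user as the nginx user."""
    return audit_docroot(make_sample_tree(), os.getuid())


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/nginx/html"
    uid = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "nginx").pw_uid
    labels = ("owned by web user", "editor leftovers", "world-writable")
    for label, items in zip(labels, audit_docroot(root, uid)):
        print("%s: %s" % (label, ", ".join(items) or "none"))
```

When adding -delete to the find commands above, group the -or alternatives with \( ... \) first; otherwise -delete binds only to the last -name pattern.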

20. Limit outbound connections from Nginx

Attackers may use tools such as wget to download files onto your server. Use Iptables to block outgoing connections from the nginx user. The ipt_owner module matches on the creator of locally generated packets. In the example below only one user (vivek) is allowed to connect out on port 80.

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

With the above configuration your nginx server is now very secure and ready to serve pages. However, you should still look for further security guidance specific to your web application, for example WordPress or other third-party software.

   