../
等特殊字符尝试访问受限目录。
# 禁用不必要的HTTP方法
# Allow only GET, HEAD and POST; every other method (PUT, DELETE, OPTIONS,
# TRACE, ...) is answered with 405. Must sit inside a server or location
# block. Note that OPTIONS is rejected too, which breaks CORS preflight if
# this site is called cross-origin from browsers. `!~` is case-sensitive,
# which is correct here: HTTP method tokens are case-sensitive.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
# 隐藏Nginx版本信息
# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;
# Cap the request buffers and body so oversized requests are rejected early
# (a body larger than client_max_body_size gets 413; headers that do not fit
# the buffers get a 4xx "too large" error).
# NOTE(review): 1k is extremely tight — any form POST or upload above 1 KB
# fails, and ordinary cookies/headers easily exceed a 1k header buffer; size
# these to the application's real needs instead of copying them as-is.
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
# 确保只接受完整的请求
http {
# Catch-all default server: a request whose Host matches no server_name
# lands here and the connection is closed without a response (444). This
# is what keeps Host-header guessing and bare-IP scans away from the real
# virtual host below.
server {
listen 80 default_server;
return 444;
}
# Main virtual host
server {
listen 80;
server_name yourdomain.com;
# Rejects every request that carries Transfer-Encoding: chunked.
# NOTE(review): chunked is a valid HTTP/1.1 encoding, not a malformed
# request, so this also blocks legitimate clients that stream bodies. The
# request-smuggling concern (conflicting Transfer-Encoding and
# Content-Length) depends on how the proxy and backend pair disagree;
# confirm the backend's handling before relying on, or keeping, this rule.
if ($http_transfer_encoding ~* "chunked") {
return 400;
}
# URI/header parsing strictness. Both values are the nginx defaults, so
# these lines document intent rather than change behaviour.
merge_slashes on;
underscores_in_headers off;
}
}
# 验证Host头
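# Validate the Host header as defense in depth (server_name already restricts
# this vhost, and a default_server returning 444 drops everything else).
# The dots in the pattern must be escaped: an unescaped "." matches any
# character, so the previous pattern also accepted hosts like "yourdomainXcom".
# Only yourdomain.com is listed in server_name, so www.yourdomain.com never
# reaches this block unless it is added there as well.
server {
listen 80;
server_name yourdomain.com;
if ($host !~* "^(yourdomain\.com|www\.yourdomain\.com)$") {
return 444;
}
}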
# 清理X-Forwarded-For头
# Take the first IPv4-shaped token of X-Forwarded-For as $real_ip, falling
# back to the TCP peer address when the header is absent or does not start
# with one.
# NOTE(review): X-Forwarded-For is sent by the client, so $real_ip is
# client-controlled unless nginx sits behind a trusted proxy that rewrites
# the header. Do not use it on its own for access control or rate-limit keys;
# the realip module (set_real_ip_from / real_ip_header) is the supported way
# to trust one specific upstream proxy. The pattern only checks the
# digits-and-dots shape (octets are not range-checked) and ignores IPv6.
map $http_x_forwarded_for $real_ip {
~^(\d+\.\d+\.\d+\.\d+) $1;
default $remote_addr;
}
# 阻止路径遍历尝试
# For script-style URIs, refuse raw request lines containing "../".
# $request_uri is the original, unnormalised request line; nginx has already
# collapsed ".." segments in $uri before routing, and this check only sees a
# literal, unencoded "../". Treat it as a logging tripwire rather than the
# primary traversal defence, which is correct root/alias configuration and
# care when passing $request_uri through to a backend.
location ~* \.(php|asp|aspx|jsp)$ {
if ($request_uri ~* "\.\./") {
return 403;
}
}
# 或更通用的防御
# Broader variant: reject any path segment that begins with ".." or "~"
# (so /~user/ style paths are blocked as well). Only valid inside a server
# or location block, and like the rule above it matches the literal,
# unencoded form of the raw request line only.
if ($request_uri ~* "(^|/)(\.\.|~)") {
return 403;
}
# 阻止CRLF注入尝试
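# Reject percent-encoded CR/LF text in User-Agent and Referer.
# nginx's header parser ends a header value at CR/LF, so a raw line break
# cannot reach these variables; what this catches is the encoded text
# "%0D"/"%0A", which only matters if a downstream component decodes and
# re-emits it. "%0D%0A" was redundant with the two single alternatives, so
# the pattern is reduced to them and quoted; ~* keeps the match
# case-insensitive ("%0d" matches as well).
if ($http_user_agent ~* "(%0D|%0A)") {
return 403;
}
if ($http_referer ~* "(%0D|%0A)") {
return 403;
}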
# 安装ModSecurity后配置
# ModSecurity connector. load_module must appear in the main context, at the
# top of nginx.conf before the http block; the two modsecurity directives
# then enable the engine and point it at the rule set entry file.
load_module modules/ngx_http_modsecurity_module.so;
http {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
# 限制连接频率
# Rate limiting keyed on the client IP: 10 requests/second per address, with
# state held in the 10 MB shared zone "one" (per the nginx docs roughly 16k
# IPv4 states per MB).
# NOTE(review): $binary_remote_addr is the TCP peer. Behind a load balancer
# or upstream proxy every client shares that one address and the limit
# applies to the proxy as a whole — configure the realip module first.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server {
location / {
# Up to 5 excess requests are queued and delayed (no nodelay); beyond that
# nginx answers with the default limit_req_status, 503.
limit_req zone=one burst=5;
}
}
# 只允许特定国家IP访问
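# Allow-list by country. The geo module maps IP addresses and CIDR ranges,
# not country codes — "CN yes;" is a parse error there — so the lookup has to
# go through the geoip module: geoip_country loads the country database and
# exposes $geoip_country_code, and a map turns that into the yes/no flag.
# Both directives belong in the http context; if nginx was built with the
# module as dynamic, a load_module line for ngx_http_geoip_module is also
# needed in the main context. The legacy GeoIP .dat format this module reads
# is no longer distributed by MaxMind, so a GeoIP2-based module may be the
# practical choice on a new deployment.
geoip_country /path/to/GeoIP.dat;   # placeholder: path to the country database
map $geoip_country_code $allowed_country {
default no;
CN yes;
US yes;
JP yes;
}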
# Refuse requests whose country is not on the allow list above.
# Country-based blocking is coarse: geolocation data is approximate and
# traffic via VPNs or proxies is attributed to the exit location, so treat
# it as noise reduction rather than access control.
server {
if ($allowed_country = no) {
return 403;
}
}
# 详细日志记录
# Extended access log: the usual combined fields plus request timing,
# upstream timing and the X-Forwarded-For chain.
# $http_user_agent, $http_referer and $http_x_forwarded_for are
# client-supplied; with nginx's default log escaping, quotes, backslashes
# and control characters are written as \xXX escapes, which keeps forged
# line breaks out of the log file.
log_format security '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'$http_x_forwarded_for';
# log_format lives in the http context; access_log can be set per server or
# location.
access_log /var/log/nginx/security.log security;
通过以上配置和措施，可以显著提高Nginx反向代理环境的安全性，有效防御各种HTTP链接攻击。