Define a custom log format in nginx.conf (log_format must sit in the http context; access_log can then be set per server or location):
log_format security_audit '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'SSL:$ssl_protocol/$ssl_cipher '
'Header:$http_x_forwarded_for';
access_log /var/log/nginx/access.log security_audit;
Two things to keep in mind when reading these logs: $ssl_protocol and $ssl_cipher are logged as "-" for plain-HTTP connections, and $http_x_forwarded_for is copied verbatim from a client-supplied request header, so it is untrusted unless your own proxy sets it (use the realip module to resolve the real client address). nginx escapes double quotes, backslashes and control characters in logged variables by default, which stops a crafted User-Agent or URI from injecting fake log lines.
Manage the logs with logrotate (e.g. /etc/logrotate.d/nginx):
/var/log/nginx/*.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
postrotate
/usr/sbin/nginx -s reopen
endscript
}
"nginx -s reopen" (the same as sending SIGUSR1 to the master process) only reopens the log files; "nginx -s reload" also works but re-reads the whole configuration. delaycompress leaves the most recently rotated file uncompressed, so nothing nginx still writes before the reopen takes effect is lost, and mode 0640 with group adm limits who can read the audit trail.
GoAccess: real-time log analysis
goaccess /var/log/nginx/access.log --log-format=COMBINED -a
COMBINED describes nginx's default "combined" format; the security_audit format above appends extra fields, so give GoAccess a --log-format (with matching --date-format and --time-format) that describes those fields, otherwise lines may fail to parse.
AWK: quick analysis of a specific pattern, here the 20 client addresses with the most requests
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
Behind a load balancer $1 is the proxy's address; use the X-Forwarded-For field or the realip module to count real clients.
ELK Stack: Elasticsearch + Logstash + Kibana as a complete solution
Find suspicious requests:
grep -iE 'union.*select|etc/passwd|\.\./|http://|https://' /var/log/nginx/access.log
The http:// and https:// alternatives also match the Referer field of almost every request; to find absolute URLs smuggled into query strings (SSRF or remote-file-inclusion probes), match only the request field ($7 in this format) rather than the whole line. URL-encoded payloads (%27, %2e%2e%2f) slip past all of these greps, so decode before matching.
Count HTTP status codes ($9 is the status in both the combined and the security_audit formats, as long as the request line has its usual three tokens; a malformed request line shifts the fields):
awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn
Check the SSL/TLS configuration (stdin is redirected so s_client exits after the handshake instead of waiting for input):
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text
This prints the leaf certificate only (subject, issuer, validity dates, SANs); it says nothing about the protocol versions and cipher suites the server accepts. For that, run a full scan with testssl.sh, which performs locally the kind of checks the online Qualys SSL Labs test does:
testssl.sh example.com
Check the security header configuration:
curl -sI https://example.com | grep -iE 'strict-transport-security|x-frame-options|x-xss-protection|x-content-type-options'
Recommended configuration:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "0" always;
Two nginx-specific caveats: without "always", add_header only emits the header on the success and redirect codes listed in the docs (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), so error pages go out without HSTS; and add_header directives are not inherited into a server or location block that declares any add_header of its own, so repeat the full set wherever you add one. X-XSS-Protection "1; mode=block" used to be standard advice, but current browsers have removed the XSS auditor and the filter itself enabled side-channel attacks; "0" disables it explicitly, and a Content-Security-Policy is the replacement. Only include "preload" once you intend to submit the domain to the HSTS preload list, because removal from that list is slow.
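As an added example (not part of the original page), the following script audits the headers printed by curl -sI against the policy recommended above, so the check can be scripted instead of eyeballed through grep. The two sample responses are constructed for the example; the one-year minimum max-age is the value the HSTS preload list requires.

```python
import re

# Added example: audit "curl -sI" output against the recommended header policy.
# The sample responses below are constructed, not captured from a real server.

HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts


def parse_headers(raw: str) -> dict:
    """Map lowercase header name -> list of values.

    Values are kept as a list because nginx emits one header per matching
    add_header directive, and a duplicated or conflicting header is itself a
    misconfiguration worth seeing.
    """
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> list:
    """Return human-readable findings; an empty list means the policy is met."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        ages = []
        for d in directives:
            m = re.fullmatch(r"max-age=(\d+)", d)
            if m:
                ages.append(int(m.group(1)))
        if not ages or ages[0] < HSTS_MIN_AGE:
            findings.append("HSTS max-age missing or shorter than one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    if "nosniff" not in [v.lower() for v in h.get("x-content-type-options", [])]:
        findings.append("missing X-Content-Type-Options: nosniff")

    # Clickjacking: either a strict X-Frame-Options or a CSP frame-ancestors directive.
    xfo = [v.strip().upper() for v in h.get("x-frame-options", [])]
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if xfo[:1] not in (["DENY"], ["SAMEORIGIN"]) and "frame-ancestors" not in csp:
        findings.append("no clickjacking defence (X-Frame-Options or CSP frame-ancestors)")

    # The legacy XSS auditor is gone from browsers; "1" only enables side channels.
    for value in h.get("x-xss-protection", []):
        if value.strip().startswith("1"):
            findings.append("X-XSS-Protection enabled: legacy filter, send 0 or drop the header")

    return findings


# Constructed sample: what a server configured with the old advice typically returns.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
X-XSS-Protection: 1; mode=block
Content-Type: text/html
"""

# Constructed sample: the recommended configuration above, as served.
HARDENED_RESPONSE = """\
HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 0
content-type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or ["OK"])
```

Feed it real output with something like audit_headers(subprocess.check_output(["curl", "-sI", url], text=True)); running it against an error page (a 404 URL) as well as the home page is the quickest way to catch the missing "always" and the add_header inheritance problem.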
SQL injection detection:
grep -iE "select.*from|union.*select|insert.*into|delete.*from" /var/log/nginx/access.log
XSS attack detection:
grep -iE "<script|javascript:|onload=|onerror=" /var/log/nginx/access.log
Both greps see only what nginx wrote, i.e. the raw, still-encoded request line, so a payload sent as %3Cscript%3E or UNION/**/SELECT is missed; they also match the User-Agent and Referer fields, which is useful (scanners often put payloads there) but adds noise. Treat matches as triage input rather than alerts.
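The grep one-liners on this page (suspicious requests, status counts, SQLi and XSS detection) all work on the raw log text. As an added example that is not part of the original page, the script below parses the security_audit format defined in nginx.conf at the top of the page into fields, percent-decodes the request line (twice, to catch double encoding) and collapses SQL-comment whitespace before matching, and counts malformed lines instead of dropping them. The signature regexes are illustrative, the log lines are constructed for the example, and every address is from documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Added example: parse nginx's security_audit format and run decoded-request
# checks. Sample log lines are constructed; signatures are illustrative only.

# One named group per variable of the security_audit log_format, in order.
# nginx escapes '"' inside logged values as \x22, so [^"]* is safe, and
# $upstream_response_time may contain "0.004, 0.002" when several upstreams
# were tried, hence the non-greedy .*? anchored by " SSL:".
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<request_time>\S+) (?P<upstream_response_time>.*?) '
    r'SSL:(?P<ssl_protocol>[^/ ]*)/(?P<ssl_cipher>\S*) '
    r'Header:(?P<http_x_forwarded_for>.*)$'
)

SIGNATURES = {
    "sqli": re.compile(
        r"union\s+(all\s+)?select|select\s.+\sfrom|insert\s+into|delete\s+from"
        r"|'\s*or\s+\d+\s*=\s*\d+", re.I),
    "path_traversal": re.compile(r"\.\.[/\\]|/etc/passwd|/proc/self", re.I),
    "xss": re.compile(r"<script|javascript:|on(load|error|mouseover)\s*=", re.I),
    # absolute URL inside a query parameter value, the useful part of the
    # http://|https:// grep without matching every Referer
    "ssrf_or_rfi": re.compile(r"[?&][^=&]+=https?://", re.I),
}


def normalize(request: str) -> str:
    """Decode the request line roughly the way a backend would see it.

    Two rounds of percent-decoding catch double-encoded payloads (..%252F),
    '+' becomes a space, and SQL comments used as whitespace (UNION/**/SELECT)
    are collapsed.
    """
    decoded = request
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("+", " ")
    return re.sub(r"/\*.*?\*/", " ", decoded)


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not in the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(request: str) -> list:
    """Names of the signature classes that match the decoded request line."""
    decoded = normalize(request)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze(lines) -> dict:
    """Parsed-field equivalent of the grep/awk one-liners above."""
    report = {"parsed": 0, "unparsed": 0, "status": Counter(),
              "top_ips": Counter(), "hits": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            # Never drop silently: a line that breaks the format is worth a look.
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report["status"][entry["status"]] += 1
        report["top_ips"][entry["remote_addr"]] += 1
        tags = classify(entry["request"])
        if tags:
            report["hits"].append((entry["remote_addr"], tags, entry["request"]))
    return report


# Constructed sample log in the security_audit format (documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0" 0.003 0.002 SSL:TLSv1.3/TLS_AES_256_GCM_SHA384 Header:-
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /products?id=1%27%20UNION/**/SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.7" 0.010 0.009 SSL:TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 Header:-
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "GET /download?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0" 0.001 - SSL:-/- Header:-
192.0.2.44 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0" 0.020 0.018 SSL:TLSv1.3/TLS_AES_128_GCM_SHA256 Header:10.0.0.5
192.0.2.44 - - [10/Mar/2024:12:00:05 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 403 0 "-" "python-requests/2.31" 0.002 - SSL:TLSv1.3/TLS_AES_128_GCM_SHA256 Header:-
this line is not in the expected format and is counted rather than dropped
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("status codes:", dict(report["status"]))
    print("top clients:", report["top_ips"].most_common(3))
    for addr, tags, request in report["hits"]:
        print(addr, tags, request)
    print("unparsed lines:", report["unparsed"])
```

Run it on the real file with analyze(open("/var/log/nginx/access.log", errors="replace")). Because matching happens on the decoded request line only, the signatures never fire on Referer or User-Agent values; if you want scanner fingerprints from the User-Agent as well, add a separate check on entry["http_user_agent"] rather than widening these regexes.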
Prevent brute force (a fail2ban jail in /etc/fail2ban/jail.local; the nginx-http-auth filter shipped with fail2ban matches the password-mismatch, user-not-found and no-credentials errors that auth_basic writes to the error log):
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
Block scanners:
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 1
fail2ban does not ship a filter named nginx-badbots, so this jail only starts once /etc/fail2ban/filter.d/nginx-badbots.conf exists; the usual approach is to point filter at the bundled apache-badbots filter, whose User-Agent regex also works on nginx's combined-style access log. Set bantime and findtime explicitly in [DEFAULT], and remember that if nginx sits behind a proxy, fail2ban bans the proxy's address unless the log records the real client IP.
Installation and configuration (Debian/Ubuntu package names: libmodsecurity3 is the engine and modsecurity-crs the OWASP Core Rule Set; the nginx connector, ModSecurity-nginx, is a separate component that must be built against your nginx version or installed from a distribution package where one exists, and then loaded with load_module):
sudo apt-get install libmodsecurity3 modsecurity-crs
nginx configuration (http, server or location context):
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
main.conf is where you Include the engine settings (modsecurity.conf, which ships with SecRuleEngine DetectionOnly) and the CRS files (crs-setup.conf followed by the rules). Run in DetectionOnly mode first, review the audit log for false positives on your application, and only then switch to SecRuleEngine On.
With the practices above, the security and auditability of an Nginx server improve markedly: attacks show up in the logs in a form you can query, and the protective layers (headers, fail2ban, ModSecurity) stop the common ones before they reach the application.