1.隐藏nginx版本信息
在 nginx.conf 中配置
http {
...
# Stop nginx from emitting its version in the Server response header and on
# its built-in error pages. The header still reads "Server: nginx"; only the
# version string is removed.
server_tokens off;
...
}
可以看到响应头中已经没有 nginx 版本信息了
隐藏nginx版本
2.隐藏powered-by
一些 WEB 语言或框架默认输出的 x-powered-by 响应头也会泄露网站信息,它们一般都提供了修改或移除的方法,可以自行查看手册。如果部署上用到了 Nginx 的反向代理,也可以通过 proxy_hide_header 指令在代理层隐藏它:
location / {
...
# Drop the X-Powered-By header from the upstream response before it is
# returned to the client. Only affects responses that come through proxy_pass.
proxy_hide_header X-Powered-By;
...
}
3.相关安全设置
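# CSP: declares which origins the browser may load and execute resources from,
# which limits what an injected script can do. 'self' plus the CDN hosts only;
# object-src 'none' blocks plugins. `always` makes nginx send the header on
# error responses (4xx/5xx) too, not just on 2xx/3xx.
add_header Content-Security-Policy "default-src 'self'; img-src 'self' *.alicdn.com; object-src 'none'; script-src 'self' *.alicdn.com; style-src 'self' *.alicdn.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" always;
# Tell the browser to honour the declared Content-Type and never MIME-sniff.
add_header X-Content-Type-Options nosniff always;
# HSTS: browsers only honour it when it arrives over HTTPS; includeSubDomains
# forces every subdomain onto HTTPS as well, so check them before enabling.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Frame embedding policy:
#   DENY        - the page may not be framed anywhere, not even same-origin.
#   SAMEORIGIN  - the page may only be framed by same-origin pages.
#   ALLOW-FROM  - obsolete and ignored by current browsers; use the CSP
#                 frame-ancestors directive above for a per-origin allow-list.
add_header X-Frame-Options SAMEORIGIN always;
# Cross-origin access. A static Access-Control-Allow-Origin value is either "*"
# or exactly one origin (scheme://host[:port]); wildcards like *.xx.com are
# invalid, and "*" is rejected by browsers once Allow-Credentials is true.
# The two lines below are kept only as counter-examples; see the $cors approach
# in section 4 for allowing a set of subdomains per request.
# add_header Access-Control-Allow-Origin *;
# add_header Access-Control-Allow-Origin *.xx.com;
# Legacy XSS-auditor switch. Current browsers have removed the auditor and the
# header is deprecated; the CSP above is the effective control.
add_header X-XSS-Protection "1; mode=block" always;
# NOTE: a bare `add_header Set-Cookie "Path=/; HttpOnly; Secure"` does not add
# flags to the application's cookies; browsers parse it as an unrelated cookie.
# Flags on proxied cookies are set with proxy_cookie_path (below) or, on
# nginx >= 1.19.3, proxy_cookie_flags.
# add_header Set-Cookie "Path=/; HttpOnly; Secure";
# When proxying, rewrite the upstream cookie path and add the flags there.
# SameSite=None marks the cookie as usable in cross-site requests and requires
# Secure; prefer Lax unless the cookie genuinely must be sent cross-site.
proxy_cookie_path / "/; httponly; secure; SameSite=None";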
4.跨域请求设置
通过配置 Access-Control-Allow-Origin 响应头可以指定哪些源可以访问你的服务器。这个值要么是 *，要么是一个带协议（和端口号）的确定源；像 *.xx.com 这样的通配写法是无效的。另外，当 Access-Control-Allow-Credentials 为 true 时，浏览器也不接受 *，此时只能按请求动态返回具体的源。
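# Reflect the request Origin only when it is atpool.com or one of its
# subdomains over https. The pattern is anchored at both ends and the dots are
# escaped: an unanchored "(.*\.atpool.com)" also matches any host name that
# merely contains that substring, and because Allow-Credentials is true below,
# every matching origin would receive credentialed responses.
set $cors "";
if ($http_origin ~* "^https://([a-z0-9-]+\.)+atpool\.com$") {
    set $cors $http_origin;
}
# nginx omits add_header when the value is empty, so a non-matching Origin
# gets no Access-Control-Allow-Origin header at all.
add_header Access-Control-Allow-Origin $cors;
# The allowed origin differs per request; tell caches to key on Origin.
add_header Vary Origin;
add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT";
add_header Access-Control-Allow-Credentials true;
# With credentials enabled browsers treat "*" here literally, not as a
# wildcard; replace it with the concrete request header names clients send.
add_header Access-Control-Allow-Headers *;
# Answer preflight requests directly instead of forwarding them upstream.
# add_header also applies to 204 responses, so the CORS headers are included.
if ($request_method = "OPTIONS") {
    return 204;
}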
完整配置
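server {
    # The ssl_* directives below only take effect on a TLS listener. With
    # "listen 80" the certificate is never used and browsers ignore HSTS, so
    # listen with ssl; a separate port-80 server that redirects to https is
    # expected alongside this one (not shown).
    listen 443 ssl;
    server_name test.xx.com;
    # Certificate settings (paths are relative to the nginx prefix).
    ssl_certificate cert/xx.com.pem;
    ssl_certificate_key cert/xx.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # TLS 1.2 and 1.3 only; older protocol versions are disabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Security headers. `always` sends them on error responses as well.
    # add_header is not inherited into a location that declares its own
    # add_header; "location /" below has none, so these headers apply there.
    # 'unsafe-inline' in default-src permits inline scripts and styles and
    # largely defeats the XSS protection CSP offers; tighten it once the
    # application no longer needs inline code.
    add_header Content-Security-Policy "default-src 'self' *.xx.com data: 'unsafe-inline';" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Deprecated header kept for old browsers; the CSP is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
    # A bare Set-Cookie header does not flag the upstream's cookies (browsers
    # parse it as an unrelated cookie); the flags are added with
    # proxy_cookie_path inside "location /" instead.
    # add_header Set-Cookie "Path=/; HttpOnly; Secure";
    add_header Cache-Control max-age=86400;
    # CORS: reflect the Origin only for xx.com and its subdomains over https.
    # Anchored and dot-escaped so host names that merely contain the substring
    # do not match; this matters because Allow-Credentials is true below.
    set $cors "";
    if ($http_origin ~* "^https://([a-z0-9-]+\.)+xx\.com$") {
        set $cors $http_origin;
    }
    # add_header is skipped when $cors is empty, so other origins get nothing.
    add_header Access-Control-Allow-Origin $cors;
    # The allowed origin varies per request; caches must key on Origin.
    add_header Vary Origin;
    add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT";
    add_header Access-Control-Allow-Credentials true;
    # "*" is taken literally when credentials are allowed; list the concrete
    # request header names the clients send instead.
    add_header Access-Control-Allow-Headers *;
    # Answer preflight requests here; add_header also applies to 204.
    if ($request_method = "OPTIONS") {
        return 204;
    }
    location / {
        # Response compression. If a response embeds a secret alongside
        # content an external party can influence, compressing it over TLS is
        # a known risk (BREACH); consider leaving gzip off for such pages.
        gzip on;
        gzip_comp_level 6;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_types text/plain application/x-javascript text/css application/xml application/javascript application/json application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;
        proxy_pass http://127.0.0.1:8000;
        proxy_hide_header X-Powered-By; # drop the upstream framework banner
        # Add HttpOnly/Secure to upstream cookies. SameSite=None makes them
        # cross-site cookies and requires Secure; use Lax unless required.
        proxy_cookie_path / "/; httponly; secure; SameSite=None";
        proxy_set_header X-Real-IP $remote_addr;
        # $remote_addr (not $proxy_add_x_forwarded_for) discards any
        # client-supplied X-Forwarded-For, so the app only sees the direct
        # client IP.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect default;
    }
}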
From: https://www.cnblogs.com/Lqdream/p/16941001.html