How to set up an Nginx protection configuration?
05-12
1. Replace the main Nginx configuration directly (strongest protection version)
Open the configuration:
```bash
nano /etc/nginx/nginx.conf
```
Select all, delete the existing content, and paste the following set:
```nginx
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Basic performance tuning
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    keepalive_requests 1000;

    # ==================== protection start ====================
    server_tokens off;   # hide the Nginx version
    autoindex off;       # disable directory listing
    port_in_redirect off;
    server_name_in_redirect off;

    # Anti-CC: per-IP request rate limit (zone defined and applied globally)
    limit_req_zone $binary_remote_addr zone=one:10m rate=15r/s;
    limit_req zone=one burst=20 nodelay;

    # Limit upload size and cut off slow clients
    client_max_body_size 10m;
    client_body_timeout 10;
    client_header_timeout 10;

    # "if" and "location" are only valid inside server/location blocks, so the
    # request filters below live in a default server; placing them directly
    # under http (as the original version did) makes nginx -t fail.
    # If /etc/nginx/conf.d/default.conf also declares default_server on port 80,
    # remove that declaration, and copy these rules into each site's own server
    # block, because nginx does not inherit if/location from http.
    server {
        listen 80 default_server;
        server_name _;

        # Block unexpected request methods
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 403;
        }
        # Crude SQL injection / XSS / scanner filter on the raw query string.
        # Note: plain words such as "select" or "update" also match harmless searches.
        if ($query_string ~* "union|select|insert|delete|update|drop|script|%27|%22|%3C|%3E") {
            return 403;
        }
        # Block common tool User-Agents (trivially spoofed, and also blocks legitimate
        # curl/wget clients such as monitoring checks)
        if ($http_user_agent ~* "nmap|curl|wget|python|java|dotdot|scan|attack") {
            return 403;
        }
        # Deny access to sensitive directories
        location ~ /(\.git|\.env|\.svn|vendor|backup|database) {
            return 403;
        }
        # Deny access to sensitive file types
        location ~* \.(ini|sql|log|sh|bak|tmp|zip|rar|gz)$ {
            return 403;
        }
        # Image hotlink protection
        location ~* \.(jpg|jpeg|png|gif|ico|webp)$ {
            expires 30d;
            add_header Cache-Control public;
            valid_referers none blocked server_names;
            if ($invalid_referer) {
                return 403;
            }
        }
    }
    # ==================== protection end ====================

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_types text/plain text/css application/javascript application/json;

    include /etc/nginx/conf.d/*.conf;
}
```
2. Check that the configuration is valid
```bash
nginx -t
```
If the output contains `test is successful`, the configuration is correct.
3. Restart Nginx to apply the changes
```bash
systemctl restart nginx
```
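Added example (not part of the original post): a small Python re-implementation of the request filters from the configuration above, run against constructed sample requests, so you can see which rule answers 403 for each request and which ordinary traffic the keyword and User-Agent filters catch as a side effect. The rule names, the `evaluate` function and the sample requests are my own; the regexes are the ones from the config.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns copied from the nginx rules above. nginx "~*" is case-insensitive
# and "~" is case-sensitive; that is mirrored here.
ALLOWED_METHOD = re.compile(r"^(GET|HEAD|POST)$")
BAD_QUERY = re.compile(r"union|select|insert|delete|update|drop|script|%27|%22|%3C|%3E", re.I)
BAD_AGENT = re.compile(r"nmap|curl|wget|python|java|dotdot|scan|attack", re.I)
SENSITIVE_DIR = re.compile(r"/(\.git|\.env|\.svn|vendor|backup|database)")
SENSITIVE_EXT = re.compile(r"\.(ini|sql|log|sh|bak|tmp|zip|rar|gz)$", re.I)


def evaluate(method, url, user_agent):
    """Return the name of the rule that answers 403 first, or None if allowed.

    Order follows nginx: server-level "if" blocks run before a location is
    chosen, in configuration order. $query_string is matched raw (which is why
    the %27-style entries exist), while location regexes see the decoded $uri.
    """
    parts = urlsplit(url)
    if not ALLOWED_METHOD.match(method):
        return "method"
    if BAD_QUERY.search(parts.query):
        return "query_string"
    if BAD_AGENT.search(user_agent):
        return "user_agent"
    path = unquote(parts.path)
    if SENSITIVE_DIR.search(path):
        return "sensitive_dir"
    if SENSITIVE_EXT.search(path):
        return "sensitive_file"
    return None


# Constructed sample traffic: the first four are what the rules are meant to
# stop; the last three are legitimate, and two of them are still blocked
# (a product search containing "select", a curl-based health check).
SAMPLE_REQUESTS = [
    ("GET", "/item?id=1%27", "Mozilla/5.0"),
    ("GET", "/.env", "Mozilla/5.0"),
    ("GET", "/static/app.log", "Mozilla/5.0"),
    ("DELETE", "/api/item/3", "Mozilla/5.0"),
    ("GET", "/search?q=select+a+laptop", "Mozilla/5.0"),
    ("GET", "/healthz", "curl/8.0"),
    ("GET", "/products?page=2", "Mozilla/5.0"),
]


def run_samples():
    """Evaluate every sample request; returns (method, url, rule-or-None) tuples."""
    return [(m, u, evaluate(m, u, ua)) for m, u, ua in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, url, rule in run_samples():
        print(f"{method:6} {url:32} -> {'403 (' + rule + ')' if rule else '200'}")
```

Run it before deploying the config to decide whether the keyword and User-Agent filters are acceptable for your site, or whether they need trimming.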