Nginx Series (6): Security Controls

Security Controls
Access Based on IP Address
location /admin/ {
    deny 10.0.0.1;            # rules are evaluated in order, first match wins
    allow 10.0.0.0/20;
    allow 2001:0db8::/32;     # IPv6
    deny all;                 # every other address gets a 403
}

Allowing Cross-Origin Resource Sharing (CORS)
When some resources are loaded from another domain, CORS must be allowed.
map $request_method $cors_method {
    OPTIONS 11;    # CORS is allowed for three methods: OPTIONS, GET and POST
    GET     1;
    POST    1;
    default 0;
}
server {
    ...
    location / {
        if ($cors_method ~ '1') {    # OPTIONS (11) as well as GET/POST (1) get the headers defined with add_header
            add_header 'Access-Control-Allow-Methods'
                       'GET,POST,OPTIONS';
            add_header 'Access-Control-Allow-Origin'
                       '*.example.com';    # note: browsers accept only a single origin or '*' here, not a subdomain wildcard
            add_header 'Access-Control-Allow-Headers'
                       'DNT,
                        Keep-Alive,
                        User-Agent,
                        X-Requested-With,
                        If-Modified-Since,
                        Cache-Control,
                        Content-Type';
        }
        if ($cors_method = '11') {    # preflight (OPTIONS) requests only
            add_header 'Access-Control-Max-Age' 1728000;    # the preflight result may be cached for 1728000 s, i.e. 20 days
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }
}


Client-Side Encryption
http {    # All directives used below are also valid in stream
    server {
        listen 8433 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;    # TLS is more secure than the legacy SSL protocols
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate /etc/nginx/ssl/example.pem;            # RSA certificate and key
        ssl_certificate_key /etc/nginx/ssl/example.key;
        ssl_certificate /etc/nginx/ssl/example.ecdsa.crt;      # ECDSA certificate and key, offered alongside the RSA pair
        ssl_certificate_key /etc/nginx/ssl/example.ecdsa.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}


Upstream Encryption
location / {
    proxy_pass https://upstream.example.com;
    proxy_ssl_verify on;              # verify the upstream certificate; the CA bundle to verify against is set with proxy_ssl_trusted_certificate
    proxy_ssl_verify_depth 2;
    proxy_ssl_protocols TLSv1.2;      # only TLS 1.2 is used when talking to the upstream
}


Securing a Location
location /resources {    # public-facing location
    secure_link_secret mySecret;    # the shared secret
    if ($secure_link = "") { return 403; }
    rewrite ^ /secured/$secure_link;    # $secure_link is empty unless the hash in the URL verifies; nginx computes the MD5 hash and stores the remaining URL in $secure_link
}
location /secured/ {
    internal;
    root /var/www;
}


Generating a Secure Link with a Secret
Generating a secure link, used together with the secured location above.
echo -n 'index.htmlmySecret' | openssl md5 -hex
(stdin)= a53bee08a4bf0bbea978ddf736363a12
Our access link now becomes
www.example.com/resources/a53bee08a4bf0bbea978ddf736363a12/index.html

Securing a Location with an Expire Date
location /resources {
    root /var/www;
    secure_link $arg_md5,$arg_expires;    # the first argument is the md5 hash, the second the expiry time
    secure_link_md5 "$secure_link_expires$uri$remote_addr mySecret";
    if ($secure_link = "") { return 403; }    # hash does not match
    if ($secure_link = "0") { return 410; }   # hash matches but the link has expired
}

Generating an Expiring Link
Make the page expire at a fixed time. 1609372800 is a recent Unix timestamp and is the expiry time. Then compute the value of the secure_link_md5 string accordingly.
/resources/index.html?md5=TG6ck3OpAttQ1d7jW3JOcw&expires=1609372800
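As an added example (not part of the original post), the following Python script generates and checks both kinds of link from the two sections above: the secure_link_secret form (hex MD5 in the path) and the secure_link_md5 form with an expiry (base64url MD5 plus expires in the query string), returning the same values nginx puts into $secure_link. The client address 203.0.113.7 is a constructed value; nginx binds the hash to whatever it sees in $remote_addr.

```python
import base64
import hashlib
import time

SECRET = "mySecret"  # the value of secure_link_secret / the secret in secure_link_md5


def legacy_link(filename: str, secret: str = SECRET, prefix: str = "/resources") -> str:
    """secure_link_secret form: the URL carries hex(md5(<filename><secret>))
    in front of the file name, e.g. /resources/<md5>/index.html."""
    digest = hashlib.md5((filename + secret).encode()).hexdigest()
    return f"{prefix}/{digest}/{filename}"


def check_legacy_link(path: str, secret: str = SECRET, prefix: str = "/resources") -> str:
    """What the /resources location does: the file name when the embedded hash
    matches, otherwise "" (which the config turns into a 403)."""
    digest, _, filename = path[len(prefix) + 1:].partition("/")
    expected = hashlib.md5((filename + secret).encode()).hexdigest()
    return filename if digest == expected else ""


def expiring_md5(uri: str, remote_addr: str, expires: int, secret: str = SECRET) -> str:
    """Hash the same string as secure_link_md5 "$secure_link_expires$uri$remote_addr mySecret";
    nginx expects the MD5 as base64url with the trailing '=' padding removed."""
    raw = f"{expires}{uri}{remote_addr} {secret}".encode()
    return base64.urlsafe_b64encode(hashlib.md5(raw).digest()).decode().rstrip("=")


def expiring_link(uri: str, remote_addr: str, expires: int, secret: str = SECRET) -> str:
    """Link matching 'secure_link $arg_md5,$arg_expires'."""
    return f"{uri}?md5={expiring_md5(uri, remote_addr, expires, secret)}&expires={expires}"


def check_expiring_link(uri: str, remote_addr: str, md5: str, expires: int,
                        now=None, secret: str = SECRET) -> str:
    """Value nginx puts in $secure_link: "" for a wrong hash (403 in the config),
    "0" for a correct but expired link (410), "1" while the link is still valid."""
    now = int(time.time()) if now is None else now
    if md5 != expiring_md5(uri, remote_addr, expires, secret):
        return ""
    return "0" if expires < now else "1"


if __name__ == "__main__":
    # 203.0.113.7 is a constructed client address; the hash only verifies for that $remote_addr
    print(legacy_link("index.html"))
    print(expiring_link("/resources/index.html", "203.0.113.7", 1609372800))
```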

HTTPS Redirects
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;    # 301 redirect; a sub-path such as /login can be appended as well
}

Redirecting to HTTPS where SSL/TLS Is Terminated Before NGINX
When TLS is terminated before Nginx, for example on a cloud load balancer such as Tencent Cloud CLB:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    if ($http_x_forwarded_proto = 'http') {    # the proxy reports the original scheme in this header
        return 301 https://$host$request_uri;
    }
}


HTTP Strict Transport Security
Hardens HTTP by telling browsers not to send plain HTTP requests to this host.
Use HTTP Strict Transport Security (HSTS):
add_header Strict-Transport-Security max-age=31536000;    # one year


Satisfying Any Number of Security Methods
Satisfying multiple security methods
location / {
    satisfy any;    # the request must satisfy any one of the following methods; the value may be any (at least one) or all (every one)
    allow 192.168.1.0/24;
    deny all;
    auth_basic "closed site";
    auth_basic_user_file conf/htpasswd;
}

Original article: https://www.cnblogs.com/biaopei/p/12950600.html