Nginx安全

安装nginx

[root@proxy ~]# yum -y install gcc openssl-devel  pcre-devel
[root@proxy ~]# tar -zxf nginx-1.12.2.tar.gz 
[root@proxy ~]# useradd nginx
[root@proxy ~]# cd nginx-1.12.2/
[root@proxy nginx-1.12.2]# ./configure --user=nginx --group=nginx --without-http_autoindex_module  --without-http_ssi_module     
//禁用自动索引(autoindex)模块和SSI模块
[root@proxy nginx-1.12.2]# make
[root@proxy nginx-1.12.2]# make install 
[root@proxy nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx  /sbin

修改版本信息,隐藏具体的版本号

[root@proxy ~]# curl -I 192.168.4.51
HTTP/1.1 200 OK
Server: nginx/1.12.2                     //版本号
Date: Thu, 03 Jan 2019 01:44:00 GMT
...

[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
...
 35     server {
 36         listen       80;
 37         server_name  localhost;
 38         server_tokens off;            //屏蔽版本号
 39         #charset koi8-r;
 40 
[root@proxy ~]# nginx -s reload
[root@proxy ~]# curl -I 192.168.4.51
HTTP/1.1 200 OK
Server: nginx                            //版本号已经屏蔽
Date: Thu, 03 Jan 2019 01:44:12 GMT
...
[root@proxy nginx-1.12.2]# vim  +48 src/http/ngx_http_header_filter_module.c 
 //+48 代表光标直接定位在48行
...
 49 static u_char ngx_http_server_string[] = "http" CRLF;    //改动源码不显示nginx(注意这里连 "Server: " 前缀也去掉了,响应中该行只剩 "http",见下文curl输出)
 50 static u_char ngx_http_server_full_string[] = "Server:http "  CRLF;
 51 static u_char ngx_http_server_build_string[] = "Server: http" CRLF;
 52 

[root@proxy nginx-1.12.2]# ./configure --user=nginx --group=nginx --without-http_autoindex_module  --without-http_ssi_module 
[root@proxy nginx-1.12.2]# make && make install
[root@proxy nginx-1.12.2]# nginx -s stop
[root@proxy nginx-1.12.2]# nginx 
[root@proxy nginx-1.12.2]# curl -I 192.168.4.51
HTTP/1.1 200 OK
http                                            //显示的是我们修改后的字符串(该行已不带 Server: 前缀)
Date: Thu, 03 Jan 2019 02:01:47 GMT
Content-Type: text/html

限制并发访问量

DDoS攻击者会发送大量的并发连接,占用服务器资源(比如连接数、带宽等),导致正常用户处于等待状态而无法访问服务器

可以使用nginx的ngx_http_limit_req_module模块限制请求速率,降低风险

[root@guo ~]# yum -y install httpd-tools  
[root@guo ~]# ab -c 1000 -n  1000  http://192.168.4.51/      //修改之前,客户端进行压力测试
...
Finished 1000 requests
...
Concurrency Level:      1000
Time taken for tests:   0.227 seconds
Complete requests:      1000
Failed requests:        0
...

[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
...
http {
    include       mime.types;
    default_type  application/octet-stream;
    limit_req_zone $binary_remote_addr  zone=one:10m  rate=1r/s;
    limit_req zone=one burst=5;  
     //将ip信息存储到名称为one的共享内存,空间为10m(1m可以存8k的ip信息);每秒钟仅接受1个请求,多余的请求最多有5个放入队列(漏斗)等待处理,也就是每个ip处理六个
[root@proxy nginx-1.12.2]# nginx -t             //测试配置文件是否正确
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@proxy nginx-1.12.2]# nginx 

[root@guo ~]# ab -c 10 -n  10  http://192.168.4.51/         //客户端访问
...
Server Software:        
Server Hostname:        192.168.4.51
Server Port:            80

Document Path:          /
Document Length:        618 bytes

Concurrency Level:      10
Time taken for tests:   5.001 seconds
Complete requests:      10
Failed requests:        4                                //可以看出,有四个失败了,总共处理了6个,所用时间5.001s

拒绝非法访问

HTTP定义了很多方法,实际中一般仅用GET和POST(下面的配置也会同时拒绝HEAD等其他方法,见后面的curl测试)

请求方法 功能描述
GET 请求指定的页面信息,并返回实体主体
HEAD 类似于GET请求,只不过返回的响应中没有具体的内容,用于获取报头
POST 向指定资源提交数据进行处理请求(例如提交表单或者上传文件)
DELETE 请求服务器删除指定的页面
PUT 向服务器特定位置上传资料
[root@proxy nginx-1.12.2]# curl -i -X  GET  http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:04:31 GMT
...

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...

[root@proxy nginx-1.12.2]# curl -i -X  HEAD  http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:04:17 GMT
Content-Type: text/html
Content-Length: 618
Last-Modified: Thu, 03 Jan 2019 01:23:38 GMT
Connection: keep-alive
ETag: "5c2d641a-26a"
Accept-Ranges: bytes
...
[root@proxy nginx-1.12.2]# nginx -s stop
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
  ...
  server {
        listen       80;
        server_name  localhost;
      ...
        if ($request_method !~ ^(GET|POST)$ ) {
                return 444;
          }
   }

[root@proxy nginx-1.12.2]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@proxy nginx-1.12.2]# nginx

[root@proxy nginx-1.12.2]# curl -i -X  HEAD  http://192.168.4.51    //HEAD被拒绝,连接被直接关闭(444),客户端报错
curl: (52) Empty reply from server
[root@proxy nginx-1.12.2]# curl -i -X  GET  http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:11:41 GMT
Content-Type: text/html

防止buffer溢出

限制客户端请求数据的大小,防止请求缓冲区溢出,有效降低DoS攻击风险

[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
...
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 16k;
    large_client_header_buffers 4 4k;
...

}
[root@proxy nginx-1.12.2]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful


转载自blog.csdn.net/weixin_43800781/article/details/85676764