Background
1. Download OpenResty
cd /root/
wget https://openresty.org/download/openresty-1.21.4.1.tar.gz
2. Nginx Compilation Security Configuration
tar xvf openresty-1.21.4.1.tar.gz
cd /root/openresty-1.21.4.1/bundle/nginx-1.21.4/

#- 1. Hide the version. NGINX_VER is the string sent in the Server header (and in the error-page footer) when server_tokens is on; NGINX_VAR is the name of the environment variable nginx uses to hand listening sockets to a new master during a USR2 binary upgrade, so an old and a new binary must agree on it.
vim src/core/nginx.h
#define NGINX_VERSION      "6666"
#define NGINX_VER          "FW/" NGINX_VERSION ".6"
#define NGINX_VAR          "FW"

#- 2. Modify the Server header that is sent when server_tokens is off
vim src/http/ngx_http_header_filter_module.c
# line 49
static u_char ngx_http_server_string[] = "Server: FW" CRLF;

#- 3. Modify the footer of the built-in error pages
vim src/http/ngx_http_special_response.c
# line 22
"<hr><center>FW</center>" CRLF
# ...
# line 29
"<hr><center>FW</center>" CRLF
# ...
# line 36
"<hr><center>FW</center>" CRLF
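The three edits above are done by hand in vim. As an added example (not part of the original notes), the same changes as a script, so that a fresh tarball can be rebuilt the same way every time: it rewrites whatever product name the sources carry (nginx in stock sources, openresty in the OpenResty bundle) to the FW brand and the .6 suffix used above, then verifies the result. The script name, its argument order and the check function are my own; the source path is the bundle path from this section. It needs GNU sed for -i.

```bash
#!/usr/bin/env bash
# hide_banner.sh: apply the section-2 banner edits with sed instead of vim.
# Usage: ./hide_banner.sh /root/openresty-1.21.4.1/bundle/nginx-1.21.4 FW
# Requires GNU sed (-i). Added example, not part of the original notes.
set -euo pipefail

# Rewrite the product name/version strings under SRC to BRAND (default FW).
# The existing name is matched generically, so this works on stock nginx ("nginx")
# and on the OpenResty bundle ("openresty") alike. BRAND must contain no sed specials.
hide_banner() {
    local src="$1" brand="${2:-FW}"
    local h="$src/src/core/nginx.h"
    local hf="$src/src/http/ngx_http_header_filter_module.c"
    local sr="$src/src/http/ngx_http_special_response.c"

    # 1. nginx.h: NGINX_VER feeds the Server header and error-page footer when
    #    server_tokens is on; NGINX_VAR is the env var name used for USR2 binary upgrades.
    sed -i -E "s@^(#define NGINX_VERSION[[:space:]]+).*\$@\1\"6666\"@" "$h"
    sed -i -E "s@^(#define NGINX_VER[[:space:]]+).*\$@\1\"$brand/\" NGINX_VERSION \".6\"@" "$h"
    sed -i -E "s@^(#define NGINX_VAR[[:space:]]+).*\$@\1\"$brand\"@" "$h"
    # 2. Server header sent when server_tokens is off
    sed -i -E "s@(ngx_http_server_string\[\] = \"Server: )[^\"]*(\" CRLF;)@\1$brand\2@" "$hf"
    # 3. footer of the built-in error pages (the NGINX_VER variant is already covered by step 1)
    sed -i -E "s@<hr><center>(nginx|openresty)</center>@<hr><center>$brand</center>@g" "$sr"
}

# Verify: the brand is in place and no stock banner string remains. Non-zero exit on failure.
banner_check() {
    local src="$1" brand="${2:-FW}"
    grep -q "\"$brand/\" NGINX_VERSION" "$src/src/core/nginx.h" &&
    grep -q "\"Server: $brand\" CRLF" "$src/src/http/ngx_http_header_filter_module.c" &&
    ! grep -qE '<center>(nginx|openresty)</center>' "$src/src/http/ngx_http_special_response.c"
}

if [ "$#" -ge 1 ]; then
    hide_banner "$@"
    banner_check "$@" || { echo "banner check failed under $1" >&2; exit 1; }
    echo "banner strings replaced in $1"
fi
```

Run it before ./configure; OpenResty's configure copies bundle/ into build/, so edits made afterwards are not picked up until configure runs again.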
3. Add third-party module
3.1 Add the dynamic upstream configuration module ngx_http_dyups_module
cd /root
git clone https://github.com/yzprofile/ngx_http_dyups_module.git
3.2 Add the upstream health-check module nginx_upstream_check_module
git clone https://github.com/yaoweibin/nginx_upstream_check_module.git
3.3 Add nginx monitoring module nginx-module-vts
git clone https://github.com/vozlt/nginx-module-vts.git
4. Compile the hardened nginx
Switch to the nginx source directory and apply the health-check patch:
cd /root/openresty-1.21.4.1/bundle/nginx-1.21.4/
patch -p1 < /root/nginx_upstream_check_module/check_1.20.1+.patch
cd /root/openresty-1.21.4.1/
./configure --prefix=/apps/nginx \
    --with-http_realip_module \
    --with-http_v2_module \
    --with-http_image_filter_module \
    --with-http_iconv_module \
    --with-stream_realip_module \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_geoip_module \
    --with-http_slice_module \
    --with-http_sub_module \
    --add-module=/root/ngx_http_dyups_module \
    --add-module=/root/nginx_upstream_check_module \
    --with-http_stub_status_module \
    --with-http_geoip_module \
    --with-http_gzip_static_module \
    --add-module=/root/nginx-module-vts
make
make install
If the check patch has not actually been applied (on a minimal install the `patch` command is often missing, so the `patch -p1` step above fails and the sources stay unpatched), the build stops inside nginx-module-vts. The vts module sees nginx_upstream_check_module in the module list and compiles code that reads the `check_index` field, which only exists in `ngx_http_upstream_rr_peer_t` once the check module's patch has been applied:

/root/nginx-module-vts/src/ngx_http_vhost_traffic_status_display_json.c: In function ‘ngx_http_vhost_traffic_status_display_set_upstream_grou’:
/root/nginx-module-vts/src/ngx_http_vhost_traffic_status_display_json.c:604:61: error: ‘ngx_http_upstream_rr_peer_t’ {aka ‘struct ngx_http_upstream_rr_peer_s’} has no member named ‘check_index’; did you mean ‘checked’?
     if (ngx_http_upstream_check_peer_down(peer->check_index)) {
                                                 ^~~~~~~~~~~
                                                 checked
make[2]: *** [objs/Makefile:3330: objs/addon/src/ngx_http_vhost_traffic_status_display_json.o] Error 1
make[2]: Leaving directory '/root/openresty-1.21.4.1/build/nginx-1.21.4'
make[1]: *** [Makefile:10: build] Error 2
make[1]: Leaving directory '/root/openresty-1.21.4.1/build/nginx-1.21.4'
make: *** [Makefile:9: all] Error 2

Fix: install patch, apply the check patch to the bundled nginx source, then run the ./configure, make and make install step above again. OpenResty's ./configure copies bundle/ into build/ (which is why the error shows build/nginx-1.21.4), so the patch has to be in place before configure runs:

yum install patch
cd /root/openresty-1.21.4.1/bundle/nginx-1.21.4/
patch -p1 < /root/nginx_upstream_check_module/check_1.20.1+.patch
Start:
/apps/nginx/nginx/sbin/nginx -c /apps/nginx/nginx/conf/nginx.conf
Reload:
/apps/nginx/nginx/sbin/nginx -s reload -c /apps/nginx/nginx/conf/nginx.conf
5. Nginx upgrade
Premises:
1. There are several nginx instances behind the load balancer, so removing one from the LB does not affect the service.
2. pid path: /data/data/nginx/conf/nginx.pid
3. The conf directory is independent of the install prefix: /data/data/nginx/conf/

Upgrade steps:
1. Remove the nginx to be upgraded from the LB, watch its access log, and make sure no traffic is arriving before taking the next step.
2. Build the new version into a new prefix: ./configure --prefix=/apps/nginx_new (same modules and hardening as in section 4).
3. After installation, point the conf in the nginx_new directory to /data/data/nginx/conf/.
4. Switch to the new binary. Note that `/apps/nginx_new/nginx/sbin/nginx -s reload -c /data/data/nginx/conf/nginx.conf` only sends SIGHUP to the master named in the pid file, so the old binary keeps running with a re-read config and nothing has been upgraded. Since the node is drained, stop the old master gracefully (`/apps/nginx/nginx/sbin/nginx -s quit -c /data/data/nginx/conf/nginx.conf`), wait for the pid file to disappear, and start the new one (`/apps/nginx_new/nginx/sbin/nginx -c /data/data/nginx/conf/nginx.conf`). The in-place alternative, the USR2/QUIT binary upgrade, re-executes the path the old master was started from, so it only helps when the new binary is installed over the old path.
5. Verify the upgraded nginx (nginx -V shows the running build). If there is no problem, put it back behind the LB and repeat the steps for the remaining instances.
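Steps 1 and 4 as a script, added here as an example (not part of the original notes): the drain check turns "make sure there is no traffic" into a measurable condition, and the switch stops the old master and starts the new build on the shared conf instead of sending a reload. The access-log path is the one from 6.13, the binary and conf paths are the ones from sections 4 and 5; the function names and the quiet/maximum wait values are my own.

```bash
#!/usr/bin/env bash
# Drain check and binary switch for one node that is already out of the LB (section 5).
# Added example, not part of the original notes; paths follow sections 4, 5 and 6.13.
set -euo pipefail

# Return 0 once LOG has not grown for QUIET seconds, 1 if it is still growing after MAX seconds.
# This is step 1 ("make sure there is no traffic") as a check rather than a look at tail -f.
wait_for_drain() {
    local log="$1" quiet="${2:-30}" max="${3:-600}"
    local waited=0 before after
    before=$(wc -l < "$log" | tr -d ' ')
    while [ "$waited" -lt "$max" ]; do
        sleep "$quiet"
        waited=$((waited + quiet))
        after=$(wc -l < "$log" | tr -d ' ')
        [ "$after" -eq "$before" ] && return 0
        before=$after
    done
    return 1
}

# Stop the old master gracefully and start the new build on the shared conf directory.
# `nginx -s reload` would only SIGHUP the old binary, so it is deliberately not used here.
switch_binary() {
    local old_bin="$1" new_bin="$2" conf="$3" pidfile="$4"
    "$new_bin" -t -c "$conf"             # the new build must accept the existing config first
    "$old_bin" -s quit -c "$conf"        # graceful stop: workers finish in-flight requests
    while [ -f "$pidfile" ]; do sleep 1; done   # nginx removes the pid file when the master exits
    "$new_bin" -c "$conf"
    "$new_bin" -V                        # shows which build is now running
}

if [ "$#" -ge 1 ] && [ "$1" = "upgrade" ]; then
    wait_for_drain /data/log/nginx/nginx_access.log 30 600 \
        || { echo "access log still growing after 10 minutes; is this node really out of the LB?" >&2; exit 1; }
    switch_binary /apps/nginx/nginx/sbin/nginx /apps/nginx_new/nginx/sbin/nginx \
        /data/data/nginx/conf/nginx.conf /data/data/nginx/conf/nginx.pid
fi
```

Run as `./upgrade.sh upgrade` on the drained node; if the drain check times out the script refuses to touch the running nginx.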
6. Nginx security configuration
6.1 Information disclosure: turn off the nginx version display
http {
    server_tokens off;
    ...
}

With server_tokens off, the Server header and the error-page footer carry only the product name (after the section-2 edits "FW" instead of nginx/openresty); with it on they carry NGINX_VER ("FW/6666.6" after the edits). Hiding the version removes no vulnerability, it only denies an attacker the cheap version-to-CVE lookup, so it is no substitute for upgrading (6.15).
6.2 Disabling unneeded nginx modules
# ./configure --without-http_autoindex_module
# make
# make install

Every module compiled in is attack surface and configuration surface; autoindex, for example, lists directory contents wherever it is switched on. These --without-* flags belong on the same ./configure line as the section-4 build, because each ./configure replaces the previous configuration.
6.3 Control resource use and limits
## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

client_body_buffer_size 1k (default 8k or 16k depending on platform): size of the buffer used to read the request body. A body larger than the buffer is written, in whole or in part, to a temporary file.

client_header_buffer_size 1k: size of the buffer for the request line and headers. Most request headers are under 1k; if a client sends more (large cookies, for example), nginx allocates bigger buffers according to large_client_header_buffers.

client_max_body_size 1k: maximum request body size allowed, checked against the Content-Length header. A larger request gets "Request Entity Too Large" (413); browsers cannot display this error properly. Treat 1k as an illustration rather than a value to copy: it rejects every file upload and most form POSTs, so set it per location to what the application actually needs.

large_client_header_buffers 2 1k: number and size of the buffers for large request headers. A request line longer than one buffer gets "Request-URI Too Large" (414); a single header field longer than one buffer gets "Bad Request" (400). The buffers are allocated only when needed; by default their size equals the system page size, usually 4k or 8k, and they are released once the connection goes into keep-alive.

Together these settings bound how much memory a single connection can make nginx allocate and how much data it may upload, which is what limits slow-request and oversized-request denial of service.
## Start: Timeouts ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## End: Timeouts ##

client_body_timeout 10: timeout for reading the request body. It applies between two successive read operations, not to the transfer of the whole body; if the client sends nothing within this time nginx returns "Request Time-out" (408).

client_header_timeout 10: timeout for reading the whole request header. If the client has not finished sending its headers within this time nginx returns "Request Time-out" (408).

keepalive_timeout 5 5: the first value is how long an idle keep-alive connection stays open on the server side before nginx closes it. The optional second value is sent to the client as "Keep-Alive: timeout=time", so that browsers which honour it close the connection themselves instead of leaving that to the server; if it is omitted the header is not sent. The two values may differ.

send_timeout 10: timeout for transmitting the response to the client. It applies between two successive write operations, not to the whole response; if the client accepts no data within this time nginx closes the connection.

Short timeouts cap how long a slow client (slowloris-style partial headers, or a body trickled in a byte at a time) can hold a worker connection. The cost is that legitimately slow clients on poor links get 408s, so tune the values instead of copying them.
6.4 Disable unnecessary HTTP methods
location / {
    limit_except GET HEAD POST {
        deny all;
    }
}

limit_except lists the allowed methods (allowing GET implies HEAD) and applies the nested access rules to every other method, so anything else gets 403. The same can be done with an if block, which also works at server level; 444 closes the connection without sending a response:

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}
6.5 Preventing Host header attacks
server {
    listen 80 default_server;
    server_name _;
    location / {
        return 403;
    }
}

A request whose Host header matches none of the configured server_name values lands in the default server, which answers 403 (or 444 to drop the connection) instead of passing a forged Host through to an application that might use it to build links, redirects or password-reset URLs. Do the same for port 443: a default_server block on 443 needs a certificate, but without it unknown hostnames reach the first TLS server block defined.
6.6 Configuring SSL and cipher suites
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

This disables SSLv3, TLS 1.0 and TLS 1.1. No ssl_ciphers line is set here, so the OpenSSL default cipher list applies; add an explicit ssl_ciphers list restricted to AEAD suites, and verify the result with an external scanner rather than by reading the config.
6.7 Preventing image hotlinking
location /images/ {
    valid_referers none blocked www.example.com example.com;
    if ($invalid_referer) {
        return 403;
    }
}

A variant that sends hotlinkers a replacement image instead of a 403:

location /images/ {
    valid_referers blocked www.example.com example.com;
    if ($invalid_referer) {
        rewrite ^/images/uploads.*\.(gif|jpg|jpeg|png)$ http://www.example.com/banned.jpg last;
    }
}

Two caveats. The second variant omits `none`, so requests without any Referer (direct visits, privacy-conscious browsers, HTTPS pages linking to HTTP) are blocked too. And because the rewrite target is an absolute URL nginx answers with a 302, after which the browser requests banned.jpg with the same foreign Referer; serve banned.jpg from a path outside /images/ or the rule loops. Referer is set by the client and trivially faked, so this stops casual hotlinking, not a determined one.
6.8 Directory restrictions
location /docs/ {
    ## block one workstation
    deny 192.168.1.1;
    ## allow anyone in 192.168.1.0/24
    allow 192.168.1.0/24;
    ## drop rest of the world
    deny all;
}

Rules are evaluated in order and the first match wins, which is why the single-host deny comes before the subnet allow. Behind a load balancer the address seen is the LB's, so enable the realip module (compiled in above) with set_real_ip_from/real_ip_header, otherwise every client shares one address.

Password protection with HTTP basic auth:

mkdir /app/nginx/nginx/conf/.htpasswd/
htpasswd -c /app/nginx/nginx/conf/.htpasswd/passwd user

location ~ /(personal-images/.*|delta/.*) {
    auth_basic "Restricted";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
}

Adding another user:

htpasswd -s /usr/local/nginx/conf/.htpasswd/passwd userName

The file created by htpasswd and the one named in auth_basic_user_file must be the same path. `-c` creates (and truncates) the file, so use it only for the first user. `-s` stores unsalted SHA-1, which nginx accepts but which is weak against offline cracking if the file leaks; the htpasswd default (`-m`, salted apr1 MD5) is the better of the formats nginx verifies. Keep the file outside the web root and readable only by the nginx user, and since basic auth sends credentials in the clear, use it only on the HTTPS site (6.12).
6.9 Reject some User-Agents
## Block download agents ##
if ($http_user_agent ~* "LWP::Simple|BBBike|wget") {
    return 403;
}

The User-Agent string is chosen by the client (`wget -U "Mozilla/5.0"` passes this rule), so treat this as a filter for lazy scrapers, not as access control.
6.10 nginx to Internet IP
6.11 Configure reasonable response headers
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Caveats:
1. add_header is not additive across levels: a location block that sets any add_header of its own inherits none from the server or http level, so put these where every location receives them, or repeat them. Without `always` a header is added only to 2xx/3xx responses, not to error pages.
2. This CSP allows scripts from any http: or https: origin plus 'unsafe-inline', so it does almost nothing against injected script; it is a starting point to tighten per application, not a final policy.
3. Send Strict-Transport-Security only on the HTTPS server, and add `preload` only once every subdomain is served over TLS: submission to the browser preload lists is hard to undo.
4. X-XSS-Protection is ignored by current browsers; it is harmless but should not be relied on.
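Because of the add_header inheritance rule, the only reliable way to know what a given URL actually returns is to look at the response. As an added example (not part of the original notes), a small audit that checks a captured `curl -sI` response for the headers of this section and for a version number in the Server header (6.1 and section 2). The required header set, the patterns and the sample responses are constructed for the example; adjust them to the policy you actually deploy.

```bash
#!/usr/bin/env bash
# Audit the response headers from 6.11 on a captured response, e.g. `curl -sI https://host/`.
# Added example, not part of the original notes; the required set and patterns are a choice.
set -euo pipefail

# header-name:regex the value must match (names lower-cased); space-separated so it is POSIX-sh friendly
REQUIRED='x-frame-options:(SAMEORIGIN|DENY) strict-transport-security:max-age=[0-9]+ content-security-policy:default-src x-content-type-options:nosniff'

# Print one line per finding ("missing <header>", "weak <header>: <value>", version disclosure)
# and return 1 if there was any; return 0 for a clean response.
audit_headers() {
    local headers="$1" rc=0 norm spec name pattern value server
    # normalise: drop CRs, lower-case the names, keep the value after the first ": "
    norm=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk -F': ' 'NF > 1 { printf "%s:%s\n", tolower($1), substr($0, index($0, ": ") + 2) }')
    set -f   # the patterns contain [ ] and must not be glob-expanded
    for spec in $REQUIRED; do
        name=${spec%%:*}
        pattern=${spec#*:}
        value=$(printf '%s\n' "$norm" | awk -F: -v n="$name" '$1 == n { print substr($0, length(n) + 2); exit }')
        if [ -z "$value" ]; then
            echo "missing $name"; rc=1
        elif ! printf '%s' "$value" | grep -Eq "$pattern"; then
            echo "weak $name: $value"; rc=1
        fi
    done
    set +f
    # 6.1 / section 2: the Server header must not look like name/version
    server=$(printf '%s\n' "$norm" | awk -F: '$1 == "server" { print substr($0, 8); exit }')
    if printf '%s' "$server" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo "version disclosed in Server: $server"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real host)
SAMPLE_OK=$(printf '%s\n' 'HTTP/2 200' 'server: FW' \
    'strict-transport-security: max-age=31536000; includeSubdomains' \
    'x-frame-options: SAMEORIGIN' "content-security-policy: default-src 'self'" \
    'x-content-type-options: nosniff')
SAMPLE_BAD=$(printf '%s\n' 'HTTP/1.1 200 OK' 'Server: nginx/1.21.4' \
    'X-Frame-Options: ALLOWALL' 'X-Content-Type-Options: nosniff')

if [ "$#" -ge 1 ]; then
    audit_headers "$(curl -sI "$1")" && echo "all required headers present on $1"
fi
```

Run it per URL (`./audit_headers.sh https://www.example.com/some/location/`), not just on the front page, since a location with its own add_header silently drops the inherited ones.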
6.12 Full-site HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name .example.com;
    return 301 https://$host$request_uri;
}

Marking this block default_server makes it the catch-all for port 80, which undoes the 403 default server from 6.5 and redirects requests with any Host value to https://<that host>/. Keep the 6.5 block as the default and leave default_server off this one; then $host is always one of the example.com names, and the HTTPS server for those names should send the Strict-Transport-Security header from 6.11.
6.13 Control the number of concurrent connections
http {
    limit_conn_zone $binary_remote_addr zone=limit1:10m;
    server {
        listen 80;
        server_name example.com;
        root /apps/project/webapp;
        index index.html;
        location / {
            limit_conn limit1 10;
        }
        access_log /data/log/nginx/nginx_access.log main;
    }
}

The zone name used in limit_conn must be the zone= name declared in limit_conn_zone. A second zone keyed on $server_name caps the whole virtual host as well:

http {
    limit_conn_zone $binary_remote_addr zone=limit1:10m;
    limit_conn_zone $server_name zone=limit2:10m;
    server {
        listen 80;
        server_name example.com;
        root /data/project/webapp;
        index index.html;
        location / {
            limit_conn limit1 10;      # at most 10 concurrent connections per client IP
            limit_conn limit2 2000;    # at most 2000 concurrent connections to this virtual host
        }
    }
}

A connection over the limit is rejected with 503 by default (limit_conn_status). The zone is keyed on $binary_remote_addr rather than $remote_addr because the binary form is shorter, so tens of thousands of client states fit in each megabyte. Per-IP limits also hit everyone behind a shared NAT or proxy address, and when nginx sits behind a load balancer the realip module (compiled in above) is needed so that the key is the real client rather than the LB.
6.14 Process, connection and request limits
user www;
worker_processes 4;
error_log /data/log/nginx/nginx_error.log crit;
pid /data/data/nginx/conf/nginx.pid;
events {
    use epoll;
    worker_connections 65535;
}

`user www` makes the worker processes drop to an unprivileged account (the master stays root to bind ports 80/443 and read the key files). worker_connections 65535 is only reachable if the file-descriptor limit allows it, so pair it with worker_rlimit_nofile or a matching ulimit -n. error_log at crit suppresses everything below critical, including the "limiting requests" and "limiting connections" messages that the limit modules write at error level, so with this setting you will not see the limits below fire; use error (or limit_req_log_level) while tuning them.

ngx_http_limit_req_module (formerly HttpLimitReqModule): limits the request rate for a key such as a single IP.
ngx_http_limit_conn_module (formerly HttpLimitZoneModule): limits the number of concurrent connections for a key such as a single IP.

http {
    limit_req_zone $binary_remote_addr zone=test_req:10m rate=20r/s;
    …
    server {
        …
        location /download/ {
            limit_req zone=test_req burst=5 nodelay;
        }
    }
}

rate=20r/s is the sustained rate per key; burst=5 lets up to 5 requests above that rate through, and nodelay serves them at once instead of queuing them to the rate. Requests beyond the burst are rejected with 503 (limit_req_status).

http {
    limit_conn_zone $binary_remote_addr zone=test_zone:10m;
    server {
        location /download/ {
            limit_conn test_zone 10;
            limit_rate 500k;
        }
    }
}

`limit_conn_zone test_zone $binary_remote_addr 10m` is the syntax of the old limit_zone directive, which was removed in nginx 1.7.6; on 1.21.4 the zone has to be declared as `limit_conn_zone $binary_remote_addr zone=test_zone:10m`. limit_rate 500k caps each connection's download speed, so together a client gets at most 10 parallel downloads of /download/ at 500 KB/s each.
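With error_log at crit the rejections never reach the error log, so the access log is where you see whether the limits in 6.13 and 6.14 are firing and against whom. As an added example (not part of the original notes), two awk one-liners wrapped in functions over a log in the `main` format used in 6.13 ($remote_addr is field 1, $status is field 9): one lists clients with repeated 503 rejections, the other the single busiest client, which catches a source hammering a path that has no limit_req yet. The sample log lines are constructed.

```bash
#!/usr/bin/env bash
# Spot clients that are being rejected by limit_req / limit_conn (status 503 by default)
# in an access log written with the "main" format used in 6.13 ($remote_addr is field 1,
# $status is field 9). Added example, not part of the original notes; the log lines are constructed.
set -euo pipefail

# Print "<count> <ip>" for each client with at least MIN rejected requests, most frequent first.
limited_clients() {
    local log="$1" min="${2:-5}"
    awk -v min="$min" '$9 == 503 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' "$log" | sort -rn
}

# Print "<ip> <percent>" for the client with the most requests overall, to catch a source
# that is hammering the server but has not been limited yet (e.g. a path without limit_req).
top_client_share() {
    local log="$1"
    awk '{ n[$1]++; total++ }
        END { for (ip in n) if (n[ip] > best) { best = n[ip]; who = ip }
              printf "%s %.0f\n", who, 100 * best / total }' "$log"
}

# Constructed sample in the "main" log format (not a real capture)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /download/a.iso HTTP/1.1" 200 1048576 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /download/a.iso HTTP/1.1" 503 197 "-" "curl/8.0.1" "-"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "POST /download/ HTTP/1.1" 503 197 "-" "python-requests/2.31" "-"
EOF

if [ "$#" -ge 1 ]; then
    echo "clients with >= ${2:-5} rate-limit rejections:"; limited_clients "$1" "${2:-5}"
    echo "busiest client (share of all requests):"; top_client_share "$1"
fi
```

Point it at the real log (`./limits_report.sh /data/log/nginx/nginx_access.log 20`); a client that tops the share list without appearing in the 503 list is one the current limits are not reaching.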
6.15 Regular upgrade