nginx XSS漏洞修复、nginx 域名配置、nginx https证书配置、Http不安全响应头处理方法

因为工作原因,很久没有发布博客了,今天正好总结一下。

nginx XSS漏洞修复(以下指令均写在 server 块中): server_name oris.pkuph.cn;

#配置 CSP(内容安全策略)

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';";

#Http缺失或不安全的处理方法

add_header X-Content-Type-Options "nosniff";

nginx 域名配置:

server_name oris.pkuph.cn;

nginx https证书配置:

ssl_certificate /wanmagroup/projects/acme-challenge/_.pkuph.cn.crt;

ssl_certificate_key /wanmagroup/projects/acme-challenge/_.pkuph.cn.key;

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 5m;

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

ssl_prefer_server_ciphers on;

#user  nginx;
# Main context: a single worker process; error log path and level.
worker_processes  1;

error_log  /usr/share/nginx/logs/error.log notice;
#pid        /run/nginx.pid;


# Connection processing: maximum simultaneous connections per worker process.
events {
    worker_connections  1024;
}


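http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /usr/share/nginx/logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # WebSocket support: derive the Connection header sent upstream from the
    # client's Upgrade header ("upgrade" when present, "close" when absent).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Backend application server (plain HTTP on the loopback interface).
    upstream mtis-server {
        server localhost:15686;
    }

    server {
        listen       443 ssl;
        #listen       8088;
        # Domain name
        server_name  oris.pkuph.cn;

        # Content-Security-Policy: only same-origin scripts, styles and images may load.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';";
        # Stop browsers from MIME-sniffing a response away from its declared type.
        add_header X-Content-Type-Options "nosniff";
        # NOTE(review): consider adding Strict-Transport-Security once every host
        # under this name is served over HTTPS only.

        # Certificate configuration
        ssl_certificate      /wanmagroup/projects/acme-challenge/_.pkuph.cn.crt;
        ssl_certificate_key  /wanmagroup/projects/acme-challenge/_.pkuph.cn.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.1 is deprecated (RFC 8996) and is flagged by scanners;
        # offer only TLS 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_prefer_server_ciphers on;

        # Hide the nginx version in the Server header and on error pages.
        server_tokens off;

        # Forwarding headers for the backend. proxy_set_header is inherited by a
        # location only when that location declares no proxy_set_header of its
        # own, so every proxying location below repeats the full set.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        charset utf-8;

        # Very large header buffers: a single client can make nginx hold up to
        # 4 x 512k for request headers alone -- confirm the application needs this.
        client_header_buffer_size 512k;
        large_client_header_buffers 4 512k;

        # Relative path: resolved against the nginx prefix directory.
        access_log  logs/host.access.log  main;

        location ^~ /wm-iot/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            # Repeated here because declaring any proxy_set_header in this
            # location cancels inheritance of the server-level ones.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #proxy_read_timeout 3600s;   # default closes idle connections after 60s; extend if needed
            # WebSocket upgrade passthrough
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location ^~ /wm-haikang/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            # Repeated here for the same inheritance reason as /wm-iot/.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location ^~ /wm-mtis/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 60s;
        }

        # Long-lived static assets. Anchored with '$' so only URIs that END in one
        # of these extensions match (unanchored, "/x.png/anything" matched too).
        location ~* .*\.(gif|ico|png|jpg|eot|svg|ttf|woff|txt|pdf|json)$ {
            root  /wanmagroup/projects/static;
            expires 30d;
        }

        # Short-lived assets. Regex locations match in file order, so "json" is
        # already claimed by the block above and is not repeated here.
        location ~* .*\.(js|css)$ {
            root  /wanmagroup/projects/static;
            expires 1h;
        }

        # Fabric platform: the default site served at /
        location / {
            root  /wanmagroup/projects/static/page;
            index index.html index.htm;
        }

        # Redirect to this server's own name instead of the client-supplied Host
        # header, so the Location target cannot be steered by the request.
        # $server_name carries no port; if a non-standard listen port is ever
        # used, switch to $host:$server_port.
        location /page/ {
            rewrite "^/page/(.*)$" $scheme://$server_name/$1 permanent;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}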