nginx XSS 漏洞修复、nginx 域名配置、nginx HTTPS 证书配置、HTTP 响应头缺失或不安全的处理方法

因为工作原因,很久没有发布博客了,今天正好总结一下。

nginx XSS 漏洞修复(以下响应头添加在 server_name oris.pkuph.cn; 所在的 server 块中):

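# Content Security Policy (CSP): restrict scripts, styles, images and every
# other fetch type (via default-src) to the site's own origin.
# CSP limits what an injected script can do; it does not remove the injection
# itself, so output encoding in the application is still required.
# "always" makes nginx send the header on error responses (4xx/5xx) as well;
# without it the header is only added to 2xx/3xx responses.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';" always;

# Handling for the "missing or insecure HTTP header" finding:
# stop browsers from MIME-sniffing a response into a different content type.
# NOTE: add_header is inherited by a location only if that location defines
# no add_header of its own; repeat both headers wherever one is added.
add_header X-Content-Type-Options "nosniff" always;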

nginx 域名配置:

# Host name this server block answers for (compared with the Host request header).
server_name oris.pkuph.cn;

nginx https证书配置:

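# Wildcard certificate and its private key.
# NOTE(review): the directory is named "acme-challenge"; confirm it is not
# served by any location and that the key file is readable only by the
# account that starts nginx.
ssl_certificate     /wanmagroup/projects/acme-challenge/_.pkuph.cn.crt;
ssl_certificate_key /wanmagroup/projects/acme-challenge/_.pkuph.cn.key;

# TLS session resumption: 1 MB cache shared between workers, 5 minute lifetime.
ssl_session_cache   shared:SSL:1m;
ssl_session_timeout 5m;

# Cipher list kept as the author wrote it. The ECDH/AES/HIGH groups are broad
# and also admit CBC suites and key exchanges without forward secrecy; list
# what it expands to with `openssl ciphers -v '<string>'` and trim it to what
# the clients actually need.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

# TLS 1.1 is deprecated (RFC 8996) and has been removed; only 1.2 and 1.3 remain.
ssl_protocols TLSv1.2 TLSv1.3;

# Use the server's cipher order rather than the client's.
ssl_prefer_server_ciphers on;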

# Main context.
# The user directive is left commented out, so nginx uses its built-in default
# for the worker account.
#user nginx;

# One worker process.
worker_processes 1;

# Error log, recording messages of severity "notice" and above.
error_log /usr/share/nginx/logs/error.log notice;
#pid /run/nginx.pid;


# Connection processing: at most 1024 simultaneous connections per worker.
events { worker_connections 1024; }


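# http context: MIME types, access logging, the WebSocket Connection map, the
# backend upstream and the HTTPS virtual host for oris.pkuph.cn.
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # $http_x_forwarded_for is copied from the request and is client-controlled;
    # only $remote_addr is the address nginx actually saw.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /usr/share/nginx/logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # WebSocket support: send "Connection: upgrade" upstream when the client
    # sent an Upgrade header, otherwise "Connection: close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream mtis-server {
        server localhost:15686;
    }

    server {
        listen       443 ssl;
        #listen       8088;

        # Domain name.
        # NOTE(review): this is the only server block in this file listening on
        # 443, so unless conf.d defines a default server it also answers
        # requests carrying any other Host value. That matters below, where
        # $http_host is forwarded upstream and used to build a redirect.
        server_name  oris.pkuph.cn;

        # Content Security Policy (CSP): same-origin only for scripts, styles,
        # images and (via default-src) every other fetch type. CSP limits what
        # an injected script can do; output encoding in the application is
        # still required. "always" also covers 4xx/5xx responses.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';" always;

        # Handling for the "missing or insecure HTTP header" finding:
        # disable MIME sniffing.
        # NOTE: a location that defines its own add_header stops inheriting
        # these two; repeat them there.
        # No Strict-Transport-Security header is set here; add one once
        # HTTPS-only operation is confirmed.
        add_header X-Content-Type-Options "nosniff" always;

        # Certificate and private key.
        # NOTE(review): the directory is named "acme-challenge"; confirm that
        # no location (including files pulled in from conf.d) serves it and
        # that the key is readable only by the account that starts nginx.
        ssl_certificate      /wanmagroup/projects/acme-challenge/_.pkuph.cn.crt;
        ssl_certificate_key  /wanmagroup/projects/acme-challenge/_.pkuph.cn.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Cipher list kept as written. The ECDH/AES/HIGH groups are broad and
        # also admit CBC suites and key exchanges without forward secrecy;
        # inspect the expansion with `openssl ciphers -v '<string>'` and trim.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

        # TLS 1.1 is deprecated (RFC 8996) and has been removed.
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_prefer_server_ciphers on;

        # Hide the nginx version in the Server header and on error pages.
        server_tokens off;

        # Defaults for proxied requests. proxy_set_header is inherited by a
        # location only if that location defines no proxy_set_header itself,
        # so every proxying location below repeats the full set.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        charset utf-8;

        # NOTE(review): 512k header buffers are far above the nginx defaults
        # and let a single connection hold a large amount of header memory;
        # size them to the largest legitimate request header instead.
        client_header_buffer_size 512k;
        large_client_header_buffers 4 512k;

        access_log  logs/host.access.log  main;

        # WebSocket-capable backend path.
        location ^~ /wm-iot/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            # Repeated here: the proxy_set_header lines in this location would
            # otherwise discard the server-level set, and the client's own
            # X-Forwarded-For / X-Real-IP would reach the backend unchanged.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #proxy_read_timeout 3600s;   # an idle connection is closed after the default 60s; raise this to keep it longer
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location ^~ /wm-haikang/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            # Repeated for the same inheritance reason as in /wm-iot/.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location ^~ /wm-mtis/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 60s;
        }

        # Long-lived static assets. The pattern is now anchored with "$" so it
        # matches only a file extension at the end of the path, not ".png" or
        # ".json" anywhere inside it; "woff2?" keeps .woff2 covered, which the
        # unanchored "woff" used to match.
        location ~* \.(gif|ico|png|jpg|eot|svg|ttf|woff2?|txt|pdf|json)$ {
            root  /wanmagroup/projects/static;
            expires 30d;
        }

        # Short-lived assets. "json" was listed here too but never took effect,
        # because the regex location above is tested first; .json keeps 30d.
        location ~* \.(js|css)$ {
            root  /wanmagroup/projects/static;
            expires 1h;
        }

        # Textile platform: everything else is served from the textile system
        # front end.
        location / {
            root  /wanmagroup/projects/static/page;
            index index.html index.htm;
        }

        # Redirect /page/<path> to /<path>.
        # NOTE(review): the Location header is built from the client-supplied
        # Host header ($http_host); see the note on server_name above.
        location /page/ {
            rewrite "^/page/(.*)$" $scheme://$http_host/$1 permanent;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}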