NGINX安全加固 - 网站服务器

###限制控制并发连接数及带宽
####注意：要开启限带宽功能，必须开启proxy_buffering，在server块或者location块中添加
	proxy_buffering on;
---
	http{
		#无代理情况
    	limit_req_zone $binary_remote_addr zone=allips:10m rate=1r/s;
    	limit_conn_zone $binary_remote_addr zone=one:10m;
		#有代理情况
		limit_req_zone  $http_x_forwarded_for zone=zone:10m rate=1r/s;
		limit_conn_zone $http_x_forwarded_for zone=one:10m;
		
    	limit_conn_status 503;
    	limit_conn_log_level error;
	}

location / {
        limit_rate_after 1m;
        limit_rate 512k;
        limit_conn one 5;
        limit_req zone=allips burst=5 nodelay;
    }
###防迅雷下载
	#以下代码写入 server {....} 内
	
	if ($http_user_agent ~ ^$) {
	return 503;
	}
	if ($http_user_agent ~* "Mozilla/4.0\ $compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;\ SV1;\ .NET\ CLR\ 1.1.4322;\ .NET\ CLR\ 2.0.50727$") {
	return 503;
	}

###防盗链
	location ~* \.(gif|jpg|png|jpeg)$ {
         valid_referers none blocked www.bao-server.club;# 
         if ($invalid_referer){
             return 403;
             #rewrite ^/ http://bbs.westos.org/daolian.png;
         }
    }

###检查是否控制超时时间-linux
	vi /usr/local/docker/nginx/conf/nginx.conf
	http {
		client_body_timeout 10;
		client_header_timeout 10;
		send_timeout 10;
	}
###未防止目录遍历
	http {
		autoindex off;
	}

###检查是否隐藏nginx版本信息-linux
	http {
		sendfile on;
		tcp_nopush on;
		keepalive_timeout 65;
		tcp_nodelay on;
		server_tokens off;
	}

###未限制IP访问
	vi /usr/local/docker/nginx/conf/nginx.conf
	location / {
	deny 192.168.1.1; #拒绝 IP
	allow 192.168.1.0/24; #允许 IP
	allow 10.1.1.0/16; #允许 IP
	deny all; #拒绝其他所有 IP
	}

---
###检测到弱密码套件：不支持完全前向保密
	#server块加入：
	
	ssl_protocols TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!RSA;
	ssl_prefer_server_ciphers on