Nginx高安全性配置

SSL加密套件

# Commented-out alternative cipher string, kept for reference. It relies on
# group keywords (ECDHE, ECDH, AES, HIGH) that expand to many suites; the
# active list below names individual suites instead.
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# Active cipher list: every entry is an AEAD suite (AES-GCM or
# ChaCha20-Poly1305), and the non-TLS_* entries all use ECDHE key exchange.
# NOTE(review): the three TLS_* names are TLS 1.3 suites. On OpenSSL-based
# builds ssl_ciphers governs TLS 1.2 and earlier only; TLS 1.3 suites are
# chosen separately (e.g. `ssl_conf_command Ciphersuites ...`), so these three
# entries probably have no effect here - confirm with `openssl s_client` or a
# TLS scanner against the running server.
# NOTE(review): this snippet has no ssl_protocols directive, so the protocol
# versions actually offered come from elsewhere in the config or from the
# nginx default; pin them explicitly (e.g. `ssl_protocols TLSv1.2 TLSv1.3;`).
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
# Curves offered for ECDHE, in preference order: X25519, then P-384.
ssl_ecdh_curve X25519:secp384r1;
# Negotiate using the server's cipher order above rather than the client's.
ssl_prefer_server_ciphers on;
# Disable TLS session tickets, so resumption relies on the server-side cache
# below. Tickets encrypted with a long-lived key weaken forward secrecy.
ssl_session_tickets off;
# Session cache named "SSL", shared between all worker processes, 1 MB in size.
ssl_session_cache shared:SSL:1m;
# A cached session can be resumed for 5 minutes.
ssl_session_timeout  5m;

Nginx全局配置

more_clear_headers 指令由 headers-more 模块提供,使用前需要先安装该模块:apt-get install libnginx-mod-http-headers-more-filter

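# Response security headers.
# Each add_header carries `always` so the header is also sent on error
# responses (4xx/5xx). Without it nginx attaches add_header values only to a
# fixed set of success and redirect status codes, while the more_clear_headers
# lines below strip the upstream copies on every response - which would leave
# error pages with no security headers at all.
# add_header is inherited from this level only by blocks that declare no
# add_header of their own; a server/location block that has its own add_header
# must repeat these lines.

# HSTS: max-age of 63072000 s (two years), extended to every subdomain, with
# the preload flag. Enable only once every subdomain serves HTTPS; a preload
# list entry is slow to undo.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
# Stop browsers from MIME-sniffing a response away from its declared type.
add_header X-Content-Type-Options nosniff always;
# Allow framing by same-origin pages only (clickjacking defence). The CSP
# `frame-ancestors` directive is the current equivalent.
add_header X-Frame-Options SAMEORIGIN always;
# Legacy header: current browsers have removed the XSS auditor it controls, so
# it adds little protection. A Content-Security-Policy is the effective
# control; OWASP's header guidance is to send "0" or omit this header.
add_header X-XSS-Protection "1; mode=block" always;

# Remove the same headers when they arrive from an upstream nginx that also
# sets them, so the client does not receive duplicates. Requires the
# headers-more module.
# NOTE(review): this relies on the headers-more filter running before
# add_header, so that only the upstream copy is removed. Verify with `curl -sI`
# that each header appears exactly once on both a 200 and an error response.
more_clear_headers "x-content-type-options";
more_clear_headers "x-frame-options";
more_clear_headers "x-xss-protection";
more_clear_headers "Strict-Transport-Security";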

拓展

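nginx 安装插件:先用 apt-cache search 查找可用的模块包,再用 apt-get install 安装。下面的示例安装的是 libnginx-mod-stream-geoip;本文用到的 more_clear_headers 对应的包是 libnginx-mod-http-headers-more-filter。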

root@MK-U:/opt/auto-bak# apt-cache search libnginx
libnginx-mod-http-geoip2 - GeoIP2 HTTP module for Nginx
libnginx-mod-http-image-filter - HTTP image filter module for Nginx
libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
libnginx-mod-mail - Mail module for Nginx
libnginx-mod-stream - Stream module for Nginx
libnginx-mod-stream-geoip2 - GeoIP2 Stream module for Nginx
libnginx-mod-http-auth-pam - PAM authentication module for Nginx
libnginx-mod-http-cache-purge - Purge content from Nginx caches
libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
libnginx-mod-http-ndk - Nginx Development Kit module
libnginx-mod-http-perl - Perl module for Nginx
libnginx-mod-http-subs-filter - Substitution filter module for Nginx
libnginx-mod-http-uploadprogress - Upload progress system for Nginx
libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
libnginx-mod-rtmp - RTMP support for Nginx
libnginx-mod-stream-geoip - GeoIP Stream module for Nginx

root@MK-U:/opt/auto-bak# apt-get install libnginx-mod-stream-geoip