# Main (process-level) context: worker identity, logging and module loading.
# Load the naxsi WAF module before anything that might reference its directives.
load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;

# Workers drop to the unprivileged nginx account; the master stays root to bind :80.
user nginx;
# One worker per CPU core.
worker_processes auto;
# Per-worker open-file limit; should exceed worker_connections in the events block.
worker_rlimit_nofile 65535;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# Connection-processing settings.
events {
    # Max simultaneous connections per worker (clients plus upstream sockets).
    worker_connections 20480;
}
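http {
    include /etc/nginx/mime.types;
    # naxsi core signatures; loaded once in the http context and applied in
    # every location that turns on SecRulesEnabled.
    include /etc/nginx/naxsi_core.rules;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    gzip on;
    # Free the buffers of timed-out client connections immediately instead of
    # waiting for a graceful close.
    reset_timedout_connection on;

    # All timeouts below are in seconds.
    # Time allowed to receive the complete request header after the connection
    # is established; on expiry the client gets 408 (Request Timeout).
    client_header_timeout 60;
    # Time allowed between two successive reads of the request body; on expiry
    # the client gets 408 (Request Timeout).
    client_body_timeout 300;
    # Time allowed between two successive writes of the response to the client;
    # if the client receives nothing within this period the connection is closed.
    send_timeout 300;
    # Idle keep-alive timeout; afterwards both nginx and the browser close the
    # connection.
    keepalive_timeout 75;
    # DNS resolution timeout. Left disabled as in the original; note that the
    # nginx directive is spelled resolver_timeout, so this line would not parse
    # if uncommented as written.
    #resolve_timeout 30;
    # Time allowed to establish a TCP connection to the proxied server.
    proxy_connect_timeout 300;
    # Time allowed between two successive writes to the proxied server.
    proxy_send_timeout 300;
    # Time allowed between two successive reads from the proxied server.
    proxy_read_timeout 300;

    # Largest accepted request body (nginx answers 413 above this); bodies larger
    # than client_body_buffer_size are spooled to a temp file before inspection.
    client_max_body_size 100m;
    client_body_buffer_size 10m;

    # Value for the upstream Connection header: "upgrade" only when the client
    # sent an Upgrade header (WebSocket), otherwise "close" (nginx's default for
    # proxied requests). Sending "upgrade" unconditionally, as before, tagged
    # every ordinary API request as an upgrade attempt.
    # NOTE(review): if a file under conf.d/ already defines this map, keep one.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    include /etc/nginx/conf.d/*.conf;

    # Plain HTTP only; TLS is not configured in this file — presumably terminated
    # in front of this container, confirm before exposing it directly.
    # Being the only :80 server it also receives requests for any other Host.
    server {
        listen 80;
        server_name wxapp-admin-web.hongkun-dev.com wxapp-admin-web.hongkun.com.cn;

        # API traffic: inspected by naxsi, then proxied to the backend container.
        location ^~ /api/ {
            SecRulesEnabled; #enable naxsi
            # LearningMode means naxsi logs matches instead of enforcing the
            # BLOCK actions below.
            # NOTE(review): whether DeniedUrl is still invoked in learning mode
            # depends on the naxsi version; confirm on the deployed build whether
            # these rules currently return 403 or only log.
            LearningMode; #enable learning mode
            LibInjectionSql; #enable libinjection support for SQLI
            LibInjectionXss; #enable libinjection support for XSS
            DeniedUrl "/RequestDenied"; #the location where naxsi will redirect the request when it is blocked
            # Score thresholds per rule family; a request at or above any of them
            # is blocked (outside learning mode).
            CheckRule "$SQL >= 8" BLOCK; #the action to take when the $SQL score is superior or equal to 8
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$UPLOAD >= 5" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Kept as in the original; it only sets uwsgi_param directives,
            # which proxy_pass does not use.
            include uwsgi_params;
            proxy_pass http://wxapp-admin-api:8080/;
            # Rewrite backend Location/Refresh headers back under the /api/ prefix.
            proxy_redirect http://$host/ http://$host/api/;
            # The Upgrade header is only honoured on an HTTP/1.1 upstream
            # connection; nginx proxies with HTTP/1.0 unless told otherwise, so
            # WebSocket upgrades could not succeed without this line.
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # Response buffering: 512k header buffer, 8 x 512k body buffers.
            proxy_buffer_size 512k;
            proxy_buffers 8 512k;
            proxy_busy_buffers_size 512k;
            proxy_temp_file_write_size 512k;
        }

        # Target of naxsi's internal redirect for blocked requests. "internal"
        # makes it unreachable from outside (direct requests get 404).
        location /RequestDenied {
            internal;
            return 403;
        }

        # Static front-end with SPA fallback, also behind naxsi.
        location / {
            SecRulesEnabled; #enable naxsi
            # Same learning-mode caveat as in the /api/ location.
            LearningMode; #enable learning mode
            LibInjectionSql; #enable libinjection support for SQLI
            LibInjectionXss; #enable libinjection support for XSS
            DeniedUrl "/RequestDenied"; #the location where naxsi will redirect the request when it is blocked
            CheckRule "$SQL >= 8" BLOCK; #the action to take when the $SQL score is superior or equal to 8
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$UPLOAD >= 5" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            root /usr/share/nginx/html;
            # Serve the file or directory if it exists, else the SPA entry point.
            try_files $uri $uri/ /index.html;
        }
    }
}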