标题:这是我在51CTO博客的第一篇博文



一、自我介绍


我是 Web 技术爱好者,喜欢钻研技术,熟悉 Java Web 技术、容器化技术和基础中间件技术。



二、技术分享——nginx接入层最佳实践

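user  nginx;
worker_processes auto;

# "notice" suppresses debug/info; notice, warn, error, crit, alert and emerg are still written.
error_log logs/error.log notice;
pid nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # $http_x_forwarded_for is client-supplied; treat it as untrusted unless a proxy in front
    # of this host is known to overwrite it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    charset utf-8;

    # hide_server_tokens and security_headers come from the third-party ngx_security_headers
    # module. nginx refuses to start on an unknown directive, so keep them only on a build
    # that was compiled with that module.
    # hide_server_tokens removes the Server header entirely (server_tokens only hides the version).
    hide_server_tokens on;
    # security_headers on; is the module's shorthand for these four headers:
    #   X-Content-Type-Options: nosniff
    #   X-XSS-Protection: 1; mode=block   (legacy filter; current guidance is "0" plus a CSP)
    #   X-Frame-Options: SAMEORIGIN
    #   Referrer-Policy: strict-origin-when-cross-origin
    security_headers on;

    # Strip headers that fingerprint the upstream application stack.
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;

    # Default cookie hardening for proxied responses. NOTE: proxy_cookie_flags is inherited
    # only if the lower level defines none of its own, so any server/location that sets
    # proxy_cookie_flags must restate the full flag set (see the vhost below).
    proxy_cookie_flags ~ httponly samesite=strict;

    # Catch-all for requests whose SNI / Host matches no server_name: abort the TLS handshake
    # instead of answering with the first vhost's certificate. The site is thereby reachable
    # only via its domain name, not via raw IP.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    # No port-80 listener is defined, so plain http:// requests are refused rather than
    # redirected. If an HTTP entry point is wanted, add a separate
    #   server { listen 80 default_server; return 301 https://$host$request_uri; }
    # rather than serving content over HTTP.

    server {
        listen 443 ssl;
        server_name liyh.jsbnb.top;

        ssl_certificate conf.d/cert/6920756__jsbnb.top.pem;
        ssl_certificate_key conf.d/cert/6920756__jsbnb.top.key;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # Tickets off: nginx never rotates the ticket key on its own, which weakens forward secrecy.
        ssl_session_tickets off;

        # Cipher list per https://ssl-config.mozilla.org (intermediate profile); regenerate it for
        # the nginx/OpenSSL versions actually in use. TLS 1.3 suites are not affected by this list.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
        # TLSv1.3 is accepted by every nginx new enough for proxy_cookie_flags / ssl_reject_handshake
        # (1.19.x+); it is only negotiated when nginx is linked against OpenSSL 1.1.1 or later.
        ssl_protocols TLSv1.2 TLSv1.3;

        # HSTS for two years (ngx_http_headers_module); "always" also emits it on error responses.
        # Add "; includeSubDomains; preload" only once every subdomain is HTTPS-only.
        add_header Strict-Transport-Security "max-age=63072000" always;

        # Fix: this level REPLACES the http-level proxy_cookie_flags (no merge), so with only
        # "secure" here the httponly/samesite flags were silently dropped for this vhost.
        proxy_cookie_flags ~ secure httponly samesite=strict;

        # Fix: the literal placeholder "value" is not a defined value for either header.
        # X-Download-Options: noopen -> legacy IE will not open downloads in the site's origin context.
        add_header X-Download-Options "noopen" always;
        # X-Permitted-Cross-Domain-Policies: none -> no Flash/Acrobat cross-domain policy files are honoured.
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        # Applies to every response of this vhost, static assets included; scope it to /api if
        # browser caching of front-end assets matters. "always" keeps it on non-2xx/3xx responses.
        add_header Cache-Control "no-store" always;

        # Adjust to the application. No default-src is declared, so every fetch directive not
        # listed (style-src, img-src, connect-src, ...) is unrestricted; consider adding
        # "default-src 'self'" and using "object-src 'none'" unless plugins are really needed.
        # The sha256 value pins one inline script and must be regenerated whenever it changes.
        # add_header directives here are inherited by the locations below only because none of
        # those locations declares an add_header of its own.
        add_header Content-Security-Policy "script-src 'self' 'sha256-ICF/xw6+Mn7uEuzpCyyK0Ob3YCNMMWhJ8Ft+Kn0O6TE='; font-src 'self' data:; object-src 'self'; frame-src 'self';";

        # Reject any path that ends in "/" (the bare site root "/" is not matched by ^/.+/$),
        # so directory-style URLs such as /api/ or /static/ are never served.
        location ~ ^/.+/$ {
            return 403;
        }

        # Block well-known introspection endpoints (swagger, api-docs, actuator) anywhere in the URI.
        # Fix: the original pattern "^/.*(swagger | api-docs | actuator | \.\.)" contained spaces,
        # which nginx treats as argument separators -- the location directive then has too many
        # arguments and the config fails to load; even quoted, it would only have matched
        # "swagger " with a trailing space. "~*" makes the match case-insensitive (/Swagger).
        # nginx normalizes ".." out of the URI (or answers 400) before location matching, so the
        # "\.\." alternative is a belt-and-braces check that rarely fires.
        # Regex locations take precedence over the prefix locations below, so this guards both
        # the static site and /api.
        location ~* (swagger|api-docs|actuator|\.\.) {
            return 403;
        }

        # Front-end static files.
        location / {
            root /usr/local/nginx/html;
            index index.html index.htm;
        }

        # Back-end API. The forwarded headers give the upstream the client address and scheme;
        # $proxy_add_x_forwarded_for appends to any client-sent X-Forwarded-For, so the upstream
        # must trust only the last (this host's) entry.
        location /api {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # Plain HTTP to the loopback backend; this host is the TLS boundary.
            proxy_pass http://localhost;
        }
    }
}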


三、立一个flag!

今年延伸一下人工智能方面的学习