nginx\u5b89\u5168\u914d\u7f6e\u6307\u5357\uff0c\u9632\u6b62\u7f51\u7ad9\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee<\/p>\n
\u5f15\u8a00\uff1a
\u968f\u7740\u4e92\u8054\u7f51\u7684\u5feb\u901f\u53d1\u5c55\uff0c\u7f51\u7edc\u5b89\u5168\u95ee\u9898\u8d8a\u6765\u8d8a\u53d7\u5173\u6ce8\u3002\u4f5c\u4e3a\u4e00\u4e2a\u7f51\u7ad9\u7ba1\u7406\u5458\uff0c\u4fdd\u62a4\u7f51\u7ad9\u514d\u53d7\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u662f\u81f3\u5173\u91cd\u8981\u7684\u3002Nginx\u4f5c\u4e3a\u4e00\u4e2a\u9ad8\u6027\u80fd\u7684Web\u670d\u52a1\u5668\u548c\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u63d0\u4f9b\u4e86\u4e30\u5bcc\u7684\u5b89\u5168\u914d\u7f6e\u9009\u9879\uff0c\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec\u52a0\u5f3a\u7f51\u7ad9\u7684\u5b89\u5168\u6027\u3002\u672c\u6587\u5c06\u4ecb\u7ecd\u4e00\u4e9b\u5e38\u7528\u7684Nginx\u5b89\u5168\u914d\u7f6e\uff0c\u5e2e\u52a9\u7f51\u7ad9\u7ba1\u7406\u5458\u9632\u6b62\u7f51\u7ad9\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u3002<\/p>\n
\u4e00\u3001\u9650\u5236\u8bbf\u95ee\u65b9\u6cd5<\/p>\n
\u7981\u6b62\u4e0d\u5b89\u5168\u7684HTTP\u65b9\u6cd5
\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cNginx\u652f\u6301\u591a\u79cdHTTP\u65b9\u6cd5\uff0c\u5305\u62ecGET\u3001POST\u3001OPTIONS\u7b49\u3002\u7136\u800c\uff0c\u67d0\u4e9bHTTP\u65b9\u6cd5\u53ef\u80fd\u5b58\u5728\u5b89\u5168\u98ce\u9669\uff0c\u4f8b\u5982TRACE\u65b9\u6cd5\u53ef\u4ee5\u88ab\u7528\u4e8e\u8de8\u7ad9\u811a\u672c(XSS)\u653b\u51fb\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Nginx\u7684”limit_except”\u6307\u4ee4\u6765\u9650\u5236\u67d0\u4e9bHTTP\u65b9\u6cd5\u7684\u8bbf\u95ee\u3002
\u793a\u4f8b\u4ee3\u7801\uff1a<\/p>\n
location \/ {\n limit_except GET POST {\n deny all;\n }\n}<\/pre>\n \u767b\u5f55\u540e\u590d\u5236 <\/li>\n
\u5173\u95ed\u4e0d\u5fc5\u8981\u7684\u76ee\u5f55\u5217\u8868
\u5982\u679cNginx\u7684\u76ee\u5f55\u6ca1\u6709\u9ed8\u8ba4\u7684index\u6587\u4ef6\uff0c\u4f1a\u81ea\u52a8\u5c55\u793a\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u5217\u8868\uff0c\u8fd9\u53ef\u80fd\u4f1a\u66b4\u9732\u654f\u611f\u4fe1\u606f\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u7981\u6b62\u81ea\u52a8\u76ee\u5f55\u5217\u8868\u7684\u65b9\u5f0f\u6765\u963b\u6b62\u6b64\u884c\u4e3a\u3002
\u793a\u4f8b\u4ee3\u7801\uff1a<\/p>\n
location \/ {\n autoindex off;\n}<\/pre>\n \u767b\u5f55\u540e\u590d\u5236 <\/li>\n<\/ol>\n
\u4e8c\u3001\u9632\u6b62\u6076\u610f\u8bf7\u6c42\u548c\u653b\u51fb<\/p>\n
\n- \n
\u9632\u6b62\u6076\u610f\u8bf7\u6c42
\u6076\u610f\u8bf7\u6c42\u5305\u62ec\u5927\u91cf\u7684\u8bf7\u6c42\u3001\u5927\u6587\u4ef6\u4e0a\u4f20\u3001\u6076\u610f\u811a\u672c\u7b49\u7b49\uff0c\u8fd9\u4f1a\u5bfc\u81f4\u670d\u52a1\u5668\u8d1f\u8f7d\u8fc7\u9ad8\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6e\u8bf7\u6c42\u9650\u5236\uff0c\u6765\u9632\u6b62\u8fd9\u79cd\u60c5\u51b5\u53d1\u751f\u3002
\u793a\u4f8b\u4ee3\u7801\uff1a<\/p>\n
http {\n limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r\/s;\n \n server {\n location \/ {\n limit_req zone=req_limit burst=5 nodelay;\n # \u5176\u4ed6\u914d\u7f6e\n }\n }\n}<\/pre>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u4f7f\u7528”limit_req_zone”\u6307\u4ee4\u6765\u5b9a\u4e49\u8bf7\u6c42\u9650\u5236\u533a\u57df\uff0c\u8bbe\u7f6e\u9650\u5236\u7684\u5927\u5c0f\u548c\u901f\u7387\uff08\u6bcf\u79d2\u6700\u591a\u5141\u8bb81\u4e2a\u8bf7\u6c42\uff09\u3002\u7136\u540e\uff0c\u5728\u76f8\u5e94\u7684”server”\u914d\u7f6e\u4e2d\u4f7f\u7528”limit_req”\u6307\u4ee4\u6765\u5e94\u7528\u8be5\u9650\u5236\u533a\u57df\u3002<\/p>\n<\/li>\n
- \u9632\u6b62\u5e38\u89c1\u653b\u51fb
Nginx\u9ed8\u8ba4\u63d0\u4f9b\u4e86\u4e00\u4e9b\u9632\u6b62\u5e38\u89c1\u653b\u51fb\u7684\u914d\u7f6e\u9009\u9879\uff0c\u4f8b\u5982\uff1a<\/li>\n - \u9632\u6b62\u7f13\u51b2\u533a\u6ea2\u51fa\u653b\u51fb\uff1aproxy_buffer_size \u548c proxy_buffers \u914d\u7f6e\u9009\u9879<\/li>\n
- \u9632\u6b62HTTP\u8bf7\u6c42\u5934\u8fc7\u5927\u653b\u51fb\uff1alarge_client_header_buffers \u914d\u7f6e\u9009\u9879<\/li>\n
- \u9632\u6b62URI\u957f\u5ea6\u8fc7\u5927\u653b\u51fb\uff1alarge_client_header_buffers \u914d\u7f6e\u9009\u9879<\/li>\n
- \u9632\u6b62\u6076\u610f\u8bf7\u6c42\uff1aclient_max_body_size \u914d\u7f6e\u9009\u9879<\/li>\n
- \u9632\u6b62DDoS\u653b\u51fb\uff1alimit_conn \u548c limit_req \u914d\u7f6e\u9009\u9879<\/li>\n<\/ol>\n
\u4e09\u3001\u4f7f\u7528HTTPS\u4fdd\u8bc1\u6570\u636e\u4f20\u8f93\u5b89\u5168<\/p>\n
HTTPS\u534f\u8bae\u53ef\u4ee5\u4fdd\u8bc1\u6570\u636e\u4f20\u8f93\u7684\u673a\u5bc6\u6027\u548c\u5b8c\u6574\u6027\uff0c\u9632\u6b62\u6570\u636e\u88ab\u7a83\u53d6\u6216\u7be1\u6539\u3002\u4f7f\u7528HTTPS\u53ef\u4ee5\u9632\u6b62\u4e2d\u95f4\u4eba\u653b\u51fb\u3001\u6570\u636e\u52ab\u6301\u7b49\u5b89\u5168\u95ee\u9898\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Nginx\u63d0\u4f9b\u7684SSL\u6a21\u5757\u6765\u914d\u7f6eHTTPS\u3002
\u793a\u4f8b\u4ee3\u7801\uff1a<\/p>\n
server {\n listen 443 ssl;\n server_name example.com;\n\n ssl_certificate \/path\/to\/certificate.crt;\n ssl_certificate_key \/path\/to\/private.key;\n\n location \/ {\n # \u5176\u4ed6\u914d\u7f6e\n }\n}<\/pre>\n \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u4f7f\u7528listen 443 ssl\u6307\u4ee4\u6765\u76d1\u542c443\u7aef\u53e3\uff0c\u5e76\u4f7f\u7528ssl_certificate\u548cssl_certificate_key\u914d\u7f6e\u9009\u9879\u6307\u5b9aSSL\u8bc1\u4e66\u8def\u5f84\u3002<\/p>\n
\u7ed3\u8bba\uff1a
\u672c\u6587\u4ecb\u7ecd\u4e86\u4e00\u4e9b\u5e38\u7528\u7684Nginx\u5b89\u5168\u914d\u7f6e\u9009\u9879\uff0c\u5305\u62ec\u9650\u5236\u8bbf\u95ee\u65b9\u6cd5\u3001\u9632\u6b62\u6076\u610f\u8bf7\u6c42\u548c\u653b\u51fb\u3001\u4f7f\u7528HTTPS\u4fdd\u8bc1\u6570\u636e\u4f20\u8f93\u5b89\u5168\u7b49\u3002\u5f53\u7136\uff0cNginx\u7684\u5b89\u5168\u914d\u7f6e\u8fd8\u6709\u5f88\u591a\u5176\u4ed6\u7684\u9009\u9879\uff0c\u9488\u5bf9\u4e0d\u540c\u7684\u60c5\u51b5\u53ef\u4ee5\u8fdb\u884c\u76f8\u5e94\u7684\u914d\u7f6e\u3002\u4f5c\u4e3a\u7f51\u7ad9\u7ba1\u7406\u5458\uff0c\u6211\u4eec\u9700\u8981\u5bc6\u5207\u5173\u6ce8\u7f51\u7ad9\u5b89\u5168\u95ee\u9898\uff0c\u5e76\u4e0d\u65ad\u52a0\u5f3a\u5b89\u5168\u914d\u7f6e\uff0c\u4ee5\u4fdd\u62a4\u7f51\u7ad9\u514d\u53d7\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u7684\u5a01\u80c1\u3002<\/p>\n
\u4ee5\u4e0a\u5c31\u662fNginx\u5b89\u5168\u914d\u7f6e\u6307\u5357\uff0c\u9632\u6b62\u7f51\u7ad9\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u7684\u8be6\u7ec6\u5185\u5bb9\uff0c\u66f4\u591a\u8bf7\u5173\u6ce8\u7c73\u4e91\u5176\u5b83\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
nginx\u5b89\u5168\u914d\u7f6e\u6307\u5357\uff0c\u9632\u6b62\u7f51\u7ad9\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee \u5f15\u8a00\uff1a\u968f\u7740\u4e92\u8054\u7f51\u7684\u5feb\u901f\u53d1\u5c55\uff0c\u7f51\u7edc\u5b89\u5168\u95ee\u9898\u8d8a\u6765\u8d8a\u53d7\u5173\u6ce8\u3002\u4f5c\u4e3a\u4e00\u4e2a\u7f51\u7ad9\u7ba1\u7406\u5458\uff0c\u4fdd\u62a4\u7f51\u7ad9\u514d\u53d7\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u662f\u81f3\u5173\u91cd\u8981\u7684\u3002Nginx\u4f5c\u4e3a\u4e00\u4e2a\u9ad8\u6027\u80fd\u7684Web\u670d\u52a1\u5668\u548c\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u63d0\u4f9b\u4e86\u4e30\u5bcc\u7684\u5b89\u5168\u914d\u7f6e\u9009\u9879\uff0c\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec\u52a0\u5f3a\u7f51\u7ad9\u7684\u5b89\u5168\u6027\u3002\u672c\u6587\u5c06\u4ecb\u7ecd\u4e00\u4e9b\u5e38\u7528\u7684Nginx\u5b89\u5168\u914d\u7f6e\uff0c\u5e2e\u52a9\u7f51\u7ad9\u7ba1\u7406\u5458\u9632\u6b62\u7f51\u7ad9\u653b\u51fb\u548c\u6076\u610f\u8bbf\u95ee\u3002 \u4e00\u3001\u9650\u5236\u8bbf\u95ee\u65b9\u6cd5 \u7981\u6b62\u4e0d\u5b89\u5168\u7684HTTP\u65b9\u6cd5\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cNginx\u652f\u6301\u591a\u79cdHTTP\u65b9\u6cd5\uff0c\u5305\u62ecGET\u3001POST\u3001OPTIONS\u7b49\u3002\u7136\u800c\uff0c\u67d0\u4e9bHTTP\u65b9\u6cd5\u53ef\u80fd\u5b58\u5728\u5b89\u5168\u98ce\u9669\uff0c\u4f8b\u5982TRACE\u65b9\u6cd5\u53ef\u4ee5\u88ab\u7528\u4e8e\u8de8\u7ad9\u811a\u672c(XSS)\u653b\u51fb\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528Nginx\u7684”limit_except”\u6307\u4ee4\u6765\u9650\u5236\u67d0\u4e9bHTTP\u65b9\u6cd5\u7684\u8bbf\u95ee\u3002\u793a\u4f8b\u4ee3\u7801\uff1a location \/ { limit_except GET POST { deny all; } } \u767b\u5f55\u540e\u590d\u5236 \u5173\u95ed\u4e0d\u5fc5\u8981\u7684\u76ee\u5f55\u5217\u8868\u5982\u679cNginx\u7684\u76ee\u5f55\u6ca1\u6709\u9ed8\u8ba4\u7684index\u6587\u4ef6\uff0c\u4f1a\u81ea\u52a8\u5c55\u793a\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u5217\u8868\uff0c\u8fd9\u53ef\u80fd\u4f1a\u66b4\u9732\u654f\u611f\u4fe1\u606f\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u7981\u6b62\u81ea\u52a8\u76ee\u5f55\u5217\u8868\u7684\u65b9\u5f0f\u6765\u963b\u6b62\u6b64\u884c\u4e3a\u3002\u793a\u4f8b\u4ee3\u7801\uff1a location \/ { autoindex off; } \u767b\u5f55\u540e\u590d\u5236 \u4e8c\u3001\u9632\u6b62\u6076\u610f\u8bf7\u6c42\u548c\u653b\u51fb \u9632\u6b62\u6076\u610f\u8bf7\u6c42\u6076\u610f\u8bf7\u6c42\u5305\u62ec\u5927\u91cf\u7684\u8bf7\u6c42\u3001\u5927\u6587\u4ef6\u4e0a\u4f20\u3001\u6076\u610f\u811a\u672c\u7b49\u7b49\uff0c\u8fd9\u4f1a\u5bfc\u81f4\u670d\u52a1\u5668\u8d1f\u8f7d\u8fc7\u9ad8\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6e\u8bf7\u6c42\u9650\u5236\uff0c\u6765\u9632\u6b62\u8fd9\u79cd\u60c5\u51b5\u53d1\u751f\u3002\u793a\u4f8b\u4ee3\u7801\uff1a http { limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r\/s; server { location \/ { limit_req zone=req_limit burst=5 nodelay; # \u5176\u4ed6\u914d\u7f6e } } } \u767b\u5f55\u540e\u590d\u5236 \u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u4f7f\u7528”limit_req_zone”\u6307\u4ee4\u6765\u5b9a\u4e49\u8bf7\u6c42\u9650\u5236\u533a\u57df\uff0c\u8bbe\u7f6e\u9650\u5236\u7684\u5927\u5c0f\u548c\u901f\u7387\uff08\u6bcf\u79d2\u6700\u591a\u5141\u8bb81\u4e2a\u8bf7\u6c42\uff09\u3002\u7136\u540e\uff0c\u5728\u76f8\u5e94\u7684”server”\u914d\u7f6e\u4e2d\u4f7f\u7528”limit_req”\u6307\u4ee4\u6765\u5e94\u7528\u8be5\u9650\u5236\u533a\u57df\u3002 \u9632\u6b62\u5e38\u89c1\u653b\u51fbNginx\u9ed8\u8ba4\u63d0\u4f9b\u4e86\u4e00\u4e9b\u9632\u6b62\u5e38\u89c1\u653b\u51fb\u7684\u914d\u7f6e\u9009\u9879\uff0c\u4f8b\u5982\uff1a \u9632\u6b62\u7f13\u51b2\u533a\u6ea2\u51fa\u653b\u51fb\uff1aproxy_buffer_size \u548c proxy_buffers \u914d\u7f6e\u9009\u9879 \u9632\u6b62HTTP\u8bf7\u6c42\u5934\u8fc7\u5927\u653b\u51fb\uff1alarge_client_header_buffers \u914d\u7f6e\u9009\u9879 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-15812","post","type-post","status-publish","format-standard","hentry","category-os"],"_links":{"self":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/15812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/comments?post=15812"}],"version-history":[{"count":0,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/15812\/revisions"}],"wp:attachment":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/media?parent=15812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/categories?post=15812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/tags?post=15812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}