Under Linux server security configuration of Nginx
1, some common sense
under Linux, you want to read a file, you first need to have execute permissions for the folder where the file, and then you need to read permissions on the file.
Execute permissions php files do not need the file, you only need read permission nginx and php-fpm run accounts.
After uploading Trojans, you can not list the contents of a folder with php-fpm running account permission to read the relevant folder permissions Trojans execute commands with the account permissions php-fpm related.
If the Trojan to execute the command, you need php-fpm account the corresponding sh Executive authority.
Reads a file within the folder, the folder is not necessary to have read access, only for folders have execute permissions.
1, the top of the configuration
1, the top of the configuration
#define Nginx users and user groups to run
user nginx;
# processes Files
pid /var/run/nginx.pid;
#Error log locations and levels, Debug, the info, Notice, The warn, error, criteres
error_log /var/log/nginx/error.log warn;
#Nginx number of worker processes, and can be set for the number of CPU cores available.
worker_processes 8;
# each worker limit the maximum number of open file descriptors. The theoretical value should be opened up to the number (the value of the system ulimit -n) divided by the number of processes and nginx file, but nginx allocation request is not uniform, it is proposed that is consistent with the value of ulimit -n.
worker_rlimit_nofile 65535;
2, Events module
events {
# worker processes simultaneously set a maximum number of connections open
worker_connections 2048;
# tell nginx connection after receiving a new notification to accept as many connections
multi_accept on;
#set for multiplexing client thread polling method. If you use Linux 2.6+, you should use epoll. If you use * BSD, you should use kqueue.
use epoll;
}
3?HTTP
http {
#hide Nginx version number, to improve security.
server_tokens off;
# Open and efficient file transfer mode, sendfile sendfile directive specifies Nginx whether to call a function to output files for common applications is set on, if used to download applications such as disk IO heavy duty applications, can be set off, in order to balance the disk and network I / O processing speed and reduce the load on the system.
sendfile on;
# whether open access directory listing, turned off by default.
autoindex off;
#?? Nginx
tcp_nopush on;
# tell Nginx to send a data package in all the header files, not one by one to send
# Nginx told not to cache data, but transmits a section – when the need for timely sending data, it should be when setting this property to the application, which sends a small piece of data can not be obtained immediately return a value. Nginx default tcp nopush always work in the state. However, when the open front sendfile on; when its work is characterized by a final package nopush will automatically switch to turn nopush off. To reduce that delay of 200ms, open nodelay on;
it is quickly transmitted. The conclusion is that sendfile on; when open, tcp_nopush and tcp_nodelay are on is possible.
tcp_nodelay on;
# log format set
log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;
# define access log set to off to turn off logging, improve performance
access_log /var/log/nginx/access.log main;
#Connection timeout, in seconds
keepalive_timeout 120;
# read the HTTP header timeout, the default value of 60. Client and server to establish a connection start after receiving HTTP header, in the process, if not read in a time interval (timeout) to the client sent byte is considered overtime, returned to the client 408 ( “Request timed out”) response.
client_header_timeout 60;
# the default value of 60. Similar client_header_timeout, but this time-out only when valid HTTP packet body read.
client_body_timeout 10;
# send a response, the default value of 60. That Nginx server to the client to send data packets, but the client does not have to receive the packet. If a connection over send_timeout defined timeout period, then Nginx will close the connection.
send_timeout 60;
# by sending RST packets to the client after a direct connection timeout to reset the connection. When this option is turned on, Nginx will timeout after a connection, instead of using the normal case under the four-way handshake to close a TCP connection, but sends RST reset packets directly to users without waiting for user’s response, released directly on Nginx server All about the cache (such as TCP sliding window) socket used. Compared to the normal shutdown mode, which allows the server to avoid many in FIN_WAIT_1, FIN_WAIT_2, TCP TIME_WAIT state connection.
Note that the use RST reset packets to close the connection will bring some problems, by default will not open.
reset_timedout_connection off;
# To restrict access, you must have a connection to the container counts, “zone =” is to give it a name, you can easily call, agreed to keep the name below limit_conn. $ binary_remote_addr binary to store the client’s address, 1m can store 32,000 concurrent sessions.
limit_conn_zone $binary_remote_addr zone=addr:5m;
# given the key to set the maximum number of connections. Here is the key addr, we set value is 100, which means that we allow each IP address to open up to 100 simultaneous connections.
limit_conn addr 100;
# 100k limit for each connection. That if one IP allows two concurrent connections, then the IP is the speed limit 200K.
limit_rate 100k;
#include directive is another file that contains the contents of the current file. Here we use it to load the file extension and the file type mapping table. nginx according to the mapping relationship set http request response Content-Type header value. When not found in the mapping table, the default value nginx.conf in default-type specified.
include /etc/nginx/mime.types;
#default MIME-type # settings files used
default_type text/html;
# default encoding
charset UTF-8;
# This module can read the pre-compressed gz file, thus reducing each request gzip compression CPU resource consumption. After the module is enabled, nginx first checks whether the file exists gz ending requests for static files, if there is a direct return to the gz file contents.
gzip_static off;
# Turn gzip compression.
gzip on;
# disable client is IE6 when gzip functions.
gzip_disable “msie6”;
##Nginx as a reverse proxy when enabled. Available Values: OFF | expired The | NO-Cache | NO-Sotre | Private | no_last_modified | no_etag | the auth | the any
gzip_proxied any;
# set the minimum number of pages that allow compressed bytes, the number of bytes from the header page header Content- Length of the acquired. Recommendations set larger than the number of bytes 1k, 1k may be less than the greater the pressure.
gzip_min_length 1024;
# Set the data compression level. This level can be any number between 1-9, 9 is the slowest but maximum compression ratio
gzip_comp_level 5;
# Set the system to obtain several cache unit for storing gzip compression result data stream. 4 4k 4k representative example as a unit, according to the original data size in units of 4 times 4k application memory. If not set, the default is the same size as the original application with data memory space to store gzip compressed results.
gzip_buffers 4 16k;
# Set the desired compressed data format. Nginx default only text / html compression.
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# designated as open file cache, the default is not enabled, max specify the cache number of recommendations and open the file number is consistent, inactive refers to how long the file has not been deleted cached request.
open_file_cache max=65535 inactive=30s;
# valid information check how long the cache
open_file_cache_valid 30s;
# within #open_file_cache instruction inactive time parameter file using the least number of times, if this number is exceeded, the file descriptor has been opened in the cache of. Last-Modified the same situation, because when nginx after a static file cache, if it is still access the 30s, so it’s cache has existed until the 30s you do not visit so far.
open_file_cache_min_uses 2;
# whether the records cache error
open_file_cache_errors on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
4, SERVER module
server {
# listening port, nginx based HOST request to determine which configuration section to use SERVER. If no matching server_name, use the default configuration file first. Plus default_server you can not specify the default rule to match.
#listen 80;
listen 80 default_server;
# can have multiple domain names, separated by spaces
server_name www.test.com test.com;
root /user/share/nginx/html/test;
# 404 page configuration
error_page 404 /404.html;
# configuration ssl, when there is need to open.
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location / {
index index.html index.php;
}
# picture cache time
location ~ .*.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 10d;
}
#js and CSS cache time
location ~ .*.(js|css)?$ {
expires 1h;
}
location ~ [^/]\.php(/|$) {
fastcgi_index index.php;
# open PATH_INFO support role is in accordance with the parameters given regular expression is divided into a $ fastcgi_script_name and $ fastcgi_path_info.
# For example: When requested index.php / id / 1 without this line configuration, fastcgi_script_name is /index.php/id/1,fastcgi_path_info is empty.
# Plus, fastcgi_script_name is index.php, fastcgi_path_info is / the above mentioned id / 1
fastcgi_split_path_info ^(.+\.php)(.*)$;
# This value is the PHP in $ _SERVER [ ‘SCRIPT_FILENAME’] value
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
# specify the FastCGI server listening port and address. PHP-FPM and shall be the same settings.
127.0.0.1:9000;#fastcgi_pass;
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
}
}
2, prohibit access to IP
2, the common mode
1. Let Trojans after uploading can not be performed: Upload directory for added configured in nginx configuration file, so this directory is unable to resolve PHP
2. Let Trojans do not see the non-execution site directory files: Cancel php-fpm running account read permissions for other directories
3. run can not be performed after the Trojan: cancel php-fpm execute permissions for the account of sh
4. after command execution permission is not too high: php-fpm account with root or not root join group
3, the specific configuration of
1 to deny access to files and execute php
3, the specific configuration of
1 to deny access to files and execute php
location ~ /(attachments|upload)/.*\.(php|php5)?$ {
deny all;
}
2, prohibit access to IP
// Disable the wording of
the deny 10.0.0.0/24;
// wording allowed
the allow 10.0.0.0/24;
the deny All;
3, according to the user’s real IP connection limits do
## Here for the original user’s IP address
map $http_x_forwarded_for $clientRealIp {
“” $remote_addr;
~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}
## For the original user IP address restrictions do
limit_conn_zone $clientRealIp zone=TotalConnLimitZone:20m ;
limit_conn TotalConnLimitZone 50;
limit_conn_log_level notice;
## for the original user’s IP address restrictions do
limit_req_zone $clientRealIp zone=ConnLimitZone:20m rate=10r/s;
#limit_req zone=ConnLimitZone burst=10 nodelay;
limit_req_log_level notice;
## specific server configuration
server {
the listen 80;
LOCATION ~ \ .php $ {
## queuing up to 5, since the processing 10 requests per second + 5 line, one second you send up to 15 request over more direct return 503 error to you
limit_req Zone = ConnLimitZone Burst = 5 NoDelay ™;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index the index.php;
the include fastcgi_params;
}
}
4, after a multi-CDN obtain the original user’s IP address, nginx configuration
$ HTTP_X_FORWARDED_FOR $ clientRealIp {Map
## not through a proxy, the direct use of REMOTE_ADDR
“” $ REMOTE_ADDR;
## with a regular match, made from the user’s original x_forwarded_for the IP
##, for example X-Forwarded-For: 202.123.123.11, 208.22.22.234 , 192.168.2.100, …
## where the first 202.123.123.11 is the user’s real IP, behind other is through the CDN server
~ ^ (? P <firstAddr> [0-9 \.] +) ,? . * $ $ firstAddr;
}
## through the map command, we created a variable nginx $ clientRealIp, this is the real IP address of the original user,
## whether the user is a direct access, or access through a bunch of CDN after we You can obtain the correct IP address of the original
5?hide version
server_tokens off;
proxy_hide_header X-Powered-By;
// compile time or modify the source code
6?disable non-essential method
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
7 Disable extension
location ~* .(txt|doc|sql|gz|svn|git)$ {
deny all;
}
8, the rational allocation response header
add_header Strict-Transport-Security “max-age=31536000”;
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https://a.disquscdn.com; img-src ‘self’ data: https://www.google-analytics.com; style-src ‘self’ ‘unsafe-inline’; frame-src https://disqus.com”;
Strict-Transport-Security (abbreviated as HSTS) you can tell the browser within the specified max-age, always through HTTPS access
X-Frame-Options page to specify whether to allow this to be nested iframe, deny that allowed any nested occur
9, refused several User-Agents
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
10, to prevent image hotlinking
valid_referers blocked www.example.com example.com;
if ($invalid_referer) {
rewrite ^/images/uploads.*\.(gif|jpg|jpeg|png)$ http://www.examples.com/banned.jpg last
}
11, a control buffer overflow attacks
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
explain
1, client_body_buffer_size 1k- (default 8k or 16k) This instruction can specify a connection request buffer size entities. If the value exceeds the specified buffer connection request, then the whole or part of the requesting entity will attempt to write to a temporary file.
2, client_header_buffer_size 1k- directive specifies the client request buffer size of the head. In most cases a request header is not greater than 1k, but if there is a large cookie wap from clients it may be greater than 1k, Nginx will be assigned to it a larger buffer, this value can be set inside the large_client_header_buffers .
3, client_max_body_size 1k- directive specifies the maximum allowable size of the client requesting entity connected, it appears in the Content-Length header field of the request. If the request is greater than the specified value, the client will receive a “Request Entity Too Large” (413 ) error. Remember, the browser does not know how to show this error.
4, large_client_header_buffers- specify the client number and size of some of the larger buffer request header use. Request a field can not be greater than the buffer size, if the client sends a relatively large head, nginx returns “Request URI too large” (414 )
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
1, client_body_timeout 10; – read instruction specified timeout request entity. Here timeout refers to a requesting entity did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
2, client_header_timeout 10; – directive specifies the client request header headline read timeout. Here timeout refers to a request header did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
3, keepalive_timeout 5 5; – the first parameter specifies the timeout length of the client and server connections, over this time, the server closes the connection. The second value of the parameter (optional) specifies the response header Keep-Alive: timeout = time value of the time, this value can make some browsers know when to close the connection to the server without having to repeatedly shut down, if you do not specify this parameter , nginx does not send Keep-Alive header information in the response. (This does not refer to how to connect a “Keep-Alive”) values of these two parameters can be different.
4, send_timeout 10; directive specifies the timeout is sent to the client after the response, Timeout refers not enter the state established a complete, finished only two handshakes, if more than this time the client send nothing, nginx will close the connection.
12, a control concurrent connections
limit_zone slimits $binary_remote_addr 5m;
limit_conn slimits 5;
13?sysctl.conf
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don’t act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tuen IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
14 Firewall Rules
/sbin/iptables -A INPUT -p tcp –dport 80 -i eth0 -m state –state NEW -m recent –set
/sbin/iptables -A INPUT -p tcp –dport 80 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 15 -j DROP
15?Nginx
/sbin/iptables -A OUTPUT -o eth0 -m owner –uid-owner vivek -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT
www.rmohan.com
www.rmohan.net
nginx
nginx.conf
www.rmohan.com http://192.168.1.18:8080
www.rmohan.net http://192.168.1.18:8181
server1?
server {
listen 80;
server_name www.rmohan.com;
location / {
proxy_set_header Host rmohan.com;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://192.168.95.180:8080;
}
}
server2?
server {
listen 80;
server_name www.rmohan.net;
location / {
proxy_set_header Host rmohan.net;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://192.168.95.181:8181;
}
}
Recent Comments