How to improve Security and performance of Nginx

2025-01-19 Update From: SLTechnology News&Howtos, shulou (Servers)

Shulou(Shulou.com)06/01 Report--

This article explains how to improve the security and performance of Nginx. It is intended as a practical reference.

It shows how to configure X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security, HTTPS and related security settings in Nginx.

The nginx.conf configuration is as follows:

# Do not show the Nginx version number in error pages or in the Server header.
server_tokens off;

# Do not allow the page to be rendered inside a frame or iframe, to avoid clickjacking.
# http://en.wikipedia.org/wiki/Clickjacking
# If you need to allow [i]frames, use SAMEORIGIN, or name the permitted URL with ALLOW-FROM.
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# When your site serves user-provided content (blogs, forums, etc.), send
# X-Content-Type-Options: nosniff to disable content-type sniffing in browsers that support it.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# Currently supported in IE > 8:
# http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# Cross-site scripting (XSS) filter, supported by most browsers and enabled by default.
# If a user has disabled it, this header re-enables it.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# Content Security Policy (CSP), supported by most browsers: tells the browser that scripts
# may only be loaded from this domain and from the URLs listed explicitly.
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

server {
    listen 443 ssl default_server deferred;
    server_name .forgott.com;

    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

    # Enable session resumption to improve HTTPS performance.
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameters for DHE cipher suites; 2048 bits recommended.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Enable server-side protection against the BEAST attack.
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # Exclude SSLv3 (enabled by default since nginx 0.8.19).
    # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    # Note: TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996);
    # on current nginx/OpenSSL prefer "TLSv1.2 TLSv1.3".
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Cipher suites chosen for forward secrecy and compatibility.
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    # Note: the DES-CBC3 (3DES) suites are kept only for legacy clients and are now considered weak.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5";

    # Enable OCSP stapling (a mechanism by which a site can convey certificate revocation
    # information to visitors in a privacy-preserving, scalable manner).
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    # The resolver is needed so nginx can fetch OCSP responses; ssl_stapling actually turns stapling on.
    resolver 8.8.8.8;
    ssl_stapling on;

    # Enable HSTS (HTTP Strict Transport Security) to avoid SSL stripping.
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # Note: nginx inherits add_header from the http level only when a server block defines
    # no add_header of its own. Because this block adds HSTS, repeat the headers above here
    # (or move them into this block), otherwise they will not be sent for HTTPS responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    # ... the rest of your configuration
}

# Redirect all HTTP traffic to HTTPS.
server {
    listen 80;
    server_name .forgott.com;
    return 301 https://$host$request_uri;
}
