{"id":50493,"date":"2024-10-08T11:35:12","date_gmt":"2024-10-08T03:35:12","guid":{"rendered":"https:\/\/server.hk\/cnblog\/50493\/"},"modified":"2024-10-08T11:35:13","modified_gmt":"2024-10-08T03:35:13","slug":"nginx-%e5%ae%89%e5%85%a8%e7%ad%96%e7%95%a5%ef%bc%9a%e9%80%9a%e9%81%8e-nginx-%e9%85%8d%e7%bd%ae%e5%9f%b7%e8%a1%8c%e5%ae%89%e5%85%a8%e9%a0%ad","status":"publish","type":"post","link":"https:\/\/server.hk\/cnblog\/50493\/","title":{"rendered":"Nginx \u5b89\u5168\u7b56\u7565\uff1a\u901a\u904e Nginx \u914d\u7f6e\u57f7\u884c\u5b89\u5168\u982d"},"content":{"rendered":"<h1 id=\"nginx-%e5%ae%89%e5%85%a8%e7%ad%96%e7%95%a5%ef%bc%9a%e9%80%9a%e9%81%8e-nginx-%e9%85%8d%e7%bd%ae%e5%9f%b7%e8%a1%8c%e5%ae%89%e5%85%a8%e9%a0%ad-eYeeVNUPOz\">Nginx \u5b89\u5168\u7b56\u7565\uff1a\u901a\u904e Nginx \u914d\u7f6e\u57f7\u884c\u5b89\u5168\u982d<\/h1>\n<p>Nginx \u662f\u4e00\u6b3e\u9ad8\u6548\u7684\u7db2\u9801\u4f3a\u670d\u5668\uff0c\u5ee3\u6cdb\u7528\u65bc\u8655\u7406\u975c\u614b\u5167\u5bb9\u548c\u53cd\u5411\u4ee3\u7406\u3002\u96a8\u8457\u7db2\u7d61\u5b89\u5168\u5a01\u8105\u7684\u589e\u52a0\uff0c\u78ba\u4fdd\u4f3a\u670d\u5668\u7684\u5b89\u5168\u6027\u8b8a\u5f97\u5c24\u70ba\u91cd\u8981\u3002\u672c\u6587\u5c07\u63a2\u8a0e\u5982\u4f55\u901a\u904e Nginx \u914d\u7f6e\u5b89\u5168\u982d\u4f86\u589e\u5f37\u7db2\u7ad9\u7684\u5b89\u5168\u6027\u3002<\/p>\n<h2 id=\"%e4%bb%80%e9%ba%bc%e6%98%af%e5%ae%89%e5%85%a8%e9%a0%ad%ef%bc%9f-eYeeVNUPOz\">\u4ec0\u9ebc\u662f\u5b89\u5168\u982d\uff1f<\/h2>\n<p>\u5b89\u5168\u982d\uff08Security Headers\uff09\u662f HTTP \u97ff\u61c9\u982d\u7684\u4e00\u90e8\u5206\uff0c\u65e8\u5728\u5e6b\u52a9\u4fdd\u8b77\u7db2\u7ad9\u514d\u53d7\u5404\u7a2e\u653b\u64ca\u3002\u9019\u4e9b\u982d\u90e8\u53ef\u4ee5\u9632\u6b62\u8de8\u7ad9\u8173\u672c\uff08XSS\uff09\u3001\u9ede\u64ca\u52ab\u6301\uff08Clickjacking\uff09\u548c\u5176\u4ed6\u5e38\u898b\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u901a\u904e\u6b63\u78ba\u914d\u7f6e\u9019\u4e9b\u5b89\u5168\u982d\uff0c\u7db2\u7ad9\u7ba1\u7406\u54e1\u53ef\u4ee5\u986f\u8457\u63d0\u9ad8\u7db2\u7ad9\u7684\u5b89\u5168\u6027\u3002<\/p>\n<h2 id=\"%e5%b8%b8%e8%a6%8b%e7%9a%84%e5%ae%89%e5%85%a8%e9%a0%ad-eYeeVNUPOz\">\u5e38\u898b\u7684\u5b89\u5168\u982d<\/h2>\n<ul>\n<li><strong>Content-Security-Policy (CSP)<\/strong>: \u7528\u65bc\u9632\u6b62 XSS \u653b\u64ca\uff0c\u901a\u904e\u9650\u5236\u53ef\u52a0\u8f09\u7684\u8cc7\u6e90\u4f86\u589e\u5f37\u5b89\u5168\u6027\u3002<\/li>\n<li><strong>X-Content-Type-Options<\/strong>: \u9632\u6b62\u700f\u89bd\u5668 MIME \u985e\u578b\u55c5\u63a2\uff0c\u78ba\u4fdd\u700f\u89bd\u5668\u6309\u7167\u6b63\u78ba\u7684 MIME \u985e\u578b\u8655\u7406\u5167\u5bb9\u3002<\/li>\n<li><strong>X-Frame-Options<\/strong>: \u9632\u6b62\u9ede\u64ca\u52ab\u6301\u653b\u64ca\uff0c\u901a\u904e\u9650\u5236\u7db2\u7ad9\u5728 iframe \u4e2d\u7684\u986f\u793a\u3002<\/li>\n<li><strong>X-XSS-Protection<\/strong>: \u555f\u7528\u700f\u89bd\u5668\u7684 XSS \u9632\u8b77\u529f\u80fd\u3002<\/li>\n<li><strong>Strict-Transport-Security (HSTS)<\/strong>: \u5f37\u5236\u4f7f\u7528 HTTPS \u9023\u63a5\uff0c\u9632\u6b62\u4e2d\u9593\u4eba\u653b\u64ca\u3002<\/li>\n<\/ul>\n<h2 id=\"%e5%a6%82%e4%bd%95%e5%9c%a8-nginx-%e4%b8%ad%e9%85%8d%e7%bd%ae%e5%ae%89%e5%85%a8%e9%a0%ad-eYeeVNUPOz\">\u5982\u4f55\u5728 Nginx \u4e2d\u914d\u7f6e\u5b89\u5168\u982d<\/h2>\n<p>\u5728 Nginx \u4e2d\u914d\u7f6e\u5b89\u5168\u982d\u975e\u5e38\u7c21\u55ae\u3002\u4ee5\u4e0b\u662f\u4e00\u4e9b\u5e38\u898b\u7684\u914d\u7f6e\u793a\u4f8b\uff1a<\/p>\n<pre><code>server {\n    listen 80;\n    server_name example.com;\n\n    # \u5f37\u5236\u4f7f\u7528 HTTPS\n    return 301 https:\/\/$host$request_uri;\n}\n\nserver {\n    listen 443 ssl;\n    server_name example.com;\n\n    # SSL \u914d\u7f6e\n    ssl_certificate \/path\/to\/certificate.crt;\n    ssl_certificate_key \/path\/to\/private.key;\n\n    # \u914d\u7f6e\u5b89\u5168\u982d\n    add_header Content-Security-Policy \"default-src 'self';\";\n    add_header X-Content-Type-Options nosniff;\n    add_header X-Frame-Options DENY;\n    add_header X-XSS-Protection \"1; mode=block\";\n    add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n\n    location \/ {\n        try_files $uri $uri\/ =404;\n    }\n}<\/code><\/pre>\n<h2 id=\"%e6%b8%ac%e8%a9%a6%e5%ae%89%e5%85%a8%e9%a0%ad%e7%9a%84%e6%9c%89%e6%95%88%e6%80%a7-eYeeVNUPOz\">\u6e2c\u8a66\u5b89\u5168\u982d\u7684\u6709\u6548\u6027<\/h2>\n<p>\u914d\u7f6e\u5b8c\u5b89\u5168\u982d\u5f8c\uff0c\u5efa\u8b70\u4f7f\u7528\u4e00\u4e9b\u5de5\u5177\u4f86\u6e2c\u8a66\u5176\u6709\u6548\u6027\u3002\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u5de5\u5177\u9032\u884c\u6aa2\u67e5\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/securityheaders.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Security Headers<\/a>: \u63d0\u4f9b\u7db2\u7ad9\u5b89\u5168\u982d\u7684\u8a55\u4f30\u548c\u5efa\u8b70\u3002<\/li>\n<li><a href=\"https:\/\/www.ssllabs.com\/ssltest\/\" rel=\"nofollow noopener\" target=\"_blank\">SSL Labs<\/a>: \u6e2c\u8a66 SSL \u914d\u7f6e\u548c\u5b89\u5168\u6027\u3002<\/li>\n<\/ul>\n<h2 id=\"%e7%b5%90%e8%ab%96-eYeeVNUPOz\">\u7d50\u8ad6<\/h2>\n<p>\u901a\u904e\u5728 Nginx \u4e2d\u914d\u7f6e\u5b89\u5168\u982d\uff0c\u7db2\u7ad9\u7ba1\u7406\u54e1\u53ef\u4ee5\u986f\u8457\u63d0\u9ad8\u7db2\u7ad9\u7684\u5b89\u5168\u6027\uff0c\u9632\u6b62\u5404\u7a2e\u7db2\u7d61\u653b\u64ca\u3002\u9019\u4e9b\u5b89\u5168\u63aa\u65bd\u4e0d\u50c5\u80fd\u4fdd\u8b77\u7528\u6236\u7684\u6578\u64da\uff0c\u9084\u80fd\u589e\u5f37\u7db2\u7ad9\u7684\u6574\u9ad4\u4fe1\u4efb\u5ea6\u3002\u5c0d\u65bc\u4f7f\u7528 <a href=\"https:\/\/server.hk\">\u9999\u6e2f VPS<\/a> \u7684\u7528\u6236\u4f86\u8aaa\uff0c\u78ba\u4fdd\u4f3a\u670d\u5668\u7684\u5b89\u5168\u6027\u662f\u81f3\u95dc\u91cd\u8981\u7684\u3002\u900f\u904e\u6b63\u78ba\u7684\u914d\u7f6e\u548c\u6301\u7e8c\u7684\u5b89\u5168\u6aa2\u67e5\uff0c\u60a8\u53ef\u4ee5\u70ba\u60a8\u7684\u7db2\u7ad9\u63d0\u4f9b\u4e00\u500b\u66f4\u5b89\u5168\u7684\u74b0\u5883\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u63a2\u7d22\u5982\u4f55\u901a\u904e Nginx \u914d\u7f6e\u5b89\u5168\u982d\u4f86\u52a0\u5f37\u7db2\u7ad9\u5b89\u5168\u6027\uff0c\u4fdd\u8b77\u7528\u6236\u6578\u64da\uff0c\u9632\u7bc4\u6f5b\u5728\u653b\u64ca\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4924],"tags":[],"class_list":["post-50493","post","type-post","status-publish","format-standard","hentry","category-setup-tutorials"],"_links":{"self":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/50493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/comments?post=50493"}],"version-history":[{"count":1,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/50493\/revisions"}],"predecessor-version":[{"id":50494,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/50493\/revisions\/50494"}],"wp:attachment":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/media?parent=50493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/categories?post=50493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/tags?post=50493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}