Nginx log analysis and HTTP/HTTPS security audit practice

With the continuous development of the Internet, network security issues have received more and more attention. As an IT practitioner, log analysis and security auditing are one of the skills we must master. In this article, we will focus on how to use the Nginx log analysis tool to conduct HTTP/HTTPS security audit practices.

1. Nginx log analysis

Nginx, as a high-performance web server, provides rich logging functions. The Nginx log file is located in the /usr/local/nginx/logs/ directory, and access.log is the access log we use most often.

Nginx access log formats are very rich, the common formats are as follows:

$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"

Among them, $remote_addr represents the client's IP address, $remote_user represents the user's name, $time_local represents the access time, $ request represents the request content, $status represents the response status, $body_bytes_sent represents the number of bytes sent, $http_referer represents the reference source, $http_user_agent represents the client's User Agent, and $http_x_forwarded_for represents the IP address of the proxy server.

Through the analysis of Nginx access logs, we can understand the user's access path, request type, client type, return status code and other information, which provides a favorable basis for subsequent security audits.

2. HTTP/HTTPS security audit practice

1. Monitor HTTP requests

The network is filled with a large number of malicious requests, such as SQL injection and XSS attacks Etc., these attacks often use HTTP to deliver harmful data. By analyzing Nginx access logs, we can discover these malicious requests in time, and then intercept and prevent them.

We can monitor HTTP requests through Nginx configuring the log format and log path. The common configuration methods are as follows:

log_format monitor '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /usr/local/nginx/logs/monitor.log monitor;

In this way, we can output the log to the monitor .log file to facilitate subsequent analysis.

2. Monitoring HTTPS requests

The encrypted transmission mechanism of HTTPS makes malicious requests more difficult to detect. We need to use more sophisticated log analysis methods to monitor HTTPS requests. .

Nginx provides logs of the SSL handshake and certificate verification process. We can enable these logs by configuring ssl_protocols and ssl_ciphers. Common configuration methods are as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

# 开启SSL握手和证书验证日志
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/cert/ca.pem;
ssl_certificate /usr/local/nginx/conf/cert/server.pem;
ssl_certificate_key /usr/local/nginx/conf/cert/server.key;
ssl_session_log /usr/local/nginx/logs/ssl_session.log;

Among them, ssl_session_log enables SSL handshake and certificate verification logs, and the logs can be output to the ssl_session.log file to facilitate subsequent analysis.

3. Monitor access sources

Network attacks often use HTTP Referer or HTTP User Agent to deceive the server and obtain illegal permissions. Therefore, we need to monitor access sources in a timely manner to prevent malicious access.

We can use Nginx to configure the access_log log format and log path to monitor access sources. The common configuration methods are as follows:

log_format referer '$remote_addr [$time_local] "$request" "$http_referer" "$http_user_agent"';

access_log /usr/local/nginx/logs/referer.log referer;

In this way, we can combine Referer and User Agent outputs to the referer.log file for subsequent analysis.

4. Summary

Nginx log analysis and HTTP/HTTPS security audit practices can improve network security prevention capabilities and help us discover and handle security vulnerabilities and malicious requests in a timely manner. Through the configuration method introduced in this article, we can easily monitor HTTP and HTTPS requests and analyze the access source. I hope everyone can make good use of these tools in actual work and improve their safety level.

The above is the detailed content of Nginx log analysis and HTTP/HTTPS security audit practice. For more information, please follow other related articles on the PHP Chinese website!