Home > Article > Operation and Maintenance > Nginx Web security attack and defense practice
Nginx is a high-performance web server widely used in Internet and enterprise-level applications. In addition to providing excellent performance and reliability, Nginx also has some powerful security features. In this article, we will delve into Nginx's practical web security attack and defense, and introduce how to protect web applications from various attacks.
SSL/TLS is an encrypted communication protocol essential for protecting web applications. By using SSL/TLS, you can encrypt all web communications, thereby protecting sensitive data from hackers theft and tampering. To enable SSL/TLS in Nginx, you need to install an SSL/TLS certificate, which needs to be signed by a trusted Certificate Authority (CA). The following is a simple Nginx configuration to enable SSL/TLS:
server { listen 443 ssl; server_name mywebsite.com; ssl_certificate /path/to/cert.crt; ssl_certificate_key /path/to/cert.key; location / { # Your web application logic... } }
In the above configuration, the listen 443 ssl;
directive tells Nginx to use the standard 443 port and enable SSL/TLS. The ssl_certificate
and ssl_certificate_key
directives specify the file path of the SSL/TLS certificate and private key.
HTTP2 is a new network protocol that can provide faster web page loading speed and better performance than the traditional HTTP 1.1. When you use HTTP2, you can get multiple files or resources from the server at the same time, and they can use binary instead of text format, making communication faster. At the same time, HTTP2 also provides better security, such as server push, which can transfer multiple files to the client at once, thus reducing round-trip time. To enable HTTP2 in Nginx, you can use the following configuration:
server { listen 443 ssl http2; server_name mywebsite.com; ssl_certificate /path/to/cert.crt; ssl_certificate_key /path/to/cert.key; location / { # Your web application logic... } }
In the above configuration, we added the http2
option to the in the
listen directive ssl
option to enable HTTP2.
SQL injection is a very popular attack method. Hackers can access the database by injecting malicious code, steal sensitive information or destroy data integrity. . In Nginx, you can prevent SQL injection attacks by using the following configuration:
location / { # Your web application logic... # Block SQL injection attacks if ($args ~ "(<|%3C).*script.*(>|%3E)" ) { return 403; } }
In the above configuration, we have used a regular expression to check whether the script is included in the parameters of the request. If it is because of a script, a 403 error will be returned and the request will be rejected.
Cross-site request forgery (CSRF) is a very common attack method that hackers can use to deceive users into doing things they don’t know perform malicious actions under certain circumstances. To prevent CSRF attacks, you can add the following code to your Nginx configuration:
location / { # Your web application logic... # Block CSRF attacks if ($http_referer !~ "^https?://mywebsite.com") { return 403; } }
In the above configuration, we have used a regular expression to check if the Referer
header of the request matches our Match your own website domain name. If there is no match, a 403 error will be returned and the request will be rejected.
Distributed denial of service (DDoS) attacks are a very popular attack method. Hackers will use a large amount of computing resources to simulate a large number of networks. traffic, causing the target web server to crash. In Nginx, you can prevent DDoS attacks through the following configuration:
http { # Define blacklist zone geo $blacklist { default 0; # Add IP address to blacklist if over 100 connections per IP # in the last 10 seconds limit_conn_zone $binary_remote_addr zone=blacklist:10m; limit_conn blacklist 100; } server { listen 80 default_server; server_name mywebsite.com; # Add IP addresses to whitelist allow 192.168.1.1/24; deny all; # Block blacklisted IP addresses if ($blacklist = 1) { return 403; } location / { # Your web application logic... } } }
In the above configuration, we used Nginx’s limit_conn_zone
and limit_conn
modules to limit each The number of simultaneous connections to an IP address. We have also added a whitelist that allows specific IP address ranges and only blocks access if the IP address is not in the whitelist and exceeds the connection limit.
Summary
Nginx has many powerful web security features that you can use to protect your web applications from various attacks. In this article, we introduce the following important security measures:
Referer
header in the request to reject illegal requests. limit_conn_zone
and limit_conn
modules to limit the number of simultaneous connections per IP address, and use whitelists to allow access to specific IP addresses. By using the security measures described above, you can protect the security of your web applications and protect them from various attacks.
The above is the detailed content of Nginx Web security attack and defense practice. For more information, please follow other related articles on the PHP Chinese website!