Nginx Web security attack and defense practice

Nginx is a high-performance web server widely used in Internet and enterprise-level applications. In addition to providing excellent performance and reliability, Nginx also has some powerful security features. In this article, we will delve into Nginx's practical web security attack and defense, and introduce how to protect web applications from various attacks.

1. Configuring SSL/TLS

SSL/TLS is an encrypted communication protocol essential for protecting web applications. By using SSL/TLS, you can encrypt all web communications, thereby protecting sensitive data from hackers theft and tampering. To enable SSL/TLS in Nginx, you need to install an SSL/TLS certificate, which needs to be signed by a trusted Certificate Authority (CA). The following is a simple Nginx configuration to enable SSL/TLS:

server {
    listen 443 ssl;
    server_name mywebsite.com;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;

    location / {
        # Your web application logic...
    }
}

In the above configuration, the listen 443 ssl; directive tells Nginx to use the standard 443 port and enable SSL/TLS. The ssl_certificate and ssl_certificate_key directives specify the file path of the SSL/TLS certificate and private key.

2. Configuring HTTP2

HTTP2 is a new network protocol that can provide faster web page loading speed and better performance than the traditional HTTP 1.1. When you use HTTP2, you can get multiple files or resources from the server at the same time, and they can use binary instead of text format, making communication faster. At the same time, HTTP2 also provides better security, such as server push, which can transfer multiple files to the client at once, thus reducing round-trip time. To enable HTTP2 in Nginx, you can use the following configuration:

server {
    listen 443 ssl http2;
    server_name mywebsite.com;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;

    location / {
        # Your web application logic...
    }
}

In the above configuration, we added the http2 option to the in the listen directive ssl option to enable HTTP2.

3. Prevent SQL Injection

SQL injection is a very popular attack method. Hackers can access the database by injecting malicious code, steal sensitive information or destroy data integrity. . In Nginx, you can prevent SQL injection attacks by using the following configuration:

location / {
    # Your web application logic...

    # Block SQL injection attacks
    if ($args ~ "(<|%3C).*script.*(>|%3E)" ) {
        return 403;
    }
}

In the above configuration, we have used a regular expression to check whether the script is included in the parameters of the request. If it is because of a script, a 403 error will be returned and the request will be rejected.

4. Preventing Cross-site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a very common attack method that hackers can use to deceive users into doing things they don’t know perform malicious actions under certain circumstances. To prevent CSRF attacks, you can add the following code to your Nginx configuration:

location / {
    # Your web application logic...

    # Block CSRF attacks
    if ($http_referer !~ "^https?://mywebsite.com") {
        return 403;
    }
}

In the above configuration, we have used a regular expression to check if the Referer header of the request matches our Match your own website domain name. If there is no match, a 403 error will be returned and the request will be rejected.

5. Preventing DDoS attacks

Distributed denial of service (DDoS) attacks are a very popular attack method. Hackers will use a large amount of computing resources to simulate a large number of networks. traffic, causing the target web server to crash. In Nginx, you can prevent DDoS attacks through the following configuration:

http {
    # Define blacklist zone
    geo $blacklist {
        default 0;
        # Add IP address to blacklist if over 100 connections per IP
        # in the last 10 seconds
        limit_conn_zone $binary_remote_addr zone=blacklist:10m;
        limit_conn blacklist 100;
    }
 
    server {
        listen 80 default_server;
        server_name mywebsite.com;

        # Add IP addresses to whitelist
        allow 192.168.1.1/24;
        deny all;

        # Block blacklisted IP addresses
        if ($blacklist = 1) {
            return 403;
        }

        location / {
            # Your web application logic...
        }
    }
}

In the above configuration, we used Nginx’s limit_conn_zone and limit_conn modules to limit each The number of simultaneous connections to an IP address. We have also added a whitelist that allows specific IP address ranges and only blocks access if the IP address is not in the whitelist and exceeds the connection limit.

Summary

Nginx has many powerful web security features that you can use to protect your web applications from various attacks. In this article, we introduce the following important security measures:

• Configure SSL/TLS certificate and encrypt communication data.
• Configure HTTP2 protocol to improve web page loading speed and performance.
• Prevent SQL injection and prevent attacks by detecting scripts in request parameters.
• Prevent CSRF attacks by checking the Referer header in the request to reject illegal requests.
• Prevent DDoS attacks, use the limit_conn_zone and limit_conn modules to limit the number of simultaneous connections per IP address, and use whitelists to allow access to specific IP addresses.

By using the security measures described above, you can protect the security of your web applications and protect them from various attacks.

The above is the detailed content of Nginx Web security attack and defense practice. For more information, please follow other related articles on the PHP Chinese website!