為 Nginx Web 伺服器保駕護航的若干要點
- 2019 年 12 月 13 日
- 筆記
Nginx是全球發展勢頭最猛的開源輕量級高性能Web伺服器系統。Nginx可在Linux、 Windows、Mac OS和Solaris等作業系統上運行。Nginx繼續人氣激增,意味著越來越多的Nginx部署環境需要加以保護。
我們在本教程中將介紹幾個常見的Nginx伺服器安全要點。
要求
- 運行Ubuntu 18.04或Debian 9的伺服器
- 你的伺服器上已設置了root密碼
1.安裝Nginx
首先要把Nginx安裝到系統上。運行下列命令來安裝它:
apt-get install nginx -y
一旦Nginx安裝完畢,可以用下列命令檢查Nginx的狀態:
systemctl status nginx
你應該會看到下列輸出:
?nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2019-03-10 02:43:14 UTC; 4min 40s ago Docs: man:nginx(8) Process: 2271 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS) Process: 2281 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Process: 2274 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Main PID: 2285 (nginx) Tasks: 2 (limit: 1111) CGroup: /system.slice/nginx.service ??2285 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; ??2290 nginx: worker process Mar 10 02:43:14 ubuntu1804 systemd[1]: Starting A high performance web server and a reverse proxy server... Mar 10 02:43:14 ubuntu1804 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument Mar 10 02:43:14 ubuntu1804 systemd[1]: Started A high performance web server and a reverse proxy server.
2.更新Nginx
你需要更新Nginx Web伺服器系統,因為許多性能上的改進、新的功能和安全修補程式在不斷添加。大多數現代Linux發行版不會在默認軟體包列表中隨帶新版的Nginx。所以你需要通過軟體包管理器來更新新版的Nginx。可以用下列命令來更新Nginx Web伺服器系統:
apt-get update -y apt-get install nginx --reinstall -y
3.防止資訊透露
首先需要防止Nginx透露其版本資訊。
默認情況下,Nginx在HTTP報頭中顯示其名稱和版本。
你可以用下列命令來檢查:
curl -I http://localhost
在上述輸出中,應該會看到Nginx和作業系統的版本。
可以編輯/etc/nginx/nginx.conf文件,隱藏這部分資訊:
nano /etc/nginx/nginx.conf
在http配置部分裡面添加server_tokens off這一行:
http { ## # Basic Settings ## server_tokens off;
完成之後保存並關閉文件。然後重啟Nginx Web伺服器系統使變更生效:
systemctl restart nginx
現在再次運行curl命令:
curl -I http://localhost
應該會看到下列輸出:
HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Mar 2019 15:33:31 GMT Content-Type: text/html Content-Length: 10918 Last-Modified: Fri, 01 Feb 2019 16:05:17 GMT Connection: keep-alive ETag: "5c546e3d-2aa6" Accept-Ranges: bytes
4.限制IP被訪問
Nginx隨帶一個名為ngx_http_access_module的簡單模組,允許或拒絕某個特定的IP地址。
如果你想允許從172.16.0.0/16訪問Nginx,但拒絕來自其他子網的訪問,那麼打開/etc/nginx/sites-enabled/default文件:
nano /etc/nginx/sites-enabled/default
在server block裡面進行下列更改:
server { listen 80 default_server; listen [::]:80 default_server; allow 172.16.0.0/16; deny all;
完成後保存並關閉文件。然後重啟Nginx使這些變更生效:
systemctl restart nginx
現在,試著從192.168.0.102之類的其他IP地址範圍來訪問Nginx伺服器。
下一步,用下列命令檢查Nginx日誌:
tail -f /var/log/nginx/error.log
你應該會在下列輸出中看到訪問被禁止:
2019/03/09 16:13:01 [error] 11589#11589: *1 access forbidden by rule, client: 192.168.0.102, server: _, request: "GET /test/ HTTP/1.1", host: "172.16.0.122"
5.用TLS保護Nginx
傳輸層安全(TLS)是安全套接層(SSL)的後續技術。它提供更強大更高效的HTTPS,含有更多的改進,比如Forward Secrecy、與現代的OpenSSL密碼組以及HSTS。本教程介紹如何在Nginx中啟用自簽名的SSL證書。如果你想改而使用let's Encrypt證書,不妨參閱:https://www.howtoforge.com/tutorial/nginx-with-letsencrypt-ciphersuite/。
先用下列命令為SSL創建目錄:
mkdir /etc/nginx/ssl/
接下來,用下列命令創建密鑰和證書:
cd /etc/nginx/ssl/
先用下列命令創建密鑰:
openssl genrsa -aes256 -out nginx.key 1024
你會看到下列輸出:
Generating RSA private key, 1024 bit long modulus ...++++++ .............................++++++ e is 65537 (0x010001) Enter pass phrase for nginx.key: Verifying - Enter pass phrase for nginx.key:
接下來用下列命令創建csr:
openssl req -new -key nginx.key -out nginx.csr
提供所有資訊,如下所示:
Generating RSA private key, 1024 bit long modulus ...++++++ .............................++++++ e is 65537 (0x010001) Enter pass phrase for nginx.key: Verifying - Enter pass phrase for nginx.key: root@ubuntu1804:~# openssl req -new -key nginx.key -out nginx.csr Enter pass phrase for nginx.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:Gujarat Locality Name (eg, city) []:Junagadh Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:HITESH Email Address []:admin@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:admin An optional company name []:IT
接下來用下列命令簽名證書:
openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
你會看到下列輸出:
Signature ok subject=C = IN, ST = Gujarat, L = Junagadh, O = IT, OU = IT, CN = HITESH, emailAddress = admin@example.com Getting Private key Enter pass phrase for nginx.key:
接下來打開Nginx默認虛擬主機文件,定義證書:
nano /etc/nginx/sites-enabled/default
進行下列更改:
server { listen 192.168.0.100:443 ssl; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
完成後保存並關閉文件。然後重啟Nginx伺服器使這些變更生效:
systemctl restart nginx
6.用密碼保護目錄
創建Nginx Web伺服器時,還可以用密碼來保護特定的目錄。可以使用.htpasswd文件來做到這一點。
為此用下列命令創建passwd文件,並為它添加用戶:
mkdir /etc/nginx/.htpasswd htpasswd -c /etc/nginx/.htpasswd/passwd admin
你會看到下列輸出:
New password: Re-type new password: Adding password for user admin
接下來用下列命令在Nginx Web root裡面創建測試目錄。
mkdir /var/www/html/test
接下來用下列命令為www-data user賦予所有權:
chown -R www-data:www-data /var/www/html/test
接下來用下列命令打開Nginx默認虛擬主機文件:
nano /etc/nginx/sites-enabled/default
接下來保護測試目錄,如下所示:
location /test { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd/passwd;
完成後保存並關閉文件。然後重啟Nginx服務使這些變更生效:
systemctl restart nginx
接下來打開Web瀏覽器,輸入URL http://your-server-ip/test。系統會提示你輸入用戶名和密碼,訪問測試目錄,如下所示:
恭喜你!你已成功保護了Ubuntu 18.04伺服器上的Nginx伺服器系統。但願本文可保護你放在Nginx Web伺服器上的應用程式。想了解更多資訊,可以查閱Nginx安全文檔(https://docs.nginx.com/nginx/admin-guide/security-controls/)。
