符合PCI-DSS规范要求的Nginx模板
符合PCI-DSS规范要求的Nginx模板
- nginx.conf
user nginx;
worker_processes 1;
pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
send_timeout 60;
client_max_body_size 1024m;
sendfile on;
keepalive_timeout 65;
server_tokens off;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
map $http_origin $allow_cors {
default 1;
"~https://1.1.1.1" 1;
"~*" 0;
}
include datatrans.conf;
}
- proxy.conf
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 15s;
proxy_send_timeout 15s;
proxy_read_timeout 15s;
# 将客户端的原始IP地址添加到请求头中。
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 允许跨域预检
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Access-Control-Allow-Headers,Content-Length,Accept,Authorization,X-Requested-With,istoken,appcode';
# add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Allow-Methods' 'PUT,POST,GET,DELETE,OPTIONS';
# add_header 'Access-Control-Max-Age' 1728000;
# add_header 'Content-Type' 'text/plain charset=UTF-8';
# add_header 'Content-Length' 0;
return 204;
}
- server.conf
server {
listen 443 ssl http2 default_server;
server_name localhost 1.1.1.1:443 ;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH:EDH:!NULL:!aNULL:!3DES:!MD5";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; 5.3.2
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /opt/app/middleware/nginx/cert/nginx-selfsigned.crt;
ssl_certificate_key /opt/app/middleware/nginx/cert/nginx-selfsigned.key;
add_header X-Frame-Options "SAMEORIGIN" always; # 5.3.1
add_header X-Content-Type-Options "nosniff" always; # 5.3.2
add_header Content-Security-Policy "default-src 'self'" always; # 5.3.3
add_header Referrer-Policy "no-referrer" always; # 5.3.4
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
access_log /opt/app/logs/nginx/https.domain.access.log;
error_log /opt/app/logs/nginx/https.domain.error.log;
location ~ ^/(app) {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://localhost:8080;
}
location =/ {
rewrite ^/$ /app/ break;
}
location / {
rewrite ^/(.*)$ /app/$1 break;
return 403;
}
# location /status {
# stub_status on;
# access_log off;
# }
}
看看其他吧