# Keep the build version out of the Server header and the built-in error pages;
# the header then reads plain "Server: nginx", as in the curl transcript below.
server_tokens off;
/* Version string compiled into the nginx binary (from the nginx source tree).
   NGINX_VER is what a server with server_tokens left on advertises, so the
   exact release is trivially fingerprinted unless server_tokens is off. */
#define NGINX_VERSION "1.9.15"
#define NGINX_VER "nginx/" NGINX_VERSION
# NOTE: add_header values are inherited from the enclosing level only when the
# current level has no add_header directive of its own, so any location that
# adds headers must repeat these (see the /new-headers example further down).
# Clickjacking defence: only same-origin pages may frame this site.
add_header X-Frame-Options SAMEORIGIN;
# Legacy browser XSS filter; current browsers largely ignore this header, so a
# Content-Security-Policy is the control to rely on.
add_header X-XSS-Protection "1; mode=block";
$uri
$document_uri
$request_uri
变量名 | 取值 | 是否解码 | 对应Lua Nginx模块变量名 |
---|---|---|---|
$uri | URL路径,不包括host和参数 | URL解码 | ngx.var.uri |
$document_uri | URL路径,不包括host和参数 | URL解码 | ngx.var.uri |
$request_uri | URL路径,不包括host,但包括参数 | 不进行URL解码 | ngx.var.request_uri |
rewrite
return
add_header
proxy_set_header
proxy_pass
# Vulnerable: $uri is the URL-decoded path, so an encoded CR LF in the request
# is placed raw into the Location header (CRLF injection into the response
# headers, see the curl transcript below). Use $request_uri, which nginx does
# not decode, or a fixed redirect target instead.
location /sectest {
return 302 https://$host$uri;
}
curl -v 'joychou.org/sectest/12%203%0d%0ajoychou=1'
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Fri, 30 Jun 2017 08:19:52 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://joychou.org/sectest/12 3
< joychou=1
< x-frame-options: SAMEORIGIN
# Same CRLF problem as /sectest: $uri is decoded before it lands in the
# redirect. Prefer $request_uri here; both variables already begin with "/",
# so the literal "/" after $host produces a double slash, probably unintended.
location / {
rewrite ^ https://$host/$uri;
}
server {
listen 80 default;
# Regex locations are matched against the decoded URI, and [^.]* does not
# exclude CR or LF, so the named capture can carry line breaks straight into
# the X-Action header (response header injection). Restrict the class to the
# characters actually expected (e.g. [A-Za-z0-9_-]*) before reflecting a
# capture into a header.
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
return 200 "OK";
}
}
# Vulnerable: the location prefix has no trailing slash while the alias does,
# so a request path beginning with /files.. still matches and the remainder
# ("../...") is appended to /home/, escaping the intended directory (path
# traversal, see the curl output below). The prefix and the alias must both
# end in "/" (fixed form shown further down).
location /files {
alias /home/;
}
curl http://joychou.me/files../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
# Fixed form: prefix and alias both end in "/", so only paths under /files/
# are mapped and a request for /files.. no longer matches this location.
location /files/ {
alias /home/;
}
# With a URI part after host:port, the portion of the request URI that matched
# the location prefix is replaced by /uri/ before the request is forwarded.
proxy_pass http://ip:port/uri/;
# Vulnerable: scheme, upstream host and path are all taken from the request
# path, so any client can make nginx open a connection to a host of its
# choosing, including internal ones (SSRF). Proxy to a fixed upstream or an
# explicit allowlist instead of building the target from captures. (A
# proxy_pass containing variables also needs a resolver directive for
# run-time hostname lookup.)
location ~ /proxy/(.*)/(.*)/(.*)$ {
proxy_pass $1://$2/$3;
}
Syntax: add_header name value [always];
Default: —
Context: http, server, location, if in location
server {
listen 80;
# Server-level header; inherited by a location only if that location has no
# add_header directives of its own.
add_header X-Frame-Options "DENY" always;
location / {
# No add_header here, so X-Frame-Options: DENY is inherited.
return 200 "index";
}
location /new-headers {
# This level defines its own add_header directives, which replaces the
# inherited set: X-Frame-Options is NOT sent for /new-headers unless it is
# repeated here. "always" only makes a header apply to every status code;
# it does not change inheritance.
# Add special cache control
add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
add_header Pragma "no-cache" always;
return 200 "new-headers";
}
}
# $http_host is the client's Host header verbatim (may carry a port, odd case,
# or be absent), whereas $host is normalised (lower-cased, port stripped,
# falling back to the matching server name). Forwarding the raw value hands
# client-controlled input to the upstream unchanged.
proxy_set_header Host $http_host;
# Echoes both variables so the difference between $host and $http_host can be
# observed, e.g. with a Host header that carries a port or mixed case.
location /host {
return 200 "'$host' (host) VS '$http_host' (http_host)";
}
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
https://github.com/yandex/gixy
https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html