如何防止nginx泄露自己的私人地址?

tag-icon tag-icon nginx http-headers
如何防止nginx泄露自己的私人地址?

我有 nginx 和一些 web 服务器,如下所示:

server {
    listen    80  default_server;
    server_name _;
    return      444;
    access_log            /var/log/nginx/adefault.log;

}
server {
    listen 443 default;
    server_name     _;
    ssl     on;
    ssl_certificate         /etc/nginx/cert-default-ssl.pem;
    ssl_certificate_key     /etc/nginx/private-default-ssl.pem;
    return 403;
}
server {
    listen a.b.c.d:80;
    listen a.b.c.d:443 ssl;
    server_name cloud.example.com;
    if ($host = ldap.example.com) {
                 return 404;
        }
    ssl_certificate           /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/cloud.example.com/privkey.pem;


    add_header Content-Security-Policy "frame-ancestors 'self' cloud.example.com example.com";
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log            /var/log/nginx/cloud.log;
        client_max_body_size 300m;
    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_pass          https://cloud.example.com;
      proxy_read_timeout  90;
      proxy_cache_bypass $http_secret_header;


    }
   location ~ .well-known {
                 root /srv/web;
        }
  }
server {
    listen a.b.c.d:80;
    listen a.b.c.d:443 ssl;
    server_name gw.example.com;
    add_header Content-Security-Policy "frame-ancestors example.com cloud.example.com";
    ssl_certificate           /etc/letsencrypt/live/gw.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/gw.example.com/privkey.pem;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log            /var/log/nginx/gw.log;
    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_pass          https://gw.example.com;
      proxy_read_timeout  90;

    }
   location ~ .well-known {
                 root /srv/web;
        }
  }

如果我运行 nikto 这样的软件,它会告诉我

RFC-1918 在“位置”标头中发现 IP 地址。该 IP 是...

如何防止 nginx 向 http 客户端返回其私有 IP 地址?

答案1

Location标头用于外部重定向。尝试在相关server容器中设置以下内容:

server_name_in_redirect on

让 Nginx 使用标头server_name中定义的Location

答案2

根据这个答案:https://serverfault.com/a/389136/129090我已采取以下解决方法:

if ($server_protocol ~* "HTTP/1.0") {
return 444;
}

注意:通过这个我可以防止泄露 nginx 服务器的内部 IP 地址,但是 http 客户端不会获取状态 4​​44。

相关内容