I have nginx in front of some web servers, configured as shown below:
server {
    listen 80 default_server;
    server_name _;
    return 444;
    access_log /var/log/nginx/adefault.log;
}
server {
    listen 443 default;
    server_name _;
    ssl on;
    ssl_certificate /etc/nginx/cert-default-ssl.pem;
    ssl_certificate_key /etc/nginx/private-default-ssl.pem;
    return 403;
}
server {
    listen a.b.c.d:80;
    listen a.b.c.d:443 ssl;
    server_name cloud.example.com;
    if ($host = ldap.example.com) {
        return 404;
    }
    ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
    add_header Content-Security-Policy "frame-ancestors 'self' cloud.example.com example.com";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/cloud.log;
    client_max_body_size 300m;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://cloud.example.com;
        proxy_read_timeout 90;
        proxy_cache_bypass $http_secret_header;
    }
    location ~ .well-known {
        root /srv/web;
    }
}
server {
    listen a.b.c.d:80;
    listen a.b.c.d:443 ssl;
    server_name gw.example.com;
    add_header Content-Security-Policy "frame-ancestors example.com cloud.example.com";
    ssl_certificate /etc/letsencrypt/live/gw.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gw.example.com/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/gw.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://gw.example.com;
        proxy_read_timeout 90;
    }
    location ~ .well-known {
        root /srv/web;
    }
}
If I run a scanner such as nikto, it reports:
    RFC-1918 IP address found in the 'Location' header. The IP is...
How can I prevent nginx from returning its private IP address to HTTP clients?
Answer 1
The Location header is used for external redirects. Try setting the following in the relevant server block:
    server_name_in_redirect on
so that nginx uses the server_name defined there in the Location header.
Answer 2
Based on this answer: https://serverfault.com/a/389136/129090 I have adopted the following workaround:
    if ($server_protocol ~* "HTTP/1.0") {
        return 444;
    }
Note: with this I can prevent leaking the nginx server's internal IP address, but the HTTP client does not receive status 444.
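To verify either fix without re-running a full scan, the following added check (not code from the question or either answer) parses a captured HTTP response and reports an RFC 1918 host in its Location header; the two sample responses are constructed and assume nginx's automatic trailing-slash redirect for the request "GET /admin".

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not real captures): the first shows the
# redirect leaking a backend RFC 1918 address, the second the same redirect
# after server_name_in_redirect on makes nginx use the configured server_name.
LEAKY_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: http://10.0.0.5/admin/\r\n"
    "Content-Length: 0\r\n\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://cloud.example.com/admin/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# The three private ranges defined by RFC 1918 (what nikto's finding refers to).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_private_ip(raw: str):
    """Return the RFC 1918 address used as host in Location, or None."""
    location = parse_headers(raw).get("location")
    if not location:
        return None
    host = urlsplit(location).hostname  # strips port and IPv6 brackets
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal: nothing leaked
    return str(addr) if any(addr in net for net in RFC1918_NETS) else None


if __name__ == "__main__":
    for name, resp in (("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, "->", leaked_private_ip(resp))
```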