Practical Security Tips
20.0 Introduction
Security is done in layers, and much like an onion, there must be
multiple layers to your security model for it to be truly hardened. In
Part II of this book, we’ve gone through many different ways to
secure your web applications with NGINX and NGINX Plus. Many
of these security methods can be used in conjunction to help harden
security. The following are a few more practical security tips to
ensure your users are using HTTPS and to tell NGINX to satisfy one
or more security methods.
20.0 Introduction
Our systems are usually layered, so a security strategy has to provide a solution for each layer of the architecture. Part II of this book has already introduced many security strategies, and the solutions from several of those chapters can be combined to strengthen your defenses. This chapter takes a practical angle and explains how to build secure HTTPS and NGINX server configurations.
20.1 HTTPS Redirects: Redirecting to the HTTPS Protocol
Problem
You need to redirect unencrypted requests to HTTPS.
Problem
You need to redirect user requests from HTTP to HTTPS.
Solution
Use a rewrite to send all HTTP traffic to HTTPS:
server {
    listen 80 default_server;        # IPv4, catch-all server on port 80
    listen [::]:80 default_server;   # IPv6, catch-all server on port 80
    server_name _;                   # matches any hostname
    return 301 https://$host$request_uri;   # permanent redirect to HTTPS
}
This configuration listens on port 80 as the default server for both
IPv4 and IPv6 and for any hostname. The return statement returns
a 301 permanent redirect to the HTTPS server at the same host and
request URI.
Solution
Use a rewrite to redirect all HTTP requests to HTTPS:
server {
    listen 80 default_server;        # IPv4, catch-all server on port 80
    listen [::]:80 default_server;   # IPv6, catch-all server on port 80
    server_name _;                   # matches any hostname
    return 301 https://$host$request_uri;   # permanent redirect to HTTPS
}
The server block listens on port 80 on all IPv4 and IPv6 addresses, and the return directive redirects the request, including its request URI, to the HTTPS server at the same hostname, answering the client with a 301 status code.
Discussion
It’s important to always redirect to HTTPS where appropriate. You
may find that you do not need to redirect all requests but only those
with sensitive information being passed between client and server.
In that case, you may want to put the return statement in particular
locations only, such as /login.
Conclusion
Redirecting HTTP requests to HTTPS where necessary is important for system security. Sometimes we do not need to redirect every user request to the HTTPS server, but only those that carry sensitive user data, such as the user login service.
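The discussions above (both the English and the translated one) mention scoping the redirect to particular locations such as /login rather than the whole site. The following configuration is an added example, not one of the book's own recipes: it shows that variant next to the HTTPS server that receives the redirected requests. The hostname example.com, the document root /var/www/example and the certificate paths are assumed values.

```nginx
# Added example (not from the book): force HTTPS only for the sensitive
# part of the site, leaving the rest of the plain-HTTP site untouched.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;            # assumed hostname

    # Only requests under /login are sent to the HTTPS server.
    # $request_uri keeps the original path and query string intact.
    location /login {
        return 301 https://$host$request_uri;
    }

    # Everything else is still served over plain HTTP.
    location / {
        root /var/www/example;          # assumed document root
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/example.com.key;

    location / {
        root /var/www/example;
    }
}
```

Two points worth checking when you deploy a redirect like this. First, $host is taken from the request line or the client's Host header and only falls back to the server name when neither is present, so on a catch-all `server_name _;` default server the redirect target echoes whatever hostname the client supplied; if the listener should only ever send users to one known site, hardcode that hostname (or use $server_name) in the return directive. Second, after reloading NGINX, confirm the behaviour with `curl -I http://example.com/login`: the response should be a 301 whose Location header starts with https://, while `curl -I http://example.com/` should still return 200 for the paths you chose not to redirect.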