A detailed guide to security configuration on nginx servers

Posted by 03ngnntds on 2019-03-02

This article introduces security configuration on nginx servers, analysing the relevant settings and the operational points to note in some detail. The specifics are as follows:

1. Disable SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing access-control security policies.

However, the additional security SELinux provides is out of proportion to the complexity of using it; the cost/benefit ratio is poor.

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
/usr/sbin/sestatus -v   # check the current status
2. Allow least privilege through partition mounting

Give the nginx directory on the server its own partition. For example, create a new partition /dev/sda5 (the first logical partition) and mount it at /nginx. Make sure /nginx is mounted with the noexec, nodev and nosuid options.

Here is the /nginx mount entry from my /etc/fstab:

LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2

Note: you need to create the new partition with the fdisk and mkfs.ext3 commands.

3. Configure /etc/sysctl.conf to harden Linux

You can control and configure the Linux kernel and its network settings by editing /etc/sysctl.conf.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
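An added verification script (not from the original article) for checking a host against sections 2 and 3: it compares live sysctl values with a hardened sysctl.conf-style file such as the one above and confirms the /nginx mount carries nosuid, nodev and noexec. The fixtures at the bottom are constructed so it runs offline; on a real host point it at /etc/sysctl.conf, `sysctl -n` and /proc/mounts.

```sh
#!/bin/sh
# Added example: audit a host against sections 2 and 3 above. The functions read
# live state by default; the constructed fixtures at the bottom let it run offline.
squeeze() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//'; }

# audit_sysctl <conf-file> [reader]: compare every "key = value" in a sysctl.conf-
# style file with the live value printed by "<reader> <key>" (default "sysctl -n").
# Prints one line per key and returns the number of mismatches.
audit_sysctl() {
    conf="$1"; reader="${2:-sysctl -n}"; failures=0
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]'); [ -n "$key" ] || continue
        want=$(squeeze "$want")
        if have=$($reader "$key" 2>/dev/null); then have=$(squeeze "$have"); else have='<unreadable>'; fi
        if [ "$have" = "$want" ]; then echo "OK   $key = $want"
        else echo "FAIL $key: want '$want', have '$have'"; failures=$((failures + 1)); fi
    done <<EOF
$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
EOF
    return "$failures"
}

# check_mount_opts <mountpoint> <opt,opt,...> [mounts-file]: verify every option is
# set on <mountpoint> in a /proc/mounts-format file (default /proc/mounts).
# Returns 0 when all are present, 1 when any is missing, 2 when not mounted.
check_mount_opts() {
    awk -v mp="$1" -v req="$2" '
        $2 == mp { found = 1; n = split($4, opts, ","); for (i = 1; i <= n; i++) has[opts[i]] = 1
                   m = split(req, want, ",")
                   for (j = 1; j <= m; j++) if (!(want[j] in has)) { print "MISSING " want[j] " on " mp; missing++ } }
        END { if (!found) { print "NOT MOUNTED " mp; exit 2 }
              exit (missing ? 1 : 0) }' "${3:-/proc/mounts}"
}
# Constructed fixtures (not from a real host): a fragment of the hardened sysctl.conf,
# a fake "sysctl -n" for a host that still forwards IP, and a /proc/mounts line
# matching the fstab entry in section 2.
tmp=$(mktemp -d)
printf '%s\n' '# Avoid a smurf attack' 'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
    'net.ipv4.ip_forward = 0' 'net.ipv4.tcp_rmem = 4096 87380 8388608' >"$tmp/hardened.conf"
fake_sysctl() {
    case "$1" in
        net.ipv4.tcp_rmem) printf '4096\t87380\t8388608\n' ;;   # sysctl -n prints tabs
        net.ipv4.*) echo 1 ;;                                    # ip_forward still on
        *) return 1 ;;
    esac
}
printf '/dev/sda5 /nginx ext3 rw,nosuid,nodev,noexec,relatime 0 0\n' >"$tmp/mounts"
audit_sysctl "$tmp/hardened.conf" fake_sysctl || echo "sysctl mismatches: $?"   # 1 (ip_forward)
check_mount_opts /nginx nosuid,nodev,noexec "$tmp/mounts" && echo "/nginx mount options OK"
```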


From the ITPUB blog, link: http://blog.itpub.net/69911024/viewspace-2637384/. Please cite the source when reposting; otherwise legal liability will be pursued.
