Author: Igor Furseev

Recent security patches have covered many security vulnerabilities. Some of the changes are delivered through .htaccess files in the Magento root directory or in specific directories (for example, the shell directory). If your Magento 1.x installation runs on Apache 2, these fixes are applied automatically, but if you prefer Nginx they will not work. In this post we show a correct Nginx configuration that gives the same result, along with some additional configuration.

Let's start with the general contents of the Nginx configuration file. It should be found at the following path (which may differ depending on your Nginx installation): /etc/nginx/sites-available/your-site-name, and sometimes under /etc/nginx/sites-available/default. With all our modifications applied, the file contents should look like the example below:
```nginx
server {
    listen 80;
    listen 443 default ssl;
    ssl_certificate /etc/ssl/private/ssl-certificate-name.cer;
    ssl_certificate_key /etc/ssl/private/ssl-certificate-key.key;

    # disabling SSLv3 in order to avoid poodle attack
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Weak Diffie-Hellman and the Logjam Attack
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    server_name website.com;
    root /path/to/magento/root;

    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;

    location / {
        index index.html index.php;     ## Allow a static html file to be shown first
        try_files $uri $uri/ @handler;  ## If missing pass the URI to Magento's front handler
        expires 30d;                    ## Assume all files are cachable
    }

    location @handler {
        rewrite / /index.php;
    }

    location ~ \.php(/.*)? {
        if (!-e $request_filename) { rewrite / /index.php break; }
        expires off;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        root /path/to/magento/root;
        fastcgi_param SCRIPT_FILENAME /path/to/magento/root$fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_read_timeout 18000;  # set phpscript executing timeout
        include fastcgi_params;
    }

    location /api {
        rewrite ^/api/rest /api.php?type=rest;
    }

    # the dot before the extension list is escaped so it matches a literal "."
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml|txt)$ {
        root /path/to/magento/root;
        access_log off;
        expires max;
    }

    ## downloader directory password
    location /downloader {
        auth_basic "Halt! Please, confirm your identity";
        auth_basic_user_file /etc/nginx/.htpasswd;
        index index.php;
    }

    ## restrict var, dev and .git directory from external access
    ## restrict cron.php from external access
    location ^~ /.git/ { return 403; }
    location ^~ /cron.php { return 403; }
    location ^~ /dev/ { return 403; }
    location ^~ /var/ { return 403; }
}
```
Let's look at the details.

First, we need to restrict the SSL protocol versions our store accepts in order to avoid their vulnerabilities. We will only use TLS:

```nginx
# disabling SSLv3 in order to avoid poodle attack
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```
We also need stronger parameters for the Diffie-Hellman key exchange:

```nginx
# Weak Diffie-Hellman and the Logjam Attack
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
```

For this we need to generate 2048-bit DH parameters at the specified path. This can be done from a bash shell:

```bash
sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
```
We should also restrict the downloader directory with htpasswd protection:

```nginx
## downloader directory password
location /downloader {
    auth_basic "Halt! Please, confirm your identity";
    auth_basic_user_file /etc/nginx/.htpasswd;
    index index.php;
}
```

For this, generate the /etc/nginx/.htpasswd file from a bash shell:

```bash
htpasswd -c /etc/nginx/.htpasswd username
```
Finally, restrict web access to the var and dev (Magento 1.9.1.x) directories and to cron.php. If you use git for version control (not recommended on a production server), you should also restrict the .git directory:

```nginx
## restrict var, dev and .git directory from external access
## restrict cron.php from external access
location ^~ /.git/ { return 403; }
location ^~ /cron.php { return 403; }
location ^~ /dev/ { return 403; }
location ^~ /var/ { return 403; }
```

That's it. After making all the changes above, Nginx should be restarted:

```bash
sudo systemctl restart nginx
```
To check the result (ideally before and after the changes), you can use magereport.com and ssllabs.com for SSL vulnerability checks.

Also, if needed, the file contents given in this post can be used as your Nginx configuration file (we assume all paths and domain names have been updated correctly). Thanks for reading!
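Before reaching for the external scanners, it is useful to have a local pre-check that confirms the hardening directives from this post are actually present in the config file you are about to deploy. The script below is an added example and not part of the original post; it is a small regex-based auditor that reads a server block as text and reports which of the post's recommendations are missing: SSLv2/SSLv3 still allowed, the cipher string not excluding the aNULL/eNULL/EXPORT/RC4/MD5 families, `ssl_prefer_server_ciphers` or `ssl_dhparam` absent, any of /.git/, /cron.php, /dev/, /var/ not answered with 403, or /downloader lacking `auth_basic`. Both sample configs embedded in it are constructed for the example; the weak one deliberately keeps SSLv3, drops most cipher exclusions and omits the /.git/ block so that the audit has something to report.

```python
import re

# Paths the post blocks with `return 403`, and the cipher families the post's
# ssl_ciphers string explicitly excludes with a leading '!'.
RESTRICTED_PATHS = ("/.git/", "/cron.php", "/dev/", "/var/")
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5")

# Constructed sample (not a real site's config): SSLv3 left on, a short cipher
# list without most exclusions, and no /.git/ block, so the audit has findings.
WEAK_CONFIG = """
server {
    listen 443 default ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;
    location /downloader {
        auth_basic "Halt! Please, confirm your identity";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    location ^~ /cron.php { return 403; }
    location ^~ /dev/ { return 403; }
    location ^~ /var/ { return 403; }
}
"""

# Constructed sample carrying the directives the post recommends.
HARDENED_CONFIG = """
server {
    listen 443 default ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;
    location /downloader {
        auth_basic "Halt! Please, confirm your identity";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    location ^~ /.git/ { return 403; }
    location ^~ /cron.php { return 403; }
    location ^~ /dev/ { return 403; }
    location ^~ /var/ { return 403; }
}
"""


def directive(config, name):
    """Argument string of the first `name ...;` directive, or None if absent."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);", config)
    return m.group(1).strip() if m else None


def location_body(config, modifier, path):
    """Body of `location <modifier> <path> { ... }`. Only flat (non-nested)
    bodies are handled, which is all the post's restriction blocks need."""
    pattern = (r"location\s+" + re.escape(modifier) + r"\s*" + re.escape(path)
               + r"\s*\{([^}]*)\}")
    m = re.search(pattern, config)
    return m.group(1) if m else None


def blocks_path(config, path):
    """True if `location ^~ <path>` exists and returns 403."""
    body = location_body(config, "^~", path)
    return body is not None and re.search(r"return\s+403\s*;", body) is not None


def downloader_protected(config):
    """True if the plain-prefix /downloader block carries auth_basic."""
    body = location_body(config, "", "/downloader")
    return (body is not None
            and re.search(r"\bauth_basic\s", body) is not None
            and "auth_basic_user_file" in body)


def audit(config):
    """Return a list of findings; an empty list means every hardening
    directive from the post is present."""
    findings = []
    protocols = (directive(config, "ssl_protocols") or "").split()
    if not protocols:
        findings.append("ssl_protocols not set")
    elif "SSLv2" in protocols or "SSLv3" in protocols:
        findings.append("ssl_protocols still permits SSLv2/SSLv3 (POODLE)")
    ciphers = (directive(config, "ssl_ciphers") or "").strip("'\"")
    excluded = {c[1:] for c in ciphers.split(":") if c.startswith("!")}
    missing = [e for e in REQUIRED_EXCLUSIONS if e not in excluded]
    if missing:
        findings.append("ssl_ciphers does not exclude: " + ", ".join(missing))
    if directive(config, "ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if directive(config, "ssl_dhparam") is None:
        findings.append("ssl_dhparam not set (default DH parameters, Logjam)")
    for path in RESTRICTED_PATHS:
        if not blocks_path(config, path):
            findings.append(path + " is not blocked with return 403")
    if not downloader_protected(config):
        findings.append("/downloader is not protected by auth_basic")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(cfg) or ["no findings"])
```

Run it against a real file with `audit(open("/etc/nginx/sites-available/your-site-name").read())`. Note that this only checks that the directives are written down; it does not model Nginx's location precedence, in which a regex location such as `~ \.php(/.*)?` is chosen ahead of a plain prefix location like `/downloader` when both match the same request. The live behaviour therefore still needs to be confirmed with a request to the running server, which is exactly what the external checks above are for.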