如何提高Nginx的安全與性能

#?不要將nginx版本號在錯誤頁面或服務器頭部中顯示 server_tokens?off;  #不允許頁面從框架frame?或?iframe中顯示，這樣能避免clickjacking #?http://en.wikipedia.org/wiki/clickjacking #?如果你允許[i]frames,?你能使用sameorigin?或在allow-from中設置你的允許的url #?https://developer.mozilla.org/en-us/docs/http/x-frame-options add_header?x-frame-options?sameorigin;  #當你的網站是用戶提供的內容比如博客論壇等，使用?x-content-type-options:?nosniff?頭部, #?這是為了失效某些瀏覽器的內容類型探嗅 #?https://www.owasp.org/index.php/list_of_useful_http_headers #?當前支持ie?>?8以上版本?http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx #?http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx #firefox?https://bugzilla.mozilla.org/show_bug.cgi?id=471020 add_header?x-content-type-options?nosniff;  #?防止跨站腳本?cross-site?scripting?(xss)?，目前已經被大多數瀏覽器支持 #默認是激活的，如果被用戶失效，可以使用這個配置激活。 #?https://www.owasp.org/index.php/list_of_useful_http_headers add_header?x-xss-protection?"1;?mode=block";  #激活內容安全策略content?security?policy?(csp)?，大部分瀏覽器支持 #?告訴瀏覽器只能從本域名和你顯式指定的網址下載腳本。 #?http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful add_header?content-security-policy?"default-src?'self';?script-src?'self'?'unsafe-inline'?'unsafe-eval'?https://ssl.google-analytics.com?https://assets.zendesk.com?https://connect.facebook.net;?img-src?'self'?https://ssl.google-analytics.com?https://s-static.ak.facebook.com?https://assets.zendesk.com;?style-src?'self'?'unsafe-inline'?https://fonts.googleapis.com?https://assets.zendesk.com;?font-src?'self'?https://themes.googleusercontent.com;?frame-src?https://assets.zendesk.com?https://www.facebook.com?https://s-static.ak.facebook.com?https://tautt.zendesk.com;?object-src?'none'";  server?{ listen?443?ssl?default?deferred; server_name?.forgott.com;  ssl_certificate?/etc/nginx/ssl/star_forgott_com.crt; ssl_certificate_key?/etc/nginx/ssl/star_forgott_com.key;  #激活會話重續提高https性能 #?http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html ssl_session_cache?shared:ssl:50m; ssl_session_timeout?5m;  #?diffie-hellman?parameter?for?dhe?ciphersuites,?recommended?2048?bits ssl_dhparam?/etc/nginx/ssl/dhparam.pem;  #激活服務器端保護免于beast?攻擊 #?http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers?on; #?失效?sslv3(自nginx?0.8.19默認激活)?http://en.wikipedia.org/wiki/secure_sockets_layer#ssl_3.0 ssl_protocols?tlsv1?tlsv1.1?tlsv1.2; #?為保密性和相容性選擇密碼 #?http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html ssl_ciphers?"ecdhe-rsa-aes256-gcm-sha384:ecdhe-rsa-aes128-gcm-sha256:dhe-rsa-aes256-gcm-sha384:dhe-rsa-aes128-gcm-sha256:ecdhe-rsa-aes256-sha384:ecdhe-rsa-aes128-sha256:ecdhe-rsa-aes256-sha:ecdhe-rsa-aes128-sha:dhe-rsa-aes256-sha256:dhe-rsa-aes128-sha256:dhe-rsa-aes256-sha:dhe-rsa-aes128-sha:ecdhe-rsa-des-cbc3-sha:edh-rsa-des-cbc3-sha:aes256-gcm-sha384:aes128-gcm-sha256:aes256-sha256:aes128-sha256:aes256-sha:aes128-sha:des-cbc3-sha:high:!anull:!enull:!export:!des:!md5:!psk:!rc4";  #?激活ocsp?stapling?（一種機制：一個網站可以保護隱私可擴展的方式傳達的證書撤銷信息給訪問者）mechanism?by?which?a?site?can?convey?certificate?revocation?information?to?visitors?in?a?privacy-preserving,?scalable?manner) #?http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ resolver?8.8.8.8; ssl_stapling?on; ssl_trusted_certificate?/etc/nginx/ssl/star_forgott_com.crt;  #?配置激活hsts(http?strict?transport?security)?https://developer.mozilla.org/en-us/docs/security/http_strict_transport_security #避免ssl?stripping?https://en.wikipedia.org/wiki/ssl_stripping#ssl_stripping add_header?strict-transport-security?"max-age=31536000;?includesubdomains;";  #?...?the?rest?of?your?configuration }  #?redirect?all?http?traffic?to?https server?{ listen?80; server_name?.forgott.com; return?301?https://$host$request_uri; }