Spring 文件映射存在漏洞，改用 nginx 作为文件服务器
# API 路径代理
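location /prod_api/ {
    # Forward API calls to the Spring backend. The trailing "/" on proxy_pass makes
    # nginx replace the matched /prod_api/ prefix, so /prod_api/x becomes /x upstream.
    proxy_pass http://localhost:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    # Optional tuning
    proxy_buffers 256 4k;
    proxy_max_temp_file_size 0k;   # 0 = never spill buffered responses to temp files on disk
    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    proxy_next_upstream error timeout invalid_header http_502;
    # add_header in a location REPLACES the server-level add_header set instead of
    # merging with it, so the global security headers would be missing on every API
    # response as soon as the marker header below is present. Re-declare the baseline
    # here; "always" also attaches them to 4xx/5xx responses coming from the backend.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header XX-proxy-for "api";   # marker header: tells API and static responses apart while testing
}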
# 静态文件映射
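location /prod_api/prefix/ {
    # Uploaded files are served straight from disk by nginx (replaces the Spring
    # resource mapping). Keep the trailing "/" on BOTH the location prefix and the
    # alias: a prefix without it would let request paths map outside uploadPath.
    alias /home/prefix/uploadPath/;
    # "expires 30d" already emits Expires and Cache-Control: max-age=2592000; the
    # explicit Cache-Control below only adds "public" (sent as a second header value).
    expires 30d;
    add_header Cache-Control "public, max-age=2592000";
    # add_header in a location replaces the server-level set, so every security
    # header wanted on uploaded content must be listed here explicitly.
    add_header X-Content-Type-Options nosniff always;   # no MIME sniffing of user-supplied files
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options DENY always;              # uploads must never be framed
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # NOTE(review): if uploads may include HTML or SVG, consider serving them with
    # add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    # so a directly opened upload cannot run script in this origin. Verify first
    # that direct PDF/media viewing still works with that policy.
    # Force HTTPS: the server-level HSTS header is NOT inherited here; uncomment if
    # this host is served over HTTPS only.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header XX-proxy-for "nginx";   # marker header: tells API and static responses apart while testing
}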
nginx其他安全配置
#=====================================================================================
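server_tokens off;   # hide the nginx version in the Server header and error pages
autoindex off;       # never list directory contents (the default, stated explicitly)
# These add_header lines apply only to locations that define NO add_header of their
# own; the two locations above each set one and therefore do not inherit this set.
# "always" attaches the headers to error responses as well as 2xx/3xx.
# Only one Referrer-Policy is sent: a second value ("origin") was dropped because
# two conflicting Referrer-Policy headers leave the effective policy up to the browser.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Download-Options "noopen" always;
# includeSubdomains + preload commits every subdomain to HTTPS and is hard to undo
# once submitted to the browser preload list; confirm before keeping "preload".
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy filter header; current browsers ignore it, CSP is the effective control.
# (A misspelled "X-Xss-header" duplicate was removed – browsers do not recognise it.)
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Permissions-Policy "geolocation=self" always;
# 'unsafe-inline' and 'unsafe-eval' mean this policy does not stop injected scripts;
# tighten to nonces/hashes once the front end can run without them.
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: mediastream: data: " always;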
#==================================================================================================