常见nginx安全配置

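# Plain-HTTP listener: every request on :80 is sent to the HTTPS site.
server {
        listen 80 default_server;
        listen [::]:80;
        server_name _;
        server_tokens off;
        # `return 301` is the idiomatic HTTP->HTTPS redirect. The previous
        # `rewrite ^(.*) https://baron.com;` answered with a temporary 302 and
        # dropped the request path and query string; $request_uri keeps them
        # so deep links and bookmarks survive the upgrade to HTTPS.
        return 301 https://baron.com$request_uri;
}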

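# Origin for the static front-end. It is only ever reached through the TLS
# server in this file (proxy_pass http://localhost:8080/), so it binds to the
# loopback addresses: listening on all interfaces let clients reach :8080
# directly and bypass TLS, HSTS and the other security headers that the TLS
# server adds. Anything outside this host that still needs :8080 should go
# through the :443 front door instead.
server {
        listen 127.0.0.1:8080;
        listen [::1]:8080;
        root /home/ap/project/frontend;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        server_tokens off;
        location / {
                # Serve the file or directory if present, otherwise a plain 404
                # (no redirect to index, no directory listing).
                try_files $uri $uri/ =404;
        }
}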

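# Public TLS front door for pro.baron.com: terminates HTTPS, attaches the
# security headers and proxies to the two local backends. nginx only passes
# add_header directives down to a location that declares none of its own, so
# the headers below apply to both locations as long as that stays true.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pro.baron.com;
    client_max_body_size 20m;
    server_tokens off;

    ssl_certificate /etc/nginx/baron_com_chained.crt;
    ssl_certificate_key /etc/nginx/baron_com.key;
    # TLSv1.2 and TLSv1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Anti-clickjacking: the legacy header plus its CSP equivalent.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors 'self' baron.com;" always;
    # Strict-Transport-Security: one year, subdomains included.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Stop MIME sniffing of responses.
    add_header X-Content-Type-Options "nosniff" always;
    # XSS header: the browser-side auditor this header controlled has been
    # removed from current browsers and, where it survives, could itself be
    # abused to leak page content, so the recommended value is "0" (disable).
    # The earlier value "1; mode=block" switched the auditor on.
    add_header X-XSS-Protection "0" always;
    # Intended to keep timestamp-carrying headers out of responses. As written
    # these are no-ops: nginx does not emit an add_header whose value is empty,
    # and a header set by an upstream is stripped with proxy_hide_header, not
    # add_header. Left in place for the record; confirm whether either backend
    # actually sends these headers before relying on them.
    add_header X-Response-Time "";
    add_header X-Content-Duration "";
    # Disable caching, to avoid the "Re-examine Cache-control Directives"
    # warning (currently commented out).
    # add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    # add_header Pragma "no-cache" always;
    # add_header Expires "0" always;

    # Reject obvious scanner user agents. The string is trivially spoofed, so
    # this is a nuisance filter, not an access control.
    if ($http_user_agent ~* (fuzzer|scanner|crawler|spider)) {
        return 403;
    }

    # Cross-origin requests are not allowed: the allowed origin echoes this
    # site's own $host (no scheme), which a browser never matches against a
    # foreign Origin, so only same-origin use works. `X-Request-With` in the
    # allowed-headers list looks like the standard `X-Requested-With` misspelt
    # — confirm against the client before changing it.
    add_header 'Access-Control-Allow-Origin' $host always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization, X-Request-With' always;

    # Static front-end served by the nginx instance on :8080.
    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080/;
    }

    # API backend on :9080. The forwarding headers let it see the real client
    # address and the original scheme behind this proxy.
    location ^~ /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;

        # Preflight is answered here without touching the backend; the
        # server-level headers carry `always`, so they are attached to the
        # 204 as well.
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        proxy_pass http://localhost:9080/api/;
    }
}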