LNMP (Linux + Nginx + MySQL + PHP) Server Setup
Table of Contents
[TOC]
General Setup
If you are a total beginner to this, start here!
- Linux: Ubuntu 20.4.1 (`lsb_release -a`)
- Nginx 1.18.0 (`nginx -v`)
- MySQL 8.0.30-0ubuntu0.22.04.2 (`mysql --version`; note that lowercase `mysql -v` does not print the version, it starts the client in verbose mode)
- PHP 7.4.3 (`php -v`)
Server DEMO
http://10.250.128.133/

1. Login

2. Show MySQL Database (contacts information)
PHP needs the MySQL driver before it can read the contacts table. On Debian/Ubuntu the package is `php-mysql` (it ships the mysqlnd-based mysqli and PDO drivers; `php-mysqlnd` is the RHEL/Fedora package name), and php-fpm must be restarted so the extension is loaded:

```bash
sudo apt-get install php-mysql
sudo systemctl restart php7.4-fpm
```
(WEB)
(SSH)
3. Contacts Information Page

4. Add/Edit Contacts
| Add New Contact | Edit |
|---|---|
| (screenshot) | (screenshot) |
5. Delete Contacts

6. Nginx Load Balance
```nginx
http {
    # At least 2 backend servers; equal weights give plain round-robin.
    upstream loadbalancer {
        server [server1 IP] weight=1;
        server [server2 IP] weight=1;
    }

    # `location` is only valid inside a `server` block
    # (in practice this lives in /etc/nginx/sites-available/default).
    server {
        listen 80;

        location / {
            proxy_pass http://loadbalancer;
            # Pass the original Host and client IP on to the backends.
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Do not combine `try_files $uri $uri/ =404;` with proxy_pass here:
            # try_files checks the load balancer's own filesystem first and
            # answers 404 for any path that does not exist locally, so those
            # requests never reach the backends.
        }
    }
}
```

Check the syntax and reload before testing: `sudo nginx -t && sudo systemctl reload nginx`.
| Server1 | Server2 |
|---|---|
| (screenshot) | (screenshot) |
Vulnerability Scan & Fix
1. OWASP ZAP scanner
- Result:
- Alerts:

2. Fix vulnerabilities
(1) Content Security Policy (CSP) Header Not Set

In the server block of `/etc/nginx/sites-available/default`:

```nginx
add_header Content-Security-Policy "default-src 'self';" always;
```

Caveat: `default-src 'self'` blocks inline `<script>`/`<style>` blocks and anything loaded from a third-party CDN, so the contacts pages may stop rendering correctly. Ship it as `Content-Security-Policy-Report-Only` first, check the browser console for violations, then switch to the enforcing header. `always` makes nginx add the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
(2) Missing Anti-clickjacking Header

In a `.conf` file under `/etc/nginx/conf.d/` (http context) or in the server block:

```nginx
add_header X-Frame-Options sameorigin always;
```

Caveat on `add_header` inheritance: nginx only inherits `add_header` directives from an enclosing context when the current context (server or location) defines none of its own. If this header is added in `/etc/nginx/conf.d/` while the other security headers are added in the server block of `sites-available/default`, this one is silently dropped. Define all the security headers together in one context, or repeat them in every context that has its own `add_header`.
(3) Cookie No HttpOnly Flag

The cookie ZAP flags is PHP's session cookie (`PHPSESSID` by default), and it is issued by PHP, not by nginx. Putting `add_header Set-Cookie "Path=/; HttpOnly; Secure";` in the `location ~ \.php$` block only emits an extra, nameless `Set-Cookie` header and leaves `PHPSESSID` exactly as it was; `proxy_cookie_path` only rewrites cookies in responses that came through `proxy_pass`, and the PHP location uses `fastcgi_pass` to php-fpm, so it does nothing here. Set the flags in PHP's session configuration instead, in `/etc/php/7.4/fpm/php.ini`:

```ini
session.cookie_httponly = 1
session.cookie_secure = 1
```

Restart php-fpm afterwards (`sudo systemctl restart php7.4-fpm`). Caveat: with `session.cookie_secure = 1` the browser will only send the cookie over HTTPS, so login stops working on the plain `http://10.250.128.133/` demo URL unless TLS is enabled on nginx first.
(4) Cookie without SameSite Attribute

The session cookie is issued by PHP, so the attribute belongs in `/etc/php/7.4/fpm/php.ini` (supported since PHP 7.3) rather than in an nginx `add_header`:

```ini
session.cookie_samesite = "Lax"
```

`Lax` still sends the cookie on top-level navigations (links into the app keep working) while blocking it on cross-site POSTs and embedded requests; `Strict` is tighter but breaks following a link into a logged-in page from another site.
(5) X-Content-Type-Options Header Missing

In `/etc/nginx/sites-available/default`. Note the header name is hyphenated throughout: `X-Content-Type_Options` (with an underscore) is a different header that browsers ignore, so ZAP keeps reporting the finding.

```nginx
add_header X-Content-Type-Options nosniff always;
```
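A quick way to confirm that the headers and cookie flags from the five fixes above actually reach the client (after `sudo nginx -t && sudo systemctl reload nginx`), written as an added Python example; it is not part of the original page or of OWASP ZAP. `audit()` works on a parsed header list, so it runs offline on the two constructed sample responses below; `audit_url()` is an assumed helper that fetches a live server, e.g. `audit_url("http://10.250.128.133/")`.

```python
"""Check an HTTP response for the headers and cookie flags ZAP reported above.
Added example, not from the original page. Sample responses are constructed."""
import urllib.request

# Header name -> accepted values (None = any value; policy review is a separate task).
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
}
REQUIRED_COOKIE_FLAGS = ("httponly", "secure", "samesite")


def parse_headers(raw):
    """Parse 'Name: value' lines (status line optional) into (lowercase name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(headers):
    """Return one finding per missing header or missing cookie flag; [] means clean."""
    findings = []
    present = {}
    for name, value in headers:
        present.setdefault(name, value)  # first occurrence wins, like a browser
    for name, allowed in REQUIRED_HEADERS.items():
        value = present.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif allowed and value.strip().lower() not in allowed:
            findings.append(f"unexpected value for {name}: {value}")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive (Secure, HttpOnly, SameSite=Lax).
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


def audit_url(url):
    """Fetch a URL and audit its response headers (network; not used by the offline sample)."""
    with urllib.request.urlopen(url) as resp:
        return audit([(k.lower(), v) for k, v in resp.getheaders()])


# Constructed sample: roughly what the demo server sent before the fixes.
BEFORE_FIX = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; path=/
"""

# Constructed sample: the response expected after the nginx and php.ini changes.
AFTER_FIX = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self';
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(parse_headers(raw)) or "clean")
```

Run it against the live server after each change; a clean result is a faster check than re-running a full ZAP scan, but it does not replace one, since ZAP also evaluates the CSP contents and the rest of the application.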
Database Audit (Enable MySQL Query Log)

Create the log file under `/var/lib/mysql/` (a directory mysqld is allowed to write to under Ubuntu's AppArmor profile) and give it to the mysql user:

```bash
sudo touch /var/lib/mysql/mysql.log
sudo chown mysql:mysql /var/lib/mysql/mysql.log
```

Then in the `mysql>` client, set the file before switching the log on:

```sql
SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
SET GLOBAL general_log = 'ON';
```

`SET GLOBAL` does not survive a server restart; use `SET PERSIST` (MySQL 8) or put `general_log = ON` and `general_log_file = /var/lib/mysql/mysql.log` under `[mysqld]` in `/etc/mysql/mysql.conf.d/mysqld.cnf` to keep it. Caveat: the general log records every statement from every client verbatim, including literals that may contain passwords or personal data, so keep the file readable only by the mysql user and rotate it; writing every statement to disk is also the reason the scan below runs slower.
Test:

Scan time with and without database audit enabled:
- Enable general_log -> OWASP ZAP scanning time: 12.399 s
- Disable general_log -> OWASP ZAP scanning time: 9.788 s

:::info
The difference in OWASP ZAP scan time before and after enabling general_log is clearly visible: about 27% slower with the log on, because every statement the scan triggers is appended to the log file.
:::
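Once general_log is on, the file is only an audit trail if someone reads it. Here is an added Python example (not part of the original page) that parses the MySQL 8 general_log text format (timestamp, thread id, command, argument) and flags statements that look like injection probes, which is what the OWASP ZAP scan above leaves behind. The log lines are constructed for the example; the `SUSPICIOUS` patterns and the `contacts` table name are assumptions.

```python
"""Scan a MySQL 8 general_log file for SQL-injection-looking statements.
Added example, not from the original page. SAMPLE_LOG is constructed."""
import re

# MySQL 8 general_log line: <ISO timestamp>\t<right-aligned thread id> <Command>\t<argument>
LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t?(.*)$")

# Patterns typical of automated probes (ZAP, sqlmap). Assumed starting set; tune for the app.
SUSPICIOUS = [
    # OR '1'='1' / OR 1=1: same literal on both sides of '=' (backreferences avoid "OR b = 2").
    ("tautology", re.compile(r"""\bOR\s+(['"]?)(\w+)\1\s*=\s*\1\2\1""", re.I)),
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("stacked-query", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT)\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("system-tables", re.compile(r"\b(information_schema|mysql\.user)\b", re.I)),
]


def parse_general_log(text):
    """Return (timestamp, thread_id, command, argument) tuples.
    A statement spanning several lines continues on lines that do not start
    with a timestamp; those are appended to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, tid, cmd, arg = m.groups()
            entries.append([ts, int(tid), cmd, arg])
        elif entries and line.strip():
            entries[-1][3] += "\n" + line
    return [tuple(e) for e in entries]


def flag_queries(entries):
    """Return (thread_id, timestamp, [matched pattern names], statement) for each suspicious Query."""
    hits = []
    for ts, tid, cmd, arg in entries:
        if cmd != "Query":
            continue
        names = [name for name, rx in SUSPICIOUS if rx.search(arg)]
        if names:
            hits.append((tid, ts, names, arg))
    return hits


# Constructed sample: one legitimate lookup followed by ZAP-style probes on the same connection.
SAMPLE_LOG = """2023-03-01T10:00:00.000000Z\t   12 Connect\twebapp@localhost on contacts using TCP/IP
2023-03-01T10:00:01.000000Z\t   12 Query\tSELECT id, name, phone FROM contacts WHERE id = '7'
2023-03-01T10:00:02.000000Z\t   12 Query\tSELECT id, name, phone FROM contacts WHERE id = '7' OR '1'='1'
2023-03-01T10:00:03.000000Z\t   12 Query\tSELECT id, name, phone FROM contacts WHERE id = '7' UNION SELECT user, authentication_string, 3 FROM mysql.user -- '
2023-03-01T10:00:04.000000Z\t   12 Query\tSELECT id, name, phone FROM contacts WHERE id = '7' AND SLEEP(5) -- '
2023-03-01T10:00:05.000000Z\t   12 Quit\t
"""

if __name__ == "__main__":
    # Real use: entries = parse_general_log(open("/var/lib/mysql/mysql.log").read())
    for tid, ts, names, stmt in flag_queries(parse_general_log(SAMPLE_LOG)):
        print(f"{ts} thread {tid} [{', '.join(names)}] {stmt}")
```

The thread id ties the probes back to the `Connect` line, which names the database user and client host; on this setup every request arrives as the single `webapp` user, so attribution to a web client has to come from the nginx access log (matched on timestamp), not from the database log.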