登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 3 Fork 0

michaelwang / NGINX Security

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
分支 1
标签 0
贡献代码
同步代码
创建 Pull Request
了解更多
对比差异 通过 Pull Request 同步
同步更新到分支
通过 Pull Request 同步
将会在向当前分支创建一个 Pull
Request,合入后将完成同步
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
.gitee
images
.gitignore
LICENSE
README.md
Loading...
README
Apache-2.0

NGINX Security实验手册

0-访问UDF环境

注册UDF账号及登录UDF环境

无需操作,在上一个实验《容器化应用的动态发布实验手册》中已经完成此操作。

登录UDF课程

使用chrome浏览器访问 https://udf.f5.com/ ,选择 Invited Users:

启动环境,登录NGINX Security虚拟服务器

一切就绪后,您可以点击课程右端的launch 启动您的课程,您将进入课程文档的界面。

coursedoc

打开Lab Guide中的链接:https://gitee.com/michaelwang19/0917_NGINX_OSS_Security

该文档详细说明了实验操作步骤。 您也可以点击DEPLOYMENT打开部署环境,您将看到环境正在被拉起,耐心等待,直到各组件前出现绿色三角,表明环境就绪:

deployment

接下来,您就可以通过Web Shell或者SSH客户端访问NGINX Security:

nginxsecurity

登录Client客户端虚拟机Window 10

下载RDP远程桌面配置:

下载RDP

远程桌面登录Client客户端,账号密码为:

账号:Administrator
密码:gUyLsoBjoUjaD

1-实验环境简介

  • 系统版本:CentOS 7
  • NGINX版本:1.23.1

Web Shell或SSH登录NGINX Security虚拟机之后,首先确认一下NGINX的运行状态是active (running) :


[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-08-31 11:58:03 UTC; 3h 52min ago
     Docs: http://nginx.org/en/docs/
  Process: 1898 ExecStop=/usr/local/nginx/sbin/nginx -s quit (code=exited, status=0/SUCCESS)
  Process: 1902 ExecStart=/usr/local/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
 Main PID: 1903 (nginx)
   CGroup: /system.slice/nginx.service
           ├─1903 nginx: master process /usr/local/nginx/sbin/nginx
           └─2272 nginx: worker process

为方便不同技术栈背景的学员的学习,降低实验环境带来的时间消耗,将实验环境简化。

并对实验涉及到的配置全部编写在配置文件中,通过配置文件中添加注释和取消注释的方式做不同的实验。

每次NGINX配置修改后请执行配置文件校验是否存在错误:


[centos@2370ed03-0df5-471a-bc80-3928ece95a4c ~]$ sudo su
[root@2370ed03-0df5-471a-bc80-3928ece95a4c centos]# cd /usr/local/nginx/sbin

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

提示successful之后,执行NGINX配置重新加载指令:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -s reload

实验拓扑结构图

实验拓扑图

相关配置文件目录

  • NGINX配置文件:/usr/local/nginx/conf/nginx.conf
  • SSL证书和密钥文件目录:/usr/local/nginx/conf/ssl/

2-访问控制实验章节

2.1 IP地址限制

本实验小节,NGINX通过限制客户端Client的IP地址10.1.1.6的访问,但是同网段10.1.1.0/24其他IP允许访问。

修改NGINX配置:

[centos@2370ed03-0df5-471a-bc80-3928ece95a4c ~]$ sudo su
[root@2370ed03-0df5-471a-bc80-3928ece95a4c centos]# cd /usr/local/nginx/sbin
[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# vim /usr/local/nginx/conf/nginx.conf

将以下两行deny 10.1.1.6和allow 10.1.1.0/24前面的注释符#去掉,并保存配置。

    server {
        listen       80;
        server_name  www.example.com;

        #charset koi8-r;

        access_log  logs/host.access.log  main;
	error_log logs/error.log info;
	#deny 10.1.1.6;
	#allow 10.1.1.0/24;

验证配置是否有错误:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

提示successful之后,执行NGINX配置重新加载指令:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -s reload

使用Client客户端(10.1.1.6)访问NGINX的服务(10.1.1.5:80):

  • 命令行中输入:
curl http://10.1.1.5

拦截效果:

IP限制

检查日志:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# tail -f /usr/local/nginx/logs/error.log 
2022/09/02 18:17:49 [notice] 1671#0: signal process started
2022/09/02 18:21:01 [notice] 1676#0: signal process started
2022/09/02 18:29:25 [notice] 1680#0: signal process started
2022/09/02 22:50:56 [notice] 2028#0: signal process started
2022/09/03 08:36:35 [emerg] 1414#0: unknown "accessip" variable
2022/09/03 08:44:57 [notice] 1509#0: signal process started
2022/09/03 08:50:39 [error] 1510#0: *4 access forbidden by rule, client: 10.1.1.6, server: www.example.com, request: "GET / HTTP/1.1", host: "10.1.1.5"
2022/09/03 08:50:39 [info] 1510#0: *4 client 10.1.1.6 closed keepalive connection
2022/09/03 08:51:45 [error] 1510#0: *5 access forbidden by rule, client: 10.1.1.6, server: www.example.com, request: "GET / HTTP/1.1", host: "10.1.1.5"
2022/09/03 08:51:46 [error] 1510#0: *5 access forbidden by rule, client: 10.1.1.6, server: www.example.com, request: "GET /favicon.ico HTTP/1.1", host: "10.1.1.5", referrer: "http://10.1.1.5/"

日志截图如下:

IP限制log

2.2 地域限制

本实验小节,由于实验环境是纯内网环境,无法通过互联网直接访问NGINX,因此,NGINX上检测到的IP地址都是内网IP。

而且真实应用场景中,NGINX多数部署在内网,数据包在进入NGINX的时候,前段会存在多次的IP地址转换NAT的设备,因此,实际应用场景中,NGINX在网络数据包层面看到的多数也是内网IP地址。这就是为什么实际应用场景中,NGINX上经常会启用一些技术手段来获取真实的客户端IP地址,比较常用的就是通过X-Forwarded-For字段来传递真实客户端IP。

为了验证该实验效果,我们通过在HTTP包头中插入标准的X-Forwarded-For字段,来模拟真实环境中NGINX通过限制客户端IP所属的地域属性。

实验中用到的两个IP分别为:

  • 202.96.209.5:所属的国家地域代码为CN。允许访问。
  • 8.8.8.8:所属的国家地域代码为US。禁止访问。

可以通过以下网站查询IP的地域信息:

https://www.maxmind.com/en/geoip2-precision-demo

修改NGINX配置:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# vim /usr/local/nginx/conf/nginx.conf

将以下4行geoip开头和map这部分配置前面的注释符#去掉,参考如下:

http {
    include       mime.types;
    default_type  application/octet-stream;

    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_city /usr/share/GeoIP/GeoIPCity.dat;
    geoip_proxy 10.1.1.6;
    geoip_proxy_recursive on;

    map $geoip_country_code $accessip {
        default false;
        US false;
        CN true;
    }

将上一个实验《IP地址限制》中两行deny 10.1.1.6和allow 10.1.1.0/24注释掉。 并将下面的if语句和proxy_set_header前面的注释取消,参考如下。

    server {
        listen       80;
        server_name  www.example.com;

        #charset koi8-r;

        access_log  logs/host.access.log  main;
        error_log logs/error.log info;
#        deny 10.1.1.6;
#        allow 10.1.1.0/24;

       if ( $accessip = 'false') {return 403;} 
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

验证配置是否有错误:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

提示successful之后,执行NGINX配置重新加载指令:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# ./nginx -s reload

使用Client客户端(10.1.1.6)访问NGINX的服务(10.1.1.5:80):

  • 命令行中输入:
curl -H "X-Forwarded-For:202.96.209.5" http://10.1.1.5

可以看到允许正常访问:

地域限制ok

检查日志:

地域限制ok_log

  • 命令行中输入:
curl -H "X-Forwarded-For:8.8.8.8" http://10.1.1.5

可以看到访问被拦截,返回403:

地域限制fail

检查日志:

地域限制fail_log

恢复环境:

参照以下将对应的配置注释掉:

http {
    include       mime.types;
    default_type  application/octet-stream;

    #geoip_country /usr/share/GeoIP/GeoIP.dat;
    #geoip_city /usr/share/GeoIP/GeoIPCity.dat;
    #geoip_proxy 10.1.1.6;
    #geoip_proxy_recursive on;

    #map $geoip_country_code $accessip {
    #    default false;
    #    US false;
    #    CN true;
    #}

    server {
        listen       80;
        server_name  www.example.com;

        #charset koi8-r;

        access_log  logs/host.access.log  main;
        error_log logs/error.log info;
        #deny 10.1.1.6;
        #allow 10.1.1.0/24;

#       if ( $accessip = 'false') {return 403;} 
#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

删除log格式中2个变量geoip_country_code和accessip的调用,即保留如下:

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

2.3 连接数限制

在上一个实验《容器化应用的动态发布实验手册》的第5个实验中,已经了解到通过KIC实现连接数限制的方法。 本实验小节,通过NGINX来实现连接数的限制。

修改NGINX配置:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# vim /usr/local/nginx/conf/nginx.conf

将以下limit_conn_zone $remote_addr zone=ip:10m前面的注释符#去掉:

http {
    include       mime.types;
    default_type  application/octet-stream;

#    geoip_country /usr/share/GeoIP/GeoIP.dat;
#    geoip_city /usr/share/GeoIP/GeoIPCity.dat;
#    geoip_proxy 10.1.1.6;
#    geoip_proxy_recursive on;

#    map $geoip_country_code $accessip {
#        default false;
#        US false;
#        CN true;
#    }

    limit_conn_zone $remote_addr zone=ip:10m;
    #limit_req_zone $remote_addr zone=reqzone:10m rate=2r/m;

将以下limit_conn_status, limit_rate, limit_conn_log_level, limit_conn ip这4个配置前面的注释符取消掉:

说明: 由于实验环境是内网,而且NGINX高性能的处理效率,所以为了验证连接数限制的效果,通过limit_rate参数将每秒返回50个字节的数据量,将限制的并发连接数调小。 实际环境中的应用,根据实际情况设置连接数。

配置如下:

	location /limit {
            root   html;
            index  limit_conn.html;
            #proxy_pass http://127.0.0.1/limit/;

	#    limit_except GET {
	#	deny all;
	#    }

	    #This is limit connection section
            limit_conn_status 509;
            limit_rate 50;
	    limit_conn_log_level warn;
            limit_conn ip 1;

验证配置是否有错误,提示successful之后,执行NGINX配置重新加载指令。

使用Client开启2个命令行工具,发送curl验证连接数限制:

curl -I http://10.1.1.5/limit/

可以看到超过1个连接之后,第二个连接请求被返回在配置中定义好的509状态码:

连接数限制

检查日志,看到请求被连接数限制:

连接数限制log

2.4 请求速率限制

本实验小节,通过对每秒或者每分钟的请求速率进行限制。 限制基于源IP来限制请求速率,每分钟请求不能超过2次,突发请求缓冲3个,超出3个缓冲连接后即返回503响应码。

修改NGINX配置:

将http配置块中的limit_req_zonet这部分注释取消,参考如下配置:

http {
    include       mime.types;
    default_type  application/octet-stream;

#    geoip_country /usr/share/GeoIP/GeoIP.dat;
#    geoip_city /usr/share/GeoIP/GeoIPCity.dat;
#    geoip_proxy 10.1.1.6;
#    geoip_proxy_recursive on;

#    map $geoip_country_code $accessip {
#       default false;
#       US false;
#       CN true;        
#    }

    limit_conn_zone $remote_addr zone=ip:10m;
    limit_req_zone $remote_addr zone=reqzone:10m rate=2r/m;

将location配置块中的This is limit request section后面4行配置的注释取消,参考如下配置:


        location /limit {
            root   html;
            index  limit_conn.html;
            #proxy_pass http://127.0.0.1/limit/;

         #   limit_except GET {
        #       deny all;
        #    }

            #This is limit connection section
            limit_conn_status 509;
            limit_rate 50;
            limit_conn_log_level warn;
            limit_conn ip 1;

            #This is limit request section
            limit_req zone=reqzone;
            limit_req zone=reqzone burst=3 nodelay;
            limit_conn_status 503;
            limit_conn_log_level warn;

        }

使用Client客户端测试:

curl -I http://10.1.1.5/limit/

测试效果:

请求限制

检查log日志:

可以看到日志中显示是请求request超过了限制。

请求限制log

2.5 访问方式限制

本实验小节,通过对HTTP请求方式Method进行限制,如POST、GET、HEAD、PUT、PATCH、OPTIONS、DELETE、CONNECT、TRACE。 如针对不同的uri只允许指定的GET方法使用,其他的方法都拒绝。

修改NGINX配置:

将limit_except这3行配置注释取消,参考如下配置:

        location /limit {
            root   html;
            index  limit_conn.html;
            #proxy_pass http://127.0.0.1/limit/;

            limit_except GET {
               deny all;
            }

使用Client客户端测试:

curl -X POST http://10.1.1.5/limit/

测试效果:

方式限制

检查log日志:

可以看到日志中显示POST方法不被允许使用,返回了405响应码。

方式限制log

3-SSL/TLS加密实验章节

本章节涉及的证书已经通过openssl自签发,用于临时测试使用,所以证书属于浏览器不受信任的证书,在测试过程中看到浏览器报证书不受信的提示时,可以忽略。

3.1 HTTPS加密 - 单域名证书

3.1.1 默认NGINX HTTPS配置

修改配置,https配置部分加载证书和key,其他配置采用NGINX默认,不作额外修改:

    server {
        listen       443 ssl;
        server_name  www.test.com;

        ssl_certificate      /usr/local/nginx/conf/www.test.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.test.com.key;

        location / {
            root   html;
            index  index.html index.htm;

客户端Client访问:

https://www.test.com

检查证书信息:

3.1.1证书信息

检查所支持的SSL/TLS相关算法:

3.1.1算法信息

3.1.2 调整HTTPS所支持的TLS协议

修改配置,增加TLSv1.3协议的支持:

取消ssl_protocol前面的注释,参考如下:

    #HTTPS Server
    server {
        listen       443 ssl;
        server_name  www.example.com;

        ssl_certificate      /usr/local/nginx/conf/www.example.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.example.com.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

         ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
         #ssl_ciphers ALL:!IDEA;
    #    ssl_ciphers  HIGH;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;

客户端Client浏览器访问:

https://www.example.com

检查证书信息:

3.1.2cert信息

使用客户端Client桌面上Zenmap软件测试算法支持情况:

nmap -sV -p 443 --script ssl-enum-ciphers www.example.com

检查所支持的SSL/TLS相关算法,扫描发现TLSv1.3算法:

3.1.2cert信息

3.1.3 调整SSL算法

修改配置,调整当前NGINX版本中所有SSL算法支持:

取消ssl_protocol前面的注释,参考如下:

    #HTTPS Server
    server {
        listen       443 ssl;
        server_name  www.example.com;

        ssl_certificate      /usr/local/nginx/conf/www.example.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.example.com.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

         ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	 ssl_ciphers ALL; 
         #ssl_ciphers ALL:!IDEA;
    #    ssl_ciphers  HIGH;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;

使用客户端Client桌面上Zenmap软件测试算法支持情况:

nmap -sV -p 443 --script ssl-enum-ciphers www.example.com

检查所支持的SSL/TLS相关算法,扫描发现存在warning信息,提示IDEA算法漏洞存在SWEET32攻击风险:

3.1.3cipher信息

禁用IDEA算法,可以通过调整算法组合,也可以直接禁用该算法,如下是直接禁用该算法的方式:

修改配置:

    #HTTPS Server
    server {
        listen       443 ssl;
        server_name  www.example.com;

        ssl_certificate      /usr/local/nginx/conf/www.example.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.example.com.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

         ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	# ssl_ciphers ALL; 
         ssl_ciphers ALL:!IDEA;
    #    ssl_ciphers  HIGH;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;

保存配置,并加载配置。

再次使用Zenmap软件测试算法支持情况:

发现已经无法扫描出IDEA算法:

3.1.3noidea

3.2 HTTPS强制加密

本实验小节,通过在http的服务中启用301重定向的策略,将http的请求强制跳转至https的请求,来实现强制加密访问的需求。

修改配置文件,在80服务中启用强制HTTPS跳转访问的策略:

    server {
        listen       80;
        server_name  www.example.com;

        #charset koi8-r;

        access_log  logs/host.access.log  main;
        error_log logs/error.log info;
        #deny 10.1.1.6;
        #allow 10.1.1.0/24;

#       if ( $accessip = 'false') {return 403;} 
#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #limit_conn_status 509;
        #limit_conn_log_level warn;
        #limit_rate 50;
        #limit_conn ip 1;

        return 301 https://$server_name$request_uri;

保存配置,并加载配置。

客户端Client使用Chrome浏览器,并开发者工具,访问:

http://www.example.com

可以看到http请求被301重定向访问至https

3.2redirect

3.2https

恢复环境:

修改配置,将强制https跳转的配置注释:

    server {
        listen       80;
        server_name  www.example.com;

        #charset koi8-r;

        access_log  logs/host.access.log  main;
        error_log logs/error.log info;
        #deny 10.1.1.6;
        #allow 10.1.1.0/24;

#       if ( $accessip = 'false') {return 403;} 
#       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #limit_conn_status 509;
        #limit_conn_log_level warn;
        #limit_rate 50;
        #limit_conn ip 1;

        #return 301 https://$server_name$request_uri;

3.3 HTTPS加密 - 多域名证书共用IP

本实验小节,用来验证实际应用场景中,会存在不同的域名,但是提供的服务是相同的。所以就需要在同一个IP中启用不同的域名的证书。

确认以下2个443监听端口的配置中,分别挂载了2套不同的证书:

    #HTTPS Server
    server {
        listen       443 ssl;
        server_name  www.example.com;

        ssl_certificate      /usr/local/nginx/conf/www.example.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.example.com.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

         ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
         #ssl_ciphers ALL;
         ssl_ciphers ALL:!IDEA;
    #    ssl_ciphers  HIGH;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;

        location / {
            root   html;
            index  index.html index.htm;
            
        }
    }

    server {
        listen       443 ssl;
        server_name  www.test.com;

        ssl_certificate      /usr/local/nginx/conf/www.test.com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/www.test.com.key;

        location / {
            root   html;
            index  index.html index.htm;
            
        }
    }

保存配置,并加载配置。

客户端Client使用Chrome浏览器,分别访问2个域名:

https://www.example.com
https://www.test.com

检查每个域名对应的加载的证书信息:

3.3example

3.3test

4-认证实验章节

4.1 HTTP Basic 用户名密码认证

本实验小节,通过NGINX对访问请求做基本的用户名密码认证。

检查配置,参考如下:

        location /login {
            auth_basic "Login Auth";
            auth_basic_user_file /usr/local/nginx/conf/plain_pass;

            root html;
            index login_auth.html;
        }

其中,用户名密码文件已经提前通过htpasswd命令生成好,放在/usr/local/nginx/conf/plain_pass文件中,如下格式:

[root@2370ed03-0df5-471a-bc80-3928ece95a4c sbin]# cat /usr/local/nginx/conf/plain_pass
#plain password
#test:password123
test:$apr1$eWZ.7ICp$a533nPfihwalfGANpy6oE/

客户端Client使用Chrome浏览器,访问测试:

http://www.example.com/login/

弹出用户名密码认证窗口:

  • 输入用户名:test
  • 输入密码:password123

4.1auth

登录成功后,页面提示:

4.1authok

如果输入用户名密码错误,无法登录:

4.1authfail1

检查log日志信息:

4.1authfaillog

Game Over

恭喜您已经完成本次培训的所有实验内容! :+1: :+1: :+1: Cheers!

Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Starred
3
Star
3
Fork
0

简介

暂无描述 展开 收起
Nginx
开源
安全
限速
限流
暂无标签
Shell
Apache-2.0
使用 Apache-2.0 开源许可协议
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
Shell
1
https://gitee.com/michaelwang19/0917_NGINX_OSS_Security.git
git@gitee.com:michaelwang19/0917_NGINX_OSS_Security.git
michaelwang19
0917_NGINX_OSS_Security
NGINX Security
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部