
Comprehensive Guide to Securing Nginx

Table of Contents

  1. Introduction
  2. SSL/TLS Configuration
  3. HTTP Security Headers
  4. Rate Limiting
  5. Access Control
  6. Disable Unused HTTP Methods
  7. Hide Nginx Version
  8. Buffer Overflow Protection
  9. Prevent Clickjacking
  10. Limit Buffer Sizes
  11. File Permission Management
  12. Protection against Slowloris Attack
  13. Log Monitoring and Analysis

Introduction

Nginx is a powerful and popular web server known for its performance and flexibility. Securing an Nginx server involves a combination of best practices and configurations that address various potential vulnerabilities. This guide provides detailed steps and explanations on how to secure your Nginx server for production use.

SSL/TLS Configuration

Enforce HTTPS

Redirect all HTTP traffic to HTTPS to ensure secure communication.

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

Use Strong Ciphers and Protocols

Configure Nginx to use strong SSL/TLS protocols and ciphers.

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
 
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

HTTP Security Headers

Content Security Policy (CSP)

The Content Security Policy (CSP) helps prevent various types of attacks such as Cross-Site Scripting (XSS) and data injection attacks.

add_header Content-Security-Policy "default-src 'self';";

X-Frame-Options

Prevent clickjacking by controlling whether the site can be embedded in an iframe.

add_header X-Frame-Options "SAMEORIGIN";

X-Content-Type-Options

Prevent browsers from MIME-sniffing a response and interpreting it as a type other than the declared Content-Type.

add_header X-Content-Type-Options "nosniff";

Referrer-Policy

Control how much referrer information the browser sends with requests and navigations away from your site.

add_header Referrer-Policy "no-referrer-when-downgrade";

X-XSS-Protection

Enable the cross-site scripting (XSS) filter built into most modern web browsers.

add_header X-XSS-Protection "1; mode=block";

Rate Limiting

Limit Request Rate

Limit the number of requests a client can make in a certain period to mitigate DoS attacks.

http {
    # One shared-memory zone named "one" (10 MB of state) keyed by client address,
    # with a steady-state allowance of 10 requests per second per address.
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
 
    server {
        location / {
            # Allow up to 20 excess requests to be served immediately (nodelay)
            # before further excess requests are rejected.
            limit_req zone=one burst=20 nodelay;
        }
    }
}

Access Control

Restrict Access by IP

Allow access to specific locations only from certain IP addresses.

location /admin {
    allow 192.168.1.0/24;
    deny all;
}

Password Protect Directories

Use basic authentication to protect certain directories.

location /secure {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Disable Unused HTTP Methods

Block HTTP methods that are not required by your application to reduce the attack surface.

# 444 is an Nginx-specific code: the connection is closed without sending any response.
if ($request_method !~ ^(GET|POST|HEAD)$) {
    return 444;
}

Hide Nginx Version

Prevent the Nginx version number from being displayed in error pages and headers.

server_tokens off;

Buffer Overflow Protection

Configure buffer sizes to mitigate buffer overflow attacks.

client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;

Prevent Clickjacking

Ensure your site cannot be embedded into an iframe on another site.

add_header X-Frame-Options "DENY";

Limit Buffer Sizes

Configure buffer sizes to prevent potential overflow issues.

client_body_buffer_size 1K;
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;

File Permission Management

  • Ensure Nginx has limited permissions to access files and directories, only as necessary.
  • Run Nginx with a non-privileged user.

Protection against Slowloris Attack

Configure timeouts to protect against Slowloris attacks, which aim to keep many connections to the server open and idle.

client_body_timeout 10;    # seconds allowed between two successive reads of the request body
client_header_timeout 10;  # seconds allowed to receive the complete request header
keepalive_timeout 5 5;     # idle keep-alive connection timeout, and the value advertised to clients
send_timeout 10;           # seconds allowed between two successive writes to the client

Log Monitoring and Analysis

Enable Detailed Logging

Set up detailed logging for monitoring and analysis of requests and errors.

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;

Regular Log Analysis

Regularly analyze logs for suspicious activity and potential security incidents.
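As an added example (not part of the original page), the following Python script parses lines written in the "main" log_format above and flags client addresses that accumulate 4xx/5xx responses, which is how repeated denied access to /admin or /secure, or rate-limit rejections, show up in the access log. The log lines are constructed sample data and the threshold is an assumed value.

```python
import re
from collections import Counter

# Regex for the "main" log_format used above (hypothetical parser written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"'
)

# Constructed sample lines (not real traffic): one client is repeatedly refused by auth_basic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 153 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /secure HTTP/1.1" 401 188 "-" "curl/8.0" "-"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /secure HTTP/1.1" 401 188 "-" "curl/8.0" "-"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /secure HTTP/1.1" 401 188 "-" "curl/8.0" "-"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /secure HTTP/1.1" 503 197 "-" "curl/8.0" "-"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
this line is not in the expected format and is skipped
"""


def parse_log(text: str) -> list:
    """Parse access-log text in the 'main' format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_clients(entries: list, max_errors: int = 3) -> dict:
    """Return {ip: (total_requests, error_responses)} for clients with >= max_errors 4xx/5xx."""
    total = Counter(e["ip"] for e in entries)
    errors = Counter(e["ip"] for e in entries if e["status"][0] in "45")
    return {ip: (total[ip], errors[ip]) for ip in total if errors[ip] >= max_errors}


if __name__ == "__main__":
    for ip, (n, errs) in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {errs} error responses out of {n} requests")
```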

Conclusion

Implementing these security measures in Nginx will significantly enhance the security posture of your web server. Regularly review and update your configurations to adapt to new threats and best practices.
