Harden Nginx Configuration
A checklist of practical steps for hardening an Nginx deployment, each with the configuration snippet or command it needs.
1. Update Nginx
Keep Nginx up to date with the latest version.
sudo apt-cache policy nginx
sudo apt-get --only-upgrade install nginx
# or
yum list nginx --showduplicates
yum update nginx
2. Configuration Check
Always check the Nginx configuration for syntax errors before reloading or restarting; otherwise a typo takes the server down at the restart.
nginx -t
3. Use Configuration Management
Utilize configuration management tools for managing Nginx configurations.
4. Access Control
Restrict access to sensitive paths such as administrative interfaces. deny all already answers with 403, so the explicit return 403 is redundant but harmless. Keep in mind that /admin is a prefix match (it also covers /administrator and /admin/api) and that regular-expression locations declared anywhere in the same server block are evaluated first, so a block such as one matching \.php$ can pick up /admin/index.php before this rule is consulted.
location /admin {
deny all;
return 403;
}
5. Directory Listing
Disable directory listing. autoindex is off by default, but setting it explicitly prevents an included snippet from turning it on unnoticed.
location / {
autoindex off;
}
6. Alias Traversal Protection
Use the alias directive carefully to prevent directory traversal. The location prefix and the alias path must both end in a slash: with location /files (no trailing slash) and alias /path/to/files/, a request for /files../secret (which contains no /../ segment for Nginx to normalise away) is mapped to /path/to/files/../secret and serves the parent directory.
location /files/ {
alias /path/to/files/;
}
7. HTTP to HTTPS Redirect
Redirect HTTP traffic to HTTPS.
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
8. SSL Configuration
Configure SSL for HTTPS.
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private.key;
# Other SSL configurations
}
9. Rate Limit
Implement rate limiting to prevent abuse. limit_req_zone belongs in the http context; a 10m zone keeps state for roughly 160,000 addresses. burst=5 queues up to five requests above the rate and rejects further ones with 503 (limit_req_status changes the code; nodelay serves the queued requests immediately instead of spacing them out). Behind a load balancer, $binary_remote_addr is the balancer's address unless the realip module is configured.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
location / {
limit_req zone=one burst=5;
# Other configurations
}
}
10. Connection Limits
Set connection limits. worker_connections caps the simultaneous connections each worker process handles; it is a capacity setting, not a defence by itself. Per-client limits that actually blunt connection floods come from limit_conn_zone and limit_conn, keyed on $binary_remote_addr like the rate limit above.
events {
worker_connections 1024;
}
11. Custom Error Pages
Customize error pages. Apart from the better user experience, the default pages carry the Nginx version string in their footer while server_tokens is on.
error_page 404 /404.html;
12. Gzip Compression
Enable Gzip compression for better performance, but be selective about what is compressed: compressing a response that mixes a secret (a session or CSRF token) with attacker-influenced content enables the BREACH attack. Keep gzip_types to static assets, or leave compression off for such dynamic responses.
gzip on;
gzip_types text/plain text/css application/json application/javascript;
13. Client-Side Caching
Enable client-side caching.
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 7d;
}
14. HTTP2 Protocol
Use HTTP/2 for improved performance. Since Nginx 1.25.1 the http2 parameter of listen is deprecated in favour of a separate http2 on; directive; the form below still works on older releases.
listen 443 ssl http2;
15. Secure File Permissions
Set appropriate file permissions depending on your setup. The configuration should be owned by root and not writable by the worker user, and private keys should be readable only by root: the master process runs as root and loads them before the workers drop privileges.
chmod 640 /etc/nginx/nginx.conf
# or
chmod 440 /etc/nginx/nginx.conf
16. Logging
Set up logging and monitoring, and forward the logs to a central collector so that an intruder on the host cannot simply delete them.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
17. Deny Hidden Files
Deny access to hidden files and directories such as .git, .env and .htaccess, a common source of source-code and credential leaks. The pattern matches any path segment starting with a dot, so if you serve ACME HTTP-01 challenges, declare a location for /.well-known/acme-challenge/ with the ^~ modifier (or a regular expression placed before this one).
location ~ /\. {
deny all;
}
18. IP Whitelisting
Allow only specific IP addresses. allow and deny are evaluated in order and the first match wins. When Nginx sits behind a proxy or load balancer, $remote_addr is the proxy's address, so configure the realip module (set_real_ip_from and real_ip_header) before relying on this.
location / {
allow 192.168.4.10;
deny all;
}
19. Disable Unused Modules
Disable unnecessary Nginx modules to reduce the attack surface. Only dynamically loaded modules can be switched off this way; modules compiled in statically (nginx -V lists them) need a rebuild with the corresponding --without-* option.
# Comment out or remove unnecessary modules
# load_module modules/ngx_http_ssi_filter_module.so;
20. Use Trailing Slash in Alias Directives
As in item 6, ensure that both the location prefix and the alias path end with a trailing slash; a prefix without one lets a request for /assets../ step out of the aliased directory.
location /assets/ {
alias /var/www/html/myapplication/assets/;
}
21. Regular Expression Matching
Regular expression matching in the location directive gives finer control over which paths a block handles, but two rules matter. Nginx evaluates regular-expression locations before prefix locations (except ^~ prefixes), so a permissive regular expression can take over requests that a restrictive prefix block was meant to deny. And, as the Nginx documentation states, alias inside a regular-expression location must refer to a capture from that expression; without the capture the matched part of the URI is not appended to the aliased path.
location ~ ^/assets/(.*)$ {
alias /opt/production/assets/$1;
}
22. Disable server tokens
Hide the Nginx version in the Server header and on error pages. The header still reads Server: nginx; removing it entirely needs a third-party module such as headers-more.
server_tokens off;
23. Implement SSL/TLS with appropriate ciphers and protocols
Disable TLS 1.0 and 1.1. ssl_ciphers only governs TLS 1.2 and earlier (the TLS 1.3 suites are fixed by the library); HIGH:!aNULL:!MD5 is a floor that still permits RSA key exchange and CBC suites, so prefer an explicit list such as the Mozilla SSL Configuration Generator's intermediate profile.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
24. Enable HSTS
Set the header only in the HTTPS server block. add_header directives in a location block replace the ones inherited from the server level instead of extending them, so a location that adds any header of its own silently loses HSTS unless it repeats it. always makes the header appear on error responses too. preload commits every subdomain to HTTPS, so only set it once you intend to submit the domain to the preload list.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
25. Proxy buffer sizes
These directives size the buffers for responses from upstream servers. They are often listed as buffer overflow protection, but they do not guard against memory corruption; what they prevent is "upstream sent too big header" errors and excessive per-request memory. The request-side limits (client_max_body_size, client_header_buffer_size and large_client_header_buffers) are what bound how much a client can make Nginx buffer.
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
26. Implement XSS protection
X-XSS-Protection is deprecated: current browsers ignore it and Chrome removed the auditor it controlled. It does no harm, but the effective control is a Content-Security-Policy header, and the same add_header inheritance caveat as for HSTS applies.
add_header X-XSS-Protection "1; mode=block";
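To catch these mistakes before a configuration goes live, here is an added example (not part of the original page and not an Nginx tool): a Python script with a minimal parser for the Nginx configuration syntax and three checks, covering items 6, 20 and 21 (alias in a prefix location without a trailing slash, alias in a regex location without a capture) and the add_header inheritance rule behind items 24 and 26. The sample configuration inside it is constructed for the example; every path and address in it is made up.

```python
"""Audit an nginx config for the alias and add_header pitfalls discussed on this page.
Added example, not an nginx tool: a small parser for the nginx syntax plus three checks."""
import re

# Constructed sample config for this example; every path and address is made up.
SAMPLE_CONF = r"""
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    location /files {            # no trailing slash: /files../x maps to /srv/files/../x
        alias /srv/files/;
    }
    location /assets/ {          # prefix and alias both end in a slash: fine
        alias /srv/assets/;
    }
    location ~ ^/static/ {       # regex location, alias without a capture
        alias /srv/static/;
    }
    location ~ ^/media/(.*)$ {   # regex location done right
        alias /srv/media/$1;
    }
    location /api/ {             # its own add_header discards the inherited HSTS header
        add_header X-Frame-Options DENY;
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

# comment | "double quoted" | 'single quoted' | { } ; | bare word
TOKEN = re.compile(r"""#[^\n]*|"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([{};])|([^\s{};"']+)""")


def tokenize(text):
    """Return ('word', s) / ('punct', s) tokens; comments dropped, quotes stripped."""
    toks = []
    for m in TOKEN.finditer(text):
        dq, sq, punct, word = m.groups()
        if punct:
            toks.append(('punct', punct))
        elif m.group(0)[0] != '#':
            toks.append(('word', dq if dq is not None else sq if sq is not None else word))
    return toks


def parse(toks, pos=0):
    """Recursive descent over the tokens. Returns (directives, next_pos); each
    directive is (name, args, children), children being None for simple ones."""
    out = []
    while pos < len(toks):
        if toks[pos] == ('punct', '}'):
            return out, pos + 1
        args = []
        while pos < len(toks) and toks[pos][0] == 'word':
            args.append(toks[pos][1])
            pos += 1
        if not args or pos >= len(toks):
            raise ValueError('malformed directive at token %d' % pos)
        punct = toks[pos][1]
        pos += 1
        if punct == ';':
            out.append((args[0], args[1:], None))
        elif punct == '{':
            children, pos = parse(toks, pos)
            out.append((args[0], args[1:], children))
        else:
            raise ValueError('unexpected %r at token %d' % (punct, pos))
    return out, pos


def audit(text):
    """Return a list of findings (strings) for the given nginx config text."""
    findings = []

    def walk(directives, inherited, where):
        own = [a for n, a, _ in directives if n == 'add_header' and a]
        if own and inherited:  # nginx: an add_header on this level replaces the inherited set
            names = {a[0].lower() for a in own}
            for a in inherited:
                if a[0].lower() not in names:
                    findings.append('%s: add_header here discards inherited %s' % (where, a[0]))
        for name, args, children in directives:
            if children is None:
                continue
            label = name + (' ' + ' '.join(args) if args else '')
            if name == 'location':
                alias = next((a[0] for n, a, _ in children if n == 'alias' and a), None)
                if alias is not None:
                    modifier, pattern = (args[0], args[-1]) if len(args) > 1 else ('', args[0])
                    if modifier in ('~', '~*') and '$' not in alias:
                        findings.append('%s: alias in a regex location must reference a capture such as $1' % label)
                    elif modifier in ('', '^~') and not pattern.endswith('/') and alias.endswith('/'):
                        findings.append('%s: prefix lacks a trailing slash, so %s../ escapes %s' % (label, pattern, alias))
            walk(children, own or inherited, label)

    tree, _ = parse(tokenize(text))
    walk(tree, [], 'main')
    return findings


if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE_CONF)))
```

Run against the sample it reports the /files traversal, the capture-less regex alias and the lost HSTS header in /api/, and nothing for the two correct locations. Point audit() at the output of nginx -T to check a real deployment, since that already includes every file pulled in by include.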
27. Web Application Firewall (WAF)
Consider using a WAF for additional security, such as ModSecurity with its Nginx connector or open-appsec.
28. Use Fail2ban for Protection
Use fail2ban to ban clients that generate repeated 403/404 responses, the typical signature of a vulnerability scanner. With the settings below a client is banned for two hours (bantime, in seconds) after five matching requests (maxretry) within ten seconds (findtime). Put your own addresses in ignoreip so that you cannot lock yourself out, and keep maxretry generous enough that visitors following a few broken links are not caught.
vim /etc/fail2ban/jail.local
---
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.4.10
[nginx]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 10
bantime = 7200
---
vim /etc/fail2ban/filter.d/nginx.conf
---
[Definition]
# the filter expects the default combined log format, where the client address is the first field
failregex = ^<HOST>.*"(GET|POST).*" (404|403) .*$
# alternative that ignores requests for images, so broken image links do not count against a visitor;
# only one failregex may be active in this section, so comment out the one you do not use
#failregex = ^<HOST>.*"(GET|POST) (?!.*\.(jpg|jpeg|png|gif|bmp|svg)).*" (403|404) .*$
ignoreregex =
---
The fail2ban-regex tool can test the filter against a real access log before the jail goes live.
systemctl restart fail2ban.service
fail2ban-client status nginx
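To see what the jail above would actually do, here is an added example (not fail2ban's own code and not from the original page): a Python dry run that expands <HOST> the way fail2ban does (IPv4 only, a simplification), applies the second, image-excluding failregex from filter.d/nginx.conf to constructed access-log lines, honours ignoreip, and then applies maxretry and findtime as a sliding window per client. fail2ban's real FailManager bookkeeping is not exactly a sliding window, so the threshold logic is an approximation of the jail, not a copy of it.

```python
"""Dry run of the fail2ban nginx jail above against constructed access-log lines.
Added example, not fail2ban code: <HOST> expansion is IPv4-only and the
maxretry/findtime window is an approximation of fail2ban's bookkeeping."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Jail settings copied from jail.local above.
MAXRETRY, FINDTIME, IGNOREIP = 5, 10, ['127.0.0.1/8', '192.168.4.10']

# fail2ban substitutes <HOST> with a host pattern; IPv4-only simplification here.
HOST = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
FAILREGEX = re.compile(
    r'^<HOST>.*"(GET|POST) (?!.*\.(jpg|jpeg|png|gif|bmp|svg)).*" (403|404) .*$'
    .replace('<HOST>', HOST))
# Timestamp of the default combined log format, e.g. [10/Oct/2023:13:55:36 +0000].
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def log_line(ip, second, request, status):
    """Build one constructed combined-format line, `second` seconds past 13:55:00."""
    return ('%s - - [10/Oct/2023:13:55:%02d +0000] "%s HTTP/1.1" %d 153 "-" "curl/8.0"'
            % (ip, second, request, status))


SCAN_PATHS = ['/wp-login.php', '/.env', '/admin/', '/phpmyadmin/', '/.git/config', '/xmlrpc.php']
SAMPLE_LOG = (
    [log_line('192.0.2.10', 1, 'GET /', 200),           # normal traffic
     log_line('192.0.2.10', 2, 'GET /missing', 404)]    # a single broken link: harmless
    # scanner: six probes for non-existent paths within ten seconds
    + [log_line('198.51.100.7', 3 + i, 'GET ' + p, 404) for i, p in enumerate(SCAN_PATHS)]
    # broken image links: 404s, but excluded by the filter's negative lookahead
    + [log_line('203.0.113.5', 10 + i, 'GET /img/%d.png' % i, 404) for i in range(6)]
    # whitelisted address from ignoreip: matches the regex but is never banned
    + [log_line('192.168.4.10', 20 + i, 'GET /probe%d' % i, 403) for i in range(6)]
)


def matches(line):
    """Return the client IP if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group('host') if m else None


def ignored(ip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    return any(ip_address(ip) in ip_network(net, strict=False) for net in IGNOREIP)


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay lines through the filter. Returns (IPs banned, in ban order; matches per IP).
    An IP is banned once `maxretry` matches fall inside a `findtime`-second window;
    ignoreip addresses are counted but never banned."""
    window, matched, banned = {}, {}, []
    for line in lines:
        ip = matches(line)
        if ip is None:
            continue
        matched[ip] = matched.get(ip, 0) + 1
        if ignored(ip):
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned, matched


if __name__ == '__main__':
    banned, matched = simulate(SAMPLE_LOG)
    print('matches per IP:', matched)
    print('would be banned for 7200 s:', banned)
```

Only the scanner ends up banned: the single 404 stays under maxretry, the missing images never match the filter, and the whitelisted host matches six times but is protected by ignoreip. Raising maxretry or lowering findtime in the call shows how quickly the jail becomes lenient, which is the trade-off to tune before banning real users.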
Additional Security
1. SSH Hardening
Harden SSH access to the server.
2. Firewall Configuration
Configure a firewall to allow only necessary traffic. Allow your SSH port before running ufw enable, otherwise the default deny policy cuts off your own session.
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
3. Two-Factor Authentication
Enable two-factor authentication for server access.
4. Regular Backups
Implement regular backups of configurations and data.