Securing Nginx: A How-To Guide


Harden Nginx Configuration

A list of best practices for hardening an Nginx deployment.

1. Update Nginx

Keep Nginx up to date with the latest version.

sudo apt-cache policy nginx
sudo apt-get --only-upgrade install nginx

# or

yum list nginx --showduplicates
yum update nginx

2. Configuration Check

Always check the Nginx configuration for syntax errors before restart.

nginx -t

3. Use Configuration Management

Utilize configuration management tools for managing Nginx configurations.

4. Access Control

Restrict access to sensitive locations in the Nginx configuration file.

location /admin {
    deny all;
    return 403;
}

5. Directory Listing

Disable Directory Listing.

location / {
    autoindex off;
}

6. Alias Traversal Protection

Use the alias directive carefully to prevent directory traversal.

location /files/ {
    alias /path/to/files/;
}

7. HTTP to HTTPS Redirect

Redirect HTTP traffic to HTTPS.

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

8. SSL Configuration

Configure SSL for HTTPS.

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    # Other SSL configurations
}

9. Rate Limit

Implement rate limiting to prevent abuse.

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
    location / {
        limit_req zone=one burst=5;
        # Other configurations
    }
}

10. Connection Limits

Set connection limits to protect against DDoS attacks. worker_connections caps the number of simultaneous connections each worker process will handle.

events {
    worker_connections 1024;
}

11. Custom Error Pages

Customize error pages for better UX.

error_page 404 /404.html;

12. Gzip Compression

Enable Gzip compression for better performance. Compression is a performance setting rather than a security one; avoid compressing responses that mix secrets with attacker-controlled input.

gzip on;
gzip_types text/plain text/css application/json application/javascript;

13. Client-Side Caching

Enable client-side caching.

location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 7d;
}

14. HTTP2 Protocol

Use HTTP/2 for improved performance. Note that the http2 parameter on listen is deprecated as of Nginx 1.25.1, which introduced the separate http2 directive instead.

listen 443 ssl http2;

15. Secure File Permissions

Set appropriate file permissions depending on your setup.

chmod 640 /etc/nginx/nginx.conf

# or

chmod 440 /etc/nginx/nginx.conf

16. Logging

Set up monitoring and logging.

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

17. Deny Hidden Files

Deny access to hidden files.

location ~ /\. {
    deny all;
}

18. IP Whitelisting

Whitelist specific IP addresses.

location / {
    allow 192.168.4.10;
    deny all;
}

19. Disable Unused Modules

Disable unnecessary Nginx modules to reduce potential attack surfaces.

# Comment out or remove unnecessary modules
# load_module modules/ngx_http_ssi_filter_module.so;

20. Use Trailing Slash in Alias Directives

Ensure that the alias directive in the location block ends with a trailing slash and that the location prefix does too, as in the example below. A prefix without the trailing slash also matches URIs such as /assets../, and the remainder is appended to the alias path, which is how directory traversal occurs.

location /assets/ {
    alias /var/www/html/myapplication/assets/;
}

21. Regular Expression Matching

Consider using regular expression matching in the location directive. Regular expression matching provides more control over URL patterns and can enhance security. When a regex location is combined with alias, the expression must capture the part of the URI to append and the alias must reference that capture; without the capture, every request under the location resolves to the alias path itself.

location ~ ^/assets/(.*)$ {
    alias /opt/production/assets/$1;
}
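Items 6, 20 and 21 all come down to one check: a prefix location that lacks the trailing slash its alias has, or a regex location whose alias does not reference a capture. The following audit script is an added example, not part of the original guide; it uses a deliberately simple parser (one level of location blocks, no nested braces) and runs against a constructed sample configuration embedded inline.

```python
import re

# Constructed sample configuration (not from any real server) mixing safe and
# unsafe alias usage so the audit has something to flag.
SAMPLE_CONF = """
server {
    location /files/ {
        alias /srv/files/;
    }
    location /assets {
        alias /var/www/html/myapplication/assets/;
    }
    location ~ ^/static/ {
        alias /opt/production/static/;
    }
    location ~ ^/media/(.*)$ {
        alias /opt/production/media/$1;
    }
}
"""

# Matches "location [modifier] path { body }" where body has no nested braces.
LOCATION_RE = re.compile(
    r"location\s+(?P<mod>[=~*^]*)\s*(?P<path>\S+)\s*\{(?P<body>[^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+(?P<target>[^;]+);")


def audit_alias_locations(conf: str) -> list[tuple[str, str]]:
    """Return (location, reason) pairs for alias directives that let a request
    escape the intended directory or that cannot work inside a regex location."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        mod, path, body = m.group("mod"), m.group("path"), m.group("body")
        alias = ALIAS_RE.search(body)
        if not alias:
            continue
        target = alias.group("target").strip()
        if "~" in mod:
            # Regex locations must capture the URI tail and reference it in alias.
            if "$" not in target:
                findings.append((path, "regex location: alias has no capture reference"))
        elif target.endswith("/") and not path.endswith("/"):
            # Off-by-slash: the prefix also matches "/assets../" and nginx appends
            # the remainder ("../") to the alias path.
            findings.append((path, "prefix lacks trailing slash while alias has one"))
    return findings


if __name__ == "__main__":
    for location, reason in audit_alias_locations(SAMPLE_CONF):
        print(f"{location}: {reason}")
```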

22. Disable server tokens

server_tokens off;

23. Implement SSL/TLS with appropriate ciphers and protocols

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;

24. Enable HSTS

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

25. Implement buffer overflow protection

proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

26. Implement XSS protection

This header enables the legacy XSS auditor in browsers that still ship one; current Chrome and Firefox ignore it, so treat it as defence in depth rather than a primary control.

add_header X-XSS-Protection "1; mode=block";

27. Web Application Firewall (WAF)

Consider using a WAF such as Nginx ModSecurity or openappsec for additional security.

28. Use Fail2ban for Protection

Use fail2ban for additional security.

vim /etc/fail2ban/jail.local
---
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.4.10

[nginx]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 10
bantime = 7200
---
vim /etc/fail2ban/filter.d/nginx.conf
---
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|403) .*$
ignoreregex =

# example: exclude image requests from matching (this definition replaces the failregex above)
failregex = ^<HOST>.*"(GET|POST) (?!.*\.(jpg|jpeg|png|gif|bmp|svg)).*" (403|404) .*$
---
systemctl restart fail2ban.service 
fail2ban-client status nginx

Additional Security

1. SSH Hardening

Harden SSH access to the server.

2. Firewall Configuration

Configure a firewall to allow only necessary traffic.

sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

3. Two-Factor Authentication

Enable two-factor authentication for server access.

4. Regular Backups

Implement regular backups of configurations and data.