Too much! Nginx these important security settings, you will not

Time:2021-3-6

Too much! Nginx these important security settings, you will not

Nginx is the most popular web server, which can only occupy 2.5 MB of memory, but can easily handle 1W HTTP requests.

As the entrance of the website, the importance of security settings of nginx is self-evident.

Let’s take you to know these security configurations!

nginx.conf Is the main configuration file of nginx, and most of the security configuration is carried out on this file.

Disable unwanted nginx modules

Automatic installation of nginx will have many built-in modules, not all modules are required, for non essential modules can be disabled, such asautoindexThe following shows how to disable the module

# ./configure --without-http_autoindex_module
# make
# make install

Do not display server tokens

By default, the server tokens of nginx will display the version number of nginx on the error page, which may lead to information disclosure. Unauthorized users may know the version of nginx you are using. Should be in nginx.conf By setting the server_ Tokens off to disable

Too much! Nginx these important security settings, you will not

Control resources and constraints

In order to prevent potential DoS attacks on nginx, the buffer size limit can be set for all clients. The configuration is as follows:

  • client_ body_ buffer_ Size specifies the size of the client request body buffer. The default value is 8K or 16K, but it is recommended to set this value as low as 1K: client_ body_ buffer_ size 1k
  • client_ header_ buffer_ Size specifies the header buffer size for the client request header. Setting 1K is enough for most requests.
  • client_ max_ body_ Size specifies the maximum acceptable body size for client requests. Setting 1K should be enough, but if you receive file uploads through post, you need to add it.
  • large_ client_ header_ Buffers specifies the maximum number and size of buffers used to read large client request headers. Set the maximum number of buffers to 2, and the maximum size of each buffer is 1K. The instruction will accept 2 kb data, large_ client_ header_ buffers 2 1k

Disable all unwanted HTTP methods

Disable all unnecessary HTTP methods. The following setting means that only get, head and post methods are allowed, and delete and trace methods are filtered out.

location / {
limit_except GET HEAD POST { deny all; }
}

The other method is to set it in the server block, but it is set globally. Pay attention to evaluate the impact

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444; }

Monitoring access log and error log

By continuously monitoring and managing nginx’s error logs, you can better understand the requests to the web server, notice any errors encountered, help to discover any attack attempts, and determine what actions you can perform to optimize the server performance.

Log management tools such as logrotate can be used to rotate and compress old logs and free up disk space. Similarly, NGX_ http_ stub_ status_ Module module provides access to basic state information.

Too much! Nginx these important security settings, you will not

Reasonable configuration of response head

In order to further enhance the performance of nginx web, several different response headers can be added and recommended

X-Frame-Options

The X-FRAME-OPTIONS HTTP response header can be used to indicate whether the browser should be allowed to render the page in < frame > or < iframe >. This can prevent click hijacking attacks.

Add to the configuration file:

add_header X-Frame-Options "SAMEORIGIN";

Strict-Transport-Security

HTTP strict transport security is called HSTs for short. It allows an HTTPS website and requires the browser to always access it through HTTPS. At the same time, it will reject requests from http. The operation is as follows:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

CSP

Content security policy (CSP) protects your website from attacks such as XSS and SQL injection

add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

Configure SSL and cipher suits

By default, nginx allows the use of the old SSL protocol, SSL, which is not secure_ Protocols tlsv1 tlsv1.1 tlsv1.2, the following modifications are recommended:

ssl_protocols TLSv1.2 TLSv1.3;

In addition, to specify cipher suits, you can ensure that the server configuration item is used when tlsv1 handshakes to enhance security.

ssl_prefer_server_ciphers on

Update the server regularly

There are always various vulnerabilities in the old version of nginx, so it’s better to update to the latest version.

Vulnerabilities can be found on major CVE websites, and the latest version of nginx can be found on the official website.

Source:https://www.toutiao.com/i6901…

Too much! Nginx these important security settings, you will not