Ultimate Guide: 12 tips for hardening an nginx server

Time: 2020-8-28

Nginx is a lightweight web server, reverse proxy and mail (IMAP/POP3) proxy server distributed under a BSD-like license. It is known for its low memory footprint and high concurrency; in fact, among web servers of the same class, nginx handles concurrency better. Well-known sites in mainland China running nginx include Baidu, Jingdong, Sina, NetEase, Tencent and Taobao. Perhaps you have already heard these good things about nginx and like it a lot, and are now considering how to improve the security and stability of your nginx server, or whether to replace Apache with nginx. If so, this article is for you.

This article introduces 12 measures that improve the security, stability and performance of an nginx server.

1: Keep nginx up to date

At present the stable version of nginx is 1.14.0, and it is better to upgrade to the latest version. If you read the official release notes you will find that many bugs have been fixed, and no production environment wants to run with such bug risks.
In addition, although installing from a package is easier than compiling from source, the latter has two advantages:

  • 1) It lets you add extra modules to nginx (for example, more_header, mod_security),
  • 2) It is always newer than the packaged version; the source can be downloaded from the nginx website.

2: Remove unused nginx modules

When compiling from source, add the following options to the ./configure invocation to explicitly exclude modules you do not use:

./configure --without-module1 --without-module2 --without-module3

For example:

./configure --without-http_dav_module --without-http_spdy_module

#Note: configuration directives are provided by modules. Make sure that a module you disable does not provide a directive you need! Before disabling a module, check the list of directives each module provides in the nginx documentation.

3: Disable server_tokens in the nginx configuration

When server_tokens is on, the 404 page shows the current nginx version number. This is obviously not secure, since attackers will use this information to try exploits for that version of nginx.
You only need to set server_tokens off in the http or server context of nginx.conf, for example:

server {
    listen 192.168.0.25:80;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    access_log /var/www/logs/tecmintlovesnginx.access.log;
    error_log /var/www/logs/tecmintlovesnginx.error.log error;
    root /var/www/tecmintlovesnginx.com/public_html;
    index index.html index.htm;
}

Restart nginx for the change to take effect.

4: Block unwanted HTTP user agents

In HTTP, the User-Agent header identifies the client browser. Blocking unwanted user agents can stop some crawler and scanner requests and prevent them from consuming a lot of nginx server resources.
For easier maintenance, it is best to keep the list of unwanted user agents in a separate file, such as /etc/nginx/blockuseragents.rules, with the following content:

map $http_user_agent $blockedagent {
    default 0;
    ~*malicious 1;
    ~*bot 1;
    ~*backdoor 1;
    ~*crawler 1;
    ~*bandit 1;
}
Then include the file from the http context of the configuration (the map directive is only valid there):

include /etc/nginx/blockuseragents.rules;

Then add an if statement to the server block that returns a block page when $blockedagent is set.

5: Disable unwanted HTTP methods

For example, many web sites and applications only need the GET, POST and HEAD methods.
Some spoofing attacks can be prevented by adding the following to the server block of the configuration file:

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}

6: Set maximum buffer sizes

These settings help prevent buffer overflow attacks (also in the server block):

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;          # any request body larger than 1 KB is rejected with 413; raise this if the site accepts uploads
large_client_header_buffers 2 1k;
#With these limits in place, request buffers stay bounded no matter how many HTTP requests arrive.

7: Limit the maximum number of connections

  • In the http context, outside the server block, set limit_conn_zone to define a zone keyed by the client IP address.
  • In the http, server or location context, set limit_conn to set the maximum number of connections per IP.
    For example:

limit_conn_zone $binary_remote_addr zone=addr:5m;
limit_conn addr 1;


8: Set up log monitoring

(Screenshot in the original: how the nginx logs are configured.)

Because of the connection limit set in point 7, you may need to check the error log for rejected connections:

grep addr /var/www/logs/tecmintlovesnginx.error.log --color=auto

You can also filter the log for the following:

  • Client IP
  • Browser type
  • HTTP request method
  • Request content
  • Server response
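The following added example (not code from the original article) parses nginx's default combined access-log format into the fields listed above and applies the same case-insensitive rules as the blockuseragents.rules map from point 4, so you can see from past traffic what the map would have blocked. The log lines are constructed samples; note that the ~*bot rule also matches legitimate crawlers such as Googlebot, so review the list before deploying it.

```python
import re

# Constructed sample lines in nginx's default "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.168.0.77 - - [28/Aug/2020:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0"
203.0.113.9 - - [28/Aug/2020:10:01:05 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.44 - - [28/Aug/2020:10:01:09 +0800] "POST /admin HTTP/1.1" 403 169 "-" "BackDoor-Scanner/1.0"
198.51.100.3 - - [28/Aug/2020:10:02:00 +0800] "DELETE /img/logo.png HTTP/1.1" 444 0 "http://evil.example/" "curl/7.68.0"
"""

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Same patterns as /etc/nginx/blockuseragents.rules; "~*" in an nginx map means a
# case-insensitive regex, so this reproduces the value of $blockedagent.
BLOCKED_AGENT_PATTERNS = ["malicious", "bot", "backdoor", "crawler", "bandit"]

def blocked_agent(user_agent):
    """Return 1 if the User-Agent would set $blockedagent, else 0 (the map's default)."""
    return int(any(re.search(p, user_agent, re.IGNORECASE) for p in BLOCKED_AGENT_PATTERNS))

def parse_log(text):
    """Extract the fields point 8 lists: client IP, browser type, method, request, response."""
    entries = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["blocked_agent"] = blocked_agent(e["agent"])
        entries.append(e)
    return entries

def summarize(entries):
    """Count requests per client IP and list the IPs whose User-Agent the map would block."""
    per_ip = {}
    for e in entries:
        per_ip[e["ip"]] = per_ip.get(e["ip"], 0) + 1
    flagged = [e["ip"] for e in entries if e["blocked_agent"]]
    return per_ip, flagged

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f'{e["ip"]:15} {e["method"]:6} {e["path"]:20} {e["status"]} blocked_agent={e["blocked_agent"]} {e["agent"]}')
```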

9: Prevent images from being hotlinked from your server

Hotlinking obviously increases the bandwidth load on your server.
Suppose you store images in an img directory and your own IP address is 192.168.0.25. Add the following configuration to block external links:

location /img/ {
    valid_referers none blocked 192.168.0.25;
    if ($invalid_referer) {
        return 403;
    }
}
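The keywords in valid_referers are easy to misread: none means the Referer header is absent, blocked means it is present but has been stripped to a bare string (no http:// or https://) by a proxy or firewall, and the remaining entries are server names with an optional URI prefix, matched case-insensitively and ignoring the port. The following added example (not from the original article) reproduces that evaluation in Python so the location above can be checked against sample header values; the wildcard and URI-prefix handling goes slightly beyond the page's own directive.

```python
from urllib.parse import urlsplit

# The directive from the /img/ location above: valid_referers none blocked 192.168.0.25;
VALID_REFERERS = ["none", "blocked", "192.168.0.25"]

def _host_matches(host, pattern):
    """nginx allows a single '*' at the start or end of a valid_referers server name."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def invalid_referer(referer, valid=VALID_REFERERS):
    """Return True when nginx would set $invalid_referer (and the if block returns 403).

    referer is the Referer header value, or None if the header is absent.
    valid is the valid_referers parameter list, in the directive's own syntax.
    """
    if referer is None:
        return "none" not in valid          # 'none': header missing
    lower = referer.lower()
    if not lower.startswith(("http://", "https://")):
        return "blocked" not in valid       # 'blocked': present but stripped by a proxy/firewall
    parts = urlsplit(lower)
    host = parts.hostname or ""             # hostname drops the port, which nginx ignores
    path = parts.path or "/"
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        ehost, slash, eprefix = entry.partition("/")   # optional URI prefix after the host
        if _host_matches(host, ehost) and path.startswith(slash + eprefix):
            return False
    return True

if __name__ == "__main__":
    for ref in (None, "192.168.0.25", "http://192.168.0.25:8080/gallery.html", "http://evil.example/hotlink.html"):
        print(f"{ref!r:45} -> {'403' if invalid_referer(ref) else 'served'}")
```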

10: Disable SSL and enable only TLS

If possible, avoid SSL and use TLS instead. The following setting can be placed in the server block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


11: Configure an HTTPS certificate

First generate the key and the certificate; the following commands can be used:

# openssl genrsa -aes256 -out tecmintlovesnginx.key 1024    # 1024-bit RSA is weak by current standards; 2048 bits or more is recommended
# openssl req -new -key tecmintlovesnginx.key -out tecmintlovesnginx.csr    # certificate signing request
# cp tecmintlovesnginx.key tecmintlovesnginx.key.org
# openssl rsa -in tecmintlovesnginx.key.org -out tecmintlovesnginx.key    # writes an unencrypted copy so nginx can start without a passphrase prompt
# openssl x509 -req -days 365 -in tecmintlovesnginx.csr -signkey tecmintlovesnginx.key -out tecmintlovesnginx.crt    # self-signed certificate valid for one year
Then configure the server block:

server {
    listen 192.168.0.25:443 ssl;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    root /var/www/tecmintlovesnginx.com/public_html;
    ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

12: Redirect HTTP requests to HTTPS

Building on point 11, add the following to the server block that handles plain HTTP (port 80):

return 301 https://$server_name$request_uri;


Summary

This article shared some tips for protecting the nginx web server. I'd love to hear from you: if you have other suggestions, please comment and share your experience. Original text: https://www.toutiao.com/i6567…