Nginx is a powerful and flexible web server, used by millions of websites worldwide. While its default configuration is reasonably secure, there are additional steps you can take to further improve your Nginx server’s security. In this article, we will cover various tips and tricks to help you harden your Nginx web server and protect it from potential threats.
1. Keep software up-to-date
Regularly updating your Nginx server and related software ensures that you have the latest security patches and bug fixes. Use your operating system’s package manager to keep track of updates, and subscribe to security mailing lists for Nginx and its dependencies to stay informed about potential vulnerabilities.
2. Secure connections with HTTPS
Encrypting your web traffic using HTTPS is essential for ensuring the confidentiality and integrity of data exchanged between your server and its clients. Acquire an SSL/TLS certificate from a trusted Certificate Authority (CA) and configure Nginx to use it for secure connections.
Obtain the certificate from a trusted CA or from a free service like Let’s Encrypt. Store the certificate and private key files (e.g., example.com.crt and example.com.key) in a protected location on your server, such as /etc/nginx/ssl/, and restrict read access to the private key: Nginx reads it as root when it starts or reloads, so the unprivileged worker user does not need access to it. Then add the following directives to configure the server block for HTTPS:

```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # ... other directives, such as root, index, and location blocks
}
```
3. Enable HTTP Strict Transport Security (HSTS)
HSTS is a response header that tells browsers to use only HTTPS for your site for the stated period (31536000 seconds is one year), which defeats downgrade attacks that rely on the browser first making a plain HTTP request. Browsers only honor the header when it arrives over HTTPS, so add the following line to the server block that listens on port 443:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
4. Use strong SSL/TLS protocols and cipher suites
Disable weak SSL/TLS protocols such as SSLv2, SSLv3, TLSv1.0, and TLSv1.1, and allow only TLSv1.2 and TLSv1.3. Additionally, configure Nginx to offer secure cipher suites and to prefer the server’s cipher order over the client’s.
Edit your Nginx configuration file (usually located at /etc/nginx/nginx.conf or /etc/nginx/sites-available/default) and add the following directives inside the server block:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
```
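The cipher list used in sections 2 and 4 is a broad compatibility list, and it is hard to see by eye which legacy suites it still enables. The following script is an added example, not part of the article: it parses an OpenSSL-style ssl_ciphers string and reports every explicitly named suite that lacks forward secrecy or an AEAD mode, or that uses a legacy bulk cipher such as 3DES. Alias groups (`AES`, `CAMELLIA`, `kEDH+AESGCM`) are listed but not expanded, since that requires the OpenSSL cipher tables.

```python
"""Audit an OpenSSL-style ssl_ciphers string (added example, not from the article).

Each explicitly named suite is classified by forward secrecy, AEAD mode and legacy
bulk cipher; alias groups and '!' exclusions are reported separately."""
from dataclasses import dataclass

# The article's cipher string, split across lines only for readability.
ARTICLE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

@dataclass
class Suite:
    name: str
    forward_secret: bool   # ephemeral (EC)DH key exchange
    aead: bool             # GCM / CCM / ChaCha20-Poly1305 bulk cipher
    legacy_bulk: bool      # 3DES, RC4, Camellia, SEED, IDEA

def classify_suite(name):
    u = name.upper()
    return Suite(name,
                 u.startswith(("ECDHE-", "DHE-", "EDH-")),
                 any(t in u for t in ("GCM", "CCM", "CHACHA20")),
                 any(t in u for t in ("DES", "RC4", "CAMELLIA", "SEED", "IDEA")))

def audit_cipher_string(cipher_string):
    suites, aliases, exclusions = [], [], []
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        if token[0] in "!-":            # '!' removes permanently, '-' removes for now
            exclusions.append(token)
        elif "-" not in token or "+" in token:
            aliases.append(token)       # alias group, e.g. 'AES' or 'kEDH+AESGCM'
        else:
            suites.append(classify_suite(token))
    weak = [s.name for s in suites if s.legacy_bulk or not (s.forward_secret and s.aead)]
    return {"suites": suites, "aliases": aliases, "exclusions": exclusions, "weak": weak}
```

Whether to drop the flagged suites depends on the oldest clients you must support; the audit only makes the trade-off visible.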
5. Disable unnecessary modules
Nginx comes with various modules, some of which may not be required for your specific use case. Disabling unnecessary modules reduces the potential attack surface.

Dynamically loaded modules are enabled by load_module lines in the Nginx configuration file; comment out the lines for the modules you don’t need. For example, if you don’t need the `ngx_http_geoip_module`, comment out the corresponding line:

```nginx
# load_module modules/ngx_http_geoip_module.so;
```

Modules compiled statically into the binary have no load_module line and can only be removed by building Nginx with the corresponding --without-* configure option, or by choosing a leaner package.
6. Limit request rates
Rate limiting helps protect your server against brute-force attacks and denial-of-service (DoS) attacks. Configure Nginx to limit the number of requests per client IP address by adding the following directives to your configuration file. The limit_req_zone directive belongs in the http block; limit_req goes in the server or location block you want to protect:

```nginx
# http block: 10 MB of shared memory for client state, 1 request per second per address
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

# server or location block: allow short bursts of up to 5 queued requests
limit_req zone=one burst=5;
```

Keep in mind that clients behind a shared NAT gateway or proxy present the same address and share one budget, so set the rate with your real user population in mind.
7. Hide Nginx server tokens
By default, Nginx sends its version number in the Server response header and on error pages. This information lets attackers match the server against known vulnerabilities in that version. To hide the version, add the following directive to your configuration file:

```nginx
server_tokens off;
```

This removes the version number only; the Server header still identifies the software as nginx.
8. Secure sensitive resources
Protect sensitive resources, such as administrative interfaces and private directories, by using password authentication, IP address restrictions, or a combination of both.
To secure an administrative interface, you can combine basic authentication with IP address restrictions. In your Nginx configuration file, add the following directives inside the location block that corresponds to the sensitive resource:

```nginx
location /admin {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    allow 192.168.1.0/24;   # Replace with your IP address or subnet
    deny all;
}
```

With Nginx’s default of satisfy all, a client must both come from the allowed subnet and present valid credentials; use satisfy any if either check alone should grant access.

To create the password file /etc/nginx/.htpasswd, you can use a tool like htpasswd from the Apache HTTP Server package. The -c flag creates the file (overwriting any existing one), so omit it when adding further users:

```bash
sudo htpasswd -c /etc/nginx/.htpasswd username
```
9. Use Content Security Policy (CSP)
Content Security Policy (CSP) is an HTTP response header that restricts the sources from which the browser may load resources such as scripts, styles, images, and fonts. It can be used to mitigate the risk of cross-site scripting (XSS) and other content injection attacks.
In the Nginx configuration file, you can add the CSP as follows. Please adjust the policy to fit your own needs:
```nginx
server {
    listen 80;
    server_name yourdomain.com;

    location / {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trustedscripts.com; style-src 'self' https://trustedstyles.com; img-src 'self' https://trustedimages.com; font-src 'self' https://trustedfonts.com; connect-src 'self' https://trustedconnections.com; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self';";
        try_files $uri $uri/ =404;
    }
}
```

This is a basic policy that restricts content loading to your own domain, with exceptions for scripts, styles, images, fonts, and connections to specific trusted domains. frame-src and object-src are set to 'none', meaning iframes and plugins are not allowed. base-uri and form-action are set to 'self', limiting where base and form elements can point to. Note that add_header directives are inherited from the enclosing block only when the current block defines none of its own, so a header added at the location level replaces, rather than extends, headers such as the HSTS header from section 3 that you set at the server level; repeat them in the location block if needed.
Remember to replace “yourdomain.com” with your own domain and “trustedscripts.com”, “trustedstyles.com”, “trustedimages.com”, “trustedfonts.com”, and “trustedconnections.com” with actual domains from which you want to load scripts, styles, images, fonts, and connections respectively.
Please note that a poorly configured CSP can break your site, so be sure to test thoroughly.
Also, always use HTTPS in production. This example uses HTTP for simplicity.
10. Regularly audit and monitor your server
Regularly audit your Nginx configuration for potential security issues, and keep an eye on server logs for signs of suspicious activity. Set up log analyzers and monitoring tools to help you detect and respond to threats in real-time.
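As an added example that is not part of the article, the script below scans access-log lines for the two abuse patterns the earlier controls address: a client exceeding the 1 r/s plus burst 5 budget from the rate-limiting example, and a client repeatedly receiving 401 from the protected /admin location. The log lines are constructed sample data in Nginx’s default 'combined' format; the thresholds and the /admin path are taken from the article, and the 10-second window is an assumption.

```python
"""Scan Nginx access-log lines for the abuse that sections 6 and 8 defend against.
Added example (not from the article): flags clients exceeding the limit_req budget
(1 r/s plus a burst of 5) and clients repeatedly getting 401 from /admin.
The log lines are constructed sample data in Nginx's default 'combined' format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:                      # not a 'combined' format line
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["status"] = int(rec["status"])
    return rec

def find_rate_abusers(records, rate=1, burst=5, window_s=10):
    """IPs whose request count in any window_s-second span exceeds rate*window_s + burst."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    budget, flagged = rate * window_s + burst, {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window_s:   # slide the window forward
                start += 1
            if end - start + 1 > budget:
                flagged[ip] = end - start + 1
                break
    return flagged

def find_auth_failures(records, path_prefix="/admin", threshold=3):
    """IPs with at least `threshold` 401 responses under the protected path."""
    fails = Counter(r["ip"] for r in records
                    if r["status"] == 401 and r["path"].startswith(path_prefix))
    return {ip: n for ip, n in fails.items() if n >= threshold}

def _line(ip, sec, path, status):   # builds one constructed 'combined' log line
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 162 "-" "curl/8.0"'

SAMPLE_LOG = [_line("203.0.113.7", s, "/", 200) for s in range(20) for _ in range(2)]  # 2 r/s
SAMPLE_LOG += [_line("198.51.100.9", s, "/admin", 401) for s in range(0, 12, 3)]     # 4 failed logins
SAMPLE_LOG += [_line("192.0.2.1", s, "/index.html", 200) for s in range(0, 20, 5)]   # normal client

def scan(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {"rate_abusers": find_rate_abusers(records), "auth_failures": find_auth_failures(records)}
```

Run against a real access.log by feeding `open("/var/log/nginx/access.log")` to `scan()`; requests rejected by limit_req itself show up in the same log with the limit_req_status code (503 by default).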
Conclusion
Securing your Nginx web server is an ongoing process that requires regular attention and maintenance. By implementing these tips and tricks, you can significantly improve your server’s security posture and reduce the likelihood of falling victim to cyberattacks. Remember that no security measure is foolproof, so always stay vigilant, keep up to date with security best practices, and be proactive in addressing potential vulnerabilities. Combining these efforts with a strong security mindset will help ensure that your Nginx server remains a safe and reliable platform for your web applications.