
Title: Enhancing Your Enterprise System’s Security with 24 NGINX Configurations
Introduction
NGINX is an essential component of many enterprise systems, providing robust web serving, caching, and load balancing capabilities. However, as with any critical system, security is a top priority. In this article, we’ll delve into the world of NGINX configurations to explore 24 essential settings that can strengthen your enterprise system’s defenses.
Configuration 1: Disable Directory Browsing
Disable directory listings so that a request for a directory without an index file returns 403 instead of a list of its contents (backup files, uploads, dot-files). The directive is autoindex; it is off by default, so the practical risk is an included snippet that turned it on somewhere else. Setting it explicitly at the top-level location makes the intent visible.
```nginx
location / {
    autoindex off;        # no listing when index.html is missing
    index index.html;
}
```
Configuration 2: Block Malicious IPs
Blocking by country is a coarse filter, not a list of known-malicious addresses; for a real deny list use deny directives or the geo module. If you do filter by geography, the legacy geoip module (built with --with-http_geoip_module) reads MaxMind's GeoIP v1 databases, which MaxMind has discontinued; the third-party ngx_http_geoip2_module with GeoLite2 is the current equivalent. Two things the naive version gets wrong: the variable is $geoip_country_code (and the country database is GeoIP.dat, not the city file), and NGINX's if has no && operator and is only allowed in server and location context, so express the policy as a map instead.
```nginx
http {
    …
    geoip_country /usr/share/GeoIP/GeoIP.dat;   # country database; GeoLiteCity.dat is the city one
    map $geoip_country_code $allowed_country {
        default 0;
        ""      1;   # loopback and private addresses have no country code
        US      1;
    }
    server {
        …
        if ($allowed_country = 0) {
            return 403;
        }
    }
}
```
Configuration 3: Enable SSL/TLS
Configure NGINX with a certificate issued by a CA your clients trust so that traffic is encrypted and the server is authenticated. Restrict the protocol versions at the same time: builds before 1.23.4 default to allowing TLS 1.0 and 1.1. Keep the private key readable only by root; the master process reads it before spawning the unprivileged workers.
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /path/to/ssl.crt;   # full chain: leaf followed by intermediates
    ssl_certificate_key /path/to/ssl.key;   # mode 0600, owned by root
    ssl_protocols TLSv1.2 TLSv1.3;
}
```
Configuration 4: Restrict Access by IP Address
Limit sensitive paths such as an admin interface to specific client addresses. allow and deny are evaluated in order and the first match wins, so deny all must come last. The check uses $remote_addr; behind a load balancer or CDN that is the proxy's address, and the rule only does what you expect once the real_ip module (set_real_ip_from, real_ip_header) has restored the client address from a trusted proxy.
```nginx
location /admin {
    allow 192.168.1.100;
    deny  all;
}
```
Configuration 5: Enable HTTP Strict Transport Security (HSTS)
HSTS tells browsers to use only HTTPS for this host for max-age seconds, so a later http:// link or a captive portal cannot downgrade the connection. Send it only from the HTTPS server block, and use the always parameter so the header is also attached to error responses. add_header is not inherited by a location that declares its own add_header, so repeat the line in every such location. Start with a short max-age and raise it once every subdomain is served over HTTPS; includeSubDomains cannot be undone quickly once browsers have cached it.
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```
Configuration 6: Configure Rate Limiting
Rate limiting slows credential stuffing and brute-force attempts against login endpoints. limit_req_zone is declared in the http context and keyed on the client address; limit_req applies it and takes the zone by name (zone=). The burst parameter is how many requests above the steady rate are queued, or passed immediately with nodelay, before NGINX rejects the rest with 503 (or the status set with limit_req_status). Behind a load balancer, pair this with the real_ip module (set_real_ip_from, real_ip_header), or every client shares the proxy's address and a single bucket.
```nginx
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=5r/s;
server {
    …
    location /login {
        limit_req zone=req_limit burst=10 nodelay;
        limit_req_status 429;
    }
}
```
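What burst and nodelay actually do is easier to see in code than in prose. The following is an added example, not code from the article or from NGINX: a Python model of the leaky-bucket accounting in ngx_http_limit_req_module for one client key, written from the module's behaviour (bucket level in thousandths of a request, rejection when the level exceeds burst, queueing delay otherwise). Whole-number r/s rates are assumed; shared-memory sizing, node expiry and the delay= parameter are left out, and the arrival times are constructed.

```python
"""Added example, not code from the article: a model of the accounting behind
limit_req, so the effect of rate=, burst= and nodelay on a burst of requests
can be read off instead of guessed.

Assumption: this follows the leaky-bucket bookkeeping of ngx_http_limit_req_module
for a single client key, with the bucket level ("excess") kept in thousandths
of a request like the module's lr->excess. Rates are whole requests per second;
shared-memory sizing, node expiry and the delay= parameter are left out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LimitReq:
    rate: int                  # requests per second, as in rate=5r/s
    burst: int = 0             # burst=N: allowance above the steady rate
    nodelay: bool = False      # pass burst requests at once instead of queueing them
    excess: int = 0            # current bucket level, thousandths of a request
    last_ms: Optional[int] = None

    def request(self, now_ms: int) -> Tuple[str, int]:
        """Account for one request arriving at now_ms.

        Returns (verdict, delay_ms): ('pass', 0), ('delay', queueing time) or
        ('reject', 0), the last meaning 503 or whatever limit_req_status sets.
        """
        if self.last_ms is None:
            # first request for this key: a fresh node starts at excess 0
            self.last_ms = now_ms
            return ("pass", 0)
        elapsed = max(now_ms - self.last_ms, 0)
        # bucket drains at `rate` requests per second, then this request adds one
        excess = max(self.excess - self.rate * elapsed + 1000, 0)
        if excess > self.burst * 1000:
            # burst exhausted: rejected, and the node is left unchanged
            return ("reject", 0)
        self.excess = excess
        self.last_ms = now_ms
        if excess == 0 or self.nodelay:
            return ("pass", 0)
        # queued until the bucket has drained enough for this request
        return ("delay", excess // self.rate)


def simulate(rate: int, burst: int, nodelay: bool, arrivals_ms: List[int]) -> List[str]:
    """Verdicts for a sequence of arrival times (ms) from one client."""
    lr = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    return [lr.request(t)[0] for t in arrivals_ms]


if __name__ == "__main__":
    # constructed burst: 12 requests in the same millisecond, one more 200 ms later
    arrivals = [0] * 12 + [200]
    print("burst=0          ", simulate(5, 0, False, arrivals))
    print("burst=10         ", simulate(5, 10, False, arrivals))
    print("burst=10 nodelay ", simulate(5, 10, True, arrivals))
```

With the article's rate=5r/s and burst=10, eleven simultaneous requests are accepted (the first plus the burst allowance) and the twelfth is rejected; without nodelay the eleventh waits two seconds before being proxied. With burst=0 one request passes every 200 ms and everything in between is rejected, which is why a bare limit_req on a login page with a multi-asset form produces spurious 503s.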
Configuration 7: Use Two-Factor Authentication (2FA)
NGINX has no 2FA directive of its own. The supported pattern is the auth_request module: each request is first sent as a subrequest to an external authentication service that enforces the second factor; a 2xx reply lets the request through, 401 or 403 blocks it, and the original request body is not forwarded to the verifier. Use $proxy_add_x_forwarded_for so an existing chain is appended to rather than overwritten.
```nginx
location / {
    auth_request /auth;                  # 2xx from the subrequest = allowed, 401/403 = blocked
    proxy_pass https://example.com;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# internal-only endpoint that forwards the headers (not the body) to the 2FA verifier
location = /auth { internal; proxy_pass https://auth.example.com/verify; proxy_pass_request_body off; proxy_set_header Content-Length ""; }
```
Configuration 8: Monitor and Alert for Suspicious Activity
NGINX itself only records; alerting comes from whatever consumes the logs (fail2ban, a SIEM, a log pipeline). Give it enough to work with: a named log format carrying the client address, status, request line and X-Forwarded-For, written to an access log, plus an error log at notice level so worker restarts and limit_req rejections (logged at error level by default) are captured. The built-in name combined cannot be redefined, since NGINX refuses to start on a duplicate log_format name, so use a new name.
```nginx
http {
    …
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log notice;
}
```
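The detection side of this configuration lives outside NGINX. As an added example, not code from the article, here is the logic a log consumer would run over lines in the format above: parse each line, keep a sliding window of 401/403 responses on the login path per client, and raise an alert when a client reaches the threshold. It assumes $remote_addr is already the true client address (see the real_ip module when a proxy is in front); the threshold, window, path prefix and the sample log lines are constructed for the example.

```python
"""Added example, not code from the article: detection logic over NGINX
access-log lines in the article's `main` format, flagging clients that rack up
authentication failures faster than a person would.

Assumptions: combined format plus a trailing quoted X-Forwarded-For field;
$remote_addr is already the real client address; the sample lines below are
constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)
# nginx escapes a literal double quote inside a logged value as \x22, so the
# quoted fields above cannot be broken by a crafted User-Agent.


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_auth_failures(lines: Iterable[str], threshold: int = 5,
                         window_s: int = 60, path_prefix: str = "/login") -> Dict[str, datetime]:
    """Map client IP -> time at which it reached `threshold` 401/403 responses
    on `path_prefix` within any `window_s` span (sliding window per client)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in (401, 403):
            continue
        parts = rec["request"].split()
        if len(parts) < 2 or not parts[1].startswith(path_prefix):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and (rec["time"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["time"]
    return alerts


# Constructed sample: one client fails six logins in 23 seconds, another browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /login HTTP/1.1" 401 152 "-" "curl/8.1.2" "-"' % s
    for s in (36, 41, 46, 51, 56, 59)
] + [
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [10/Oct/2023:13:55:50 +0000] "POST /login HTTP/1.1" 401 152 "-" "Mozilla/5.0" "-"',
    'garbage line that does not match',
]

if __name__ == "__main__":
    for ip, when in detect_auth_failures(SAMPLE_LOG).items():
        print(f"ALERT {ip}: repeated login failures, threshold reached at {when.isoformat()}")
```

Keying on $remote_addr is deliberate: X-Forwarded-For from the log is attacker-controlled unless the real_ip module has already validated it, so a detector that keys on the header can be pointed at an innocent address or split across thousands of fake ones.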
Configuration 9: Implement Least Privilege Access
Run the worker processes as an unprivileged account. The master process starts as root to bind ports 80 and 443 and to read the private keys, then spawns the workers as the configured user; the syntax is a single user directive in the main context with an optional group (there is no separate group directive). The worker account should own nothing under the configuration directory and must not be able to read the TLS keys, so a compromised worker cannot rewrite the configuration or exfiltrate the key.
```nginx
# main context (outside http {})
user www-data www-data;
```
Configuration 10: Disable Version Disclosure
server_tokens off removes the NGINX version from the Server header and from the built-in error pages, which is what scanners use to match the build against known CVEs. The product name "nginx" still appears; hiding it entirely takes a rebuild or a third-party module. This removes a cheap fingerprint, nothing more, so it is no substitute for patching.
```nginx
http {
    ...
    server_tokens off;
}
```
Configuration 11: Use HTTP/2 and TLSv1.3
The http2 parameter on listen enables HTTP/2. TLS 1.3 is controlled by ssl_protocols, not by the listen line, and needs OpenSSL 1.1.1 or later. Listen on IPv4 as well as IPv6, otherwise only IPv6 clients reach the server. On NGINX 1.25.1 and later the listen parameter is deprecated in favour of a separate http2 on; directive.
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/ssl.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
```
Configuration 12: Implement Certificate Pinning
HTTP Public Key Pinning (HPKP), the header shown here, is deprecated: Chrome dropped support in version 72 and Firefox in version 72, so current browsers ignore it, and while it was honoured a wrong pin or a lost key locked users out for the whole max-age. Do not add it to a new deployment. Pinning still makes sense inside clients you control (mobile apps, internal service-to-service calls) where the pin set ships with the client and can be rotated with it. The header is kept below, commented out, for reference only; a valid HPKP header needed at least two pins, the active key plus a backup.
```nginx
server {
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/ssl.key;
    # Obsolete: browsers no longer honour HPKP. Shown for reference only.
    # add_header Public-Key-Pins 'pin-sha256="sha256-pin-value"; pin-sha256="sha256-backup-pin-value"; max-age=2592000; includeSubDomains';
}
```
Configuration 13: Configure NGINX to Use a Reverse Proxy
A reverse proxy keeps the backends off the network edge and lets NGINX terminate TLS, cache and filter in front of them. When the upstream itself speaks TLS, as proxy_pass https:// implies, note that NGINX does not verify the upstream certificate by default; turn on proxy_ssl_verify with the CA that issued the backend certificate, otherwise a spoofed backend on the internal network goes unnoticed. Pass the original host and scheme so the application builds correct redirects and cookies.
```nginx
upstream backend {
    server localhost:8080;
}
server {
    listen [::]:443 ssl http2;
    server_name example.com;
    location / {
        proxy_pass https://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_verify on;                                   # off by default
        proxy_ssl_trusted_certificate /path/to/backend-ca.crt; # CA that issued the backend certificate
        proxy_ssl_name backend.internal;                       # name expected in that certificate (example)
    }
}
```
Configuration 14: Implement IP Spoofing Protection
At the HTTP layer, IP spoofing means a client setting X-Forwarded-For (or a similar header) to a fake address that access rules, rate limits and logs then trust. The real_ip module is the defence. List only the addresses of your own load balancers or CDN in set_real_ip_from; NGINX then consults the header only when the direct peer is one of them and, with real_ip_recursive on, replaces $remote_addr with the rightmost entry not in that list, so an address the client inserted is never taken as the source. Everything keyed on $remote_addr (allow/deny, limit_req_zone, logs) inherits the corrected value.
```nginx
http {
    ...
    set_real_ip_from 10.0.0.0/8;       # your proxy tier (example range)
    set_real_ip_from 192.0.2.10;       # a single upstream CDN node (example)
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;              # skip every trusted hop, not just the last one
}
```
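The selection rule is short enough to write out, and doing so makes the spoofing case testable. The following is an added example, not code from the article or from NGINX: a Python function that applies the real_ip module's rule (header consulted only from a trusted peer; walk the chain from the right skipping trusted hops) and also shows real_ip_recursive off, which the configuration above does not. The trusted list, the header values and every address are constructed; treating a header with any unparseable entry as ignored is a simplification.

```python
"""Added example, not code from the article: the address-selection rule of the
real_ip module written out in Python, so the spoofing case it defends against
can be exercised. It also covers real_ip_recursive off.

Assumptions: `trusted` stands in for set_real_ip_from, `recursive` for
real_ip_recursive, the header is X-Forwarded-For, and a header containing an
unparseable entry is ignored as a whole (a simplification). All addresses are
constructed documentation or private ranges.
"""
import ipaddress
from typing import Iterable, Optional


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str],
              recursive: bool = True) -> str:
    """Return the address nginx would expose as $remote_addr.

    The header is consulted only when the direct peer is a trusted proxy. With
    recursive=True the chain is walked from the right, skipping trusted hops,
    so an entry the client inserted itself (leftmost) is reached only if every
    hop after it is one of ours.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]

    def is_trusted(ip) -> bool:
        return any(ip in n for n in nets)

    peer = ipaddress.ip_address(remote_addr)
    if not xff or not is_trusted(peer):
        return remote_addr                      # untrusted peer: header is ignored entirely
    try:
        hops = [ipaddress.ip_address(p.strip()) for p in xff.split(",")]
    except ValueError:
        return remote_addr                      # malformed header: $remote_addr stays as it was
    if not recursive:
        return str(hops[-1])                    # real_ip_recursive off: last entry, trusted or not
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])                         # every hop is ours: nginx keeps the leftmost


TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10"]   # the set_real_ip_from list (constructed)

if __name__ == "__main__":
    # legitimate: client -> our LB (10.0.0.2) -> this nginx (peer 10.0.0.5)
    print(client_ip("10.0.0.5", "198.51.100.7, 10.0.0.2", TRUSTED_PROXIES))
    # spoofed: the client sent its own X-Forwarded-For: 1.2.3.4 before the LB appended to it
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.2", TRUSTED_PROXIES))
    # direct connection from an untrusted peer: the header is not even looked at
    print(client_ip("198.51.100.7", "1.2.3.4", TRUSTED_PROXIES))
```

The non-recursive case shows why real_ip_recursive matters: with two proxy hops in front of NGINX, the last header entry is your own second proxy, and the rate limiter ends up keying every client on it.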
Configuration 15: Use a Web Application Firewall (WAF)
A WAF inspects request headers and bodies for injection, path traversal and similar patterns before the request reaches the application. NGINX has no built-in WAF. The common open-source option is ModSecurity v3 with the ModSecurity-nginx connector, loaded as a dynamic module, together with the OWASP Core Rule Set; NGINX App Protect is the commercial equivalent. Run a new rule set in detection-only mode first (SecRuleEngine DetectionOnly in modsecurity.conf) and review the audit log before switching to blocking, or the CRS will block legitimate traffic on day one.
```nginx
load_module modules/ngx_http_modsecurity_module.so;   # main context
http {
    …
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # includes modsecurity.conf and the CRS
    server {
        …
        location / {
            proxy_pass https://example.com;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```
Configuration 16: Configure NGINX to Use a Load Balancer
Distribute incoming traffic across multiple backend servers for improved availability and performance.
```nginx
upstream backend {
    server localhost:8080 weight=3 max_fails=2 fail_timeout=10s;
    server localhost:8081 weight=2 max_fails=2 fail_timeout=10s;
}
server {
    listen [::]:443 ssl http2;
    server_name example.com;
    location / {
        proxy_pass https://backend;
        proxy_set_header Host $host;
    }
}
```
Configuration 17: Implement Content Security Policy (CSP)
CSP tells the browser which origins may supply scripts, styles, images and other resources, so a script tag injected through an XSS bug has nowhere to load from and inline scripts are refused. default-src 'self' is a strict starting point that breaks inline scripts, CDN assets and most third-party widgets; deploy it first as Content-Security-Policy-Report-Only with a report-uri, fix the violations, then switch to the enforcing header. Use always so error pages carry it too.
```nginx
add_header Content-Security-Policy "default-src 'self'" always;
```
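Configurations 5, 10 and 17 all change what the server sends back, so the natural check is a header audit. The following is an added example, not code from the article or from NGINX: a Python audit that takes response headers as a dict (offline here, with constructed header sets; fetch_headers shows the live variant), parses the HSTS value, looks for a version string in Server, and checks the CSP for a default-src fallback and for 'unsafe-inline' on scripts. The one-year max-age and the other thresholds are this example's policy, not something NGINX enforces.

```python
"""Added example, not code from the article: an offline audit of the response
headers that HSTS, server_tokens and CSP control.

Assumptions: headers are given as a dict (as http.client returns them); the
thresholds are this example's policy; the sample header sets are constructed.
"""
import http.client
import re
from typing import Dict, List

ONE_YEAR = 31536000


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        k, _, v = part.partition("=")
        out[k.strip().lower()] = v.strip().strip('"')
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the three controls look right."""
    findings: List[str] = []
    hsts = parse_hsts(_get(headers, "Strict-Transport-Security"))
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        if int(hsts.get("max-age", "0") or 0) < ONE_YEAR:
            findings.append("HSTS: max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains not set")
    server = _get(headers, "Server")
    if re.search(r"\d", server):
        findings.append(f"Server: version disclosed ({server})")
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("CSP: header missing")
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script:
            findings.append("CSP: inline scripts allowed")
    return findings


def fetch_headers(host: str, path: str = "/") -> Dict[str, str]:
    """Live variant: HEAD request over TLS (needs network access; not used by the samples)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed header sets: a default install and one with the three configurations applied.
DEFAULT_INSTALL = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("default", DEFAULT_INSTALL), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Run it against an error page as well as the home page: the add_header inheritance rule and a missing always parameter show up as HSTS or CSP findings on a 404 that pass on a 200.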
Configuration 18: Use a Secure Random Number Generator
There is no NGINX directive for this. TLS nonces, session tickets and key-exchange values come from the CSPRNG of the OpenSSL that NGINX links against, seeded by the operating system, so the action items are keeping OpenSSL current and making sure the host (a container or a freshly cloned VM in particular) has a healthy entropy source. ssl_early_data is not a randomness setting: it enables TLS 1.3 0-RTT, and 0-RTT request data can be replayed by an attacker on the path. Leave it at its default of off unless the application rejects replays itself.
```nginx
http {
    ...
    ssl_early_data off;   # the default; 0-RTT data is replayable, enable only for replay-safe applications
}
```
Configuration 19: Configure NGINX to Use a Key-Value Store
The built-in key-value store (keyval_zone and keyval) is NGINX Plus only; open-source NGINX has no equivalent. It is a shared-memory map that can be updated at runtime through the API without a reload and optionally persisted to a state file. Its security use is a dynamic deny list or a per-client flag, not secret storage: the zone contents are readable through the API and the state file is plain JSON, so keys and credentials belong in the TLS key files or an external secrets manager, not here.
```nginx
http {
    …
    # NGINX Plus: a 1 MB zone of client addresses, persisted across restarts (example names)
    keyval_zone zone=blocked:1m state=/var/lib/nginx/state/blocked.json type=ip;
    keyval $remote_addr $is_blocked zone=blocked;
    server {
        listen [::]:443 ssl http2;
        server_name example.com;
        location / {
            if ($is_blocked) {
                return 403;
            }
        }
    }
}
```
Configuration 20: Implement an SSL/TLS Certificate Revocation List (CRL)
Revocation checking in NGINX applies to client certificates (mutual TLS): ssl_crl names a PEM file of CRLs for the CAs listed in ssl_client_certificate, and a presented certificate found on the list fails verification. It only takes effect together with ssl_verify_client on. A CRL carries a nextUpdate time; refresh the file before that and reload, or every client certificate starts failing. NGINX does not check revocation of its own server certificate; that is the client's job, and OCSP stapling (ssl_stapling) helps it do so.
```nginx
ssl_certificate         /path/to/ssl.crt;
ssl_certificate_key     /path/to/ssl.key;
ssl_client_certificate  /path/to/client-ca.crt;   # CA(s) that issue the client certificates
ssl_verify_client       on;
ssl_crl                 /path/to/crl.pem;         # PEM-encoded CRL(s) for those CAs
```
Configuration 21: Configure NGINX to Use a Hardware Security Module (HSM)
With an HSM the TLS private key never exists in NGINX's memory: the process asks the device to perform the handshake signature, so a memory-disclosure bug or a stolen disk image does not yield the key. NGINX reaches the HSM through an OpenSSL engine, named by ssl_engine in the main context, and an engine: prefix on ssl_certificate_key; in practice that is the PKCS#11 engine with the vendor's PKCS#11 library configured in openssl.cnf. The certificate stays an ordinary file. Expect lower handshake throughput, and test failover: if the HSM is unreachable, every handshake fails.
```nginx
ssl_engine pkcs11;                        # main context; engine and vendor PKCS#11 module come from openssl.cnf
http {
    ...
    ssl_certificate     /path/to/ssl.crt;
    # key addressed by PKCS#11 URI instead of a file; token and object names are examples
    ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx;object=tls-key";
}
```
Configuration 22: Implement HTTP/2 Server Push
Server push is a performance feature, not a security control, and it is effectively gone: Chrome disabled HTTP/2 push in version 106 and NGINX removed the http2_push directives in 1.25.1. On current builds the equivalent for the same goal is a preload hint in a Link header, which browsers honour without any push.
```nginx
server {
    listen [::]:443 ssl http2;
    server_name example.com;
    location / {
        # NGINX before 1.25.1 only: http2_push /path/to/resource;
        add_header Link "</path/to/resource>; rel=preload; as=script";   # as= depends on the resource type
    }
}
```
Configuration 23: Use a TLSv1.3-Only Configuration
Protocol versions are chosen with ssl_protocols; listen has no tls13-only parameter. Restricting to TLS 1.3 removes every RSA-key-exchange and CBC cipher suite and makes each handshake forward-secret by construction, at the cost of rejecting clients that cannot speak it: older Java runtimes, embedded devices, some monitoring agents. Log $ssl_protocol and check for TLS 1.2 use before enforcing. Note that ssl_ciphers does not govern TLS 1.3 suites; if you need to restrict those, use ssl_conf_command Ciphersuites.
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/ssl.key;
    ssl_protocols TLSv1.3;
}
```
Configuration 24: Configure NGINX to Use a Certificate Transparency (CT) Log
Certificate Transparency is enforced by the client, not the server: browsers require a publicly trusted certificate to carry Signed Certificate Timestamps (SCTs) from CT logs, and since Chrome began requiring it in 2018 public CAs embed them in the certificate at issuance. NGINX has no ct_log directive and needs nothing beyond serving the CA-issued chain; only a third-party module can supply SCTs from the server side, and that is unnecessary with a current certificate. What is worth doing is the check: confirm the certificate carries the "CT Precertificate SCTs" extension (openssl x509 -in cert.pem -noout -text), and monitor the logs, through crt.sh or a CT monitoring service, for certificates issued for your domains that you did not request. A pinning header does not belong here; HPKP is obsolete.
```nginx
server {
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate     /path/to/ssl.crt;   # CA-issued chain; the SCTs are embedded in the leaf certificate
    ssl_certificate_key /path/to/ssl.key;
}
```
By implementing these 24 NGINX configurations, you can significantly enhance the security and resilience of your enterprise system. Remember to regularly review and update your configuration to ensure the continued effectiveness of these security measures.