
NGINX Security Configurations for Web Applications
NGINX is one of the most popular web servers and reverse proxies, widely used to serve websites, APIs, and microservices. While it’s known for its performance and scalability, NGINX also offers a range of security features that can help protect your web applications from common threats. In this article, we’ll explore 20 essential NGINX security configurations for web applications.
1. Enable HTTP Strict Transport Security (HSTS)
HSTS tells a browser that has seen the header to use HTTPS for every later request to the host, for max-age seconds, and to treat certificate errors as fatal. That defeats SSL-stripping downgrade attacks and stops users from clicking through certificate warnings; it does not protect the very first visit. Send the header only on HTTPS responses (browsers ignore it over plain HTTP), use the always parameter so it is also set on 4xx/5xx responses, and add includeSubDomains only once every subdomain serves HTTPS. Note that an add_header inside a location block replaces, rather than extends, the add_header directives inherited from server or http.
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
2. Set Up SSL/TLS Configuration
NGINX supports several SSL/TLS protocol versions. Enable only TLSv1.2 and TLSv1.3: SSLv3, TLSv1.0 and TLSv1.1 are deprecated and vulnerable to well-known downgrade and padding-oracle attacks. TLS 1.3 requires NGINX to be built against OpenSSL 1.1.1 or later; check with nginx -V.
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```
3. Use a Secure Cipher Suite
Restrict TLS 1.2 to AEAD suites with ECDHE key exchange, which gives forward secrecy (a compromised server key does not decrypt recorded sessions) and elliptic-curve key agreement. With OpenSSL, ssl_ciphers only governs TLS 1.2 and earlier; the TLS 1.3 suites are all AEAD and are controlled separately by ssl_conf_command Ciphersuites (NGINX 1.19.4 and later), so they can be left at their defaults.
```nginx
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
```
4. Specify the Server Certificate
Point NGINX at the certificate chain and private key with the ssl_certificate and ssl_certificate_key directives; the server directive itself takes no certificate argument. The certificate file should contain the leaf certificate followed by the intermediates. The key file must be readable only by root (NGINX reads it while still running as root, before the workers drop privileges) and must never sit under a document root.
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;  # leaf + intermediates (placeholder path)
    ssl_certificate_key /etc/nginx/certs/example.com.key;            # root-owned, mode 0600 (placeholder path)
}
```
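Items 1 to 4 above (together with the session cache of item 19) are the pieces of one HTTPS server configuration. The following block is an added example, not configuration from the original article; it puts those pieces together, adds a catch-all server for unknown hostnames so the $host-based redirect cannot be pointed at a foreign site, and enables OCSP stapling. The hostnames, certificate paths and resolver address are placeholders.

```nginx
# Added example: complete HTTPS configuration combining items 1 to 4 and 19.
# example.com, the certificate paths and the resolver address are placeholders.
http {
    # Shared by every TLS virtual host.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;      # every listed suite is strong; let the client pick (e.g. CHACHA20 on phones)
    ssl_session_cache shared:SSL:10m;   # about 40,000 resumable sessions
    ssl_session_timeout 1d;
    ssl_session_tickets off;            # ticket keys are static for the worker's lifetime; off keeps forward secrecy

    # Catch-all for any Host/SNI we do not serve: no redirect, no certificate, connection dropped.
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        ssl_reject_handshake on;        # NGINX >= 1.19.4: reject unknown SNI with a TLS alert, no cert needed
        return 444;
    }

    # Plain HTTP exists only to redirect. No HSTS header here: browsers ignore it over HTTP.
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;   # $host is safe: only our names reach this block
    }

    server {
        listen 443 ssl;
        http2 on;                       # NGINX >= 1.25.1; on older releases write "listen 443 ssl http2;"
        server_name example.com www.example.com;

        ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;   # leaf + intermediates
        ssl_certificate_key /etc/nginx/certs/example.com.key;             # root-only, mode 0600

        # OCSP stapling: NGINX fetches revocation status and hands it to clients in the handshake.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/example.com.chain.pem;   # issuer chain used to verify the OCSP response
        resolver 192.0.2.53 valid=300s;                                   # required to reach the CA's OCSP responder (placeholder)

        # HSTS only on the HTTPS host; "always" also sets it on error responses.
        # Add "preload" only after every subdomain serves HTTPS and you have submitted the domain.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
            root /var/www/example.com;
        }
    }
}
```

Run nginx -t after editing; a missing resolver or a chain file that does not contain the issuer are the two most common reasons stapling silently fails, which you can confirm with openssl s_client -status.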
5. Configure SSL/TLS Verification
Mutual TLS: require clients to present a certificate issued by a CA you trust and refuse the handshake otherwise. ssl_client_certificate names the CA bundle (your own private CA, or a self-signed client certificate listed directly); ssl_verify_depth 1 accepts only certificates issued directly by that CA. With on, a client that presents no valid certificate receives a 400 response. Use optional instead when only some locations need a certificate, and check the $ssl_client_verify variable in those locations.
```nginx
ssl_client_certificate /etc/nginx/certs/client-ca.pem;  # CA that issues the client certificates (placeholder path)
ssl_verify_client on;
ssl_verify_depth 1;
```
6. Set Up HTTP/2 Support
HTTP/2 is enabled per listening socket, not with http2_push: server push was an optional extra that was removed in NGINX 1.25.1. On NGINX 1.25.1 and later use the http2 directive; older versions take an http2 parameter on listen. Browsers only negotiate HTTP/2 over TLS (via ALPN), so enable it on the HTTPS server.
```nginx
server {
    listen 443 ssl;
    http2 on;   # NGINX >= 1.25.1; older releases: listen 443 ssl http2;
}
```
7. Implement Rate Limiting
Slow down brute-force and credential-stuffing attempts by capping the request rate per client address. limit_req_zone declares a shared-memory zone keyed on $binary_remote_addr (the compact binary form of the address; 10m holds roughly 160,000 IPv4 keys) together with the required rate, and limit_req applies it in a location. burst lets a client briefly exceed the rate; requests beyond the burst are rejected with 503 unless limit_req_status is set, and 429 is the honest answer. Keying on $http_user_agent is pointless because the attacker chooses it. If NGINX sits behind a load balancer, configure the real_ip module first, or every client shares the balancer's address and one bucket.
```nginx
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
server {
    …
    location = /login {
        limit_req zone=login burst=5 nodelay;
        limit_req_status 429;
    }
}
```
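The single zone above is the minimum. The block below is an added example, not configuration from the original article: it exempts internal addresses from limiting (an empty key is not accounted), keeps a tight budget for credential endpoints and a looser one for everything else, bounds concurrent connections, and returns 429 so clients and dashboards can tell throttling from an outage. The internal ranges, paths and backend address are placeholders.

```nginx
# Added example: tiered rate limiting with an exemption list. Addresses, paths and
# the backend are placeholders.
http {
    # Internal monitoring and CI clients are never limited.
    geo $limit_exempt {
        default     0;
        10.0.0.0/8  1;
        127.0.0.1   1;
    }
    # An empty key means "do not account this request" for limit_req and limit_conn.
    map $limit_exempt $limit_key {
        0 $binary_remote_addr;
        1 "";
    }

    limit_req_zone  $limit_key zone=login:10m rate=5r/m;   # credential endpoints: one attempt every 12 s
    limit_req_zone  $limit_key zone=api:10m   rate=20r/s;  # everything else
    limit_conn_zone $limit_key zone=perip:10m;             # concurrent connections per client

    limit_req_status  429;      # throttled, not broken
    limit_conn_status 429;
    limit_req_log_level warn;   # rejected requests appear in error.log at "warn"

    server {
        listen 443 ssl;
        server_name example.com;
        limit_conn perip 20;

        # Brute-force target: tiny burst, served immediately, rejected beyond it.
        location = /login {
            limit_req zone=login burst=3 nodelay;
            proxy_pass http://10.0.0.10:8080;
        }

        # Normal traffic: queue short spikes (up to 50 requests), reject sustained floods.
        location / {
            limit_req zone=api burst=50;
            proxy_pass http://10.0.0.10:8080;
        }
    }
}
```

Without nodelay, burst requests are queued and released at the zone's rate, which smooths spikes for an API but is wrong for a login form, where you want the few allowed attempts answered at once and the rest refused.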
8. Use the deny Directive
Block access to sensitive paths with the deny directive; matching requests receive 403. allow and deny rules are evaluated in order and the first match wins, so `allow 10.0.0.0/8; deny all;` yields an allowlist. Remember that a prefix location also matches /sensitive-resource-old and /sensitive-resource/anything; use an exact match (location = /path) when you mean one path.
```nginx
location /sensitive-resource {
    deny all;
}
```
9. Configure IP Blocking
Block individual addresses or CIDR ranges with deny in the http, server or location context. Keep the list in its own file so tooling can regenerate it and you reload with nginx -s reload. (The geoip_country directive belongs to the separate ngx_http_geoip module and the legacy GeoIP database format; it maps addresses to country codes and is not needed, or valid, for blocking specific addresses.)
```nginx
http {
    …
    server {
        ...
        deny 192.168.0.1;                     # single host
        deny 203.0.113.0/24;                  # range (RFC 5737 documentation prefix, used as a placeholder)
        include /etc/nginx/blocklist.conf;    # one "deny a.b.c.d/n;" per line (placeholder path)
        allow all;
    }
}
```
10. Implement SSL/TLS Verification for WebSocket
A WebSocket session begins as an ordinary HTTPS request that is then upgraded, so the ssl_verify_client settings of the server block already apply to it; there is no separate WebSocket verification. What the proxy must do is forward the Upgrade and Connection headers (they are hop-by-hop and dropped by default) over HTTP/1.1, and, when the upstream speaks TLS, verify the upstream certificate with proxy_ssl_verify so the tunnel cannot be redirected to an impostor backend.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 443 ssl;
    server_name example.com;
    ...
    location /upgrades {
        proxy_pass https://backend.internal:8443;   # placeholder upstream
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;   # CA of the upstream (placeholder path)
    }
}
```
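Items 5 and 10 together describe a common deployment: public pages need no client certificate, but the WebSocket endpoint must only be reachable by clients holding one, and its upstream must be verified. The block below is an added example, not configuration from the original article; it uses ssl_verify_client optional so the handshake succeeds for everyone and the location decides, forwards the verified identity to the backend, and verifies the upstream. Hostnames, CA bundles and the upstream address are placeholders.

```nginx
# Added example: mTLS required only for /ws/, identity forwarded, upstream verified.
# Hostnames, certificate paths and the upstream are placeholders.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ws_backend {
    server backend.internal:8443;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # optional: the handshake succeeds with or without a client certificate;
    # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason> and each location decides.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location / {
        root /var/www/example.com;   # public, no client certificate required
    }

    location /ws/ {
        # Reject before the upgrade unless the certificate chained to our CA.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass https://ws_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # Verified identity for the application. proxy_set_header replaces any
        # client-supplied header of the same name, so these cannot be spoofed.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_set_header X-Client-Verify $ssl_client_verify;

        # Verify the upstream's certificate against the internal CA and send SNI.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal;

        proxy_read_timeout 1h;   # idle WebSocket sessions are closed after this
    }
}
```

The backend should still check X-Client-Verify itself rather than trusting X-Client-DN alone; a misconfigured proxy that forwards without verifying would otherwise be a complete bypass.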
11. Use the return Directive
return stops processing and answers with a status code, optionally a body text or, for the 301/302/307/308 codes, a redirect URL. It is cheaper than deny because no further processing happens, and it lets you choose the status. Typical security uses are refusing a path outright, as below, and sending plain-HTTP requests to the https:// form of the same URL with a 301 in the port 80 server.
```nginx
location /sensitive-resource {
    return 403 "Access denied";
}
```
12. Configure HTTP/1.x and HTTP/2 Support
Nothing extra is needed for legacy clients: HTTP/2 is negotiated through ALPN during the TLS handshake, and a client that does not offer h2 simply gets HTTP/1.1 on the same listener (there is no http2_push yes setting; server push was removed in 1.25.1). What is worth tuning is the per-connection stream and request budget, which bounds how much work one HTTP/2 client can create by opening or rapidly resetting many streams.
```nginx
http {
    ...
    http2 on;                            # NGINX >= 1.25.1 (older releases: listen 443 ssl http2;)
    http2_max_concurrent_streams 128;    # the default; lower it for small APIs
    keepalive_requests 1000;             # caps requests per connection for HTTP/1.1 and HTTP/2 alike
}
```
13. Set Up Reverse Proxy Configuration
Put NGINX in front of internal services so that only the proxy is exposed. The backend must still be bound to a private interface or firewalled to the proxy's address; otherwise the proxy is decoration and every control here can be bypassed. Forward the original Host, client address and scheme in headers the application can trust, and when NGINX is the edge overwrite X-Forwarded-For with $remote_addr rather than appending to whatever the client sent.
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    location /internal-resource {
        proxy_pass http://10.0.0.10:8080;                   # backend reachable only from the proxy (placeholder address)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;      # use $proxy_add_x_forwarded_for only behind a trusted LB
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
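Forwarding headers is the minimum a reverse proxy needs. The block below is an added example, not configuration from the original article, showing the hardening a practitioner adds around proxy_pass: hiding backend-only endpoints and dotfiles, restricting methods, bounding body size and slow clients, stripping fingerprint headers, forcing cookie flags and replacing backend error pages. The upstream address, hostnames and paths are placeholders.

```nginx
# Added example: hardened reverse proxy in front of an internal application.
# The upstream address, hostname and paths are placeholders.
upstream app {
    server 10.0.0.10:8080;
    keepalive 32;                       # reuse backend connections (needs HTTP/1.1 and an empty Connection header)
}

server {
    listen 443 ssl;
    server_name example.com;
    server_tokens off;                  # no NGINX version in the Server header or error pages

    client_max_body_size 10m;           # bound uploads before they reach the app
    client_body_timeout   15s;          # slowloris-style bodies and headers time out
    client_header_timeout 15s;

    # Backend-only endpoints are never reachable from the Internet.
    location ~ ^/(actuator|metrics|debug)(/|$) {
        return 404;
    }
    # Dotfiles (.git, .env, .htpasswd) are never served or proxied.
    location ~ /\. {
        return 404;
    }

    location / {
        limit_except GET POST {         # every other method (TRACE, PUT, DELETE, ...) gets 403
            deny all;
        }

        proxy_pass http://app;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;   # NGINX is the edge: overwrite, do not append
        proxy_set_header X-Forwarded-Proto $scheme;

        # Keep backend fingerprints away from clients.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;

        # Every cookie the app sets leaves with Secure, HttpOnly and SameSite (NGINX >= 1.19.3).
        proxy_cookie_flags ~ secure httponly samesite=lax;

        # Serve NGINX's own page on backend failure instead of a stack trace.
        proxy_intercept_errors on;
        error_page 500 502 503 504 /50x.html;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
        internal;                        # only reachable through error_page, not by URL
    }
}
```

limit_except applies per location, so an API location that legitimately needs PUT or DELETE gets its own block with its own list; the deny inside it means "for the methods not listed".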
14. Implement Basic Authentication
Basic authentication sends the credentials base64-encoded (not encrypted) on every request, so it is acceptable only over HTTPS. Store the user file outside any document root with permissions that let only the NGINX worker user read it, and use a hash the system crypt(3) supports: openssl passwd -6 produces SHA-512 crypt, and htpasswd -B produces bcrypt on systems whose libcrypt accepts it. Avoid htpasswd's default MD5-based format and plain DES crypt. Pair the location with rate limiting, since Basic auth is a favourite brute-force target.
```nginx
location /sensitive-resource {
    auth_basic "Login required";
    auth_basic_user_file /etc/nginx/htpasswd;   # placeholder path; outside the web root, readable by the worker user only
}
```
15. Configure Digest Authentication
Stock NGINX does not implement HTTP Digest authentication; the directives below come from the third-party nginx-http-auth-digest module and only work if NGINX was compiled with it. Digest avoids sending the password in clear text, but it is built on MD5, the server must store MD5(user:realm:password) values that are as good as passwords for that realm, and it adds nothing over Basic once TLS is in place. Prefer Basic over HTTPS, or auth_request, unless you must support Digest-only clients.
```nginx
# Requires the third-party ngx_http_auth_digest module; not available in stock NGINX.
location /sensitive-resource {
    auth_digest "Restricted area";                 # realm, must match the one used when the file was created
    auth_digest_user_file /etc/nginx/htdigest;     # placeholder path; created with: htdigest -c /etc/nginx/htdigest "Restricted area" alice
}
```
16. Set Up Two-Factor Authentication (2FA)
NGINX has no built-in second factor; auth_two_factor is not an NGINX directive. The supported way to enforce 2FA is auth_request: before serving the protected location, NGINX issues a subrequest to an internal location that proxies to your authentication service, which checks the session cookie and whether the second factor has been completed. A 2xx answer admits the request; 401 or 403 blocks it with that status. The subrequest carries the client's headers and cookies but no body.
```nginx
location /sensitive-resource {
    auth_request /_auth;                                   # the subrequest decides access
    auth_request_set $auth_user $upstream_http_x_auth_user;
    proxy_set_header X-Auth-User $auth_user;               # hand the verified identity to the application
    proxy_pass http://10.0.0.10:8080;                      # placeholder backend
}
location = /_auth {
    internal;                                              # never reachable directly by clients
    proxy_pass http://127.0.0.1:9000/verify;               # placeholder 2FA-aware authentication service
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}
```
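Items 14 and 16 each show one control on one location; in practice they are layered with network restrictions, and the satisfy directive decides whether all of them or any one of them must pass. The block below is an added example, not configuration from the original article: an admin area that requires both an internal source address and a 2FA-verified session, a metrics endpoint that accepts either an internal address or Basic credentials, and a redirect to the login page for unauthenticated users. The auth service, internal range, htpasswd path and backend are placeholders.

```nginx
# Added example: layering address checks, Basic auth and auth_request with "satisfy".
# The auth service (127.0.0.1:9000), the 10.0.0.0/8 range, /etc/nginx/htpasswd and
# the backend are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Admin UI: internal network AND a session that has passed both factors.
    location /admin/ {
        satisfy all;                    # the default, stated explicitly: every check must pass
        allow 10.0.0.0/8;
        deny  all;
        auth_request /_auth;
        error_page 401 = @login;        # unauthenticated: bounce to the login page instead of a bare 401
        proxy_pass http://10.0.0.10:8080;
    }

    # Metrics scraper: internal network OR valid Basic credentials is enough.
    location = /metrics {
        satisfy any;
        allow 10.0.0.0/8;
        deny  all;
        auth_basic "Metrics";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://10.0.0.10:8080;
    }

    # Subrequest target for auth_request; the service answers 2xx, 401 or 403.
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location @login {
        return 302 https://$host/login?next=$request_uri;
    }
}
```

With satisfy all, a request from outside 10.0.0.0/8 is refused by the access rules before the auth subrequest is ever made, which also keeps the authentication service from being probed by arbitrary Internet clients.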
17. Use the map Directive
map, in the http context, derives a new variable from an existing one by matching literal strings or regular expressions; the derived variable can then drive a single if, a limit_req key or a proxy header without chains of if blocks. The syntax is map $source $target { pattern value; ... }, with default for non-matches. A typical security use is turning a request property into a flag.
```nginx
http {
    …
    map $http_user_agent $block_scanner {
        default                   0;
        ~*(sqlmap|nikto|masscan)  1;   # scanner signatures; trivially spoofed, so a nuisance filter, not a control
    }
    server {
        ...
        if ($block_scanner) { return 403; }
    }
}
```
18. Implement IP Address Blacklisting
For a large or frequently regenerated blocklist, the geo module builds a lookup from CIDR prefixes to a value far more efficiently than a long chain of deny rules, and the entries can live in an included file. geo matches $remote_addr by default; behind a load balancer that is the balancer's address unless the real_ip module is configured.
```nginx
http {
    …
    geo $blocked {
        default          0;
        192.168.0.1      1;
        203.0.113.0/24   1;                            # RFC 5737 documentation range, placeholder
        include          /etc/nginx/blocklist.geo;     # lines of "a.b.c.d/n 1;" (placeholder path)
    }
    server {
        ...
        if ($blocked) { return 403; }
    }
}
```
19. Set Up SSL/TLS Session Cache
A shared session cache lets returning clients resume TLS without a full handshake, which saves CPU and a round trip; 10m holds roughly 40,000 sessions, and ssl_session_timeout bounds their lifetime. Disable session tickets unless you rotate ssl_session_ticket_key: the ticket encryption key is otherwise fixed for the worker's lifetime, so one key leak decrypts every resumed session, which undoes forward secrecy.
```nginx
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
```
20. Configure NGINX Logging and Access Control
Access logs are your evidence after an incident, so make every virtual host write one in a format that records who came from where. Define the format under a new name: combined is predefined and redefining it is a configuration error. $http_x_forwarded_for is whatever the client or an upstream proxy sent, so log it for correlation but never base access decisions on it; if a trusted load balancer sits in front, configure set_real_ip_from and real_ip_header so that $remote_addr itself holds the client address.
```nginx
http {
    …
    log_format proxied '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
    server {
        ...
        access_log /var/log/nginx/access.log proxied;
    }
}
```
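The combined-style format above is what most tooling expects, but for security monitoring a structured log with the request id, TLS details and a trusted client address is more useful. The block below is an added example, not configuration from the original article: it trusts X-Forwarded-For only from a load balancer range, writes JSON lines with attacker-controlled fields escaped, keeps a separate file of failed requests for alerting, and passes the request id to the backend for correlation. The load balancer range, paths and backend are placeholders.

```nginx
# Added example: structured access logging for security monitoring.
# The 10.0.0.0/8 load balancer range, log paths and the backend are placeholders.
http {
    # Trust X-Forwarded-For only when the connection comes from the load balancer,
    # so $remote_addr becomes the real client and $realip_remote_addr keeps the LB.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # escape=json makes URI and User-Agent safe to parse even when they carry quotes or newlines.
    log_format json_security escape=json
        '{"ts":"$time_iso8601",'
        '"request_id":"$request_id",'
        '"client":"$remote_addr",'
        '"lb":"$realip_remote_addr",'
        '"xff":"$http_x_forwarded_for",'
        '"user":"$remote_user",'
        '"method":"$request_method",'
        '"uri":"$request_uri",'
        '"status":$status,'
        '"bytes":$body_bytes_sent,'
        '"rt":$request_time,'
        '"ua":"$http_user_agent",'
        '"tls":"$ssl_protocol/$ssl_cipher",'
        '"client_cert":"$ssl_client_verify"}';

    # 1 for 4xx and 5xx responses, 0 otherwise: drives the conditional second log.
    map $status $loggable_error {
        ~^[45]  1;
        default 0;
    }

    server {
        listen 443 ssl;
        server_name example.com;

        access_log /var/log/nginx/access.json json_security;
        access_log /var/log/nginx/errors.json json_security if=$loggable_error;

        location / {
            proxy_pass http://10.0.0.10:8080;
            proxy_set_header X-Request-ID $request_id;   # same id in the proxy log and the application log
        }
    }
}
```

A spike in errors.json from one client, or a client value that differs from the lb value on a connection that did not come from the trusted range, is the kind of signal a detection rule can key on directly.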
By implementing these 20 essential NGINX security configurations for web applications, you can significantly improve the security and reliability of your websites and APIs. Remember to regularly review and update your configuration to ensure that you’re protected against emerging threats and vulnerabilities.