NGINX Security Configurations for Web Applications
As one of the most popular web servers, NGINX provides an array of security features to protect your web applications from common attacks and vulnerabilities. In this article, we will explore 15 essential NGINX security configurations that you should consider implementing in your production environment.
Table of Contents
- 1. Disable Root Access
- 2. Enable HTTPS
- 3. Use Strong SSL/TLS Ciphers
- 4. Specify a High Timeout Value
- 5. Limit the Number of Concurrent Connections
- 6. Disable .gitignore Files
- 7. Enable IP Blocking
- 8. Configure Error Pages
- 9. Use a Secure Protocol for Proxying
- 10. Implement Rate Limiting
- 11. Disable Auto Indexing
- 12. Use a Web Application Firewall (WAF)
- 13. Enable HTTP/2 Support
- 14. Configure a Secure Server Header
- 15. Regularly Update NGINX and Dependencies
1. Disable Root Access
By default, NGINX allows access to the root directory of your server. However, this can be a security risk if an attacker gains access to your system. To prevent this, add the following configuration:
```nginx
http {
    ...
    root /var/www/html;
}
```
This sets the document root for all virtual hosts to /var/www/html, effectively disabling access to the root directory.
2. Enable HTTPS
Encrypting traffic between your server and clients is crucial for protecting sensitive data. To enable HTTPS, add a certificate block and configure SSL/TLS settings:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Certificate blocks
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/snakeoil.key;
}
```
Replace the certificate and key with your own.
3. Use Strong SSL/TLS Ciphers
Ensure that NGINX uses only secure cipher suites by adding the following configuration:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Protocol and cipher suite configuration: TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
```
This configuration enables only modern and secure cipher suites.
4. Specify a High Timeout Value
By default, NGINX waits for a connection timeout of 60 seconds. To prevent timing attacks, increase this value to at least 300 seconds:
```nginx
http {
    ...
    keepalive_timeout 300;
}
```
This configuration sets the keepalive timeout to 300 seconds.
5. Limit the Number of Concurrent Connections
To prevent overload and Denial-of-Service (DoS) attacks, limit the number of concurrent connections per client IP:
```nginx
http {
    ...
    # The zone must be declared before limit_conn can reference it; keyed by client address
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 10;
}
```
This configuration sets a connection limit for each client to 10.
6. Disable .gitignore Files
When enabling version control for your web application, avoid exposing sensitive files by disabling .gitignore files in NGINX:
```nginx
http {
    ...
    server {
        # location is only valid inside server; the regex matches any path containing a .git component
        location ~ /\.git {
            deny all;
        }
    }
}
```
This configuration denies access to any files or directories with the name .git.
7. Enable IP Blocking
To prevent brute-force attacks, block specific IP addresses from accessing your server:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Block malicious IPs. The access module's deny directive is the idiomatic way;
    # comparing $binary_remote_addr against a dotted string never matches, because
    # that variable holds the address in packed binary form.
    deny 192.168.1.100;
}
```
Replace the IP address with the one you want to block.
8. Configure Error Pages
To provide a better user experience, configure custom error pages for different HTTP status codes:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Custom error pages
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
}
```
This configuration sets the error page for the specified HTTP status codes.
9. Use a Secure Protocol for Proxying
When proxying traffic, use only secure protocols to protect sensitive data:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Secure protocol configurations
    location / {
        # proxy_set_header only affects proxied requests; the upstream address is a placeholder
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
This configuration sets the X-Forwarded-Proto header to the scheme used for proxying.
10. Implement Rate Limiting
To prevent abuse, implement rate limiting based on IP addresses or other criteria:
```nginx
http {
    # The zone must be declared in the http context before limit_req can use it;
    # keyed by client address, 1 request per second sustained
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 443 ssl;
        server_name example.com;
        # Rate limiting configurations
        limit_req zone=one burst=5 nodelay;
    }
}
```
This configuration allows up to 5 requests above the zone's rate for the specified zone and serves them without delay; requests beyond that are rejected.
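To see what `rate`, `burst` and `nodelay` mean for individual requests, here is a small Python model of the leaky-bucket accounting nginx's `limit_req` module performs per client key. It is an added example, not code from the article or from nginx: the `simulate_limit_req` function and the sample arrival timestamps are constructed here, and the model is simplified (one zone, one key, no `delay=` parameter). It follows the module's documented behaviour: the bucket drains at `rate` requests per second, each accepted request adds one, a request that would push the excess above `burst` is rejected with the `limit_req_status` code (503 by default), and with `nodelay` accepted burst requests are served immediately instead of being spaced out.

```python
"""Model of nginx limit_req accounting for a single client key (added example)."""
from typing import List, Tuple


def simulate_limit_req(arrivals: List[float], rate: float, burst: int,
                       nodelay: bool = True) -> List[Tuple[str, float]]:
    """Return ("accept"|"reject", delay_seconds) for each arrival timestamp.

    arrivals: monotonically increasing times in seconds for one client key.
    rate:     sustained requests per second (the zone's rate=Nr/s).
    burst:    number of excess requests tolerated above the rate.
    nodelay:  serve burst requests immediately instead of spacing them out.
    """
    results: List[Tuple[str, float]] = []
    excess = 0.0          # how far ahead of the sustained rate this key is
    last = None           # time of the last accepted request
    for t in arrivals:
        if last is None:
            # First request for this key creates its bucket entry and is accepted.
            excess, last = 0.0, t
            results.append(("accept", 0.0))
            continue
        # Drain the bucket for the elapsed time, then add this request.
        candidate = max(excess - rate * (t - last) + 1.0, 0.0)
        if candidate > burst:
            # Rejected requests leave the bucket untouched (no excess, no timestamp update).
            results.append(("reject", 0.0))
            continue
        excess, last = candidate, t
        # Without nodelay the request is held until the bucket has drained its excess.
        delay = 0.0 if nodelay else excess / rate
        results.append(("accept", round(delay, 3)))
    return results


def count_rejected(results: List[Tuple[str, float]]) -> int:
    return sum(1 for status, _ in results if status == "reject")


if __name__ == "__main__":
    # Constructed sample: eight requests in 0.7 s, then one more after a pause.
    arrivals = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 2.0]
    for nodelay in (True, False):
        print(f"rate=1r/s burst=5 nodelay={nodelay}")
        for t, (status, delay) in zip(arrivals, simulate_limit_req(arrivals, 1.0, 5, nodelay)):
            print(f"  t={t:4.1f}s  {status:6}  delay={delay}s")
    print("burst=0:", simulate_limit_req([0.0, 0.1, 1.0], 1.0, 0))
```

With `rate=1r/s burst=5` the first six requests of the sample are accepted and the seventh and eighth are rejected; dropping `nodelay` keeps the same accept/reject decisions but queues the accepted burst (the sixth request waits 4.5 s). With `burst=0`, any request arriving sooner than one second after the previous accepted one is rejected, which is why a zone without `burst` is usually too strict for browsers that open several connections at once.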
11. Disable Auto Indexing
To prevent directory listing, disable auto indexing in NGINX:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Disable auto indexing
    autoindex off;
}
```
This configuration disables auto indexing for all directories on the server.
12. Use a Web Application Firewall (WAF)
Consider implementing a WAF to protect your web application from common attacks:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # WAF configurations
    location / {
        include /path/to/waf.conf;
    }
}
```
Replace the path with the actual path to your WAF configuration file.
13. Enable HTTP/2 Support
To take advantage of modern web browsers, enable HTTP/2 support in NGINX:
```nginx
server {
    # Since nginx 1.25.1 the http2 listen parameter is deprecated in favour of the "http2 on;" directive
    listen 443 ssl http2;
    server_name example.com;
    # Enable HTTP/2 support
    # Server push (http2_push) was removed in nginx 1.25.1; omit this line on current releases
    http2_push /path/to/resource;
}
```
This configuration enables HTTP/2 support and pushes a resource to clients.
14. Configure a Secure Server Header
To prevent fingerprinting attacks, configure a secure server header in NGINX:
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Secure server header configurations
    # Built-in option: drop the version number from the Server header and error pages
    server_tokens off;
    # Replacing the header value requires the third-party headers-more module
    more_set_headers "Server: Apache/2";
}
```
This configuration sets the Server header to a fake value.
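Several of the items above (sections 3, 5, 6, 10, 11 and 14) can be checked mechanically before a configuration is deployed; `nginx -t` only validates syntax, not policy. The following Python script is an added example and not part of the article or of nginx's tooling: it parses nginx configuration syntax with a small hand-written tokenizer (directives, argument lists, nested blocks; `#` comments are stripped, a literal `#` inside a quoted argument is not supported) and reports the weaknesses those sections describe. Both configurations are constructed samples; the `audit` function, the checks and the finding texts are this example's own.

```python
"""Audit an nginx configuration for the hardening items above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Set

# Tokens: double-quoted string, single-quoted string, one of { } ;, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
# Protocol names that must not appear in ssl_protocols (section 3).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Directive:
    name: str
    args: List[str]
    children: List["Directive"] = field(default_factory=list)


def parse_nginx(text: str) -> Directive:
    """Build a directive tree; '#' always starts a comment (simplification)."""
    text = re.sub(r"#[^\n]*", "", text)
    root = Directive("<root>", [])
    stack = [root]
    current: List[str] = []
    for tok in TOKEN_RE.findall(text):
        if tok == ";":
            if current:
                stack[-1].children.append(Directive(current[0], current[1:]))
            current = []
        elif tok == "{":
            block = Directive(current[0] if current else "", current[1:])
            stack[-1].children.append(block)
            stack.append(block)
            current = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            current.append(tok.strip("\"'"))
    return root


def walk(node: Directive) -> Iterator[Directive]:
    for child in node.children:
        yield child
        yield from walk(child)


def _zone_names(directives: List[Directive], zone_directive: str) -> Set[str]:
    """Names declared by limit_req_zone / limit_conn_zone ('zone=NAME:SIZE')."""
    return {arg[5:].split(":", 1)[0] for d in directives if d.name == zone_directive
            for arg in d.args if arg.startswith("zone=")}


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    directives = list(walk(parse_nginx(config_text)))
    findings: List[str] = []
    for d in directives:
        if d.name == "ssl_protocols":
            weak = sorted(set(d.args) & WEAK_PROTOCOLS)
            if weak:
                findings.append("ssl_protocols enables deprecated " + ", ".join(weak))
        if d.name == "autoindex" and d.args == ["on"]:
            findings.append("autoindex on: directory listings are enabled")
    if not any(d.name == "server_tokens" and d.args == ["off"] for d in directives):
        findings.append("server_tokens is not off: the Server header reveals the nginx version")
    # Section 6: some location must match .git paths and deny or short-circuit them.
    if not any(d.name == "location" and ".git" in " ".join(d.args)
               and any(c.name in ("deny", "return") for c in d.children) for d in directives):
        findings.append("no location block denies access to .git paths")
    # Sections 5 and 10: a limit directive must reference a declared zone.
    req_zones = _zone_names(directives, "limit_req_zone")
    conn_zones = _zone_names(directives, "limit_conn_zone")
    for d in directives:
        if d.name == "limit_req":
            for arg in d.args:
                if arg.startswith("zone=") and arg[5:] not in req_zones:
                    findings.append(f"limit_req references undeclared zone '{arg[5:]}'")
        if d.name == "limit_conn" and d.args and d.args[0] not in conn_zones:
            findings.append(f"limit_conn references undeclared zone '{d.args[0]}'")
    return findings


# Constructed sample: the kind of configuration the raw snippets above would produce.
WEAK_CONFIG = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 443 ssl;
        autoindex on;
        limit_req zone=one burst=5 nodelay;
        limit_conn zone 10;
        location / { root /var/www/html; }
    }
}
"""
# Constructed sample: the same server with the corrections applied.
HARDENED_CONFIG = r"""
http {
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        listen 443 ssl;
        autoindex off;
        limit_req zone=one burst=20 nodelay;
        limit_conn addr 10;
        location ~ /\.git { deny all; }
        location / { root /var/www/html; }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(cfg) or ["no findings"])
```

Run against a real file with `audit(open("/etc/nginx/nginx.conf").read())`; `include` directives are not followed, so run it over the concatenated output of `nginx -T` when the configuration is split across files.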
15. Regularly Update NGINX and Dependencies
To maintain a secure environment, regularly update NGINX and its dependencies:
```bash
sudo apt-get update && sudo apt-get upgrade -y
```
Replace the command with the actual update command for your Linux distribution.
By implementing these essential security configurations in your NGINX setup, you can significantly improve the overall security of your web application. Remember to regularly review and update your configuration to ensure that your server remains secure against evolving threats.